Ransomware Attack on Colonial Pipeline: Was It Preventable?

Hackers exploited known vulnerabilities in supply chain software to target Colonial Pipeline. Could the ransomware attack be detected or prevented using known cybersecurity practices?

May 13, 2021

Late last Friday, Colonial Pipeline suffered a DarkSide ransomware attack, putting fuel and gas supplies to most of the U.S. East Coast in peril. The resulting outage prompted the Biden administration to launch an “all-of-government” effort to secure critical energy supply chains and to help alleviate shortages. This was yet another ransomware attack targeting a critical infrastructure organization, coming shortly after a cyber attack targeted the water treatment system in Oldsmar, Florida.

But was it preventable?

After Colonial Pipeline reported the attack to the public via a series of press releases, the FBI said the DarkSide ransomware was responsible for the compromise of the Colonial Pipeline networks. While it is known in some circles as a ‘left-wing’ hacker group, DarkSide quickly issued a statement insisting it is apolitical and targets large organizations only to make money. As for the real-world consequences, the group said it would introduce “moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Setting aside the specific motivations of the hacker group responsible for the incident, it is up to major corporations to keep their networks and data protected from unauthorized access and hacking attacks at all times. This requires a mix of cybersecurity protocols, network security investments, sufficient cybersecurity personnel to monitor networks, and the deployment of ML-based security solutions to detect anomalies and filter out false positives.


Colonial Pipeline Didn’t Know How Exposed It Was To Cyber Risks

However, according to the cybersecurity firm Coalition, Colonial Pipeline, which is the largest refined products pipeline company in the U.S. and supplies around 45% of all fuel in the East Coast region, let numerous security risks persist in its IT network. This indicates that there could have been several ways for hackers to breach its perimeter and infiltrate critical operational systems. The DarkSide ransomware group reportedly exploited security vulnerabilities in Microsoft Exchange services to deploy ransomware in the company’s network, but according to Coalition’s head of Threat Intelligence, Jeremy Turner, the company was exposed to other cyber risks as well:

“Coalition evaluated Colonial Pipeline and found numerous potential risks that could have led to the breach: The most likely culprit is vulnerable Microsoft Exchange services, but the organization also exposed SNMP, NTP, and DNS services, which indicates an overall lack of cybersecurity sophistication, unfortunately. Other possibilities include the numerous network protocols exposed on the internet publicly, as well as targeted virtualization software or SSL VPN access with names that imply ICS network access – also with an invalid certificate – could be culpable vulnerability points.

“Overall, Colonial Pipeline likely did not have the awareness needed to protect themselves. It could be as simple as a lack of two-factor authentication on their VPN – one of the most common threats to an organization’s cybersecurity – or even just an indirect victim of the general and widespread targeting of Exchange servers.”

A lack of awareness of basic cybersecurity risks displayed by a critical infrastructure services provider indicates that hackers will forever find it easy to breach networks, obtain credentials for privileged accounts, or access sensitive enterprise or customer information by exploiting known vulnerabilities that major organizations fail to patch.

With the rise of the ransomware-as-a-service industry and the increasing propensity of organizations towards paying hush money to cyber criminals instead of taking a resolute stand, the future looks bleak as far as winning the war against cybercrime is concerned.


How Serious Is the Threat?

The latest ransomware attack has, however, jolted the government, which is still smarting from the impact of large-scale supply chain attacks that exploited vulnerabilities in SolarWinds’ Orion IT monitoring software and Microsoft’s Exchange servers to target federal agencies.

On Wednesday, President Biden signed an Executive Order to “improve the nation’s cybersecurity and protect federal government networks,” noting that “recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.”

The administration’s checklist to prevent such attacks in the future contains measures we have heard before: improving investigative and remediation capabilities, creating a standard playbook for responding to cyber incidents, improving software supply chain security, implementing stronger cybersecurity standards, and increasing threat intelligence sharing between federal and private organizations.

While the government can certainly provide a roadmap and mobilize intelligence agencies to help organizations respond to cyber attacks, it is up to organizations to figure out how exposed they are to cybersecurity threats, how they can prevent ransomware attacks or breaches, and how much money they must allocate to cybersecurity to stand a good chance of recovering from devastating attacks.

The International Association of IT Asset Managers (IAITAM) is confident that more high-profile infrastructure attacks are likely to follow the hack of the Colonial Pipeline, and a crucial part of the problem is weak IT Asset Management of computing devices and software. “The problem here comes down to one central reality: If you are not managing your assets, you’re not managing your business … and you can’t secure what you don’t know you have,” says Dr. Barbara Rembiesa, CEO and president of IAITAM.

“All the people behind these ransomware attacks need is someone running a laptop in an unauthorized fashion on a non-secure network, such as a home Wi-Fi system. They don’t need much more than a central computer system that is running software that has not been properly patched or otherwise updated. And they are delighted to find an employee who is tapping into key systems remotely on a personal cell phone or other device that has not been authorized for such access. 

“Until the operators of public water systems, energy pipelines, nuclear power plants, bridges, tunnels, airports, and other key infrastructure elements get serious about thorough and tough-minded IT Asset Management, we are going to see more and more ransomware attacks like the one on the Colonial Pipeline,” she adds.


Are Ransomware Attacks Preventable?

Considering that there are many ways malicious actors can infiltrate an enterprise network, there’s no magic pill to help organizations tide over the threat. However, according to Kumar Mehta, founder and CDO of Versa Networks, here are some steps your IT security team should take to make the network more resilient to cybersecurity threats, especially ransomware attacks:

Security hardening for the Domain Controller:

  • Create replicas of the Domain Controller and allow users to access the replicas only
  • Enforce firewall policies for the Domain Controller
  • Deploy EDR on the Domain Controller
  • Enforce lateral movement detection for traffic in/out of the Domain Controller

Protection against command and control:

  • Block access to anonymizers and TOR proxies
  • Enable IPS to detect/block other types of C&C

Security hardening of file shares:

  • Enforce firewall policies for file shares
  • Deploy EDR on file shares
  • Enforce lateral movement detection for traffic in/out of file shares
  • Protect access from file shares to backup servers

Use multilayer protection: While it is a good idea to engage best-in-class products to ensure system security, it also makes sense to employ the right products at every layer so that a threat missed by one product is detected by another. A recent survey concluded that using multiple products improves organizational security more than relying on a single breed of product. Classifying networks into layers can help organize the security response appropriately and reduce the attack surface.

Implement a password policy and internal zoning of files: Restrict individual users to the files and folders they need, so that a compromised account cannot reach the rest. Employ lateral movement detection for east-west traffic.

Apply security patches: Applications can introduce security loopholes and become a problem for organizations. Patch applications as soon as security updates are made available.
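The segmentation and C&C rules in the checklist above can be turned into a concrete check over network flow records. The following is an added example, not code from Versa Networks or Colonial Pipeline; the hosts, subnets, anonymizer denylist and log format are all constructed for illustration.

```python
"""Evaluate constructed flow records against the checklist's rules:
users reach DC replicas only, no file-share-to-backup access,
anonymizer/TOR destinations blocked, east-west admin traffic flagged."""

DOMAIN_CONTROLLER = {"10.0.1.10"}          # primary DC (constructed address)
DC_REPLICAS = {"10.0.1.11", "10.0.1.12"}   # replicas users are allowed to use
FILE_SHARES = {"10.0.2.20"}
BACKUP_SERVERS = {"10.0.3.30"}
USER_SUBNET = "10.0.50."                   # workstation range (constructed)
ANONYMIZER_IPS = {"198.51.100.7"}          # constructed anonymizer denylist
TOR_PORTS = {9001, 9030, 9050, 9150}       # default Tor relay and SOCKS ports
LATERAL_PORTS = {445, 3389, 5985, 5986}    # SMB, RDP, WinRM

def is_user_host(ip):
    return ip.startswith(USER_SUBNET)

def evaluate(src, dst, dport):
    """Return the first rule the flow violates, or None if it is allowed."""
    # Command and control: anonymizer IPs, or Tor ports on any external host.
    if dst in ANONYMIZER_IPS or (not dst.startswith("10.") and dport in TOR_PORTS):
        return "block-anonymizer"
    # DC hardening: only replicas may talk to the primary Domain Controller.
    if dst in DOMAIN_CONTROLLER and src not in DC_REPLICAS:
        return "dc-direct-access"
    # File-share hardening: shares must never initiate access to backup servers.
    if src in FILE_SHARES and dst in BACKUP_SERVERS:
        return "share-to-backup"
    # Lateral movement: workstation-to-workstation admin protocols (east-west).
    if is_user_host(src) and is_user_host(dst) and dport in LATERAL_PORTS:
        return "lateral-movement"
    return None

def parse_flow(line):
    # Constructed log format: "<src-ip> <dst-ip> <dst-port>"
    src, dst, dport = line.split()
    return src, dst, int(dport)

SAMPLE_LOG = """\
10.0.50.5 10.0.1.11 389
10.0.50.5 10.0.1.10 389
10.0.50.5 198.51.100.7 443
10.0.50.5 203.0.113.9 9001
10.0.2.20 10.0.3.30 445
10.0.50.5 10.0.50.6 3389
10.0.50.5 10.0.2.20 445
"""

def audit(log_text):
    """Map each flow line to the rule it violates (None when allowed)."""
    return [(line, evaluate(*parse_flow(line))) for line in log_text.splitlines()]
```

Only the first violated rule is reported per flow, which is enough to route each record to the right alert; a real deployment would read flows from the firewall or EDR rather than an inline string.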

Is your organization prepared to detect and prevent ransomware attacks that could result in prolonged outages and financial loss? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Jayant Chakravarti

Senior Assistant Editor, Spiceworks Ziff Davis

Jayant is Senior Assistant Editor for Spiceworks News & Insights and handles feature stories, news, and interviews around the latest developments in the field of technology, specifically around disruptions introduced by emerging concepts such as cybersecurity, AI, cloud computing, and data-driven analytics. He specializes in the coverage of cybersecurity laws, regulations, and practices in EMEA and North America. You can get in touch with him at [email protected]