Colonial Pipeline: One year on from the ransomware attack that shocked the world

On 7th May 2021, Colonial Pipeline – the largest fuel pipeline in the US – suffered a ransomware attack as the result of a single compromised password. DarkSide, the hackers responsible for the attack, stole nearly 100 gigabytes of data and threatened to leak it unless their demand of $4.4 million was paid. While Colonial Pipeline paid the ransom to get its data back, approximately $2.2 million was later recovered by the Department of Justice.

However, the hack opened up the conversation about how the government and all organisations must be more diligent about protecting critical infrastructure and addressing vulnerabilities.

One year on from the attack, Cyber Protection Magazine speaks to three cybersecurity experts to learn what progress has been made since, and what organisations can still do to prevent themselves from becoming the next victim.

Bringing cybersecurity into the spotlight

Sam Hutton, Chief Revenue Officer at Glasswall, recalls how “a year ago, the US supply chain came to a temporary, screeching halt when its largest fuel pipeline fell victim to a ransomware attack. The Colonial Pipeline incident, while devastating, helped push cybersecurity to the forefront of the conversation for both the US government and critical infrastructure organisations.

“In March, the House sent a cyber crime bill inspired by these events to President Biden for final sign off. This helped US law enforcement agencies better identify cyber threats, prosecute those involved, and prevent future attacks. While this was a substantial move forward, it is also important for companies to be aware of proactive security measures they can take on their own in an effort to avoid an attack in the first place.”

Neil Jones, director of cybersecurity evangelism at Egnyte, struggles to “believe it’s been a year since the Colonial Pipeline ransomware attack,” and agrees that the “good news is that cybersecurity requirements for infrastructure providers like Colonial have become more formalised since the cyber-attack occurred, and there’s broader corporate awareness of ransomware’s impact.”

Cybercriminals aren’t backing down

However, despite these new steps forward, ransomware is still as big a threat as it was 12 months ago. As Jones emphasises, “recent geopolitical events in Europe and global supply chain pressures remind us that service disruptions from ransomware are just as likely now as they were a year ago. And, organisations are even having to manage data infiltration allegations via social media that may or may not have even occurred.”

Steve Moore, chief security strategist at Exabeam, argues that “there’s enough out there on what ransomware is, how it works, and a massive push to ‘stop’ it, but we never solved the foundational problems that make it possible. Ransomware is a missed intrusion, period. The attacks are only possible because of a weakness in an endpoint, server, or cloud environment or via a compromised credential that gets missed. If you unsuccessfully manage intrusions, you will eventually fail amazingly with ransomware.


“Last year’s Verizon Data Breach Investigations Report (DBIR) revealed that ransomware instances have doubled; but again, that’s because of these three reasons:

  1. We never fixed the core problems (break the cycle of compromise) which allow it to occur.
  2. It’s profitable for the adversary – therefore incentive.
  3. It detects itself so the reported numbers increase – so anyone can ‘find’ it.

“Ransomware is simply a product of an upstream failure; in order to improve our position against these attacks, we must address these failures first.”

So what must be done?

Hutton believes that while the US government initiatives are a step in the right direction, “the government should not be relied upon for your cyber defence strategy. Instead, organisations should always adopt a zero-trust approach and have the proper systems in place to prevent attacks from penetrating their systems. A simple, proactive solution such as Content Disarm and Reconstruction (CDR) creates a digital environment where threats cannot exist, making a more efficient and cost-effective option overall and taking the burden off of employees.”

Jones also shares “several proven approaches that organisations can follow to help prevent ransomware:

  1. Develop a comprehensive incident response plan.
  2. Utilise a solution with ransomware detection and recovery.
  3. Educate executive management about ransomware’s impact.
  4. Perform cybersecurity awareness training, which should include implementing effective data protection policies like strong password protection and multi-factor authentication. It’s also critical that they understand any company can be a potential victim, regardless of size or location.”

Preparation is key

It’s vital that organisations globally take ransomware threats seriously – as the Colonial Pipeline incident showed, the stakes have never been higher.

Jones concludes: “Without adequate preparation, disruptions are likely to become more severe. For years, we’ve realised how vulnerable global organisations are to potential attacks, but many of our concerns were dismissed as fear, uncertainty, and doubt (FUD). Colonial was an important inflection point for public and private sector infrastructure security, but organisations need to remain vigilant to stay a step ahead of cyber attackers.”
