The Colonial Pipeline ransomware attack a year on: 5 lessons for security teams

At the moment marks the one-year anniversary of the Colonial Pipeline ransomware attack, one of many largest cyber attacks in latest historical past, the place a risk actor named DarkSide used a single compromised password to achieve entry to the US’s largest pipeline operator’s inside methods. 

In the course of the assault, whereas the hackers started encrypting the group’s knowledge, Colonial Pipeline responded by taking its methods offline to cease the unfold of the risk, however quickly ceased pipeline operations and ended up paying a ransom of $4.4 million. 

Whereas the Colonial Pipeline assault might have handed, ransomware stays an existential risk to trendy enterprises, and with ransomware attacks on the rise, enterprises should be ready. 

The excellent news is that there are a rising variety of safety controls that organizations can implement to guard themselves from these pervasive threats.

Deploy zero-trust architectures 

Login credentials are one of many key targets of cyber criminals. In consequence, it’s turning into extra essential for safety groups to implement assist for zero-trust authentication, to make it tougher for unauthorized customers to login with compromised credentials. 

“The Colonial Pipeline ransomware assault was yet one more high-profile instance of compromised credentials being leveraged to take advantage of a beforehand believed to be safe infrastructure. In consequence, safety protocols should evolve to maintain tempo with dynamic threats throughout distributed computing environments,” stated CTO and Co-Founding father of Id Entry Administration supplier Plain ID, Gal Helemski. 

Helemski recommend that organizations can stop themselves from falling sufferer to related assaults by implementing a zero-trust structure that extends entry controls previous conventional community entry safety all through the whole lifecycle of the digital journey. 

Implement strong incident detection and response capabilities 

One of many largest elements that determines the general impression of a ransomware breach is the time it takes for the group to reply. The slower the response time, the extra alternative a cyber prison has to find and encrypt essential knowledge property. 

“Colonial was an essential inflection level for private and non-private sector infrastructure safety, however organizations want to stay vigilant to remain a step forward of cyber-attackers,” stated Director of Cybersecurity Evangelism at ransomer detection and restoration platform Egnyte, Neil Jones. 

In observe, meaning creating a complete incident response plan, deploying options with ransomware detection and restoration capabilities, and providing workers cybersecurity consciousness coaching on the best way to implement efficient knowledge safety insurance policies like sturdy passwords and multi-factor authentication. 

Don’t depend on backup and restoration options to guard knowledge 

Many organizations search to defend in opposition to themselves from ransomware threats by counting on knowledge backup and restoration options. Whereas this appears like an efficient protection on paper, ransomware attackers have began to threaten to leak the information they’ve encrypted if the sufferer group doesn’t pay the ransom. 

Quite than counting on encryption-at-rest, which attackers can use compromised credentials to sidestep, Arti Raman, CEO and Founding father of encryption-in-use supplier Titaniam recommends that organizations change to knowledge in-use safety. 

“With encryption-in use knowledge safety, ought to adversaries break by means of perimeter safety infrastructure and entry measures, structured in addition to unstructured knowledge can [and] will [be] undecipherable and unusable to unhealthy actors – making digital blackmail considerably tougher, if not inconceivable,” Raman stated. 

Create a list of your assault floor 

With so many superior risk actors concentrating on trendy organizations with ransomware threats, technical resolution makers and safety groups have to have an entire stock of what methods are uncovered to exterior risk actors and what knowledge they maintain. 

“Because the U.S. authorities strikes to bolster nationwide cybersecurity, organizations should take a proactive strategy to safe their very own property, and right here is the place the benefit lies: responsiveness,” stated CEO and co-founder of managed safety companies group,Cyber Security Works, Aaron Sandeen. 

“By conducting an entire system stock both independently or outsource to a vulnerability administration firm, organizations develop their cybersecurity visibility of identified and unknown exploits,” Sandeen stated.  

Whereas the group behind the Colonial Pipeline assault are defunct, Sandeen warns that enterprises will proceed to see a rising variety of exploits, vulnerabilities and APT risk actors keen to take advantage of them, “which is able to want safety leaders offering predictive and creative help in categorizing and eliminating ransomware threats.” 

Deploy id administration options to establish anomalous consumer exercise 

Within the period of distant working and workers utilizing private gadgets to entry enterprise assets, the chance of knowledge theft is bigger than ever earlier than. “Many of the breaches we hear about within the information are a results of companies counting on automated entry management and realizing too late when a consumer has been hijacked. 

“As soon as an account is compromised, identity-based fraud will be extraordinarily troublesome to detect contemplating the superior ways and randomness of various crime teams like LAPUS$ and Conti,” stated CISO of belief platform, Forter, Gunnar Peterson. 

Because of this, organizations have to have the power to establish anomalous consumer exercise to allow them to detect account takeover, which Peterson says will be obtained by means of utilizing an AI-driven id administration resolution with anomaly detection.