The Colonial Pipeline ransomware attack a year on: 5 lessons for security teams


Today marks the one-year anniversary of the Colonial Pipeline ransomware attack, one of the biggest cyber attacks in recent history, where a threat actor named DarkSide used a single compromised password to gain access to the US’s largest pipeline operator’s internal systems. 

During the attack, as the hackers began encrypting the organization’s data, Colonial Pipeline took its systems offline to stop the spread of the threat. Doing so temporarily halted pipeline operations, and the company ultimately paid a ransom of $4.4 million.

While the Colonial Pipeline attack may have passed, ransomware remains an existential threat to modern enterprises, and with ransomware attacks on the rise, enterprises need to be prepared. 

The good news is that there are a growing number of security controls that organizations can implement to protect themselves from these pervasive threats.

Deploy zero-trust architectures 

Login credentials are one of the key targets of cyber criminals. As a result, it’s becoming more important for security teams to implement support for zero-trust authentication, to make it harder for unauthorized users to log in with compromised credentials.

“The Colonial Pipeline ransomware attack was yet another high-profile example of compromised credentials being leveraged to exploit a previously believed to be secure infrastructure. As a result, security protocols must evolve to keep pace with dynamic threats across distributed computing environments,” said CTO and Co-Founder of Identity Access Management provider Plain ID, Gal Helemski. 

Helemski suggests that organizations can prevent themselves from falling victim to similar attacks by implementing a zero-trust architecture that extends access controls past traditional network access security and throughout the entire lifecycle of the digital journey.

Implement robust incident detection and response capabilities 

One of the biggest factors that determines the overall impact of a ransomware breach is the time it takes for the organization to respond. The slower the response time, the more opportunity a cyber criminal has to locate and encrypt critical data assets. 

“Colonial was an important inflection point for public and private sector infrastructure security, but organizations need to remain vigilant to stay a step ahead of cyber-attackers,” said Director of Cybersecurity Evangelism at ransomware detection and recovery platform Egnyte, Neil Jones.

In practice, that means developing a comprehensive incident response plan, deploying solutions with ransomware detection and recovery capabilities, and offering employees cybersecurity awareness training on how to implement effective data protection policies like strong passwords and multi-factor authentication. 

Don’t rely on backup and recovery solutions to protect data 

Many organizations seek to defend themselves against ransomware threats by relying on data backup and recovery solutions. While this sounds like an effective defense on paper, ransomware attackers have started to threaten to leak the data they’ve encrypted if the victim organization doesn’t pay the ransom.

Rather than relying on encryption-at-rest, which attackers can sidestep with compromised credentials, Arti Raman, CEO and Founder of encryption-in-use provider Titaniam, recommends that organizations switch to data-in-use protection.

“With encryption-in use data protection, should adversaries break through perimeter security infrastructure and access measures, structured as well as unstructured data can [and] will [be] undecipherable and unusable to bad actors – making digital blackmail significantly more difficult, if not impossible,” Raman said. 

Create an inventory of your attack surface 

With so many advanced threat actors targeting modern organizations with ransomware threats, technical decision makers and security teams need to have a complete inventory of what systems are exposed to external threat actors and what data they hold. 

“As the U.S. government moves to bolster national cybersecurity, organizations must take a proactive approach to secure their own assets, and here is where the advantage lies: responsiveness,” said CEO and co-founder of managed security services organization Cyber Security Works, Aaron Sandeen.

“By conducting a complete system inventory, either independently or by outsourcing to a vulnerability management company, organizations expand their cybersecurity visibility of known and unknown exploits,” Sandeen said.

While the group behind the Colonial Pipeline attack is defunct, Sandeen warns that enterprises will continue to see a growing number of exploits, vulnerabilities and APT threat actors willing to exploit them, “which will need security leaders providing predictive and inventive assistance in categorizing and eliminating ransomware threats.”

Deploy identity management solutions to identify anomalous user activity 

In the era of remote working and employees using personal devices to access enterprise resources, the risk of data theft is greater than ever before. “Most of the breaches we hear about in the news are a result of businesses relying on automated access control and realizing too late when a user has been hijacked. 

“Once an account is compromised, identity-based fraud can be extremely difficult to detect considering the advanced tactics and randomness of different crime groups like LAPSUS$ and Conti,” said CISO of trust platform Forter, Gunnar Peterson.

For this reason, organizations need the ability to identify anomalous user activity so they can detect account takeover, which Peterson says can be achieved with an AI-driven identity management solution that includes anomaly detection.

Originally appeared on: TheSpuzz