Colonial Pipeline Cyber-Attack: Understanding the Threat


With the recent fallout surrounding the Colonial Pipeline breach felt across much of the country, I think it’s important that businesses embrace the key takeaways on the techniques used in this attack and heighten their awareness so they can detect when things are going wrong in their environments. Educating ourselves on the many shared techniques of these criminal groups, like DarkSide, will serve as an added layer of protection to our IT environments, and in many cases, our infrastructure as a whole.

In this blog, we’ll cover what we’ve learned about the penetration & movement of this particular attack, the realities of sophisticated cyber-attacks and what you need to defend your IT environment. Let’s jump into the DarkSide Ransomware attack to learn more.

DarkSide Ransomware: How It Gets In

DarkSide primarily targets U.S.-based companies, and the techniques it uses to infiltrate networks make compromise quick. Threat actors from the group gain access to a device while posing as a legitimate user, which enables them to install malicious code on the compromised endpoint. Next, the cybercriminals escalate privileges and move laterally through the network to reach highly sensitive company information. Once they have it, business data is usually exfiltrated quietly, then critical processes are encrypted and a ransom is demanded, with a promise to decrypt the data once the company pays. It is increasingly understood that a ransom payment does not guarantee that your business can restore lost data: estimates show that 30-35% of the time, businesses that have paid the ransom still cannot restore their data.

Speed of Attack Leading to Catastrophic Downtime & Financial Loss

This particular attack moved incredibly fast through the network. Six days passed between the time Colonial Pipeline discovered that its IT environment had been infiltrated and the resumption of partial operations. For a company that supplies approximately 45% of the fuel consumed on the East Coast, distributing 3 million barrels of fuel per day from Texas to New York, six days of disruption is catastrophic for the business and the consumer.

Not only did Colonial Pipeline experience financial loss from a 6-day shutdown, but they also paid the ransom to DarkSide soon after the breach was detected. The ransom payment alone was reported to be in the neighborhood of $4.4 million.

Key Takeaways from the Colonial Pipeline Cyber-Attack

1. Cyber-attacks can happen to anyone: It’s a matter of “when,” not “if”

No organization is completely protected against a cyber-attack, even if their firewalls are strong and their networks are appropriately segmented. Instead, focus on implementing tools for active monitoring and change detection for all of your IT assets so that a potential threat is identified as soon as possible.

2. The New Norm: Cyber-attacks will only increase year over year.

Businesses should view the attack on Colonial Pipeline Company as a reality check rather than an irregularity. The Cybersecurity and Infrastructure Security Agency (CISA) warned of the potential for new foreign attacks earlier this year. Malware attacks like Stuxnet, WannaCry, and NotPetya have already been successful. Attacks on industrial control systems (ICS), like the recent cyber-attack on a Florida water treatment plant, are also on the rise, as are attacks such as the one on Toshiba Tech France.

3. An important step in improving overall cybersecurity is identifying all IT assets.

You can’t secure what you can’t see. Critical infrastructure organizations should make it a priority to identify all assets, identifying weaknesses like outdated operating systems. The Asset Inventory Service can help critical infrastructure organizations, and any organizations with both IT and OT assets, quickly and clearly identify all their devices.

After identifying assets, it is important to begin protecting them from malicious or negligent changes. Unauthorized changes to IT assets can be quickly identified through active monitoring, or with change management that automatically backs up the data running on IT devices and compares it against the corresponding data held on the server. If a difference is detected, the appropriate personnel are alerted to investigate a potential cybersecurity concern.
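The backup-and-compare check described above, as an added example that is not part of the original post or any particular product: a hash baseline is recorded while the device is known-good, kept off-device, and later snapshots are compared against it so that every added, removed or modified file is surfaced for investigation. File names and contents are constructed sample data.

```python
# Added example (not from the original post): a minimal version of the
# change-detection check described above. Baseline hashes are recorded while
# a device is known-good and stored off-device; later snapshots are compared
# against them and each added, removed or modified file is reported.
import hashlib
import json
import os
import tempfile

def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                state[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def save_baseline(state, path):
    with open(path, "w") as fh:
        json.dump(state, fh, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def compare(baseline, current):
    """Return the differences that should raise an alert."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline two files, tamper with one, drop a new one."""
    root, store = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(root, "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    with open(os.path.join(root, "app.conf"), "w") as fh:
        fh.write("allow_remote=no\n")
    baseline_path = os.path.join(store, "baseline.json")  # the server-side copy
    save_baseline(snapshot(root), baseline_path)
    with open(os.path.join(root, "app.conf"), "w") as fh:  # unauthorized edit
        fh.write("allow_remote=yes\n")
    with open(os.path.join(root, "dropper.bin"), "wb") as fh:  # new unknown file
        fh.write(b"\x00")
    return compare(load_baseline(baseline_path), snapshot(root))
```

Running `demo()` returns the added and modified paths; in practice the baseline would live on the monitoring server and the comparison would run on a schedule, with any non-empty result routed to the on-call team.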

4. Adopt Zero Trust Policy-Driven Security on your endpoints to strengthen your security posture.

Protecting the perimeter alone is no longer an option for businesses. Once hackers penetrate the perimeter, they are free to move about the IT environment. This approach is being replaced by Zero Trust Policy-Driven Security: nothing inside or outside the perimeter is trusted automatically, and anything and everything trying to connect to your systems must be verified before access is granted.

Protecting your endpoints with policy-based application whitelisting & storage control is a must in a world of highly sophisticated cybersecurity threats.

Application whitelisting is considered the gold standard when it comes to blocking ransomware, viruses & other software-based threats. This tool allows only trusted software to run on endpoints & services, while blocking everything else.

The Power to Protect Your Business from Cyber Threats is in Your Hands. Here’s How.

A critical step in mitigation is performing routine IT risk assessments and analyses. You have the unique opportunity to leverage an invaluable assessment tool that uncovers areas of exposure in your processes that you can address today, before threats take hold of your network.

Find out how your environment stacks up:

  • Security risk rating
  • How your cybersecurity plan measures up to your competition
  • Specific recommendations to modify your security plan & avoid costly attacks
  • Solid recovery & business continuity plan before you need one
  • Comprehensive plan of action on next steps to take

Security Awareness: Your first line of defense.

Shawn Brown, COO, Snap Tech IT

