One Year Later: Lessons from the Colonial Pipeline Ransomware Attack

  • Use Multi-Factor Authentication (MFA) to make it much harder for attackers to break in. Colonial Pipeline’s VPN account was compromised because its password was found on the dark web. With MFA enabled, obtaining the password alone would not have been enough to get in.
  • Backup systems regularly. After the ransom was paid, the decryption tool provided was so slow that the company’s business continuity planning tools were more effective in bringing back operational capacity.
  • Detect early signs of an attack and stop it quickly before it progresses to minimize damage. In the Colonial Pipeline case, data exfiltration happened before the ransomware attack. A detection and response system could have triggered an exfiltration alert, which would have prompted an investigation and response to stop the attack from progressing to a ransomware attack.
  • Detect suspicious behaviors in addition to having coverage of MITRE ATT&CK tactics and techniques. Attackers may simply buy credentials on the dark web and log in as a legitimate user; that login will not trigger detections based on ATT&CK tactics and techniques. However, once they are in, they will almost certainly exhibit suspicious behaviors.
  • Show a clear picture of how the attack happened, to conclusively show that the attack has been contained. Colonial Pipeline hired Mandiant to perform an exhaustive search of their environment to determine that there was no other related activity before the attacker gained access to the network on April 29 using the VPN account. However, a good detection system would have shown this in real-time without days of manual tracing and sweeping.
  • Show how far the attack has gone and understand the impact. Has it reached critical assets? This determines the impact on the business and avoids unnecessary disruption. The primary target of the attack was the company’s billing infrastructure; the actual oil pumping systems were still able to work. However, it was not clear to Colonial Pipeline whether the attacker had compromised their operational technology network — the system of computers that control the actual flow of gasoline — until days later, after Mandiant had swept and traced their whole network. A detection system should clearly show how far the attack has progressed and which assets are impacted, so that the corresponding actions can be determined.
  • Show any new follow-up attacks that are going on. During the investigation, Mandiant installed detection tools to monitor for follow-up attacks. A solid detection and response system monitors 24/7, no matter when (or whether) an attack is happening.
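The two detection lessons above (exfiltration happening before the ransomware stage, and a credential-only VPN login that no ATT&CK technique signature will catch) can be combined into one behavioral rule: treat a password-only VPN login as the trigger and watch the outbound volume from that host against its normal baseline. The following is an added example, not code from the article or from any vendor named in it; the event format, the hostnames, the baselines and the timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): VPN logins and
# outbound transfer totals per host, with ISO-8601 timestamps.
EVENTS = [
    {"ts": "2021-04-29T07:55:00", "type": "vpn_login", "user": "alice", "host": "ws-03", "mfa": True},
    {"ts": "2021-04-29T08:02:00", "type": "vpn_login", "user": "svc_old", "host": "ws-17", "mfa": False},
    {"ts": "2021-04-29T08:40:00", "type": "egress", "host": "ws-03", "mb": 300},
    {"ts": "2021-04-29T09:10:00", "type": "egress", "host": "ws-17", "mb": 1500},
    {"ts": "2021-04-29T11:45:00", "type": "egress", "host": "ws-17", "mb": 4000},
]
# Constructed per-host baseline of normal daily outbound volume (MB).
BASELINE_MB = {"ws-03": 500, "ws-17": 400}


def detect_exfil_after_login(events, baseline_mb, window_hours=24, factor=5):
    """Correlate password-only VPN logins with outbound volume that exceeds
    `factor` times the host's baseline within `window_hours` of the login.
    Returns one alert per host the first time the threshold is crossed."""
    window = timedelta(hours=window_hours)
    pending = {}  # host -> {"user", "at" (login time), "mb" (sent so far)}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "vpn_login" and not ev["mfa"]:
            # A login that did not pass MFA is the trigger: remember it so
            # that later egress from the same host is attributed to it.
            pending[ev["host"]] = {"user": ev["user"], "at": ts, "mb": 0}
        elif ev["type"] == "egress" and ev["host"] in pending:
            p = pending[ev["host"]]
            if ts - p["at"] > window:
                del pending[ev["host"]]  # outside the correlation window
                continue
            p["mb"] += ev["mb"]
            # A host with no recorded baseline is treated as baseline 0,
            # so any egress after such a login raises an alert (fail closed).
            if p["mb"] > factor * baseline_mb.get(ev["host"], 0):
                alerts.append({"user": p["user"], "host": ev["host"],
                               "login_at": p["at"].isoformat(), "mb_sent": p["mb"],
                               "reason": "egress exceeds baseline after password-only VPN login"})
                del pending[ev["host"]]  # alert once; analysts take it from here
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil_after_login(EVENTS, BASELINE_MB):
        print(alert)
```

In the sample data the first transfer from ws-17 stays under five times its baseline, so the rule only fires once the cumulative volume within the window crosses the threshold; the MFA-backed login on ws-03 never enters the correlation at all.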
