The recent ransomware attack on Colonial Pipeline is reportedly one of the most significant cyberattacks on the energy sector till date, and it has overwhelmed cybersecurity experts across the globe.
On April 29, 2021, Colonial Pipeline—the company that runs the largest fuel pipeline in the US, transporting around 45% of fuel used on the East Coast—was attacked by hackers from the criminal group DarkSide. As a result, the company temporarily shut down its entire network, leading to severe fuel shortages and a spike in gas prices. Although Colonial Pipeline resumed its services within two weeks of the shutdown, the bad actors still wrecked one of the nation’s most critical energy resources, affecting over 50 million residents, all while getting paid a ransom of $4.4 million in return (although some of the ransom has since been seized by the authorities).
Security incidents like this one highlight that cyberattacks and breaches not only cost organizations their reputations but can potentially disrupt or even cut off service delivery to the public. Therefore, it’s about time that organizations, especially those that serve the public’s interest and play important roles in the economy, tighten their cybersecurity program.
The backstory: How hackers accessed the company’s network
An abandoned, idle VPN account coupled with poor password practices followed by one of Colonial Pipeline’s employees set backdoors for the ransomware attack. On April 29, hackers gained entry into the corporate network through a VPN account, which was no longer active at the time of the attack. The account’s password was available on the dark web inside a series of leaked passwords, meaning a Colonial employee may have used the same password on another account that was previously hacked. What was more favorable to the hackers was that the account also didn’t use multi-factor authentication (MFA). The incident went unnoticed for more than a week, until May 7, when a ransom note appeared on a computer screen, demanding cryptocurrency. It took another week for the company to confirm the pipeline’s operational unit wasn’t damaged, and Colonial Pipeline resumed its services on May 12.
This goes on to substantiate how when it comes to systems that manage the most critical assets, organizations still don’t pay heed to the importance of practicing basic security hygiene, like adopting MFA, identifying and deleting idle privileged accounts, and employing robust access controls. What would have been easily prevented with just the basic set of controls escalated into a cybersecurity disaster due to the sheer lack of attention to recommended security best practices.
Where Colonial Pipeline’s security system failed
The growing popularity of remote work among the global workforce has led to a significant surge in the number of remote-access-based attacks, and cybercriminals are always on the hunt for insecure VPNs and vulnerable remote access pathways to break into critical infrastructure. One negligent step from an employee or organization ultimately results in the exploit of potential yet often neglected vulnerabilities.
The hacking of Colonial Pipeline was disastrous, but it was also very likely preventable; it resulted from sheer negligence to protect critical infrastructure. To summarize, here are the key aspects that catalyzed the attack:
Use of duplicate passwords for sensitive accounts:
Had the organization mandated the use of unique passwords for privileged accounts, the employee wouldn’t have chosen a formerly used password for their corporate account. The easiest way to do this is via the use of a password generator that suggests strong, complex passwords in a random fashion.
Orphaned, abandoned, and inactive privileged accounts:
The account used to access Colonial Pipeline’s IT network was not active at the time of attack. Many organizations don’t keep track of inactive accounts as well as those belonging to former employees. They stay intact until they’re permanently deleted post a breach or security incident.
No MFA for privileged remote access accounts:
Lack of strong authentication can enable unauthorized, unhindered access to critical systems with just a single credential. Even with the legitimate credentials in hand, the attacker wouldn’t have gained access to the system had they been challenged again to prove their identity.
Not having a unified solution for network access in place:
VPNs with poor access controls are now considered insecure and unreliable for remote access. What critical organizations like Colonial Pipeline need is a central console that unifies all access to the corporate network—on-premises as well as via public and private clouds—with stringent access controls and session monitoring.
Lack of proper threat detection and prevention controls:
Even if an attacker manages to get into the corporate network, having comprehensive network monitoring tools could trigger timely alarms and warnings to the concerned supervisors to instantly terminate suspicious sessions. Intrusion detection systems, intrusion prevention systems, AI- and ML-based analytics tools, and SIEM solutions can monitor a network continuously, capture any information about possible threats and malware, and report them to the administrators for preventive actions. It’s about time modern organizations implement advanced technologies to gain meaningful insights and curb cyberattacks at the nub.
Inability to promptly trace the activities carried out during the session:
It took more than a week for investigators to check the entire pipeline network for further vulnerabilities. A comprehensive audit trail of events carried out during the session, along with tamper-proof session recordings, could have stepped up the inspection process.
Poor network segmentation:
The attack targeted Colonial Pipeline’s IT systems, but since these were connected to the operational unit, the company had to immediately shut down the entire pipeline. Colonial Pipeline’s failure to keep its network segmented—so that one can’t easily hop from one corporate division to another—was pivotal for the attack to succeed, highlighting the lack of proper cyberhygiene.
How to build a holistic security posture to shut out ransomware attacks
To achieve complete protection against ransomware attacks, organizations require multiple layers of defense. A mature, resilient cybersecurity posture combines a range of IT security solutions that work in an integrated fashion to protect against threats. Here are a few expert tips to step up your defense against ransomware.
Secure your email platform and educate employees about phishing:
Email is the source of most ransomware attacks, often exploited by cybercriminals to spoof credentials for illegitimate network access or to distribute malware directly. Add advanced phishing and malware protection capabilities to the mail server to scan and segregate inbound emails, block anomalous attachments, and protect from inbound phishing emails.
Educate employees on the importance of following basic security hygiene, like not disclosing personal information when answering an email, phone call, or text message; being aware of how fraudulent emails and attachments look; and contacting the IT department after receiving suspicious calls or emails.
Invest in antivirus software and firewalls:
Install antivirus software on all devices and update them with security patches regularly. Also install a firewall and configure it to limit traffic to the network to only necessary ports and IP addresses.
Patch your systems regularly:
Keeping every system up-to-date on patches is important to guard against ransomware since attackers often leverage security loopholes and bugs within software or operating systems to spread malware after gaining access.
Conduct regular risk assessments:
Evaluate security risks periodically to proactively mitigate potential risks by identifying security vulnerabilities and shortcomings across the entire corporate network.
Back up your systems periodically:
Get the basics right: The key to avoid ransom payouts is to have robust backups. Regularly back up data—locally and in the cloud—with strong encryption and controlled access to ensure that your corporate data is secured. Security experts recommend keeping at least three copies of your company’s data, on different devices or storage media, and having one of them completely offline and accessible only physically.
Invest in a strong privileged access management solution:
While it’s true that attackers today employ sophisticated methods and tools, it’s more often open administrative privileges and compromised credentials that give them initial access to critical infrastructure. Even for the recent attack on a Florida water treatment plant, all it took was one unprotected password for the unidentified perpetrator to access and manage the control systems remotely. That said, it’s crucial for organizations to ensure complete privileged account governance, manage access to critical systems, and monitor remote privileged sessions in real time with comprehensive auditing and reporting. In short, a robust privileged access management (PAM) solution can prove to be the ideal first line of defense for enterprises.
ManageEngine PAM360 is an enterprise-grade PAM solution that defends enterprises against cybercrime through powerful privileged access governance, smooth workflow automation, and advanced analytics. PAM360 readily integrates with various IT security tools, like SIEM, AI- and ML-based threat analytics, and vulnerability scanners, enabling administrators to achieve complete control over all privileged activities across the corporate network.
The post The Colonial Pipeline ransomware attack: Lessons for cybersecurity teams appeared first on ManageEngine Blog.
*** This is a Security Bloggers Network syndicated blog from ManageEngine Blog authored by Anuja K. Read the original post at: https://blogs.manageengine.com/corporate/manageengine/pam360/2021/06/15/the-colonial-pipeline-ransomware-attack-lessons-for-cybersecurity-teams.html