How Could the Colonial Pipeline Ransomware Attack Have Been Stopped?
It has been months since the Colonial Pipeline ransomware attack ended with a ransom payment of 75 bitcoin, roughly $4.4 million at the time. Since then, many have asked how it could have been fended off. After all, the attack Colonial Pipeline suffered was on a tremendous scale, and one would hope that stronger security measures would be applied to a system that so many people depend on.
In the months since, a lot has come out about the attack on Colonial Pipeline's systems, and the lessons apply to anyone building a ransomware defense.
The Colonial Pipeline phishing email
Early speculation held that the intrusion began with a phishing email. What Colonial's CEO later told the US Senate was somewhat different: the attackers logged in with a leaked password for a legacy VPN account that was no longer in active use and was not protected by multi-factor authentication. The underlying problem is the same either way: one stolen credential was enough to get in, and phishing remains one of the most common ways credentials get stolen. Phishing emails can be quite convincing. If they are sent directly by an attacker rather than by a bulk-mail kit, they look like any other email, and anyone can send you a message asking for your credentials.
Today, phishing is best countered in two ways. First, employees need regular training, so that any request for a password is treated as suspicious by default. Second, mail can be scanned automatically. An inbound gateway can check sender authentication (SPF, DKIM, DMARC), flag look-alike sender domains and quarantine messages that ask for credentials; on the outbound side, a data-loss-prevention rule can spot an employee mailing out a password and hold the message until it has been confirmed not to be a scam. A third control limits the damage when a credential leaks anyway: multi-factor authentication on every remote-access path, so that a password alone is not enough.
Bottom line: better training on phishing and better mail scanning would stop many attacks like this one, and multi-factor authentication on the VPN would have blunted the credential the attackers actually used. Beyond that, the exact chain of events may never be fully public, so this part is still partly educated supposition on the part of experts.
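The inbound side of the scanning described above, as an added example that is not code from the original page, from Colonial Pipeline or from any vendor: a small triage function that parses a raw email, checks sender authentication results, envelope and Reply-To mismatches, look-alike domains and credential-request wording, and decides whether to hold the message. The internal domain example.com, the quarantine threshold and the two sample messages are constructed assumptions.

```python
"""Score an inbound message for credential-phishing indicators.

Added example for this page, not tooling from Colonial Pipeline or any vendor.
INTERNAL_DOMAIN, the threshold and the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumed: the organisation's own mail domain
QUARANTINE_THRESHOLD = 2          # hold a message when this many indicators fire

CREDENTIAL_PHRASES = (
    "verify your password",
    "confirm your credentials",
    "enter your username and password",
    "your account will be suspended",
)


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message):
    """Return the names of the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    return_dom = _domain(msg.get("Return-Path")) or from_dom
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    auth = (msg.get("Authentication-Results") or "").lower()

    # 1. Display name drops our domain name but the address is external.
    if INTERNAL_DOMAIN in display_name.lower() and from_dom != INTERNAL_DOMAIN:
        found.append("display-name-spoof")
    # 2. Sender domain is one typo away from ours (examp1e.com, exarnple.com, ...).
    if from_dom != INTERNAL_DOMAIN and _edit_distance(from_dom, INTERNAL_DOMAIN) <= 1:
        found.append("lookalike-domain")
    # 3. Envelope sender (Return-Path) does not match the header From.
    if return_dom != from_dom:
        found.append("return-path-mismatch")
    # 4. Replies are steered to a third domain.
    if reply_dom != from_dom:
        found.append("reply-to-mismatch")
    # 5. The gateway recorded an SPF, DKIM or DMARC failure.
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        found.append("auth-fail")
    # 6. The body asks the reader for credentials.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    if any(phrase in body for phrase in CREDENTIAL_PHRASES):
        found.append("credential-request")
    return found


def should_quarantine(raw_message):
    """True when enough indicators fire to hold the message for review."""
    return len(phishing_indicators(raw_message)) >= QUARANTINE_THRESHOLD


# Constructed sample: a credential-harvesting lure impersonating the helpdesk.
PHISH = """\
From: "example.com IT Helpdesk" <helpdesk@examp1e.com>
Return-Path: <bounce@mail-sender.net>
Reply-To: <reset@formsite-abc.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-sender.net; dmarc=fail
Subject: Action required: password expiry
Content-Type: text/plain; charset=utf-8

Please verify your password at the link below within 24 hours
or your account will be suspended.
"""

# Constructed sample: ordinary internal mail that passes every check.
BENIGN = """\
From: Alice <alice@example.com>
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Are we still on for noon?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        verdict = "quarantine" if should_quarantine(sample) else "deliver"
        print(label, phishing_indicators(sample), verdict)
```

Each indicator on its own is weak (a legitimate mailing list also rewrites Return-Path), which is why the decision is made on a count rather than on any single check; the threshold is a tuning knob, and a real gateway would feed the same indicators into a user-visible warning banner as well as the quarantine.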
The Colonial Pipeline’s backups
An interesting twist in the pipeline case is that Colonial paid the ransom but made little use of what it bought. The decryption tool DarkSide supplied was so slow that the company restored from its own backups instead.
If your organization has its own backups and can restore from them quickly, there is no reason to give in to a ransom demand. It is likely that Colonial either feared a restore from backup would take too long or did not trust that its backups were current enough, and paid as a hedge.
Many companies do not manage their backups properly. They do not know whether the backups are current, whether they can be restored in an acceptable time, or whether they are even intact; a backup that has been silently corrupted, or that still contains the ransomware, is no backup at all. People do not think about backups until they need them.
The bottom line: keep backups that are recent, kept offline or otherwise out of reach of an attacker who holds domain credentials, and tested with real restores, and ransomware loses most of its leverage.
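The three properties just listed (timely, intact, restorable) can each be checked mechanically. The following is an added example, not Colonial Pipeline's backup procedure or any product's code: each backup carries a manifest of file hashes and the time it was taken, a verifier compares age against a recovery point objective and re-hashes every file, and a restore drill copies the set to a scratch location and verifies it there. The manifest name, the directory layout and the sample files are constructed assumptions.

```python
"""Check that a backup set is timely, intact and actually restorable.

Added example for this page, not Colonial Pipeline's backup procedure.
Paths, the manifest format and the sample files are constructed assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

MANIFEST = "MANIFEST.json"   # assumed name of the integrity manifest inside each backup


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir, taken_at=None):
    """Record a SHA-256 for every file in the backup plus the time it was taken."""
    files = {}
    for root, _dirs, names in os.walk(backup_dir):
        for name in sorted(names):
            if name == MANIFEST:
                continue
            path = os.path.join(root, name)
            files[os.path.relpath(path, backup_dir)] = _sha256(path)
    manifest = {"taken_at": time.time() if taken_at is None else taken_at, "files": files}
    with open(os.path.join(backup_dir, MANIFEST), "w") as fh:
        json.dump(manifest, fh)
    return manifest


def verify_backup(backup_dir, max_age_seconds, now=None):
    """Return a list of problems; an empty list means timely and intact."""
    try:
        with open(os.path.join(backup_dir, MANIFEST)) as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return ["no readable manifest"]
    problems = []
    age = (time.time() if now is None else now) - manifest["taken_at"]
    if age > max_age_seconds:          # older than the recovery point objective
        problems.append(f"stale: {age:.0f}s old exceeds RPO of {max_age_seconds}s")
    for rel, expected in manifest["files"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif _sha256(path) != expected:  # bit rot, truncation or tampering
            problems.append(f"corrupted: {rel}")
    return problems


def restore_drill(backup_dir, restore_dir):
    """Restore into a scratch location and re-verify there; the only real proof a backup works."""
    shutil.copytree(backup_dir, restore_dir)
    return verify_backup(restore_dir, max_age_seconds=float("inf"))


def run_scenarios():
    """Exercise the checks on a constructed backup set and return each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "db"))
        with open(os.path.join(backup, "config.ini"), "w") as fh:
            fh.write("[scheduler]\nmode=normal\n")                   # constructed content
        with open(os.path.join(backup, "db", "pipeline.sql"), "w") as fh:
            fh.write("INSERT INTO flow VALUES (1, 'ok');\n")         # constructed content
        now = time.time()
        write_manifest(backup, taken_at=now - 3600)                  # taken an hour ago
        results["fresh"] = verify_backup(backup, 86400, now=now)     # 24 h RPO: fine
        results["stale"] = verify_backup(backup, 1800, now=now)      # 30 min RPO: too old
        results["restore"] = restore_drill(backup, os.path.join(tmp, "restore"))
        with open(os.path.join(backup, "db", "pipeline.sql"), "a") as fh:
            fh.write("garbage\n")                                    # silent corruption
        results["corrupt"] = verify_backup(backup, 86400, now=now)
        os.remove(os.path.join(backup, "config.ini"))                # file lost
        results["missing"] = verify_backup(backup, 86400, now=now)
    return results


if __name__ == "__main__":
    for scenario, problems in run_scenarios().items():
        print(f"{scenario}: {problems or 'OK'}")
```

The manifest only proves that a backup matches what was written; it does not prove that what was written was clean, so the restore drill should be timed (to know whether the RPO and recovery time are realistic) and the restored copy should be scanned before it is trusted. Run the verifier from a host that can read the backup store but cannot write to it, so that the attacker who encrypts production cannot also rewrite the manifests.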
The Colonial Pipeline shutdown
It is important to note that the attack itself did not stop the pipeline. Colonial shut the pipeline down in response to the attack, and that shutdown caused panic buying, gas shortages and widespread alarm. The company treated the shutdown as a precaution: the ransomware had hit its IT network, and it could not quickly tell how far the compromise reached or whether the systems that actually run the pipeline could still be trusted.
As networks grow larger, they become harder to monitor as a whole. It becomes essential to be able to detect a potential compromise and to segment the most important systems and data, so that a foothold in the office network cannot reach the control network and the scope of an intrusion can be established quickly. Otherwise the only safe response to any intrusion is a shutdown. If Colonial had been able to verify the integrity of its control systems faster, it could have avoided, or at least shortened, the shutdown.
The bottom line: the true cost of an attack is usually not the ransom but the disruption. Improving the company's security architecture (segmentation, monitoring, and the ability to prove which systems are clean) reduces the potential cost of that disruption.
The Colonial Pipeline attacker
A ransomware-as-a-service group called DarkSide, believed to operate out of Russia, took responsibility for the Colonial Pipeline attack. But there were well over 100 ransomware attacks against American organizations that year. There are many attackers out there trying to make money or a name for themselves, and they do not always think their attacks through; DarkSide itself issued a statement disclaiming any political intent and shut down its operation within days of the attack.
Today, an attacker needs very little. Botnets are built out of poorly secured IoT devices and rented virtual private servers, ransomware is sold as a service to affiliates, and a phishing campaign can be run from a throwaway email address. It is not difficult for an attack to happen, and because of that there are more attacks than ever.
The bottom line: companies need to protect themselves because the number of attackers keeps growing. Even amateurs on the other side of the world could break into your network given enough time and effort.
Ultimately, the Colonial Pipeline attack was a perfect storm of factors that could hit many companies today. Colonial was not ready to restore its data quickly. It did not have enough visibility into its systems to tell what had been compromised and what had not. And it did not detect the intrusion until the ransom note appeared, days after the attackers first logged in.
As always, the best anti-ransomware defense is preparation. The better prepared a company is for these attacks, the less devastating they are likely to be.