Colonial Pipeline ransomware attack exposes cybersecurity vulnerabilities

DarkSide Ransomware and the Colonial Pipeline Attack


The Colonial Pipeline ransomware attack exposed long-standing vulnerabilities in U.S. cybersecurity: the government and private sector have struggled to work together to build more resilient defenses, and outdated security models have made it difficult for the federal government to keep up with advanced threats.(1)

So what happened?

On Friday, May 7, Colonial Pipeline said in a statement that the company learned it was the victim of a cybersecurity attack which forced them to temporarily halt operations and proactively bring some OT systems offline to contain the attack.

The FBI has identified the DarkSide ransomware gang as the culprit.(2) The group is a notorious — and surprisingly professional and efficient — ransomware-as-a-service operation that franchises its ransomware out to criminal affiliates and takes a cut of whatever its clients earn. In the past, the group has stated it wouldn’t attack certain industries or businesses that couldn’t afford the ransom. (The ethics of a self-policing criminal ransomware group is a topic for another day…)

Though the group’s ransomware was used in the Colonial Pipeline attack, the group appears to have blamed a criminal affiliate. On Monday, DarkSide posted, “We are apolitical, we do not participate in geopolitics. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

It has now been reported that, shortly after the attack, Colonial Pipeline paid the hackers nearly $5 million to regain access to its network, though as of this writing, the initial attack vector is still unknown and few official details have been released.(3)

On May 13, the company said operations had restarted. However, it could take days before the delivery supply chain is restored and operations return to normal.


Ransomware Attacks and ThreatWarrior

While not necessarily as sophisticated as some attacks organizations face today, ransomware poses a serious and growing threat. This form of malware encrypts a victim’s files and the group responsible demands a ransom payment before restoring the victim’s access to its data. Some also threaten to release a victim’s private data if they are not paid off, a situation the Washington D.C. police department is currently enduring.(4)

Ransomware attacks in general are easy for ThreatWarrior to detect, as there are many opportunities for anomaly detection across the Tactics, Techniques, and Procedures (TTPs) involved in the crime. And because these attacks are carried out by criminals, not nation-state actors, they use well-known, off-the-shelf Command and Control (C2) tools to coordinate their probes, and they rely primarily on tried-and-true known vulnerabilities instead of zero-day attacks.

After ransomware gangs find a way past perimeter security, they have to move laterally until they gain a foothold where they can escalate privileges. Then, they have to fan out over the network to find valuable data. With data in hand, they have to exfiltrate the pristine, readable copy for blackmail. Finally, they pull the trigger to encrypt the data for ransom. At each step, there are ways for ThreatWarrior’s multiple engines to detect the incursion, and, if the malware is known, our Continuous Deep Packet Inspection would catch it immediately.


Colonial Pipeline Ransomware Attack

DarkSide, the group that attacked Colonial Pipeline, is a good example of an unknown attack.(5) While the details of that breach are not yet public, researchers have documented the group’s modus operandi:

  • They often enter the perimeter through the VPN, which would give ThreatWarrior an opportunity to detect anomalous VPN traffic. Once they are inside, ThreatWarrior would have opportunities to see unusual external communication from C2 agents on impacted devices, as well as opportunities to perform deep packet inspection and match that traffic against signatures of C2 systems known to the threat intel community.
  • They escalate privileges using well known attacks like ZeroLogon and Mimikatz, which would provide more opportunities to detect anomalous traffic and match packets against known vulnerabilities.
  • Once they control the ground, the reconnaissance stage involves many unusual connections between devices on the network as well as IP scans, offering even more opportunities for anomaly detection.
  • Data exfiltration involves large volumes of data being sent to external IPs from devices which do not usually do that, creating yet more opportunities for anomaly detection.
  • Finally, when encryption is triggered, there is a flurry of activity as the command is sent to all the compromised devices. This is another opportunity for ThreatWarrior to alert due to anomalous activity from a ransomware attack.

All of these opportunities are missed if no one’s looking. That’s why the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency,(6) along with the Multi-State Information Sharing & Analysis Center,(7) urge all organizations to follow best practices to prevent ransomware:

  • “Detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.”
  • “Baseline and analyze network activity over a period of months to determine behavioral patterns so that normal, legitimate activity can be more easily distinguished from anomalous network activity.”

ThreatWarrior not only excels at both of these best practices; they are core capabilities of the platform.
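As an added illustration of the baselining practice quoted above and of the exfiltration and reconnaissance signals listed earlier (this is example code written for this page, not ThreatWarrior's own code), the script below builds a per-host baseline from constructed flow records and then flags a host whose review-day external upload volume, or whose number of never-before-seen internal peers, departs from its own history. The 10.0.0.0/8 corporate range, the thresholds and every host and byte count are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address space
# Constructed flow records (day, src_host, dst_ip, bytes_sent): days 1-3 form the
# baseline, day 4 is the day under review. Every host and volume here is made up.
FLOWS = [
    # workstation: a few MB/day to the internet plus one internal file server
    *[(d, "10.0.1.5", "198.51.100.20", 2_000_000) for d in (1, 2, 3)],
    *[(d, "10.0.1.5", "10.0.1.10", 50_000) for d in (1, 2, 3)],
    (1, "10.0.1.9", "198.51.100.50", 480_000_000),  # proxy: ~500 MB/day out is normal
    (2, "10.0.1.9", "198.51.100.50", 520_000_000),
    (3, "10.0.1.9", "198.51.100.50", 500_000_000),
    # day 4: the workstation uploads 800 MB to a new external IP and contacts
    # twelve internal hosts it never spoke to before (recon, then exfiltration)
    (4, "10.0.1.5", "203.0.113.7", 800_000_000),
    *[(4, "10.0.1.5", f"10.0.2.{n}", 4_000) for n in range(1, 13)],
    (4, "10.0.1.9", "198.51.100.50", 550_000_000),  # an ordinary proxy day
]

def is_external(ip):
    return ip_address(ip) not in INTERNAL

def summarize(flows, days):
    """Per host: external bytes per day (aligned with `days`) and the set of internal peers."""
    ext, peers = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, src, dst, nbytes in flows:
        if day in days and is_external(dst):
            ext[src][day] += nbytes
        elif day in days:
            peers[src].add(dst)
    return {h: [per_day.get(d, 0) for d in days] for h, per_day in ext.items()}, peers

def detect(flows, baseline_days, review_day, sigma=3.0, min_rel_std=0.1, new_peer_limit=5):
    """Flag hosts whose review-day behaviour departs from their own baseline."""
    base_ext, base_peers = summarize(flows, baseline_days)
    rev_ext, rev_peers = summarize(flows, (review_day,))
    alerts = []
    for host, [nbytes] in rev_ext.items():
        hist = base_ext.get(host, [0] * len(baseline_days))  # never seen uploading: any volume is new
        mu = mean(hist)
        sd = max(pstdev(hist), min_rel_std * mu)  # floor so a flat baseline still has a band
        if nbytes > mu + sigma * sd:
            alerts.append(("exfil_volume", host, nbytes))
    for host, seen in rev_peers.items():
        new_peers = seen - base_peers.get(host, set())
        if len(new_peers) > new_peer_limit:
            alerts.append(("lateral_fanout", host, len(new_peers)))
    return alerts
```

Running `detect(FLOWS, (1, 2, 3), 4)` flags the workstation twice (volume and fan-out) and leaves the proxy alone, because its 550 MB day sits inside the band its own history establishes.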

Additionally, this attack highlights a lesson learned from the SolarWinds attack: the importance of your security solutions remaining invisible on the network. If attackers can see the security solutions monitoring them, they can change methodologies, practice evasion methods or even attempt to disable or damage your security. ThreatWarrior sits passively on the network and is obscured from sight by the network switch, ensuring that you’ll see attackers but they won’t see ThreatWarrior.


President Biden’s Executive Order on Improving the Nation’s Cybersecurity

With cybersecurity catastrophes like this on the rise, organizations must be taking advanced and proactive measures to defend against them. We’ve seen example after example of just how damning cyber incidents can be.

President Joe Biden on Wednesday signed an Executive Order aimed at improving the nation’s cybersecurity.(8) The policies outlined ensure that the federal government will be taking “ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.” Private enterprises are encouraged to do the same.

Specific initiatives include:

  • Improving digital supply chain security.

ThreatWarrior’s take: Too much of an organization’s critical software is vulnerable to exploit. We must utilize solutions that can provide visibility into the software an organization uses, and security-by-design principles must become standard practices across all software development. ThreatWarrior identifies known threat signatures and anomalies in the digital supply chain, including in other security tools, to stop threats other solutions miss.

  • Modernizing and implementing stronger cybersecurity standards.

ThreatWarrior’s take: Organizations (especially the federal government and critical infrastructures) must modernize security standards and migrate to zero-trust security models. This makes it more important than ever that they have the ability to monitor their network for anomalous activity. Zero trust slows and restricts malware infections, but with zero visibility they will fester unseen. ThreatWarrior provides unprecedented visibility into all network activity to help stop threats as they happen.

  • Improving investigation and remediation capabilities.

ThreatWarrior’s take: The Executive Order creates cybersecurity event log requirements for federal departments and agencies. Poor logging and reporting hampers an organization’s ability to detect and mitigate intrusions, and determine the extent of an incident after the fact. With our network detection and response (NDR) solution, ThreatWarrior provides autonomous, consistent monitoring and reporting, and provides incident forensics and response capabilities that will help solve much of this problem.


It is only a matter of time before another attack like this happens. If the SolarWinds attack or other major hacks haven’t woken you up yet, this one should. Organizations must step up to the plate and put cybersecurity at the forefront, or risk suffering the same fate.

Contact ThreatWarrior to learn how we can help and, as always, stay vigilant.
