The Colonial Pipeline ransomware attack a year on: 5 lessons for security teams



Today marks the one-year anniversary of the Colonial Pipeline ransomware attack, one of the largest cyberattacks in recent history, in which a threat actor known as DarkSide used a single compromised password to gain access to the internal network of one of the largest pipeline operators in the United States.

During the attack, when the hackers began encrypting the organization’s data, Colonial responded by taking its systems offline to contain the threat to the pipeline. This temporarily shut down pipeline operations, and the company ended up paying a $4.4 million ransom.

A year on from the Colonial Pipeline attack, ransomware remains an existential threat to modern enterprises, and with ransomware attacks on the rise, organizations need to be prepared.

The good news is that the range of security controls organizations can implement to protect themselves against these pervasive threats keeps growing.

Use a zero-trust architecture

Login credentials are one of the main targets of cybercriminals. As a result, it is increasingly important for security teams to implement zero-trust authentication, making it harder for unauthorized users to log in with compromised credentials.

“The Colonial Pipeline ransomware attack was another high-profile example of taking advantage of compromised credentials to exploit previously protected infrastructure. As a result, security protocols need to be developed to keep pace with dynamic threats in distributed computing environments,” said Gal Helemski, co-founder and CTO of identity access management provider PlainID.

Helemski suggests that organizations can avoid becoming victims of similar attacks by implementing a zero-trust architecture that extends network access security throughout the entire lifecycle of the digital journey.

Implement strong incident detection and response capabilities

One of the biggest factors determining the overall impact of a ransomware breach is how long it takes the organization to respond. The slower the response, the more time cybercriminals have to locate and encrypt important data assets.

“Colonial was a turning point for public and private sector infrastructure security, but organizations need to be vigilant to stay one step ahead of cyber-attackers,” said Neil Jones, cybersecurity evangelist at ransomware detection and recovery platform Egnyte.

In practice, this means developing a comprehensive incident response plan, deploying solutions with ransomware detection and recovery capabilities, and training employees in cybersecurity awareness, including how to follow effective data security policies such as strong passwords and multi-factor authentication.

Don’t rely on backup and recovery solutions to keep data safe

Many organizations try to protect themselves from the dangers of ransomware by relying on data backup and recovery solutions. While this may look like an effective defense on paper, ransomware attackers have begun threatening to leak the data they have encrypted if the victim organization does not pay the ransom.

Instead of relying on encryption at rest, which attackers can bypass with compromised credentials, Arti Raman, CEO and founder of encryption-in-use provider Titaniam, recommends that organizations move to data-in-use protection.

“With encryption-in-use data protection, adversaries must break through perimeter security infrastructure and access parameters, [and] structured as well as unstructured data will [be] unusable to unauthorized and malicious actors, making digital extortion significantly more difficult, if not impossible,” said Raman.

Take inventory of your attack surface

With so many advanced threat actors targeting modern organizations with ransomware, technical decision makers and security teams need a complete inventory of which systems are exposed to external threat actors and what data they contain.

“As the U.S. government moves to promote national cybersecurity, organizations must take an active approach to protecting their own assets, and here’s the benefit: response,” said Aaron Sandeen, CEO and co-founder of managed security services organization Cyber Security Works.

“By conducting a complete system inventory, either independently or by outsourcing it to a vulnerability management company, organizations expand their cybersecurity visibility into known and unknown exploits,” Sandeen said.

While the group behind the Colonial Pipeline attack has gone inactive, Sandeen warns that enterprises must be prepared for a growing number of exploits, vulnerabilities and APT threat actors, “which will require security leaders providing predictive and exploratory assistance in classifying and eliminating ransomware threats.”
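The inventory step above is only useful if it is reconciled against what is actually reachable from outside. The script below is an added example, not code from the article or from any vendor it quotes: it compares a constructed asset inventory (what the organization believes is exposed) with constructed external scan output (what is actually listening) and reports unknown hosts, services exposed without approval, high-risk services, and inventoried hosts that no longer appear in the scan. All addresses, owners and port lists are placeholders.

```python
"""Reconcile an asset inventory with observed external exposure.

Added example, not code from the article or any vendor named in it. The
inventory, the scan results and the risk list below are constructed and
the addresses (203.0.113.0/24 documentation range) are placeholders.
"""

# Constructed asset inventory: ip -> owner team and the ports approved for
# internet exposure. In practice this would come from a CMDB or cloud API.
INVENTORY = {
    "203.0.113.10": {"owner": "web", "services": {443}},
    "203.0.113.11": {"owner": "web", "services": {80, 443}},
    "203.0.113.20": {"owner": "ops", "services": {22}},
    "203.0.113.30": {"owner": "ops", "services": {443}},   # not seen in scan
}

# Constructed external scan output: one "ip port service" line per open port.
SCAN_RESULTS = """\
203.0.113.10 443 https
203.0.113.11 80 http
203.0.113.11 443 https
203.0.113.11 3389 ms-wbt-server
203.0.113.20 22 ssh
203.0.113.20 5900 vnc
203.0.113.42 443 https
203.0.113.42 3306 mysql
"""

# Services this example treats as never acceptable on the internet edge.
HIGH_RISK_PORTS = {23: "Telnet", 445: "SMB", 3306: "MySQL", 3389: "RDP", 5900: "VNC"}


def parse_scan(text):
    """Parse scan lines into {ip: {port: service}}."""
    exposed = {}
    for line in text.strip().splitlines():
        ip, port, service = line.split()
        exposed.setdefault(ip, {})[int(port)] = service
    return exposed


def reconcile(inventory, exposed):
    """Compare inventory with observed exposure and return a findings dict.

    unknown_hosts:       reachable hosts with no inventory record at all
    unapproved_services: inventoried hosts exposing a port not on their approved list
    high_risk:           any host exposing a port from HIGH_RISK_PORTS
    stale_inventory:     inventoried hosts that the scan did not see (decommissioned,
                         firewalled, or a scan gap; either way worth confirming)
    """
    findings = {"unknown_hosts": [], "unapproved_services": [],
                "high_risk": [], "stale_inventory": []}
    for ip, ports in sorted(exposed.items()):
        record = inventory.get(ip)
        if record is None:
            findings["unknown_hosts"].append(ip)
        for port, service in sorted(ports.items()):
            if record is not None and port not in record["services"]:
                findings["unapproved_services"].append((ip, port, service))
            if port in HIGH_RISK_PORTS:
                findings["high_risk"].append((ip, port, HIGH_RISK_PORTS[port]))
    for ip in sorted(inventory):
        if ip not in exposed:
            findings["stale_inventory"].append(ip)
    return findings


def run_sample():
    """Run the reconciliation over the constructed data."""
    return reconcile(INVENTORY, parse_scan(SCAN_RESULTS))


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(category)
        for item in items:
            print("  ", item)
```

Each category maps to a different follow-up: an unknown host needs an owner before anything else, an unapproved service needs either a firewall change or an inventory update, a high-risk exposure is the first thing to close regardless of ownership, and a stale record is a prompt to verify whether the asset was retired or the scan simply missed it.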

Use identity management solutions to detect anomalous user activity

In an age of employees working remotely and using personal devices to access enterprise resources, the risk of data theft is higher than ever. “Most of the breaches we hear about in the news rely on automated access control and are the result of the user realizing too late that they have been hijacked.

“Once the account is compromised, it can be extremely difficult to detect identity-based fraud, given the sophisticated tactics and noise of various crime groups such as LAPSUS$ and Conti,” said Gunnar Peterson, CISO of trust platform Forter.

For this reason, organizations need the ability to identify anomalous user activity in order to detect account takeovers, which Peterson says can be achieved with an AI-powered identity management solution that includes anomaly detection.
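The kind of account-takeover signal Peterson describes does not have to start with an AI product; the rule-based baseline below shows what "anomalous user activity" concretely means. This is an added example, not code from the article or from Forter: it reads a constructed authentication log (user, UTC timestamp, source country, device fingerprint, result), learns each user's known countries and devices from prior successful logins, and flags three patterns: a success from both a new country and a new device, two countries within an implausibly short window, and a success that follows a burst of failures. The thresholds and the log lines are assumptions chosen for the demonstration.

```python
"""Flag anomalous login activity that may indicate account takeover.

Added example, not code from the article or any vendor named in it. The log
format, the thresholds and every event below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format: user,timestamp,country,device,result
SAMPLE_LOG = """\
alice,2022-05-01T08:02:11Z,US,dev-a1,success
alice,2022-05-02T08:10:43Z,US,dev-a1,success
alice,2022-05-03T07:58:01Z,US,dev-a1,success
alice,2022-05-04T09:15:30Z,US,dev-a1,success
alice,2022-05-05T03:41:12Z,RU,dev-zz9,success
bob,2022-05-01T12:00:00Z,DE,dev-b7,success
bob,2022-05-02T12:05:00Z,DE,dev-b7,success
bob,2022-05-03T12:10:00Z,DE,dev-b7,success
bob,2022-05-04T12:00:00Z,DE,dev-b7,success
bob,2022-05-04T12:30:00Z,BR,dev-b7,success
carol,2022-05-04T22:00:00Z,FR,dev-c3,failure
carol,2022-05-04T22:00:05Z,FR,dev-c3,failure
carol,2022-05-04T22:00:10Z,FR,dev-c3,failure
carol,2022-05-04T22:00:15Z,FR,dev-c3,failure
carol,2022-05-04T22:00:20Z,FR,dev-c3,failure
carol,2022-05-04T22:00:25Z,FR,dev-c3,failure
carol,2022-05-04T22:01:00Z,FR,dev-c3,success
"""

# Assumed thresholds; tune against real login telemetry before relying on them.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)   # two countries within this window
BRUTE_FORCE_THRESHOLD = 5                        # failures before a success
BRUTE_FORCE_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse CSV log lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        user, ts, country, device, result = line.split(",")
        events.append({"user": user,
                       "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "country": country, "device": device, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events):
    """Return a list of (user, timestamp, reason) findings in time order."""
    findings = []
    known_countries = defaultdict(set)   # per-user baseline learned from successes
    known_devices = defaultdict(set)
    last_success = {}                    # user -> {"ts", "country"}
    recent_failures = defaultdict(list)  # user -> timestamps of failures since last success

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] == "failure":
            recent_failures[user].append(ts)
            continue

        # 1. Success after a burst of failures (credential guessing that landed).
        fails = [t for t in recent_failures[user] if ts - t <= BRUTE_FORCE_WINDOW]
        if len(fails) >= BRUTE_FORCE_THRESHOLD:
            findings.append((user, ts, "success after %d failures" % len(fails)))
        recent_failures[user] = []

        # 2. Impossible travel: different country too soon after the last success.
        prev = last_success.get(user)
        if prev and prev["country"] != e["country"] \
                and ts - prev["ts"] <= IMPOSSIBLE_TRAVEL_WINDOW:
            findings.append((user, ts, "impossible travel %s->%s"
                             % (prev["country"], e["country"])))

        # 3. New country and new device at once, once a baseline exists.
        if known_countries[user] and e["country"] not in known_countries[user] \
                and e["device"] not in known_devices[user]:
            findings.append((user, ts, "new country and new device"))

        known_countries[user].add(e["country"])
        known_devices[user].add(e["device"])
        last_success[user] = {"ts": ts, "country": e["country"]}
    return findings


def run_sample():
    """Run detection over the constructed log."""
    return detect_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, ts, reason in run_sample():
        print(ts.isoformat(), user, reason)
```

Rule 3 deliberately requires both a new country and a new device, because a travelling employee on a known laptop should not page the on-call analyst; that trade-off between false positives and missed takeovers is exactly where the learned-baseline products Peterson refers to try to do better than fixed thresholds.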
