Colonial Pipeline Attack Drives New Mandates for Cyber Resiliency

Protection 05-21-2021

I recently posted a meme showing a post-apocalyptic future scape in which resources like gasoline were incredibly scarce and valuable with the words “Ransomware? What’s the worst that could happen?” Obviously, the meme was a little tongue-in-cheek, but the fact is the threat is real and not always taken seriously. The most recent example, the Colonial Pipeline attack, which caused panic buying of gasoline that led to shortages and even to injuries from improper handling of that gasoline, is a clear case to examine. The Colonial Pipeline event illustrates that the impact of ransomware can, does, and will go beyond simple IT system downtime; the ripples of an attack can shift markets, impact infrastructure, and even lead to action at the highest levels of government.

In the wake of the pipeline attack and other events like the SolarWinds attack, the executive branch has taken action in the form of an executive order (EO), which covers several cybersecurity concepts. For brevity, I will narrow the focus to just two of the key points. First is the requirement to Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. Elements of this include (but are not limited to) zero-trust architecture, encryption at all stages of the data life cycle, and multifactor authentication. At Veritas, we take zero-trust further to zero-security with the basic idea that even the most effective endpoint security will be breached. It is important to have a plan for when this happens. For more information on this particular point, refer to my earlier blog on the subject here.

Proactive encryption of data is a key step in ransomware resiliency for a couple of important reasons. First, one vector for an attack on an environment is a man-in-the-middle attack that reads transmitted data for information, including credentials for accessing systems. Second, unencrypted data at rest can be used for further extortion beyond the ransomware itself: exposure of sensitive information can lead to fines, trade secrets could be shared with competitors, and at the extreme, strategic defense information could be passed to hostile foreign agents. This is why it is so critical that every aspect of an environment has encryption both in transit and at rest; this covers production servers but, of course, extends to backup operations and even archived data.

Multifactor authentication (MFA), mentioned directly in the EO, coupled with role-based access control (RBAC), can help mitigate one of the most commonly used vectors in ransomware attacks, namely phishing. MFA helps ensure that even if one set of credentials is compromised, it doesn’t necessarily grant access to all systems and data, slowing down or perhaps even preventing an infiltration event. RBAC acts as compartmentalization, ensuring that even if a set of credentials is compromised, the impact on an environment can be contained to only a few systems and files instead of the entire environment.

The other aspect of the EO I wanted to touch on was the call to Create a Standard Playbook for Responding to Cyber Incidents. The federal government plans on creating a playbook for federal agencies that will also act as a template for the private sector. Having a reference architecture for organizations of all types and sizes to follow will help remove confusion and encourage action on resiliency. I covered some key steps for any playbook a few months ago in a couple of blogs here and here but to sum up some key points:

  • Digital Runbook: Having a plan on paper is a start, but having a digital plan that can be easily viewed and executed with a single click is essential. The more complex a plan is to run, the longer it will take to recover from an attack.
  • Test, Test, Test: Testing ensures your plan will work when you need it. Initial testing is important to ensure all aspects of the plan work, but IT environments are constantly in flux, so it is critical to test regularly.
  • Remove Single Points of Failure: The 3-2-1 practice is the idea that you should have 3 or more copies of your data so that any single failure doesn’t derail your plan, at least 2 distinct storage mediums so a vulnerability in one doesn’t compromise all of your copies, and at least 1 offsite or even air-gapped copy so that you have options should an attack take out an entire data center.
  • Have Options for Rapid Recovery: When an attack takes down an entire data center, recovery can be slowed by compounded challenges around hardware, network, workloads, and the data itself. Having an alternative option such as rapidly standing up a data center on a public cloud provider can shorten downtime and provide alternatives to paying a ransom.
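To make the “Remove Single Points of Failure” point concrete, here is an added example (not code from the original post and not a Veritas product feature) that checks a backup inventory against the 3-2-1 practice and then generalizes it slightly: rather than only counting copies, it enumerates every single site or medium whose loss would leave no copy at all. The inventory below is constructed for illustration; the field names and the two sample plans are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set. The production copy itself counts as one of the 3."""
    name: str
    medium: str          # e.g. "disk", "tape", "object-storage"
    location: str        # site or provider holding the copy
    offsite: bool        # kept away from the primary data center
    air_gapped: bool     # not reachable over the network from production
    encrypted_at_rest: bool


def check_321(copies):
    """Return the three 3-2-1 findings; True means the rule is satisfied."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        # an air-gapped copy satisfies the "1" even if it sits on-premises
        "one_offsite": any(c.offsite or c.air_gapped for c in copies),
    }


def single_points_of_failure(copies):
    """List single failures (one site lost, or one medium compromised) that
    would leave no surviving copy. An empty list means no single failure
    derails the plan."""
    findings = []
    for attr in ("location", "medium"):
        for value in sorted({getattr(c, attr) for c in copies}):
            survivors = [c for c in copies if getattr(c, attr) != value]
            if not survivors:
                findings.append(f"losing {attr} '{value}' leaves no copy")
    return findings


def unencrypted_copies(copies):
    """Names of copies that are not encrypted at rest (an extortion exposure)."""
    return [c.name for c in copies if not c.encrypted_at_rest]


def plan_is_resilient(copies):
    """Overall verdict: 3-2-1 satisfied, no single point of failure, all encrypted."""
    return (all(check_321(copies).values())
            and not single_points_of_failure(copies)
            and not unencrypted_copies(copies))


# Constructed sample plans (hypothetical sites and media).
WEAK_PLAN = [
    BackupCopy("prod-volume", "disk", "HQ", offsite=False, air_gapped=False, encrypted_at_rest=True),
    BackupCopy("nightly-snapshot", "disk", "HQ", offsite=False, air_gapped=False, encrypted_at_rest=False),
]

STRONG_PLAN = [
    BackupCopy("prod-volume", "disk", "HQ", offsite=False, air_gapped=False, encrypted_at_rest=True),
    BackupCopy("weekly-tape", "tape", "offsite-vault", offsite=True, air_gapped=True, encrypted_at_rest=True),
    BackupCopy("cloud-copy", "object-storage", "cloud-region-1", offsite=True, air_gapped=False, encrypted_at_rest=True),
]


if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("strong", STRONG_PLAN)):
        print(label, check_321(plan), single_points_of_failure(plan),
              unencrypted_copies(plan), plan_is_resilient(plan))
```

Running this against the weak plan reports that every one of the three 3-2-1 checks fails, that losing the HQ site or a disk-level compromise wipes out all copies, and that the snapshot is unencrypted; the strong plan passes all checks. The same inventory can feed a digital runbook, so the checks run on the schedule the “Test, Test, Test” point calls for rather than once.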

The last key takeaway from the Colonial Pipeline attack I wish to highlight is the challenge around decryption. I often say that while there is a clear financial incentive for black hat actors of all kinds to create strong tools for finding weaknesses and encrypting data, they don’t have the same incentive to ensure that the tools for decrypting data function as well. As a result, we see an uneven ability to deliver on the promise of relief if a ransom is paid, as we can see from Bloomberg:

“Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.”

This is why it is so vitally important to have a sound backup plan before an attack, practice executing restores on a regular basis, and have as many options for recovery as possible.