SANS NewsBites

Ransomware Attack Shuts Down Colonial Pipeline Operations; Insurer Stops Reimbursing Cyber Ransom Payments; Ransomware Exposes Personal Health Information

May 11, 2021  |  Volume XXIII - Issue #37

Top of the News


2021-05-10

Colonial Pipeline: Dragos CEO Rob Lee on Pipeline Ransomware Attack

Dragos CEO Rob Lee says that the Colonial Pipeline ransomware attack “is the largest impact on the energy system in the United States we've seen from a cyberattack, full stop.” Lee says that Dragos has observed increasing ransomware attacks targeting industrial control systems and elements of critical infrastructure.

Editor's Note

This attack is yet another reminder of how ransomware is out of control and is currently by far the largest threat facing organizations. Over the last few years, hundreds of millions in ransom payments have built a ransomware industry that in some cases dwarfs government budgets. This particular attack does, however, highlight another "supply chain" issue: the concentration of the flow of goods, be it shipments via the port of LA or the Suez Canal, a single pipeline being responsible for supplying refined gas to a large part of the US, or the small number of chip manufacturers. This concentration has caused bottlenecks and easily exploitable vulnerabilities in the supply chain that are easily leveraged by criminals or nation states to hold economies hostage.

Johannes Ullrich

This last year has shown a dramatic increase in disruptive attacks, many taking advantage of health care systems involved with Covid-19 research. In recent months a renewed interest in disrupting or taking critical infrastructure offline has emerged. This past year of remote work seems to have exposed added attack vectors, as well as shone a light on existing ones. Operators, public or private, need to review their systems to make sure that they are following security best practices, and engage an external assessor. Don’t wait for attackers or your regulator’s audit to discover issues which need addressing.

Lee Neely

This attack was motivated by money and has disrupted operations and, potentially, fuel supply and prices in the Northeast US. However, it is one more demonstration of the vulnerability of our infrastructure to adversarial nation states. The same breach could have been used to mis-operate the pipeline. "Security as usual," the state of the practice, is not getting the job done. We must increase the cost of attack against our systems tenfold. We know what needs to be done. What will it take to motivate us to do it?

William Hugh Murray

2021-05-10

Colonial Pipeline: Ransomware Attack Disrupts Pipeline Operations

Colonial Pipeline is working to recover from a ransomware attack. Colonial Pipeline operates a 5,500 mile pipeline that carries fuel from Texas to New Jersey; it accounts for nearly half of the fuel used on the East Coast of the US. Colonial Pipeline shut down operations after discovering the ransomware. The company says it hopes to restore a significant level of service by the end of the week.

Editor's Note

Connectivity is a double-edged sword. While it enables external services such as remote access or cloud-based monitoring/analysis, the risks and security of those connections must be carefully examined. Both NSA and CISA have been publishing OT security guidance lately for you to leverage. Also look at your IT operations’ impact on OT: can those OT services operate if your IT systems go down? Are you ready for this sort of event? Be sure that your incident response plan is current and tested regularly. Colonial Pipeline brought in help right away and took immediate action to contain the incident and protect systems from further damage, and is now following their recovery plan as well as spinning up teams to address customer, regulator, and public concerns.

Lee Neely

Details aren’t out yet, but the vast majority of successful ransomware attacks start with reusable passwords being obtained through phishing and other means. More recently, unsecure/unpatched remote access methods put in place during the pandemic have enabled direct attacks, as well. A December 2019 National Petroleum Council report submitted to the Department of Energy acknowledged that “The Council found that cyber threats to energy infrastructure control systems are increasing and security protections are being challenged due to increasing connectivity and growing malicious cyber activity,” but there does not seem to have been much progress forward on those essential security hygiene issues.

John Pescatore

2021-05-10

Colonial Pipeline: Government Response

At a White House press briefing on Monday, May 10, Press Secretary Jen Psaki, Homeland Security Advisor and Deputy National Security Advisor Dr. Liz Sherwood-Randall, and Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger spoke about the administration’s “whole-of-government” effort to help Colonial Pipeline. Dr. Sherwood-Randall noted that the attack “put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private-sector companies. When those companies are attacked, they serve as the first line of defense, and we depend on the effectiveness of their defenses.”

Editor's Note

It can cost three times as much to ship these fuels via rail car versus pipeline and even so the delivery capacity is lessened. If you have a critical service, is your fallback plan viable? Is the difference in cost and delivery acceptable? Do your customers see your service at the same level as criticality as you do? All of these need to be aligned. Build relationships with your regulator, law enforcement and cyber security firms now, while you don’t need them. Leverage any guidance they can offer. When is the last time you engaged a new external assessment team?

Lee Neely

2021-05-10

Colonial Pipeline: Regional Emergency Declaration

In the wake of the ransomware attack that has disrupted operations of a major fuel pipeline in the US, the US Federal Motor Carrier Safety Administration (FMCSA) has issued a regional emergency declaration. The directive relaxes rules for transporting fuel, allowing truck drivers to work longer hours to transport fuel. Colonial Pipeline delivers approximately 45 percent of fuel used on the East Coast of the US. The directive applies to drivers in 17 states and the District of Columbia. FMCSA is an agency of the US Department of Transportation (USDOT).


2021-05-10

Colonial Pipeline: Darkside Ransomware Group

The FBI has confirmed that a ransomware group known as DarkSide is responsible for the attack affecting Colonial Pipeline. DarkSide has been operating since at least August 2020 and operates as ransomware-as-a-service. The group is believed to be operating in Eastern Europe or Russia, and has targeted mainly English-speaking organizations.

The Rest of the Week's News


2021-05-10

Insurer Will No Longer Reimburse Ransomware Payments in France

French insurance company AXA will no longer write policies that reimburse customers in France for ransomware payments. AXA will still cover clean-up costs for ransomware attacks, and the change does not affect existing policies. The decision was made in response to concerns expressed by French government officials. In a separate, related story, an insurance company refused to cover the cost of a ransom paid by an Indiana oil company.

Editor's Note

See my comment above. This is a good thing. Ransomware has become as big as it is now due to cyber insurance payments feeding the development of new and more sophisticated ransomware.

Johannes Ullrich

Attackers are leveraging the trend of ransomware payouts through the victim’s cyber insurance provider becoming a sure bet. Note the September 2020 report from insurance provider Coalition, which showed a 260% increase in ransomware attacks among their policyholders and that 41% of all cyber insurance claims in the first half of 2020 were ransomware incidents. There is a larger call to de-incentivize ransomware, reducing the avenues of a sure payout. If you want to retain the option with your insurance provider into the future, expect a significant increase in premiums. It is time to revisit your cyber insurance risk assessment based on input from your provider.

Lee Neely

SANS instructor Ben Wright and I are doing a May 20th webinar around ransomware and cyberinsurance: https://www.sans.org/webcasts/avoiding-minimizing-ransomware-impact-bottom-line-118430.

John Pescatore

One hopes that their competitors will follow suit. Reliance on insurance to pay extortion has become a moral hazard. This is a risk that must be mitigated, not merely accepted or assigned.

William Hugh Murray

2021-05-10

CaptureRx Discloses Ransomware Attack

CaptureRx, a 340B drug pricing administrative services provider, recently disclosed that a ransomware attack compromised protected health information. The incident affected health care organizations in Pennsylvania, New York, and Vermont. CaptureRx notified affected healthcare organizations and assisted them with notifying affected patients. Compromised data include names, dates of birth, prescription information, and in some cases, medical record numbers.

Editor's Note

This is third-party risk realized. When using a shared service, verify and accept the protections between client datasets as these can range from a field tag in a shared database to completely separate systems. Also understand who can access your data and how. Prefer solutions where your data is encrypted with different keys from other customers, ideally using keys you manage. Make sure you have adequate cyber provisions, including incident response, indemnification, and flow-down of your information protection requirements. Have your legal team not only review these provisions to ensure you both agree on what they mean, but also engage them on any pushback during contract negotiations.

Lee Neely

Four years into extortion attacks, disproportionately targeting healthcare, there is simply no excuse for this. We really need to up our game. We have been focusing on threat intelligence but not using what it is telling us. We must increase the cost of attack across all systems and industry segments.

William Hugh Murray

2021-05-08

NCSC, CISA, FBI and NSA: Russian Threat Actors’ TTPs

The UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA have issued a joint alert listing the tactics, techniques, and procedures (TTPs) that Russian cyber threat actors are using. The report details 12 critical vulnerabilities that the threat actor group is currently exploiting.

Editor's Note

The appendix to the report includes Snort and Yara rules you need to incorporate into your defenses. While your SOC is doing that, read the Mitigation Advice and Further guidance to make sure that you’re covered. The advice is relevant for many attackers, not just the Russian cyber threat actors. There should be no reason not to implement these mitigations and protections.

Lee Neely

Post-SolarWinds, and after many of the Exchange servers were patched, some threat actors had to find new ways to gain access to networks. This is a good thing. Cycling TTPs is expensive and risky for a threat actor, as it diminishes their arsenal of vulnerabilities and risks discovery through the use of less proven and familiar attack techniques.

Johannes Ullrich

2021-05-10

Australian Parliamentary Services Shut Down MDM System to Protect It

A March outage affecting Australia’s Department of Parliamentary Services (DPS) was due to the department’s decision to take down its mobile device management system following an intrusion on the parliamentary network. The attack did not shut down the MDM system. DPS disclosed the new information in response to written questions from members of Parliament.

Editor's Note

One of the costs of incidents is downtime, and too often downtime is caused by the response to the incident, not just by the attack. There are many software components or services that are similar to electricity: backups and workarounds need to be tested in advance (and regularly), just as UPS switchovers are tested.

John Pescatore

2021-05-07

NCSC Smart City Cybersecurity Guidance

The UK’s National Cyber Security Centre (NCSC) has published guidance for municipalities implementing smart city services, including public services like healthcare and emergency services, transportation services, and traffic light and streetlight management. The Connected Places Cyber Security Principles “recommends a set of cyber security principles that will help ensure the security of a connected place and its underlying infrastructure, so that it is both more resilient to cyber attack and easier to manage.”

Editor's Note

This guidance includes references to other standards and best practices, provides a holistic approach to securing OT, and has broad applicability beyond a city or the UK. Use this not only when designing new systems but also when reviewing existing implementations.

Lee Neely

It is nice for these agencies to be on record. However, the problem is not that we do not know what to do but that we lack the will to do it.

William Hugh Murray

2021-05-10

Scripps Health Still Operating Under EHR Downtime

California’s Scripps Health is still operating under electronic health record (EHR) downtime following a ransomware attack that hit its servers earlier this month. The Scripps Health website and patient portal remain unavailable. The California Department of Public Health says that the Scripps “hospitals are operational and caring for patients using appropriate emergency protocols in inpatient areas.”


2021-05-10

Ransomware Attack Disrupts Tulsa, Oklahoma Online Services

The city of Tulsa, Oklahoma, is recovering from a ransomware attack. The incident began over the weekend; the city made the decision to shut down systems to prevent the malware from spreading. Emergency response services, including 911, are not affected. Online services such as utility billing and bill payments are not available, but the city’s phone system is operating.

Internet Storm Center Tech Corner

Who is Probing the Internet for Research Purposes?

https://isc.sans.edu/forums/diary/Who+is+Probing+the+Internet+for+Research+Purposes/27400/


Validating IP Addresses: Why Encoding Matters

https://isc.sans.edu/forums/diary/Correctly+Validating+IP+Addresses+Why+encoding+matters+for+input+validation/27404/


Cycle Hunter and tsuNAME DDoS Attack

https://github.com/SIDN/CycleHunter

https://tsuname.io/tech_report.pdf


Foxit Reader / Phantom PDF Vulnerabilities

https://www.foxitsoftware.com/support/security-bulletins.html?Security+updates+available+in+Foxit+Reader+10.1.4+and+Foxit+PhantomPDF+10.1.4

2021-05-06


Hypocrite Patches Reviewed By Linux Foundation

https://lore.kernel.org/lkml/202104221451.292A6ED4@keescook/


Jail Breaking AirTags

https://twitter.com/ghidraninja/status/1391148503196438529


Malicious Tor Exit Relay Activities

https://nusenu.medium.com/tracking-one-year-of-malicious-tor-exit-relay-activities-part-ii-85c80875c5df