What Did We Learn From The Colonial Pipeline Cyberattack?

It's hard to believe, but it's been a year since the Colonial Pipeline ransomware attack. In case your memory's fuzzy, this incident completely shut down the largest fuel pipeline in the United States, causing gas shortages across the East Coast. It was the perfect demonstration that cybersecurity doesn't merely exist between strings of binary code; it has real-world implications. Although the gas shortage was brief and the ransom payment recovered, significant incidents like this should serve as teaching tools to develop a better cybersecurity posture and harden defenses.

Roger Koehler, Huntress's VP of ThreatOps, recently shared his thoughts on the incident and the top lessons we should have learned from it. Here's what he had to say:

Lesson #1: It doesn't matter if you're a small business or enterprise. You are a target.

One of the biggest mistakes businesses (and individuals) make is assuming threat actors won't waste their time chasing them. Typically, small businesses and individuals have less money than larger enterprises; therefore, folks at these smaller organizations believe that hackers will follow the money.

The reality is quite the opposite.

Those large enterprises usually do have more money, meaning they can invest in fancier and better cybersecurity tools to keep their assets safe. They can afford to hire experts to monitor their environments. So, while a hacker might need to spin a few cycles to make her way into the environments of these large enterprises, it might only take a few clicks to take down Charlotte's Ice Cream Shop up the street.

Whether you operate a meat factory, a university, or a small business, you are a potential target. Sometimes, an attack is just a crime of opportunity, much like we saw with log4j, where attackers were scanning and hacking any vulnerable devices they found. Other times, attacks are targeted, as we saw with VMware Horizon. The point is, no one is immune, not even a gas pipeline.

Lesson #2: Attackers will find (and exploit) the weakest link.

The culprit of the Colonial Pipeline ransomware attack? A single password to a virtual private network (VPN) account. The real knife twister is that the account in question wasn't even being used at the time of the attack, but it could still access the network.

The point here is closely related to our first lesson: hackers are lazy but efficient and are fans of targeting the weakest link. Sure, they could consistently go after an organization's most critical assets (such as their servers), but why go through all that hassle when there's a much easier route to gain entry?

And sometimes, that route is as simple as sending a phishing email.

For this reason, layered security is such a critical component of any modern cybersecurity stack. It's harder to detect an attacker moving laterally within a network once she gains access. A stack that includes detection and response capabilities to find and evict hackers can make all the difference in how detrimental an attack is.
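The weak link described in this lesson, an enabled but unused VPN account with a password and no second factor, is something a defender can check for routinely. The script below is an added example, not code from the article, Huntress, or Pendello Solutions. It assumes a constructed account export and a constructed VPN authentication log format (`timestamp vpn auth user=... result=... src=...`), and it treats 90 days without a successful login as dormant; both the format and the threshold are assumptions you would replace with your own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the article): an export of accounts that
# are allowed to use the VPN, and a few VPN authentication log lines.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "mfa": True},
    {"user": "bob", "enabled": True, "mfa": False},
    {"user": "contractor01", "enabled": True, "mfa": False},  # long gone, never disabled
    {"user": "dave", "enabled": False, "mfa": False},         # already disabled
]

VPN_LOG = """\
2022-04-28T08:15:02Z vpn auth user=alice result=success src=198.51.100.10
2022-04-28T08:20:41Z vpn auth user=bob result=success src=198.51.100.22
2022-01-03T17:02:11Z vpn auth user=contractor01 result=success src=203.0.113.5
2022-04-27T23:59:59Z vpn auth user=contractor01 result=failure src=203.0.113.77
"""

# Assumed cut-off: an enabled account with no successful login in this many
# days is treated as dormant.
MAX_IDLE_DAYS = 90


def parse_vpn_log(text):
    """Return {user: most recent successful login} as timezone-aware datetimes.

    Only successful authentications count: a failed attempt against a dormant
    account is a reason to look harder, not evidence the account is in use.
    """
    last_success = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[1:3] != ["vpn", "auth"]:
            continue  # skip lines that are not in the assumed format
        when = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in tokens[3:] if "=" in kv)
        if fields.get("result") != "success" or "user" not in fields:
            continue
        user = fields["user"]
        if user not in last_success or when > last_success[user]:
            last_success[user] = when
    return last_success


def audit_vpn_accounts(accounts, last_success, as_of, max_idle_days=MAX_IDLE_DAYS):
    """Flag enabled accounts that are dormant, never used, or lack MFA.

    Returns a list of (user, [issue, ...]) for every enabled account with at
    least one issue; disabled accounts are skipped because they cannot log in.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        issues = []
        last = last_success.get(acct["user"])
        if last is None:
            issues.append("never logged in")
        elif last < cutoff:
            issues.append(f"dormant for {(as_of - last).days} days")
        if not acct["mfa"]:
            issues.append("no MFA")
        if issues:
            findings.append((acct["user"], issues))
    return findings


def run_audit(as_of=datetime(2022, 4, 29, tzinfo=timezone.utc)):
    """Run the audit over the constructed sample data and return the findings."""
    return audit_vpn_accounts(ACCOUNTS, parse_vpn_log(VPN_LOG), as_of)


if __name__ == "__main__":
    for user, issues in run_audit():
        print(f"{user}: {', '.join(issues)}")
```

On the sample data the audit reports `bob` for missing MFA and `contractor01` as both dormant and lacking MFA, while `alice` is clean and the already-disabled `dave` is skipped. The remediation the lesson implies is to disable dormant accounts and require MFA on the rest; the audit is only useful if it runs on a schedule rather than once.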

Lesson #3: Attackers are agile. Defenders need to be, too.

Oh, to be as ambitious as an attacker...

Their success correlates to constantly leveling up their cyber knowledge. They study their adversaries (that's us) and the tools we use, learning how to circumvent them, and they're good at it. They are masters at defense evasion. Hackers embrace that they will be lifelong learners as long as defenders keep defending. That is why we can't just keep pace with today's hackers. We must think ahead, continue to upskill, and question the status quo in order to improve it. We must be on the lookout for new threats and actively learn how to combat them.

Learn More:

If you're reading this, I hope your takeaway from this reflective piece is simply to exercise caution. No business is too small or unknown to be a dangling carrot for today's threat actors.

Take reasonable steps, such as implementing multi-factor authentication (MFA) and using (never reusing!) strong passwords. If attackers target you and realize you're going to present more of a challenge than anticipated, they will likely move on to the next "weakest link." The most important point, though, is that cybersecurity is constantly changing and will continue to. This is why you must have an experienced security team on your side. Let Pendello Solutions be that partner, and be sure to contact us today!