The Colonial Pipeline and WannaCry attacks provided plenty of lessons on how to create a better security strategy, members of Protocol's Braintrust say.
Good afternoon! In today's Braintrust, we asked the experts to consider the ransomware attacks that have been in the headlines and share what they thought the lessons from them were. Questions or comments? Send us a note at firstname.lastname@example.org
Director of Strategic Threat at Darktrace
While executives can learn from any cyberattack against any industry, the lessons gleaned from attacks on critical infrastructure are most influential. The ransomware attack on Colonial Pipeline was a watershed moment for security professionals and business executives.
First, it demonstrated to leaders that ransomware could disrupt business operations beyond data encryption and exfiltration. Ransomware can threaten business operations in both IT and OT environments. Because many OT systems depend on IT, an IT cyberattack can also force the disruption of OT and ICS processes.
Second, this attack was the first example for many Americans that demonstrated how cyberattacks might impact daily life (e.g., shut down gas stations, increased prices, lines at the pump). Cyberattacks against critical infrastructure and utilities have the potential to disrupt supply chains, harm the environment and even threaten human life. It forced company leaders to think critically about their responsibilities for security.
Third, the attack highlighted that paying a ransomware actor does not immediately translate into returning to normal business. Resolving issues and resuming full operations can take days or weeks. Colonial Pipeline paid the ransom, but the decrypting tool DarkSide provided was so slow that Colonial used its own backups to restore the system.
Finally, the attack marked a critical lesson for all: There must be higher expectations and new requirements for reporting, customer notifications and executive responsibility after a successful ransomware attack. Case in point: Biden’s cybersecurity executive order came days after the crippling incident and shortly before Colonial Pipeline’s CEO testified before Congress.
Chief Product Officer at Arctic Wolf
I’m going to cheat and pick two because I think these two examples fundamentally changed the landscape of cyber and the attention that executives now pay to it. The first is WannaCry – it was really the launching point for ransomware entering the mainstream news cycle, C-suites, and boardrooms for a variety of reasons. The primary reason was the sheer breadth of the impact because it spanned the globe, across all industries, and how rapidly it spread within an organization. Defense technologies were mostly ineffective as this was a zero-day Windows kernel exploit and therefore was highly impactful to those infected by it. The aftermath resulted in the need for better defensive technologies.
The second is the SolarWinds attack. If WannaCry introduced ransomware to the mainstream, SolarWinds brought the sophistication of the adversary to mainstream attention. By infiltrating SolarWinds, attackers showed how to compromise servers and exploit the technology supply chain to deliver ransomware from a trusted source. With this evolution in attack methods, the result showed leadership that even great defensive technologies are insufficient in stopping attacks, and ultimately having a robust, comprehensive security operation is critical to a company’s defense.
Vice President, Security Business & Strategy at Juniper Networks
The Kaseya service chain compromise in summer of 2021 drove home the lesson that organizations are only as secure as their service providers. With 50 managed services providers compromised via Kaseya VSA, the REvil ransomware group responsible for the Kaseya compromise was able to impact more than 1000 organizations and demanded a ransom of $70M.
In general, the increase in ransomware and the media’s coverage of its impact since the onset of the pandemic has led to more security-focused discussions in the board room. Although successful ransomware attacks have been happening for years, we’ve seen a sharp increase in focus on preventing such attacks – not just by the technical decision-makers, but also by business leaders.
Kaseya, in particular, helped business leaders better understand the impact-to-compromise ratio, not just financially, but including brand perception and customer trust. Many security teams within organizations now have a presence at executive and board levels, and we’ve seen security budgets remain stable – and even grow – when other budgets shrink. Business leaders understand that compromise is inevitable, but the impact of compromise can controlled given the right tool, technology and planning. Specifically, we see a greater focus on implementing Zero Trust, especially within the data center, to limit the impact of a successful attack.
CEO at Absolute Software
With ransomware attacks targeting national infrastructure, large enterprises and increasingly even the smallest of businesses, it can be confusing to read the headlines and discern good advice. It is important to remember that so many case studies we see are from large multinational companies, with equally large budgets to hire expensive consultants to dissect attacks and to help them recover. This is less practical for main street enterprises that may have limited resources but are just as likely, or even more likely, to fall victim to a successful attack.
The best advice I can offer IT and security leaders is to understand that Detection & Prevention and Remediation are separate, but equally critical, investment strategies in the fight against ransomware. We often think about Detection & Prevention exclusively when it comes to ransomware protection but, however much you invest in this pillar, understand that you will be experiencing a successful attack at some point in your future. So, your Remediation strategy must be equally prioritized and with needed investments made before your day comes.
Think about endpoint visibility and resilience in advance; how will you find, contain and restore infected endpoints if your endpoint management, detection and prevention tools have already been attacked and explicitly rendered inoperable? Deploy solutions, in advance of that inevitably successful attack, that will: first and foremost, maintain your critical line of communication to infected devices; second, enable you to contain the infection and break the cycle of re-infection; and lastly, restore your devices back to health as quickly as possible and with minimum loss of information or service.
Deputy CISO at Netskope
The most insightful instance of ransomware that has the best lesson for executives was DarkSide, which was used with the Colonial Pipeline attack, primarily because it brought ransomware awareness to a national stage, allowing the government to set guidelines for the public and private sectors. Like other attacks over the years, whether it is ransomware or another form of cyberattack, taking a programmatic approach is key. As a security team, we have begun moving from news-based threat modeling and response to simulation-based models that test controls on a more continuous nature. We have an operational process to gather intelligence, dismantle the ransomware, pull out indicators, report on the position and exposure and implement blocks and detections. We communicate that exposure and position using an immediate “Threat Flash Report,” which includes an exposure level and rating, to swiftly communicate the details about the given threat instance by targeted industries and tactics.
The flash report is followed by a more detailed “Threat Report” which includes details on controls and confidence to defend, detect and respond to an attack. Along with this, we have also matured kill chain analysis so we can reflect any new tactics and controls we can have. We continue to zero in on tabletops incorporating business continuity and crisis response protocols. As we have done this, the newsworthy events have changed from an intel source to a source that shows how companies’ responsibilities in communication and legal affairs have changed.
Dr. Robert Blumofe
EVP and Chief Technology Officer at Akamai
Recent targeted ransomware attacks against various pieces of infrastructure — oil pipelines, water treatment plants, hospitals and others — have highlighted how critical it is for executives to focus on doing the security basics really well. Eliminating shared credentials, using multi-factor authentication (ideally without passwords), using micro-segmentation and limiting individual employee access to only the applications they need to do their jobs are all basic security measures all organizations can, and should, be taking.
In many of these recent attacks, we learn too late that most, if not all, of these basic security practices have been ignored or have fallen by the wayside. The consequences of this must not be overlooked. More and more of society’s critical, real-world infrastructure is becoming inextricably intertwined with the digital world. A couple of years ago, a misconfigured set of credentials might have resulted in your social media account being taken over, or even worse, some form of fraud. But now it can result in an inability for cities to get heat, for hospitals to accurately get telemetry for heart monitors and more.
Bottom line: You don’t have to get everything perfect. Start with implementing one security best practice and expand from there. Any little piece often is enough to stop a ransomware attack from becoming catastrophic.
Bridget Quinn Choi
Principal at Booz Allen Hamilton
Booz Allen Hamilton in concert with Forrester Consulting conducted a study to understand the ransomware experience directly from those who have fallen victim to an attack. Some of the important lessons for executives are:
Most organizations have some type of incident response and business continuity plan in place, but significant gaps still exist. These gaps are driven by unclear objectives on recovery times, lack of regular data integrity tests or recovery tests and a lack of retainer for incident response services.
Another lesson learned was that most companies were not as prepared as they thought they were to respond to an attack. They quickly realized that productivity loss, financial loss and data loss are top impacts of a successful attack. As a result, a business impact assessment must account for these areas of loss and be the basis for a recovery and continuity plan responding to a ransomware event.
Lastly, the decision to pay attackers rests largely on the ability to restore proper data access and functionality. The following insights are lessons learned from companies faced with this situation: Having cyber insurance plays a significant role in the decision; paying ransom did not necessary ensure that data access was wholly restored; negative business ramifications were higher among those who chose to pay the ransom; and the CEO is the key decision-maker in the ransom payment paradigm, thus he or she will have to be embedded in any incident response plan.
CEO and Founder at SailPoint
Unfortunately, what causes damage down the line after a ransomware attack is if the organization does not understand how they were susceptible to infection in the first place. If a company doesn't learn this "lesson" the first time, the real risk factor is putting an "easy target" bullseye on its back. Criminals are always testing the waters… And we've seen this repeatedly; threat actors will walk right back into the front door they used the first time if you continue to leave it open. They will also open footholds in the network for re-entry if you do not investigate and quickly dispose of them. Therefore, the best decision-making process is to lean on a previously documented ransomware playbook to learn from past instances and to also invest in identity security offerings to help alert an enterprise of suspicious user activity. Having these two protocols in place will help defend against future attacks: Tweak your organization’s cybersecurity playbook following an attack so you have updated practices in place for the next attack and ensure appropriate solutions are in place to detect irregular behavior by way of continuously running AI/ML analysis so you are able to unearth anomalous identities within the organization.
See who's who in the Protocol Braintrust and browse every previous edition by category here (Updated Feb. 8, 2022).
Kevin McAllister ( @k__mcallister) is a Research Editor at Protocol, leading the development of Braintrust. Prior to joining the team, he was a rankings data reporter at The Wall Street Journal, where he oversaw structured data projects for the Journal's strategy team.
More from Braintrust