The recent cyber attack on the Colonial Pipeline is more evidence—as if more was needed—that organizations need to take risk management and their investment in cybersecurity seriously. The impact of this ransomware attack has led to a shortage of refined gasoline and jet fuel in multiple states along the eastern seaboard. The shortage was exacerbated by panic buying and long lines at gas stations—all the result of one cyber ransomware attack affecting one strategic pipeline.
With ransomware attacks making the news every day and countless others occurring out of the public eye, it’s obvious that these threats are on the rise. So it’s imperative that organizations take steps now to safeguard their critical data and other assets.
Unfortunately, technology is changing rapidly, and so are the multitude of threats launched by bad actors who are motivated by both financial and political gain. What’s more, for the past year, companies have had to deal with a remote workforce, with employees teleworking on non-secure home networks connected to company systems. They may be sharing these networks with their children attending classes online, home appliances and entertainment systems linked together as part of the Internet of Things, and a myriad of mobile devices. All this unprotected cyber landscape has increased the opportunities for malicious actors to take advantage of organizational vulnerabilities.
So what can you do to safeguard your organization?
What is a ransomware attack? And what is a double extortion ransomware attack?
For a business owner, corporate CEO, or director of a government agency, a ransomware attack is a nightmare.
The attackers in these scenarios first exploit a weakness in your cyber defenses to gain access to your company data. They then encrypt your data and demand a ransom in return. These payment demands are frequently made in cryptocurrencies, which make it almost impossible to trace the perpetrators.
With a double extortion ransomware attack, the hackers also leak selected sensitive data on the dark web, inflicting more damage as they increase their financial demands! If you don’t pay up, they threaten to leak more data and raise their ransom price. In one recent example, a well-known chemical distribution company paid a $4.4 million ransom in Bitcoin to a ransomware gang to receive a decryptor for encrypted files the hackers had stolen and to prevent them from publicly leaking the stolen data.
What do these attacks look like? How can you spot them before they do any damage?
Hackers usually gain access to a company’s system through its weakest link: its employees. Hackers send spam or phishing emails that include a link that delivers the malware (these are called social engineering campaigns). Someone clicks on the link, and the nightmare begins.
Spotting a ransomware attack is not always straightforward. Once the malware is downloaded, the threat could be lurking in your environment for weeks or months undetected. The hacker now has access to your corporate network and is just waiting for the right time to trigger an attack from within. You might notice it when data suddenly becomes inaccessible or folders disappear off your corporate network. Sometimes employees receive emails from the perpetrator letting them know they’ve been a victim and demanding payment, increasing the chaos and spreading panic.
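The symptom described above, files suddenly becoming inaccessible across a share, is something auditing can catch early: a single account renaming many files to one new, previously unseen extension across several folders within seconds is the signature of mass encryption, not normal office work. The following is an added example, not code from the article or from TalaTek; the pipe-delimited audit-event format and the sample events are constructed for illustration, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag ransomware-like mass-rename bursts in file-server audit events (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format, not from the article):
# ISO timestamp | user | action | path, where RENAME carries "old -> new".
# Morning events are ordinary activity; the burst at 13:02 mimics an account
# rewriting every document it can reach with a new ".locked" extension.
SAMPLE_EVENTS = """\
2021-05-10T09:00:01|alice|MODIFY|/shares/finance/q1.xlsx
2021-05-10T09:04:12|alice|CREATE|/shares/finance/q1-notes.docx
2021-05-10T09:30:45|bob|RENAME|/shares/hr/draft.docx -> /shares/hr/policy.docx
2021-05-10T10:15:00|alice|MODIFY|/shares/finance/q1.xlsx
2021-05-10T13:02:00|svc-backup|RENAME|/shares/finance/q1.xlsx -> /shares/finance/q1.xlsx.locked
2021-05-10T13:02:00|svc-backup|RENAME|/shares/finance/q1-notes.docx -> /shares/finance/q1-notes.docx.locked
2021-05-10T13:02:01|svc-backup|RENAME|/shares/hr/policy.docx -> /shares/hr/policy.docx.locked
2021-05-10T13:02:01|svc-backup|RENAME|/shares/hr/salaries.xlsx -> /shares/hr/salaries.xlsx.locked
2021-05-10T13:02:02|svc-backup|RENAME|/shares/legal/contract.pdf -> /shares/legal/contract.pdf.locked
2021-05-10T13:02:02|svc-backup|RENAME|/shares/legal/nda.pdf -> /shares/legal/nda.pdf.locked
2021-05-10T13:02:03|svc-backup|RENAME|/shares/ops/runbook.md -> /shares/ops/runbook.md.locked
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\|(?P<user>[^|]+)\|(?P<action>[A-Z]+)\|(?P<path>.+)$")


def parse_events(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        action, path = m["action"], m["path"]
        old, new = path.split(" -> ", 1) if action == "RENAME" else (None, path)
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "action": action, "old": old, "new": new})
    return events


def extension(path):
    """Lower-cased final extension of a path ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(events, window=timedelta(seconds=60), min_renames=5, min_dirs=2):
    """Alert when one user renames >= min_renames files to the same extension that
    never appeared in CREATE/MODIFY traffic, touching >= min_dirs directories
    within `window`. Alerts are keyed by (user, extension) and keep growing
    while the burst continues. Returns a list of alert dicts."""
    known_ext = set()                 # extensions seen in ordinary file activity
    recent = defaultdict(deque)       # (user, new_ext) -> rename events in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "RENAME":
            known_ext.add(extension(ev["new"]))
            continue
        old_ext, new_ext = extension(ev["old"]), extension(ev["new"])
        if new_ext == old_ext or new_ext in known_ext:
            continue                  # ordinary rename, not a change to an unknown type
        key = (ev["user"], new_ext)
        q = recent[key]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()               # slide the window forward
        dirs = {e["new"].rsplit("/", 1)[0] for e in q}
        if len(q) >= min_renames and len(dirs) >= min_dirs:
            a = alerts.setdefault(key, {"user": ev["user"], "extension": new_ext,
                                        "first": q[0]["ts"], "count": 0,
                                        "directories": set()})
            a["count"] = max(a["count"], len(q))   # renames in the densest window seen
            a["last"] = ev["ts"]
            a["directories"].update(dirs)
    return [dict(a, directories=sorted(a["directories"])) for a in alerts.values()]


def scan(text):
    """Convenience wrapper: raw audit text in, alerts out."""
    return detect_bursts(parse_events(text))


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT user={a['user']} ext=.{a['extension']} renames={a['count']} "
              f"dirs={a['directories']} from {a['first']} to {a['last']}")
```

The alert fires on the fifth rename, a few seconds into the burst, which is the point at which a response team could isolate the offending account and host while most of the share is still intact; the thresholds and the one-minute window are deliberately conservative so that a user tidying a single folder does not trip it.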
As these attacks so frequently start with employees falling for a social engineering campaign, it’s important to point out that everyone in your company, regardless of position or title, should receive security awareness training. Informed and aware employees can spot suspicious emails or situations and report them to their security leads. At a minimum, your staff should learn security best practices and work to implement them in their daily routines. And having in place a robust cybersecurity program, continuous monitoring, alerting, and an effective incident response and communication plan is imperative in these cases.
What type of damage can ransomware attacks cause?
Endless and crippling damage, both for the attacked company and for the public affected by the attack! If you have seen the recent images of people filling up plastic bags with gasoline and stashing them in their car trunks, you have a glimpse into the real-life impact!
In a world of regulations and of legal and financial penalties for data leakage, the damage to the hacked company includes damage to its reputation and to customer confidence. Companies can also suffer huge financial penalties for lack of compliance with regulations, such as the California privacy act (GDPR). These regulators don’t care that your data leakage was caused by a hack. You are responsible for it anyway.
Make no mistake. These attacks are sophisticated. This means that no organization is immune. Fortune 500 companies with enormous IT resources, governmental agencies, cybersecurity companies (remember SolarWinds?), and today’s high-profile victim, Colonial Pipeline, have all been successfully hacked. The question is not whether you will be subject to such an attack, but when.
That is why companies of all sizes need to adopt a proactive posture to mitigate the impact of such attacks. And they need to do so today.
I recommend following this short list of good practices to start building effective defenses. They can help your organization withstand the inevitable threats from ransomware attacks.
Look to independent resources to assess your security posture. Begin with a gap analysis and then implement the recommended changes to shore up your security posture.
Starting with employee awareness training and education, conduct regular phishing exercises to keep everyone alert and minimize the risk of clicking on that shiny email.
Know where your corporate assets are, make sure approved traffic is whitelisted, and ensure software patching is always up to date or compensating controls are in place to protect where patching is not possible.
Have effective auditing and alerting in place. Establish an incident response plan and incident response team that is trained and familiar with the process through regular tabletop exercises.
Set clear policies and rules of behavior about using corporate assets for personal use and manage data leakage effectively.
Invest in cyber insurance policies. They are your friend.
Test your environment using threat hunting techniques to be one step ahead of the hackers; these techniques can help you discover your weaknesses so you can mitigate them.
What is the most important takeaway from the Colonial Pipeline ransomware scenario?
Have an incident response plan. The most critical element when a company is under a ransomware attack is how quickly it can stand up its incident response team and establish effective communications with staff and the public, before word gets out. Things move very rapidly, and you need to manage all the related activities, people and communications. Without that, panic can ensue, and chaos will take over. Also, be ahead of the game by proactively monitoring and testing your defenses and making sure new risks have not been introduced to your environment while you weren’t looking.
Baan Alsinawi is president at TalaTek and chief compliance officer at Cerberus Sentinel.