Here We Go Again... One Week After the Colonial Pipeline Attack, More Ransomware

May 17, 2021
Tim Wade
Deputy Chief Technology Officer

Just a week after the Colonial Pipeline was shut down due to a massive ransomware attack, attackers are at it again. It’s now being reported that Ireland’s health service shut down its IT systems on Friday after a targeted ransomware attack, while a chemical company in Germany had to fork out a $4.4 million ransom on the same day.

We’re already seeing the initial ramifications of the attack on Colonial as American drivers in multiple states are unable to fill their gas tanks due to a fuel shortage, and who knows how this will impact industries like travel and shipping in the near future. Now we have an entire country’s healthcare system being impacted by cybercriminals—this is no longer just a technology problem, it’s much bigger.

Ransomware in the healthcare sector is further evidence of the convergence of physical and digital life—an impact with potential to diminish the quality of life and care that people need to live. But before we get used to jumping out of bed and pointing our fingers at overwhelmed security operations centers (SOCs) with every hint of a breach or attack—let’s put the blame game on hold for just a second.

If there’s any entity within an organization that doesn’t want something like this to happen, it’s the SOC. It’s also incredibly likely that their C-staff has been sold on the promises of prioritizing security prevention and alerts, even to the point that SOCs have a security alert quota to hit and report on as part of their job. A crazy thing to measure considering that alerts don’t equal attacks.

A large part of the issue here is that too many security vendors fill the room with hot air by pointing out that alerts are the answer. They aren’t.

Searching for answers

Our Director of Security Research, Nathan Einwechter, recently caught up with Security Boulevard to discuss the Colonial Pipeline attack, stating that while the group behind the attack “are well known for their level of sophistication and intentional, slow progression,” nothing within the tooling or tactics used in the attack was particularly new or novel.

And that’s what’s really alarming here. The tactics being used aren’t new, yet security teams are expected to leverage the same tools that we know aren’t working when the focus should really be on providing better SOC support. With the right support, they’ll be able to properly adjust the overall approach to detection and response.

To truly move ahead and away from the insanity, we need to learn from these incidents and apply a different approach. Organizations should assume that a breach will happen, and when it does, it is once again proof that you can’t rely solely on endpoint alerts to stop it. As the Security Boulevard article mentions, the group behind the Colonial attack is known for their slow progression, often taking weeks or months before becoming destructive.

We don’t know how long the hackers were inside, but if attackers are sitting in your environment remotely controlling your endpoints, moving laterally to expand access, collecting information, exfiltrating data or working towards whatever objective they are determined to reach, how will you know?

It’s important to recognize that attackers don’t make obvious moves—they don’t need to send noisy exploits over the wire when stealing credentials to use existing administrative services will do just fine. All of this goes back to supporting the SOC. Too often, they’re understaffed with insufficient visibility into their environments and generally don’t have the resources necessary to chase down the flood of events that are inevitably coming out of their existing tools.

SOCs aren’t failing for lack of intelligence or for not trying hard enough; their organizations are failing them by not providing the resources and support they need. This includes support to move away from the standard, broken way of operating, where they’re expected to manage thousands of events a day and somehow find those one or two critical issues. It’s a matter of being equipped with enough time and resources (training, policies and tools) to address any urgent matters. But keep in mind, the longer the larger issue goes undealt with, the more frequently we can expect to hear these cautionary tales. Let’s hope they spur action, not numb indifference.