
May 11, 2021

3 Steps To Prevent The Next Colonial Pipeline Attack

By: Keegan Henckel-Miller


On Friday, May 7, a ransomware attack attributed to the Darkside group, a criminal operation believed to be based in Russia or Eastern Europe, shut down operations of the 5,500-mile Colonial Pipeline, which carries refined fuels from the Gulf Coast to the East Coast. Colonial’s operations remain at a standstill. The attack exposed how vulnerable critical infrastructure is to cyber attack and represents an escalation in what has already been a damaging year for ransomware, with attacks reported to have surged more than 700%.

The Situation:

As of Tuesday, May 11, the Colonial Pipeline remains closed. The company has said it hopes to restore service by the end of the week, but its CEO has warned states to prepare for fuel shortages. Shortages are already being reported in Virginia, and North Carolina’s governor has declared a state of emergency.

“This is as close as you can get to the jugular of infrastructure in the United States,” said Amy Myers Jaffe, research professor and managing director of the Climate Policy Lab. “It’s not a major pipeline. It’s the pipeline.”

Source: Forbes

The Players: 

  • Colonial Pipeline: Colonial Pipeline is one of the largest pipeline operators in the U.S. Its system transports an estimated 100 million gallons of refined products (gasoline, diesel, jet fuel and heating oil) daily along more than 5,000 miles from Texas to New Jersey. It is the largest refined-products pipeline in the eastern United States, carrying approximately 45% of all fuel consumed on the East Coast. The company was founded in 1962 and is privately owned by five groups (CDPQ, IFM, KKR, Shell and Koch Capital).
  • Darkside: Darkside is an Eastern European-based criminal group that the FBI has confirmed is responsible for the attack. Formed in August 2020, it announced itself with a press release on a Tor site and runs a sophisticated Ransomware-as-a-Service operation, complete with an affiliate program. Its affiliates primarily target commercial organizations in the US and other English-speaking countries.

Source: DigitalShadows

3 Steps You Can Take to Reduce Your Risk from Darkside:

  1. Know What’s Exposed: By the time an attacker is on your systems and deciding what to encrypt, it is already too late. Ransomware attacks are painful and get a lot of attention, but they are the latest symptom of a deeper problem with security programs today: the inability to assess and proactively reduce risk. Based on initial reports, Colonial halted operations itself to prevent further damage, but that shutdown was itself a costly disruption. If you want to prevent disruption from ransomware attacks like the one against Colonial Pipeline, you have to cut attackers off at the source by hardening your external attack surface, especially the internet-facing remote-access services, unpatched systems and leaked credentials that ransomware affiliates typically use for initial access.
  2. Harden Your Top Targets First: Know where attackers are most likely to strike first. Organizations often have tens of thousands of assets exposed to the internet; the key is to find the ones attackers will go after first. Gartner suggests investing in an External Attack Surface Management platform that provides the “attacker’s perspective”, like Randori. Such a platform gives you an outside-in view of your business using the same techniques threat actors use to identify the most tempting ransomware targets, helping you zero in on your greatest risks quickly.
  3. Test Your MDR & IR Capabilities: Your attack surface is always changing, and eventually an attacker will gain access. When that happens you need to know whether your security program can contain the threat. Traditional penetration tests and newer breach-and-attack-simulation (BAS) tools focus on configuration testing and control validation. They are useful for confirming that systems are set up as expected, but they provide little insight into your team’s ability to defend against a threat in a real-world scenario. If you have no internal red team, invest in a continuous, automated red team platform, like Randori, so your team can test its defenses in an ongoing and authentic way. With such a platform you can build a scorecard of your managed detection and response (MDR) and incident response (IR) effectiveness, use it to justify further investment or assess the return on previous investments, and give your team experience before a real incident occurs.
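The following Python script is an added example, not code from the original post or from Randori. It shows the triage logic that steps 1 and 2 describe in miniature: given an inventory of internet-facing services, it scores each one by how attractive it would look to a ransomware affiliate hunting for initial access and ranks the results, keeping the reasons behind each score so the output can be acted on. The inventory, the service weights, and the hypothetical product AcmeVPN with its supported-version floor are all constructed for illustration; a real program would feed it external discovery data and tune the rules to its own environment.

```python
"""Toy external-exposure triage: rank internet-facing services by how
attractive they look to a ransomware affiliate hunting for initial access.

Added example for this post, not Randori code. The inventory, weights,
product names and version floors below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import takewhile
from typing import Dict, List, Tuple


@dataclass
class Exposure:
    host: str
    port: int
    service: str            # normalised service name, e.g. "rdp", "smb", "vpn"
    product: str = ""       # product name taken from a banner, if any
    version: str = ""       # version string taken from a banner, if any
    admin_ui: bool = False  # an admin or remote-access login page is reachable


# Base weight per exposed service (assumed values). Remote-access and file
# sharing protocols score high because they are classic ransomware footholds.
SERVICE_WEIGHTS: Dict[str, int] = {
    "rdp": 40, "smb": 35, "telnet": 35, "vpn": 30,
    "ftp": 20, "ssh": 15, "https": 5, "http": 5,
}
ENTRY_POINT_SERVICES = {"rdp", "smb", "telnet"}

# Hypothetical product and the oldest version still considered supported.
# Constructed for the example; this is not a real vendor advisory.
SUPPORTED_FLOOR: Dict[str, Tuple[int, ...]] = {"AcmeVPN": (9, 0)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.2p1' into (8, 2); non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def older_than(version: str, floor: Tuple[int, ...]) -> bool:
    """Compare zero-padded tuples so '9' is not treated as older than 9.0."""
    parsed = parse_version(version)
    width = max(len(parsed), len(floor))
    padded = parsed + (0,) * (width - len(parsed))
    padded_floor = floor + (0,) * (width - len(floor))
    return padded < padded_floor


def score_exposure(e: Exposure) -> Tuple[int, List[str]]:
    """Return (score, reasons). A higher score means a more tempting first target."""
    weight = SERVICE_WEIGHTS.get(e.service, 10)  # unknown services get a modest default
    score = weight
    reasons = [f"{e.service} reachable on port {e.port} (+{weight})"]
    if e.service in ENTRY_POINT_SERVICES:
        score += 20
        reasons.append("common ransomware entry point exposed directly (+20)")
    if e.admin_ui:
        score += 15
        reasons.append("admin or remote-access login reachable from the internet (+15)")
    if e.version:
        score += 5
        reasons.append(f"version {e.version} disclosed in banner (+5)")
        floor = SUPPORTED_FLOOR.get(e.product)
        if floor and older_than(e.version, floor):
            score += 25
            reasons.append(f"{e.product} {e.version} is below the supported floor "
                           f"{'.'.join(map(str, floor))} (+25)")
    return score, reasons


def triage(inventory: List[Exposure]) -> List[Tuple[int, Exposure, List[str]]]:
    """Rank exposures highest-risk first; ties break alphabetically by host."""
    scored = []
    for e in inventory:
        score, reasons = score_exposure(e)
        scored.append((score, e, reasons))
    scored.sort(key=lambda item: (-item[0], item[1].host))
    return scored


def top_targets(inventory: List[Exposure], n: int = 3) -> List[str]:
    """The hosts an attacker would most likely hit first: the fix-these-first list."""
    return [e.host for _, e, _ in triage(inventory)[:n]]


# Constructed sample inventory, standing in for external discovery output.
SAMPLE_INVENTORY = [
    Exposure("www.example.com", 443, "https", product="nginx"),
    Exposure("vpn.example.com", 443, "vpn", product="AcmeVPN", version="8.2", admin_ui=True),
    Exposure("jump.example.com", 3389, "rdp"),
    Exposure("files.example.com", 445, "smb"),
    Exposure("bastion.example.com", 22, "ssh", product="OpenSSH", version="8.9"),
    Exposure("status.example.com", 80, "http"),
]

if __name__ == "__main__":
    for score, e, reasons in triage(SAMPLE_INVENTORY):
        print(f"{score:3d}  {e.host}:{e.port}")
        for r in reasons:
            print(f"       - {r}")
```

On the sample data the outdated VPN appliance with an exposed login page ranks first, ahead of the directly exposed RDP and SMB services, while the plain web servers fall to the bottom. The point is the ordering and the explanations, not the exact weights: the same discovery data that lists thousands of exposures is only useful once it tells you which handful to fix today.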

How Randori Can Help: 

The Randori Attack Platform was designed to think and act like Darkside, the attackers holding Colonial to ransom. It identifies the targets attackers are most likely to hit first, showing where and how they would strike your environment. Sign up now to get your free hacker assessment.

With this free assessment you will gain:

  • Instant visibility into your most exposed assets
  • A hacker’s assessment of where they would strike first
  • Actionable insight to reduce your ransomware risk today
