As someone who works in the cybersecurity industry and lives close to the current headline news, I've had questions from customers, friends and coworkers about the Colonial Pipeline cyberattack. Those questions have ranged from what my thoughts are, how to prevent it, how it happened and how long until it's fixed.
Firstly, I empathize with the IT staff at Colonial. Whenever incidents like this occur, it is easy to forget that there are actual humans trying to remediate the issue. They're tired, stressed and worried about the future of their careers. While I have no inside knowledge, the IT staff is likely overworked and has known that something was coming, and either didn't have the time or the budget to prepare. Likely, both contributed to the breach in the first place.
There are always a multitude of ways to infiltrate an organization. From what we've seen in responding to other DarkSide attacks, lack of multi-factor authentication (MFA) is the number one way this threat group gets into an organization. From there, they work for weeks performing reconnaissance and exfiltrating data, then finally run the encryption script. Throughout that time, different systems are generating alarms, but this goes undetected because the IT staff doesn't have the time to monitor and respond. This happens when internal IT resources aren't able to dedicate time to the management and monitoring of their security solutions. Right now, product vendors are strategizing how to spin their product offerings to match the demand caused by this attack. The truth is that organizations do not need another product; they need to find a way to give their IT staff more time and more value.
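The two gaps described above, remote logins accepted without a second factor and alarms that fire but sit unreviewed for weeks, are both things a defender can check for with a few lines of log review. The following Python script is an added illustration and is not code from this post or from ThinkGard; the log format, field names, usernames, IP addresses and timestamps are all constructed for the example, and the two-day acknowledgement threshold is an arbitrary assumption.

```python
"""Added example (not from the original post): two checks a defender can run over
authentication and alert-queue exports, matching the two gaps the post describes:
successful remote logins with no MFA factor satisfied, and alarms nobody acknowledged.
The log format, field names and every sample line below are constructed for this example."""
from datetime import datetime, timedelta

# Constructed VPN authentication records: timestamp, user, source, result, mfa factor.
VPN_LOG = """\
2021-04-29T02:14:07Z user=jdoe src=203.0.113.45 result=success mfa=none
2021-04-29T08:02:11Z user=asmith src=198.51.100.7 result=success mfa=push
2021-04-29T23:41:58Z user=svc-backup src=203.0.113.45 result=success mfa=none
2021-04-30T01:05:33Z user=jdoe src=192.0.2.88 result=failure mfa=none
"""

# Constructed alert-queue export: one alert per line, "-" means never acknowledged.
ALERT_LOG = """\
alert_id=A-1001 source=edr raised=2021-04-29T03:00:00Z acked=-
alert_id=A-1002 source=dlp raised=2021-05-01T14:20:00Z acked=-
alert_id=A-1003 source=fw  raised=2021-05-06T09:00:00Z acked=2021-05-06T10:30:00Z
alert_id=A-1004 source=siem raised=2021-05-06T22:00:00Z acked=-
"""


def parse_kv(line):
    """Split a line into 'key=value' fields; a bare leading token is stored as 'ts'."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["ts"] = tok
    return fields


def logins_without_mfa(log_text):
    """Return (user, src, ts) for every successful login where no MFA factor was satisfied."""
    hits = []
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f.get("result") == "success" and f.get("mfa", "none") == "none":
            hits.append((f["user"], f["src"], f["ts"]))
    return hits


def stale_alerts(log_text, now, max_age=timedelta(days=2)):
    """Return ids of alerts raised more than max_age before `now` that were never acknowledged."""
    parse_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
    stale = []
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f["acked"] == "-" and now - parse_ts(f["raised"]) > max_age:
            stale.append(f["alert_id"])
    return stale


if __name__ == "__main__":
    # Constructed "current time" for the alert-age check.
    review_time = datetime(2021, 5, 7, 0, 0, 0)
    for user, src, ts in logins_without_mfa(VPN_LOG):
        print(f"no-MFA login: {user} from {src} at {ts}")
    for alert_id in stale_alerts(ALERT_LOG, review_time):
        print(f"unacknowledged alert older than 2 days: {alert_id}")
```

Run against a real VPN or identity-provider export, the first function turns "we don't have MFA everywhere" into a concrete list of accounts and sources to fix; the second measures the monitoring gap the post describes, the backlog of alarms that fired but that nobody had time to look at.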
Currently, Colonial has the resources it needs from the Federal Government and FireEye to resume operations in a few days. From my experience, it is fairly straightforward to patch the initial entry point. It's the work afterwards, preventing reinfection, that is difficult. Situations like this require time and attention, which most IT staff lack.
Feel free to reach out to me with any questions regarding cybersecurity and how it relates to your industry. Cole@thinkgard.com
Cole Two Bears is ThinkGard's VP of Security Services. He is a security systems architect focused on designing and deploying enterprise infrastructure and cyber security solutions. Cole holds multiple certifications, including CEH, Security+, MCSA, VCP-DCV, CCNP Security and CCNP Enterprise. Cole is also a frequent presenter for Cisco Security Systems. You can reach Cole at (205) 564-2734 or email cole@thinkGard.com