Another high-profile breach brings cybersecurity into the public eye and serves as a startling example of how an attack on a private company can have far-reaching effects throughout society. If you’re in a part of the United States currently experiencing higher gas prices, you’ll certainly agree.
The Colonial Pipeline attack was neither a novel attack nor one involving some special strain of ransomware. As a matter of fact, the majority of forensic cases I’ve worked involving ransomware were quite similar. The attacker gains access to the network via a known security flaw and pivots throughout the network until they get to their desired destination. At that point, the attacker manually executes an off-the-shelf piece of ransomware.
In this instance, like most ransomware attacks, the attack relied on a well-known risk in the cybersecurity industry: ransomware purchased through a ransomware-as-a-service offering on the dark web. Although unfortunate, it highlights to organizations, big and small, the importance not just of being prepared to react after an attack, but of taking the appropriate steps before an attack to prevent it from ever occurring.
Understand Your Security Posture
The key to preventing and mitigating the impact of attacks like this is analyzing your security posture, which consists of visibility, exposures, and threats.
Visibility + Exposure + Threats = Security Posture
Are you certain your security tools are able to detect threats and exposures on all your assets? If you’re not, it’s critical you start here. The old adage is true: you can’t protect what you can’t see. An optimal security posture begins with complete visibility over all your assets.
This is no simple problem to overcome. Standard configurations and gold images aside, it can be difficult to manage the myriad dashboards and tools to achieve maximum visibility. In any case, you must start with understanding what you’re trying to protect, then validate that your solutions have been properly configured and deployed to monitor those assets.
This will be a never-ending process if the appropriate alerts and response plans aren’t in place for when this visibility begins to slip — and it will. Visibility is arguably the most important aspect of your security posture.
- Do all of your endpoints have your agent(s) installed? Are they reporting in?
- Does your IDS/IPS have visibility across your entire network?
- Are you collecting logs from all of your critical assets? Are they all consistent in what they’re logging?
Everything in your environment which could be taken advantage of and result in a compromise is an exposure. Exposures aren’t limited to your typical vulnerability, but also include misconfigurations and over-privileged accounts. Understanding where you’re susceptible to attack is critical in making risk-based decisions and building response plans. Exposures include typical CVE and configuration issues found throughout your network, including cloud environments like AWS and Azure. For example:
- IAM roles with full admin privileges — Is this necessary and can this role be broken out into multiple users?
- S3 bucket misconfigurations — Is the publicly available S3 bucket expected?
- Outdated version of PHP — Is this system publicly available and what types of vulnerabilities does this expose?
It’s likely your environment experiences security events daily which require some level of action — from simple blocks at a firewall to a full incident response and forensics engagement. You are also subjected to low-level threats and observations that have not yet reached the level of an incident. Knowing which assets or groups of assets are under attack, and the types of attacks these systems experience, is just as important as knowing where you are exposed. These failed attacks help to highlight where more rigor may need to be applied, or where architectural changes should be considered.
Examples can include:
- Brute force attacks on internet-exposed services — Has MFA or a VPN been considered, or is the service still required at all?
- SQLi against public sites — How well are the developers trained on secure coding?
- Malware blocks — Are there particular asset groups on which these occur most often, and are additional controls or training needed?
When you fully understand the state of your visibility, exposure, and threats, you know your security posture. Combining this data is required to provide a holistic perspective of your security posture, which leads to educated strategic decision making with measurable improvements that reduce the likelihood and impact of a successful attack.
Tips to improve your security posture:
- Combine threats and exposures to properly prioritize patches, architecture changes, and active projects
- Take actions now:
  - Design proper segmentation
  - Improve user awareness
  - Develop response plans
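As an added illustration that is not part of the original post, the following Python sketch combines the three inputs described above (agent check-ins for visibility, the post's example exposures, and blocked or failed attacks as threats) into one per-asset priority list. All asset names, check-in times, exposures, attack counts and scoring weights are constructed assumptions, not Alert Logic's data or method.

```python
# Added example, not from the original post: a small model of the
# Visibility + Exposure + Threats = Security Posture view. All values are constructed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 5, 12, tzinfo=timezone.utc)  # constructed reference time
MAX_SILENCE = timedelta(hours=24)                  # agents must report daily
# Visibility: asset -> last agent check-in (None = agent never reported in)
INVENTORY = {
    "web-01": NOW - timedelta(hours=1),
    "web-02": None,
    "db-01": NOW - timedelta(days=3),
    "s3-public-assets": NOW,
}
# Exposures, modelled on the post's examples: asset -> [(description, severity 1-3)]
EXPOSURES = {
    "web-01": [("outdated PHP, internet facing", 3)],
    "web-02": [("outdated PHP, internet facing", 3)],
    "db-01": [("IAM role with full admin privileges", 2)],
    "s3-public-assets": [("S3 bucket publicly readable", 2)],
}
# Threats: blocked or failed attacks observed against the asset this week
THREATS = {
    "web-01": {"SQLi against public site": 40},
    "db-01": {"brute force on exposed service": 12},
}

def visibility_gap(asset):
    """Reason string if the asset's agent is missing or stale, else None."""
    last = INVENTORY.get(asset)
    if last is None:
        return "no agent check-in"
    if NOW - last > MAX_SILENCE:
        return f"agent silent for {(NOW - last).days} days"
    return None

def posture(asset):
    """Score: exposure severity, scaled up by observed attacks, +5 if unseen."""
    exposures = EXPOSURES.get(asset, [])
    threats = THREATS.get(asset, {})
    reasons = [d for d, _ in exposures] + [f"{n}x {k}" for k, n in threats.items()]
    score = sum(s for _, s in exposures) * (1 + sum(threats.values()) / 10)
    if gap := visibility_gap(asset):
        score += 5  # unseen assets are surfaced regardless of known exposures
        reasons.append(gap)
    return round(score, 1), reasons

def prioritized():
    """Assets from most to least urgent: (asset, score, reasons)."""
    return sorted(((a, *posture(a)) for a in INVENTORY), key=lambda r: -r[1])
```

Note that web-02 shows no threats only because nothing is watching it, which is why the visibility gap is scored on its own rather than inferred from a quiet threat feed.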
Managed Detection and Response (MDR) — Needed Now More than Ever
The Colonial Pipeline attack is a further reminder of the need for a comprehensive, end-to-end cybersecurity solution — managed detection and response (MDR). As detailed in the MDR Manifesto, effective MDR must:
- Reduce attacks
- Provide comprehensive visibility
- Be refreshed often
- Use human intelligence combined with technology
- Customize responses
- Deliver results and reporting
With MDR in place, your organization is better able to not only safeguard your most critical systems and data from attacks, but also quickly react when a breach occurs to eliminate or minimize the impact.
The D of MDR could be the most important, yet is your organization doing everything it can to provide the visibility needed to detect the threats before they wreak havoc? If you don’t shine a light on all the components and assets of your business system, no solution you have in place will be able to protect it. That is why visibility is so crucial to a successful cybersecurity plan. And this ties back again to understanding your security posture. Knowing the risks and vulnerabilities can only come when you know what you need to protect.
In the event of an attack, how long will it take your organization to know it’s been breached? When the R is functioning at optimal levels, many of these attacks can be stopped in their tracks before they ever cause damage. At the very least, the damage can be severely minimized.
Will your organization know if a successful attack occurs in the middle of the night or over a holiday when your staff isn’t in the office? Often these are the times hackers attack because they know they have more time before they are detected.
The M is just as critical in these instances because it’s difficult to build your own security operations center (SOC) and adequately staff it 24/7 as needed. Relying on a partner to provide MDR can ensure your most essential systems are known and better protected. Alert Logic, as the leading provider of MDR, would very likely have caught the breach that so massively harmed Colonial and our nation’s infrastructure.
As I said, this wasn’t an unknown threat. Before we implement our solution in any environment, we work with each customer to fully understand their security posture. Our team of cybersecurity experts uses our innovative technology to continually monitor our customers’ systems, detect anything that could be a threat, and respond accordingly to eliminate or minimize the impact of a breach. Our team of threat researchers also stays on top of emerging threats and feeds that information to our threat hunters to proactively eliminate risks.
Act Today to Prepare for Tomorrow
The Colonial Pipeline cyberattack is a wake-up call that, yes, threats to your organization are out there every day, looking for new and known ways to compromise your operations and data. But you can fight back through MDR to proactively monitor for risks, address vulnerabilities, take swift action to thwart attacks, and respond quickly when they do occur. It’s much harder to do this effectively on your own, which is why it is so crucial to manage the detection and response.
Reach out today for a free assessment of your current security posture to understand your greatest risks, challenges, and opportunities, and learn more about Alert Logic’s unparalleled approach to cybersecurity.