One Year Later: Lessons From The Colonial Pipeline Ransomware Attack


A year has passed since the Colonial Pipeline Ransomware attack that caused Colonial Pipeline to stop service for five days. This attack created a huge fuel shortage for eastern and southern states and forced Colonial Pipeline to pay a hefty $4.4 million ransom.

Ransomware attacks have continued unabated since then, with the most recent ones including LAPSUS$ and ONYX. (These not only encrypt the file but also threaten to destroy the whole system.) Black Kite has released its 2022 Third-Party Breach Report, highlighting that Ransomware became the most common attack method of third-party attacks in 2021. All it takes is one hole: one stolen password, one open port (even just for a short time for testing), or one software vulnerability such as Log4j to leave the Ransomware door open.

Here are some lessons from the Colonial Pipeline attack and what organisations should do to protect themselves:

Raise security awareness and enforce security policies

  • Use Multi-Factor Authentication (MFA) to make it much harder for attackers to break in. Colonial Pipeline’s VPN account was compromised because the password was found on the dark web. Enabling MFA would make it much harder to attack than simply obtaining a password.
  • Backup systems regularly. After the ransom was paid, the decryption tool was so slow that the company’s business continuity planning tools were more effective in bringing back operational capacity.

A detection and response system is mandatory

After receiving the ransom message, Colonial Pipeline had to shut down production because they didn’t know how it happened and how far it had progressed. It took them several days to determine that the attack was fully contained. Having a detection and response system could have avoided the shutdown. A detection and response system should:

  • Detect early signs of an attack and stop it quickly before it progresses to minimise damage. In the Colonial Pipeline case, data exfiltration happened before the ransomware attack. A detection and response system could have triggered an exfiltration alert, which would have prompted an investigation and response to stop the attack from progressing to a ransomware attack.
  • Detect any suspicious behaviours in addition to having coverage on Mitre Att&ck techniques and tactics. Attackers may buy credentials from the dark web and log in as legitimate users. They will not trigger detections based on Mitre Att&ck tactics and techniques. However, they will most certainly exhibit suspicious behaviours after they get in.
  • Show a clear picture of how the attack happened to show that the attack has been contained conclusively. Colonial Pipeline hired Mandiant to perform an exhaustive search of their environment to determine that there was no other related activity before the attacker gained access to the network on April 29 using the VPN account. However, a good detection system would have shown this in real-time without manual tracing and sweeping days.
  • Show how far the attack has gone and understand the impact. Has it reached critical assets? This helps to determine the impact on the business to avoid unnecessary disruption. The primary target of the attack was the billing infrastructure of the company. The actual oil pumping systems were still able to work. However, it was not clear to Colonial Pipeline whether the attacker had compromised their operational technology network — the computer system that controls the actual flow of gasoline — until days after Mandiant swept and traced their whole network. A detection system should clearly show how far the attack has progressed and what are the impacted assets to determine the corresponding actions.
  • Show any new follow-up attacks that are going on. During the investigation, Mandiant installed detection tools to monitor any follow-up attacks. A solid detection and response system will monitor 24/7 no matter when (or if) an attack is happening.

The main lesson here is to use a unified detection and response system that monitors the entire security infrastructure 24X7, detects early signs of an attack, and correlates different signals to show how the attack happened and how far it has progressed.

If you liked reading this, you might like our other stories
5 Challenges That Data Pipelines Must Solve
The Cyber Pandemic In The Middle East