Lessons from the Colonial Pipeline, and SolarWinds Attack
Cyberattacks and their real world consequences: SolarWinds was infamously hacked around March 2020, in an attack that made international headlines. A backdoor was added to its Orion platform software update and a supply-chain attack occurred as customers unwittingly gave the threat actors access to their networks upon download and installation of the corrupted update. The scale of the malware attack was unprecedented, with the threat actors stealing nearly 100 gigabytes of data in only 2 hours, and affecting customers worldwide.
In May, 2021 Colonial Pipeline was forced to freeze operations and IT systems affecting fuel supply capabilities in the USA, from Texas across the east coast, causing a spike in gas prices and local shortages. Darkside, a Ransomware as a Service (RaaS) provider, claimed responsibility for the malware attack, threatening to sell stolen proprietary data to competitors if they didn’t receive a ransom payment. Around $5 million ransom was subsequently paid for an encryption key.
No agency or organization is immune: From healthcare to education, SMB’s to corporations and government agencies, each of these is a potential target. SMB’s are attractive because their limited ransomware protection budgets make them easier to attack, while larger companies can yield greater ransom payments.
“IT company SolarWinds said Monday that ‘fewer than 18,000 customers’ had software compromised in a damaging hack that led to intrusions at the Departments of Treasury and Commerce.”
Highlights of President Biden’s 2021 Cybersecurity Executive Order
Also in May, President Biden signed an executive order intending to shore up the countries’ cyber defenses and provide some protection for government agencies. While the order is a good start, and will help prevent some attacks, it isn’t enough to fully protect all agencies from attack, as explained below.
These are some of the highlights of the executive order:
- Requirements for MFA (Multifactor Authentication) – All Federal Civilian Executive Branch (FCEB) agencies are required to adopt data encryption and multifactor authentication within 180 days of the order. For multifactor authentication, access is granted based on providing a minimum of two identity verification techniques, such as password and fingerprint, one time phone code, key card or GPS location.
Implementation will be assisted by the Cybersecurity and Infrastructure Security Agency (CISA), with the order applicable to data both on premises and in transfer. Inability to fully comply requires submission of a rationale to the Secretary of Homeland Security.
2. Zero Trust – A move towards the NIST best practice to implement Zero Trust Architecture, where access is granted based on need. Zero trust architecture relies on a strong user identity and authentication, alongside granular access control policies.
3. Data Sharing – Remove the barriers to share threat information. Prioritizing data sharing, information and reporting amongst agencies with the FBI and CISA, in relation to cyber incidents and potential threats, while maintaining necessary privacy laws and policies. Log information must be made sharable upon request with the Secretary of Homeland Security. Procedures to enable the Department of Defense and Homeland Security to immediately share emergency directives to address cyber risks are required to be in place within 60 days of the order.
4. Cybersecurity Safety Review Board – The board will be made up of government and private sector representatives to assess threats, risk, vulnerabilities and agency responses. Convening as needed to address incident response and cybersecurity policies, any sensitive information revealed to the board will remain confidential.
The Cybersecurity Executive Order is a next step after the US Government advisory against paying ransomware in 2020, where sanctions and fines were imposed for facilitating ransomware payments. These payments encourage more malware attacks, and there is no guarantee that data will be returned unscathed. Cybersecurity insurance may cover malware attacks but can not return lost data so prevention, in the form of ransomware protection, is key.
Why Current Federal Plans Don’t Go Far Enough
Local governments and independent agencies can work to better protect themselves from ransomware attacks by educating their workforce on what to look out for, such as suspicious links and phishing emails. Backing up files with copies can help in case of deletion or file corruption, but malware often targets the recovery files. Ensuring anti-virus software is up to date can prevent attacks from known malware, but what about unknown threats which can bypass the existing ransomware protection layer.
Minerva’s ransomware protection is able to thwart malware attacks before they happen, before any damage can be done and backs up every file before changes are made to enable easy recovery. By preventing attacks on the endpoint, without prior knowledge of the malware, Minerva’s ransomware protection blocks malware memory injection, disables fileless programs, and prevents malicious document downloads.
To learn more about how Minerva’s ransomware protection can prevent even the stealthiest of malware attacks, contact us.