U.S. Issues Ransomware Guidance, Cybersecurity Executive Order

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued guidance for protecting critical infrastructure from ransomware, shedding some light on the DarkSide attack that crippled the Colonial Pipeline and left much of the East Coast facing an energy shortage.

The agencies didn’t name Colonial in the alert, referring only to a “pipeline company.” The company proactively disconnected operational technology (OT) systems upon discovering the attack, the alert said, noting that “there are no indications that the threat actor moved laterally to OT systems.”

Despite those efforts, the pipeline is expected to remain shuttered for days. The alert follows reports that Colonial was slow to communicate with CISA.

Cybersecurity executive order

The Biden Administration followed hours later with an executive order overhauling the federal government’s cybersecurity preparedness and response. While mostly aimed at federal agencies, the order could influence cybersecurity at private organizations and in the technology industry. Measures in the executive order include:


DarkSide methods

DarkSide actors have previously gained access through phishing and by exploiting remotely accessible accounts and systems such as Remote Desktop Protocol (RDP) and Virtual Desktop Infrastructure (VDI), CISA and the FBI said. After gaining access, DarkSide actors steal sensitive data and then deploy DarkSide ransomware to encrypt it. The DarkSide ransomware uses Salsa20 and RSA encryption, and the actors use Tor and Cobalt Strike for command and control.

Ransomware protection

CISA and the FBI urged critical infrastructure entities to adopt a number of ransomware mitigations and protections, based on the MITRE ATT&CK framework:

  • Require multi-factor authentication for remote access
  • Enable spam filters to prevent phishing emails and executable files from reaching end users
  • Provide user cybersecurity training
  • Filter network traffic and use URL blocklists to prevent communication with known malicious IP addresses
  • Update and patch software, including through a centralized patch management system
  • Limit access to resources over networks, especially by restricting RDP and requiring multi-factor authentication
  • Set regular antivirus/antimalware scans of IT network assets using up-to-date signatures
  • Implement unauthorized execution prevention by:
    • Disabling macro scripts from Microsoft Office files transmitted via email, and considering Office Viewer software instead of full Microsoft Office suite applications to open such files
    • Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy, and software restriction policies (SRPs) to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder
  • Monitor or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected
  • Deploy signatures to detect or block inbound connections from Cobalt Strike servers and other post-exploitation tools
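The "monitor or block inbound connections from Tor exit nodes" item above is the one most easily turned into a detection, so here is an added example of what that check looks like over firewall log lines. It is not code from CISA, the FBI or the article: the log line format, the anonymizer address ranges (RFC 5737 documentation addresses) and the set of ports on which external connections are expected are all constructed for illustration. A real deployment would load the published Tor exit-node list and its own inventory of internet-facing services in place of the constants.

```python
"""Flag inbound connections from Tor exit nodes or other anonymization
ranges to ports where no external connection is expected.

Added example (not from the CISA/FBI alert or the article). The log
format, the exit-node list and the expected-port set are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed stand-in for the Tor exit-node list plus one anonymizing
# VPN range. Load the real published exit list here in production.
ANONYMIZER_RANGES = [ipaddress.ip_network(n) for n in (
    "198.51.100.7/32",   # constructed single exit node
    "203.0.113.0/24",    # constructed anonymizing VPN range
)]

# Ports on which inbound connections from the internet are expected
# (here: a public web service). Everything else is "not expected".
EXPECTED_INBOUND_PORTS = {80, 443}

# Constructed firewall log format: timestamp, direction, 5-tuple, verdict.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) inbound src=(?P<src>[0-9.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[0-9.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str  # "deny" is still worth recording: it shows targeting


def is_anonymizer(ip: str) -> bool:
    """True if the address falls inside any known anonymizer range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_RANGES)


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per inbound connection from an anonymizer
    to a port that is not on the expected list."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        dport = int(m["dport"])
        if is_anonymizer(m["src"]) and dport not in EXPECTED_INBOUND_PORTS:
            findings.append(Finding(m["ts"], m["src"], m["dst"], dport, m["action"]))
    return findings


# Constructed sample log: RDP and SSH attempts from anonymizers, one
# legitimate HTTPS hit from an exit node, and one RDP hit from a non-Tor IP.
SAMPLE_LOG = [
    "2021-05-11T02:14:07Z inbound src=198.51.100.7:51322 dst=10.0.0.5:3389 action=allow",
    "2021-05-11T02:14:09Z inbound src=198.51.100.7:51340 dst=10.0.0.9:443 action=allow",
    "2021-05-11T02:15:30Z inbound src=203.0.113.44:40101 dst=10.0.0.12:22 action=deny",
    "2021-05-11T02:16:02Z inbound src=192.0.2.10:55000 dst=10.0.0.5:3389 action=allow",
    "not a firewall line",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} anonymizer {f.src} -> {f.dst}:{f.dport} ({f.action})")
```

Two of the five sample lines are flagged: the allowed RDP connection from the exit node and the denied SSH attempt from the VPN range. The HTTPS hit is not flagged because port 443 is expected to receive external traffic, and the RDP connection from 192.0.2.10 is not flagged because that address is not in an anonymizer range, which is exactly why this check complements rather than replaces the "restrict RDP and require MFA" item.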

Network segmentation and backups

The agencies recommended a number of security controls that could limit the damage of a ransomware attack, including “robust network segmentation between IT and OT networks,” organizing OT assets into logical zones, and ensuring that OT operations can continue even if the IT network is compromised.

Backups should be frequent, tested and isolated from networks to ensure protection from ransomware encryption. The guidance also recommends maintaining “gold images” of critical systems, backup hardware, and stored copies of source code and executables.

Account access should be by least privilege or zero trust principles.
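"Frequent" and "tested" are the two backup properties that can be checked mechanically, and the following added example shows one way to do it. It is not code from the alert or the article: the manifest format (one "sha256  relative/path" line per file), the 24-hour freshness threshold and the sample backup contents are constructed here so the script runs offline in a temporary directory. The same hash manifest, stored with the offline copy, lets you prove after an incident that the backup was not altered or encrypted.

```python
"""Verify a backup against a SHA-256 manifest and check that it is fresh.

Added example (not from the CISA/FBI alert or the article). The manifest
format, the freshness threshold and the sample files are constructed.
"""
import hashlib
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # "frequent": expect at least a daily backup
MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets do not hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record the hash of every file at backup time (run on the backup host)."""
    manifest = backup_dir / MANIFEST_NAME
    lines = [
        f"{sha256_file(p)}  {p.relative_to(backup_dir).as_posix()}"
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p != manifest
    ]
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def verify_backup(backup_dir: Path, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the backup verified."""
    problems: List[str] = []
    manifest = backup_dir / MANIFEST_NAME
    if not manifest.exists():
        return ["manifest missing"]
    now = time.time() if now is None else now
    age = now - manifest.stat().st_mtime
    if age > MAX_BACKUP_AGE_SECONDS:
        problems.append(f"backup is {age / 3600:.1f} h old")
    for line in manifest.read_text().splitlines():
        expected, rel = line.split("  ", 1)
        target = backup_dir / rel
        if not target.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a constructed backup, then verify it clean, stale, and tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "config").mkdir()
        (backup / "config" / "plc.cfg").write_bytes(b"setpoint=42\n")   # constructed
        (backup / "db.sql").write_bytes(b"CREATE TABLE t(x);\n")         # constructed
        write_manifest(backup)
        clean = verify_backup(backup)
        # Same backup, checked three days later: freshness check should fire.
        stale = verify_backup(backup, now=time.time() + 3 * 24 * 3600)
        # Simulate a file being overwritten (e.g. encrypted) after the backup.
        (backup / "db.sql").write_bytes(b"ENCRYPTED" * 4)
        tampered = verify_backup(backup)
        return clean, stale, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "stale", "tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The freshness check reads the manifest's own modification time, so the manifest must be written as the last step of the backup job; the integrity check is only meaningful if the manifest itself lives on the isolated copy (or is signed), since an attacker who can rewrite the backup can rewrite an unprotected manifest alongside it.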

Stopping a ransomware attack

The agencies recommended a number of steps in the event of a ransomware attack:

  • Isolate the infected system by removing the infected system from all networks, disabling the computer’s wireless, Bluetooth, and other network capabilities, and disconnecting all shared and networked drives.
  • Turn off other computers and devices that share a network with the infected computers and collect and secure all infected and potentially infected computers and devices in a central location, clearly labeling any computers that have been encrypted.
  • Ensure that your backup data is offline and secure, scanning it for malware if possible.

CISA and the FBI urge anyone infected not to pay the ransom and to contact their local FBI field office and CISA.

CISA also offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify and reduce their exposure to threats, including ransomware.

Cybersecurity investment needed

Nozomi Networks CEO Edgard Capdevielle said it will take more than best practices guidance to fix chronic underinvestment in critical infrastructure cybersecurity.

“More aggressive programs and incentives are needed to help critical infrastructure organizations strengthen their security and time to help keep threat actors at bay. That includes tax breaks for cybersecurity; in particular, cyber defense for critical infrastructure should be something we move toward, perhaps even having private companies take on their defense.

“From our work with critical infrastructure and industrial organizations around the world, we’ve found that those who invest early in cybersecurity are able to respond faster and with less financial damage to ransomware and other cyber attacks.”

Paul Shread
eSecurityPlanet Editor Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including award-winning articles on endpoint security and virtual data centers. He wrote a column on small business technology for Time.com, and covered financial markets for 10 years, from the dot-com boom and bust to the 2007-2009 financial crisis. He holds a market analyst certification.
