The U.S. Cybersecurity and Infrastructure Agency (CISA) and the FBI have issued guidance for protecting critical infrastructure from ransomware, shedding some light on the DarkSide attack that crippled the Colonial Pipeline and left much of the East Coast facing an energy shortage.
The agencies didn’t name Colonial in the alert, referring only to a “pipeline company.” The company proactively disconnected operational technology (OT) systems upon discovering the attack, the alert said, noting that “there are no indications that the threat actor moved laterally to OT systems.”
Despite those efforts, the pipeline is expected to remain shuttered for days. The alert follows reports that Colonial was slow to communicate with CISA.
Cybersecurity executive order
The Biden Administration followed hours later with an executive order overhauling the federal government’s cybersecurity preparedness and response. While mostly aimed at federal agencies, the order could influence cybersecurity at private organizations and in the technology industry. Measures in the executive order include:
- The adoption across the government of cloud security, a zero trust architecture, multi-factor authentication, encryption, better event logging, and perhaps most interestingly, a government-wide endpoint detection and response (EDR) system
- Standards for software supply chain security, which was at the heart of the SolarWinds hack
- A cybersecurity review board to learn from attacks
- Improved threat information sharing between the government and private sector, including IT service providers
- A standard playbook for incident response
More from eSecurity Planet on the Colonial Pipeline ransomware attack:
- Critical Infrastructure Protection: Both Physical and Cyber Security Matter
- Pipeline Ransomware Attack Shows Critical Vulnerabilities
- How Zero Trust Security Can Protect Against Ransomware
DarkSide actors have previously gained access through phishing and exploiting remotely accessible accounts and systems, Remote Desktop Protocol (RDP) and Virtual Desktop Infrastructure (VDI), CISA and the FBI said. After gaining access, DarkSide actors deploy DarkSide ransomware to encrypt and steal sensitive data. The DarkSide ransomware uses Salsa20 and RSA encryption, and the actors use TOR and Cobalt Strike for command and control.
CISA and the FBI urged critical infrastructure entities to adopt a number of ransomware mitigations and protections, based on the MITRE ATT&CK framework:
- Multi-factor authentication for remote access
- Spam filters to prevent phishing emails and executable files from reaching end users
- User cybersecurity training
- Network traffic filtering and URL blocklists to prevent communication with known malicious IP addresses
- Updating and patching software, including a centralized patch management system
- Limit access to resources over networks, especially by restricting RDP and requiring multi-factor authentication
- Set regular antivirus/antimalware scans of IT network assets using up-to-date signatures
- Implement unauthorized execution prevention by:
Disabling macro scripts from Microsoft Office files transmitted via email, and consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications
Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder
Monitor or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected
Deploy signatures to detect or block inbound connection from Cobalt Strike servers and other post exploitation tools
Network segmentation and backups
The agencies recommended a number of security controls that could limit the damage of a ransomware attack, including “robust network segmentation between IT and OT networks,” and organizing OT assets into logical zones and ensuring operation even if the IT network is compromised.
Backups should be frequent, tested and isolated from networks to ensure protection from ransomware encryption. “Gold images” of critical systems, backup hardware, and stored source code and executables are also among the guidance.
Account access should be by least privilege or zero trust principles.
Stopping a ransomware attack
The agencies recommended a number of steps in event of a ransomware attack:
- Isolate the infected system by removing the infected system from all networks, disabling the computer’s wireless, Bluetooth, and other network capabilities, and disconnecting all shared and networked drives.
- Turn off other computers and devices that share a network with the infected computers and collect and secure all infected and potentially infected computers and devices in a central location, clearly labeling any computers that have been encrypted.
- Ensure that your backup data is offline and secure, scanning for malware If possible.
CISA also offers a range of no-cost cyber hygiene services to help CI organizations assess, identify and reduce their exposure to threats, including ransomware.
Cybersecurity investment needed
Nozomi Networks CEO Edgard Capdevielle said it will take more than best practices guidance to fix chronic underinvestment in critical infrastructure cybersecurity.
“More aggressive programs and incentives are needed to help critical infrastructure organizations strengthen their security and time to help keep threat actors at bay. That includes tax breaks for cybersecurity; in particular, cyber defense for critical infrastructure should be something we move toward, perhaps even having private companies take on their defense.
“From our work with critical infrastructure and industrial organizations around the world, we’ve found that those who invest early in cybersecurity are able to respond faster and with less financial damage to ransomware and other cyber attacks.”