The Colonial Pipeline ransomware attack has been by many measures the worst to date in the history of cybersecurity, nearly crippling the Southeastern U.S. and causing the pipeline company untold millions in damages.
Despite reportedly paying nearly $5 million in ransom to the DarkSide ransomware as a service group, the decryption tool provided by the hackers was so slow that the company apparently had to rely on its own backups to restore service.
The Biden Administration appears to have made good on its threat to shut down the ransomware group, at least temporarily, but the Colonial attack serves as a flashing warning that worse attacks may come in the future and organizations had better prepare themselves.
The attack has brought renewed interest to newer security technologies like zero trust and microsegmentation that might have limited the damage. Here’s how they could help limit damage from ransomware – and other cyber attacks.
More from eSecurity Planet on the Colonial Pipeline ransomware attack:
- Critical Infrastructure Protection: Both Physical and Cyber Security Matter
- Pipeline Ransomware Attack Shows Critical Vulnerabilities
- U.S. Issues Ransomware Guidance, Cybersecurity Executive Order
Limit lateral movement
The biggest problem with traditional perimeter security such as firewalls is that if they’re breached, as is likely to happen at some point, there’s nothing to prevent the intruder from going anywhere they want inside a network – including to an organization’s most critical data and operations.
“You can build thick walls around a network, but an adversary can move anywhere once they’re behind the perimeter,” Matt Glenn, vice president of product management at Illumio, told eSecurity Planet. “We build walls where there are no walls.”
Illumio is an early leader in the zero trust market, competing with established vendors like Cisco and Palo Alto Networks.
Glenn notes that ransomware groups like DarkSide can operate with relative ease. They can purchase stolen passwords on the internet, hire pentesters to find vulnerabilities, and then share the ransom with them.
“The upside for very little work is tremendously high,” he said. The challenge for those defending an organization’s assets is “to make that risk-reward ratio drop.”
How zero trust works
So how does Illumio “build walls where there are no walls”?
Illumio’s software operates at network layers 3 and 4 – the network and transport layers – to create a graph of relationships or expected communications, “then we restrict lateral movement based on what should be communicating,” Glenn said.
He equates it to the “cone of silence” in the “Get Smart” TV show and movie, essentially placing a bubble around servers and workstations so that only work stations that should be communicating connect with each other. Anything outside of that “graph of relationships” is blocked.
In one example, if a cluster of servers houses a critical application and only certain users are allowed to access it, Illumio’s software would block access requests from any additional users or the internet. So in the case of ransomware or a hack, anyone inside the main network would still be blocked from joining that trusted group.
Even if a hacker can harvest credentials for a critical account, Illumio can still stop them from moving laterally, Glenn said.
“Illumio has multiple customers that figured out that they had been breached by the SolarWinds hack because we blocked lateral movement and even breached systems connecting to C&C servers within Amazon,” he said.
For the price of $300 per server workload, with volume discounts, Illumio’s solution is also cheaper than a lot of cybersecurity tools.
It’s not the only zero trust solution in a fast-growing and changing market, but with customers like Morgan Stanley and Salesforce and triple-digit growth, Illumio is getting noticed.
Restrict physical access too
Lionel Jacobs, a senior security architect with the Palo Alto Networks ICS and SCADA solutions team, noted in an article for eSecurity Planet that oil and gas physical facilities are even more vulnerable than networks and need to be considered in a zero trust implementation too.
Microsegmentation can help there also, Jacobs said.
“Segmentation is not just breaking apart the network based on the IP-Address space,” he wrote. “True segmentation requires identifying and grouping devices into Zones or Enclaves based on meaningful business criteria to protect better vulnerable devices found within the address space. Access to devices in the zone needs to be restricted by users, groups, protocols, networks, and devices. In some instances, you may even consider restricting access by time of day.”
IoT devices and sensors are other things contributing to the unique vulnerability of critical infrastructure in the energy industry.
“With proper zoning enforcement, you can limit and isolate the damage to a region or just that location,” Jacobs wrote. “Zones in a Zero Trust network also serve as an inspection point for traffic entering and exiting the enclave. The enabling of IPS, IDS, and virtual sandboxing technology can be applied on a per-zone basis, allowing for customized protection for the vulnerable devices contained within.”