The Colonial Pipeline Ransomware: Why It’s Hard To Be Protected

After every major cyberattack, security vendors like LogSentinel are expected to write something on preventing future similar incidents, probably involving their technology. And yes, we do have a ransomware prevention page that outlines the key features of LogSentinel SIEM to fight against ransomware. But it’s much more complex than that.

What everyone in the industry knows is that in order to not be affected significantly, you have to have a proper off-site backup. And backups can be done without any tools, or with general-purpose backup tools that are not directly related to security. Is a backup enough? It’s enough to not go out of business, yes. But it’s not enough to prevent disruptions.

That’s what is so “brilliant” about ransomware – it’s a simple concept that is very hard to counter. (Of course, it’s a simple concept once you get to actually run the ransomware, but getting there relies on trying every trick in the book.)

There are so many ways to get ransomware inside an organization, then to let it spread, to have it encrypt data. A combination of phishing, abusing zero-days, abusing unprotected remote access, password spraying, finding weak or leaked credentials. Protecting against all of that is hard.

It requires people, tools, and processes (as always). And they are scarce. So while there’s a ransomware pandemic, there is no vaccine. There are only “best practices” you have to follow, and some tools allow you to follow them more easily and with fewer human-intensive tasks. Below is a list of “features” that can be useful in fending off ransomware:

  • Vulnerability scanning – the bare minimum. Many attacks succeed because they rely on unpatched infrastructure. A vulnerability scan lets the organization see and prioritize what requires patching.
  • Password spraying and brute force detection correlation rules – and the ability to apply them to remote access (e.g. VPN, accidentally publicly visible RDP, etc.). It’s important to know when those attempts happen and to automatically or semi-automatically block the source IP. If they can’t try for long enough, they can’t break in.
  • Leaked credentials monitoring – too often employees reuse credentials. Leaked credentials from one seemingly irrelevant website can mean a compromised corporate account, and therefore remote access for malicious actors.
  • Phishing detection – phishing emails are the number one entry point for many hacks. An organization should have at least one way of detecting and blocking phishing.
  • Threat intelligence – ransomware works with several components whose identifiers can be shared among organizations through threat intelligence feeds: file hashes, malicious email addresses, malicious URLs, and domains. Seeing any of these known malicious indicators within the IT infrastructure is a sign of an ongoing ransomware attack, and spotting them enables a timely response.
  • Suspicious process alerting – ransomware executables spawn processes that you’ve never seen before in your IT ecosystem. Alerting on never-seen-before suspicious activity and processes gives you a chance to react.
  • Rootkit detection – ransomware may use standard rootkits, which can be detected by a knowledgeable endpoint agent.
  • File integrity monitoring – monitor changes in files (and especially excessive changes) via an endpoint agent.
  • Windows file audit events monitoring – if Windows file auditing is enabled, you can spot a spike in activity during an ongoing ransomware attack. That may allow an organization to isolate the threat.
  • Honeypot – honeypots can be used to detect lateral movement. If ransomware tries to spread across the network, you may be able to catch it while it spreads, if it lands on your honeypot as well.
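As an added illustration of the password spraying and brute force bullet (example code written for this article, not LogSentinel’s own correlation rules or log format), the script below runs a per-source sliding-window correlation over a constructed remote-access auth log in an assumed `timestamp service RESULT user=… src=…` format. It flags brute force against one account, spraying across many accounts, and a successful login from a source that was already flagged, which is the event that most deserves blocking and investigation.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical): "<ISO time> <service> FAIL|SUCCESS user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")
# Constructed sample auth log (not real data): 203.0.113.7 sprays one guess across many
# accounts and then logs in; 198.51.100.9 hammers one account; 192.0.2.44 mistypes once.
SAMPLE_LOGS = """\
2021-05-07T02:00:01Z vpn FAIL user=alice src=203.0.113.7
2021-05-07T02:00:03Z vpn FAIL user=bob src=203.0.113.7
2021-05-07T02:00:05Z vpn FAIL user=carol src=203.0.113.7
2021-05-07T02:00:07Z vpn FAIL user=dave src=203.0.113.7
2021-05-07T02:00:11Z vpn SUCCESS user=erin src=203.0.113.7
2021-05-07T02:01:00Z rdp FAIL user=admin src=198.51.100.9
2021-05-07T02:01:01Z rdp FAIL user=admin src=198.51.100.9
2021-05-07T02:01:02Z rdp FAIL user=admin src=198.51.100.9
2021-05-07T02:01:03Z rdp FAIL user=admin src=198.51.100.9
2021-05-07T02:03:00Z vpn FAIL user=grace src=192.0.2.44
2021-05-07T02:03:20Z vpn SUCCESS user=grace src=192.0.2.44
"""

def parse(text):
    """Parse matching lines into (time, service, result, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are ignored rather than crashing the rule
            ts, service, result, user, src = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), service, result, user, src))
    return sorted(events)

def correlate(events, window=timedelta(minutes=5), spray_users=4, brute_fails=4):
    """Alerts per source IP: brute_force (>= brute_fails failures on one account in the window),
    password_spray (failures on >= spray_users accounts), success_after_attack (SUCCESS while flagged)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[4]].append(ev)  # events stay chronological within each source
    alerts = set()
    for src, evs in by_src.items():
        for i, (t, _, result, _, _) in enumerate(evs):
            # failures from this source inside the window ending at the current event, per account
            fails = Counter(e[3] for e in evs[:i + 1] if e[2] == "FAIL" and e[0] >= t - window)
            hit = len(fails) >= spray_users or (fails and max(fails.values()) >= brute_fails)
            if len(fails) >= spray_users:
                alerts.add(("password_spray", src))
            if fails and max(fails.values()) >= brute_fails:
                alerts.add(("brute_force", src))
            if hit and result == "SUCCESS":
                alerts.add(("success_after_attack", src))
    return sorted(alerts)
```

The thresholds and window are starting points; a legitimate user who mistypes a password once (192.0.2.44 in the sample) produces no alert, while a spray that eventually succeeds is reported as both the spray and the follow-on login.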

SIEM Features for Ransomware Protection

LogSentinel SIEM has all of those features, of course, and tries to make them as easy to use as possible. But they still require people to understand and use them. People need to glance through the list above and nod in understanding. Whether these people are internal or outsourced to a managed security service provider (MSSP) doesn’t matter.

And that’s why it’s so hard to be protected. Because you need to proactively set up a complicated set of measures: to attract the right people (or outsource to the right MSSP); to put proper security monitoring in place; to allow for timely response; to eventually be ready to restore from a properly handled backup.

There is no “install this magic software and you are protected”. The complexity of IT systems nowadays leads to the complexity of protecting them. And while tools like SIEM are mandatory for that, they are not going to work unattended (which is why there are so many failed SIEM projects). Organizations tend to rely on abstractions over this complexity but abstractions are never perfect. At this point, the security complexity cannot be significantly abstracted away and so we need the tools, processes, and people to handle that complexity.

In a better and simpler world, computers would be simple, and securing them would be just a matter of putting up a firewall and an antivirus. We are not in that world, unfortunately. And in order to not suffer from disruptions like the one that happened with the Colonial Pipeline, we need to realize that. We – the security vendors, we – the security professionals, we – the organization leadership.
