Three Actions To Take Based on the Colonial Pipeline Ransomware Attack

May 17, 2021


Ransomware has been a thorn in the side of cybersecurity teams for the past several years. As other security threats have come and gone, this insidious threat has been a constant challenge for every organization.

This past year has proven to be especially profitable for ransomware operators, as major organizations like Universal Health Services, Orange and Acer have fallen victim to these attacks.

The latest victim is Colonial Pipeline, the owner of the largest refined-products pipeline system in the U.S., which shut down its pipeline operations and reportedly paid close to $5 million in ransom. Early reports cite numerous architecture and security missteps, including a weak VPN, unpatched Microsoft Exchange servers with critical vulnerabilities, and publicly exposed network protocols that can be exploited.

Ransomware groups now operate like businesses. There is more evidence of organized groups carrying out scalable campaigns that increase their success rate and enable them to reinvest in new tools and procedures. Regardless of where or how we work, these groups continue to take advantage of vulnerable architecture to extort money from victims.

The remote environment is primed for ransomware

As organizations continue to support remote or hybrid work, they no longer have the visibility and control they once had inside their perimeter. Attackers are exploiting this weakness and profiting. Here are three reasons they’re able to do so:

Visibility and control have changed.

Most organizations now have employees working from anywhere. These employees expect seamless access to all resources from unmanaged and personal devices on networks outside the traditional perimeter. This greatly reduces the visibility and control that security teams have and can make it difficult to understand risks posed by users and the devices they’re working from.

Mobile devices make it easier for attackers to phish credentials.

Attackers are always looking for discreet ways into your infrastructure. Compromising an employee’s credentials enables them to gain legitimate access and remain undetected.

Their primary tactic for stealing credentials is to phish employees on mobile devices. Because smartphones and tablets are used for both work and personal purposes, employees can be targeted through multiple channels such as SMS, social media platforms, and third-party messaging apps. The simplified user interface of a phone or tablet hides the usual signs of phishing (full URLs, sender addresses, link previews), making mobile users ripe targets for socially engineered phishing campaigns.

VPNs enable lateral movement.

Organizations rely on VPNs to give their employees remote access to resources, but this approach has two security shortcomings. First, a traditional VPN grants network-level access: once a user (or an attacker holding that user's credentials) is connected, they can typically reach any host and application on the internal network, not just the ones they need. Second, VPNs don't evaluate the context under which users or devices connect, such as device health or unusual login behavior. That context is what you need to detect anomalous activity indicative of a compromised account or device.

Three things you can do to protect against ransomware

Ransomware attacks aren't going anywhere. If anything, these threat actors have made their operations an enterprise, creating scalable, repeatable and profitable campaigns. While there is no silver bullet to ransomware-proof your organization, there are a number of Zero Trust approaches that can mitigate the risk.

Continuously assess risk.

The first step to mitigating ransomware is visibility into the risk level of devices and users, so you can tell when they have been compromised. By continuously assessing the risk level of your employees' mobile devices, you reduce the chance that a phishing attack on one of them goes unnoticed and turns into a foothold. To ensure your employees' accounts aren't compromised, you also need to monitor their behavior so you can identify malicious activity such as logins from unexpected locations or devices.

Implement granular and dynamic access controls.

You need to move away from the all-or-nothing approach of VPNs. Instead of providing unlimited access, provide access only to the specific apps and data each employee needs. As a result, if an attacker compromises their device or account, their movement is restricted.
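The two recommendations above (continuously assess device and user risk, then grant access per app rather than per network) come together in a policy decision. The following is an added illustration, not Lookout's code or any product's policy engine: a toy evaluator that contrasts the all-or-nothing VPN model with per-application, context-aware decisions. The app names, policy thresholds, the device risk score and the sample requests are all constructed for the example.

```python
"""Per-app access policy evaluation with device risk and user-behaviour context.

Added example (not Lookout's code): a toy policy engine that contrasts the
all-or-nothing VPN model with per-application, context-aware decisions.
Field names, apps, thresholds and the sample requests are all hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Hypothetical device posture as a mobile security agent might report it."""
    managed: bool          # enrolled in MDM / running a security agent
    os_patched: bool       # no known critical OS vulnerabilities outstanding
    risk_score: int        # 0 (clean) .. 100 (compromised), agent-reported


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device: Device
    mfa: bool
    country: str
    usual_countries: frozenset   # countries seen in this user's recent logins


@dataclass(frozen=True)
class AppPolicy:
    groups: frozenset            # who may use the app at all
    max_device_risk: int         # deny above this effective risk score
    require_managed: bool
    require_mfa: bool


# Constructed policy set: the crown-jewel apps demand more than the wiki does.
POLICIES = {
    "wiki":      AppPolicy(frozenset({"staff"}), 70, False, False),
    "payroll":   AppPolicy(frozenset({"finance"}), 30, True, True),
    "scada-hmi": AppPolicy(frozenset({"ot-ops"}), 10, True, True),
}


def vpn_reachable_apps(req: Request) -> set:
    """Traditional VPN model: once the tunnel is up (a valid password is
    enough), every app on the internal network is reachable."""
    return set(POLICIES)


def context_risk(req: Request) -> int:
    """Fold user-behaviour signals into the device score. A login from a
    country absent from the user's recent history is the kind of anomaly
    a stolen credential produces, so it raises the effective risk."""
    risk = req.device.risk_score
    if req.country not in req.usual_countries:
        risk += 40
    if not req.device.os_patched:
        risk += 20
    return min(risk, 100)


def evaluate(req: Request, app: str) -> tuple:
    """ZTNA model: decide per app, per request, from identity, device
    posture and behaviour context. Returns (allowed, reason)."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "unknown app: default deny"
    if not (req.groups & policy.groups):
        return False, "user not entitled to this app"
    if policy.require_mfa and not req.mfa:
        return False, "MFA required"
    if policy.require_managed and not req.device.managed:
        return False, "managed device required"
    risk = context_risk(req)
    if risk > policy.max_device_risk:
        return False, f"risk {risk} exceeds app limit {policy.max_device_risk}"
    return True, "allowed"


def ztna_reachable_apps(req: Request) -> set:
    return {app for app in POLICIES if evaluate(req, app)[0]}


# Constructed scenario: an attacker has phished a finance user's password and
# logs in from an unmanaged device in a country the user has never used.
PHISHED = Request(
    user="alice", groups=frozenset({"staff", "finance"}),
    device=Device(managed=False, os_patched=True, risk_score=0),
    mfa=False, country="RO", usual_countries=frozenset({"US"}),
)
# The same user on her normal, healthy corporate phone.
LEGIT = Request(
    user="alice", groups=frozenset({"staff", "finance"}),
    device=Device(managed=True, os_patched=True, risk_score=5),
    mfa=True, country="US", usual_countries=frozenset({"US"}),
)

if __name__ == "__main__":
    for name, req in (("phished", PHISHED), ("legit", LEGIT)):
        print(name, "VPN:", sorted(vpn_reachable_apps(req)),
              "ZTNA:", sorted(ztna_reachable_apps(req)))
        for app in POLICIES:
            print("  ", app, evaluate(req, app))
```

With the phished credential, the VPN model exposes every app, while the per-app evaluation leaves the attacker with nothing but the low-value wiki; payroll is refused for lack of MFA before the device posture is even consulted, and the OT console is out of reach because the user was never entitled to it. The same user on her managed, patched phone gets exactly the two apps her role needs.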

Modernize your on-premises applications.

Many organizations still host applications in their own data centers and expose them directly to the internet. To secure them, put them behind cloud access policies that cloak the app: it is hidden from the public internet, so it cannot be scanned or probed, while authorized users can still access it from anywhere. Not only does this provide granular access controls, it also extends the strong-authentication benefits that SaaS applications enjoy to your on-premises software and ensures that unauthorized users cannot discover or access your infrastructure.

To learn more about how you can implement these steps, check out the Lookout Zero Trust Network Access (ZTNA) solution.
