Pipeline Ransomware Attack Underscores Urgent Need for Risk-Based, Automated Decision Support

Colonial Pipeline ransomware

The ransomware attack on Saturday against the Colonial Pipeline company not only shut down operations across one of the nation’s most important 5,500-mile energy infrastructures but it exposed a major weakness in the national cybersecurity strategy that has been 20 years in the making: Critical infrastructure cybersecurity must adopt a risk-led security strategy backed by a real-time decision and operational support system.

Yet, one doesn’t need to go back 20 years to understand the inevitability of this attack. The warning lights have been blinking red since the Russian threat group known as Sandworm took down the Ukrainian power grid in 2016. A year later, the NotPetya ransomware attack cost shipping company Maersk and FedEx $300 million each. We knew an incident like the one targeting Colonial Pipeline was coming.

This latest incident should be a red line for U.S. critical infrastructure owners, operators, regulators, and the Department of Homeland Security. Although much work has gone into hardening industrial control systems during the last decade, they remain vulnerable to a wide variety of cyber threats because of connections between business and operational networks. These interconnections lay bare the networks that power our economy and way of life — networks that now face cyber attacks and adversaries that are increasing in sophistication.

Meanwhile, owners and operators of critical infrastructure have something in common with the larger business community: Their security leaders have been unable to command a conversation with business executives about cyber risk. The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritize cyber risks within the context of our individual businesses an urgent priority.

Risk, Threat, Response

President Barack Obama put the nation on course to adopt a risk-led cybersecurity strategy in 2013 when he issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. That was followed by additional measures put in place during the Trump administration. But it was the 2013 order that produced what became known as the NIST Cybersecurity Framework. The vision for the Framework was to produce “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”

Today, the Framework remains a “living” document. But even living documents are not sufficient to address the cyber risk prioritization needs of critical infrastructures and they are incapable of turning threat intelligence into action. At ThreatConnect, we believe the first step in defending our nation’s critical infrastructure starts with understanding the strategic advantages of shifting to a risk-led security program. Without understanding that risk is a business issue, not a technical issue, critical infrastructure owners and operators will likely not focus their resources on the right things.

That’s why we developed the Risk-Threat-Response strategy. Business leaders who understand the risk, threat, response paradigm are better equipped to understand prioritization and resource allocation.

In a statement released Monday on its website, the ransomware group DarkSide claimed responsibility for the attack on Colonial Pipeline. https://www.nytimes.com/2021/05/10/us/politics/dark-side-hack.html

Keeping pace with today’s advanced adversaries – and specifically with the adversaries that matter most to your particular organization – also requires a focus on cyber threat intelligence. Without this focus, this core security concern will remain for years to come. But to develop an effective cyber threat intelligence (CTI) program, you need to constantly harvest and process knowledge about threat actors, not just specific incidents that impact your network. Knowing the who, what, where, how, and when of the adversaries’ actions is the only way to decrease their chances of success. But the volume of intelligence is so massive that tracking and understanding adversarial actions can be overwhelming. A Threat Intelligence Platform (TIP) is the only way to manage the flood of data.

However, the difference between a good CTI program and a great CTI program is in its ability to communicate value to the business in terms of risk. This is a realization that many have come to within the threat intelligence community and a core reason why the discussion around cyber risk quantification is heating up in these circles. It factors heavily into ThreatConnect’s decision to acquire one of the pioneers in cyber risk quantification in late 2020.

By adding context and enriching our understanding of threats and vulnerabilities, a great CTI program helps inform an organization’s risk quantification platform and aligns the entire business to the threats that matter most based on primary (initial response) and secondary loss (the damage that comes to the business as a result of the breach) magnitude.

Threat data also feeds your security orchestration, automation, and response (SOAR) platform — all of which should be accessible through a single dashboard. Businesses and organizations today tend to be in a constant state of reacting to threats, vulnerabilities, and incidents. That’s a recipe for disaster in a world of highly sophisticated criminal and state-sponsored adversaries, like the group suspected of carrying out the Colonial Pipeline ransomware attack.

While some organizations do not have a formally defined intelligence function on their team, the concept of using what you know about the threat-space to inform your operations exists in all organizations. Regardless of whether an explicitly named threat intelligence analyst employee is on staff, the relationship between intelligence and operations is fundamental and present in all security teams.

As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.

ThreatConnect was the first company to bring intelligence-driven SOAR to market…making it possible to drive this collaboration between intelligence and operations.

Bridging the gap between cybersecurity and the business, however, remains an aspirational goal for many who struggle to understand where to begin. We cannot allow this situation to continue in the critical infrastructure space.

Having a living Cybersecurity Framework is important. But what’s more important is having a risk-informed decision and operational support platform that can help critical infrastructure owners prioritize and focus on the risks that matter most, and can leverage threat intelligence to drive orchestrated response.

Dan Verton
About the Author
Dan Verton

Dan Verton is ThreatConnect's Director of Content Marketing. Dan is an award-winning journalist and a former intelligence officer in the U.S. Marine Corps. He has authored several books on cybersecurity, including the 2003 groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill) and The Hacker Diaries: Confessions of Teenage Hackers (McGraw-Hill). He has a Master of Arts in Journalism from American University in Washington, D.C.

Share

Subscribe