Of Rogues, Fear and Chicanery: The Colonial Pipeline Dilemma and CISO/CSO Priorities


The Colonial Pipeline Dilemma

The Colonial Pipeline is one of a number of essential energy and infrastructure assets recently targeted by the global ransomware group DarkSide and other aspiring non-state actors with access to the latest technology, top hackers, financing and, often, nation-state backing. What is a company’s Chief Information Security Officer (CISO) to do when facing off against a well-armed adversary who comes prepared for battle with advanced, precision weaponry and intelligence capabilities? How should CISO/CSOs respond to ransomware demands when the alternative may be data breach, compromise, leakage or worse — critical infrastructure asset impairment? CISO/CSOs of mid- to large-cap global industrial and financial services companies are particularly vulnerable, so it is important to analyze how their thought processes – and the actions they take pre- and post-event – may help knock nefarious actors off their stride.

Without Warning


This attack came without warning, trace or fingerprint. The government had no idea how the cyberattack occurred or where it came from, nor did it attempt to intervene — the recent SolarWinds compromise and the US Administration transition have our G-men in reactive mode. Following the initial ransomware demand delivered to Colonial Pipeline leadership, one may safely assume that DarkSide lurked prominently in the picture. This may – or may not – be the case, as DarkSide operates through proxies and loosely defined ‘affiliate’ relationships with extortion-focused cybercriminals operating from their bedrooms — or the local Costa café. DarkSide is the equivalent of a sophisticated terrorist network leveraging fear, anarchy and commercial loss as its weapons of choice. DarkSide requires payment in bitcoin, further clouding individuals’ identity, domicile and formal associations. Combating DarkSide requires global coordination, intestinal fortitude and genuine resolve – elements very much absent as the world hesitantly emerges from the Covid crisis.

Leadership Responsibility

It’s easy to see why today’s security leadership elects to ante up the typical ‘ask’ by DarkSide and others of similar orientation – $5-10 million – to decrypt encrypted files and prevent dissemination of the company’s (or government agency’s) crown jewels to the public. And how can you blame the CISO/CSO for taking this most logical course of action? Shareholders don’t want to see a company go bankrupt, Directors and the CEO have a fiduciary responsibility for continuity of operations, and employees don’t want to lose their jobs. But that may be the easy, band-aid solution that only solves today’s most pressing operational assault. The bad guys have a narrow attack window, but that attack window is now and can be devastating if a company does not take immediate action to address the breach.

Security War

Simply stated, this is a war, and you don’t let your opponents know your battle plan. Cyber companies often jump out in front of hacks and phishing attempts to promote their solutions and business models. Earlier this year, ProPublica published a dark-web post by DarkSide in which the ransomware gang thanks Bitdefender, a Romania-based private anti-malware company, for publicly announcing its development of a decryption utility capable of parrying DarkSide attacks. DarkSide now knew that it had to address the issue, and it quickly returned to the driver’s seat, regaining the upper hand. Is it better that security solutions purveyors share real-time developments with the broader public, or should vendors instead discreetly alert select customers (and partners) to breaches and phishing efforts so that CISO/CSOs can decide for themselves and their companies how to respond?

Negotiating With Bad Actors

CISO/CSOs are exposed, have constrained budgets, and are the ‘neck to choke’ when a company’s data or technology operations are compromised. It is no wonder that the average tenure of a CISO at $1B+ companies in the US is 26 months. They have to be in front of the car crash, anticipate the terrorist/hacker and keep the engines running. They are also required to be nimble, quick decision-makers who work across the company without direct reporting lines, liaising closely with their colleagues running Risk & Compliance, Data Security and Investor Relations and, of course, the General Counsel. While the buck stops with the CISO/CSO, the final decision and eventual expenditure – however that may be manifested – lie with the CFO and CEO. The CISO/CSO can shut down operations, as Colonial Pipeline did, affecting millions of East Coast consumers and raising the ire of public and private sector constituents alike. S/he can engage in ransomware negotiations, or simply refuse to pay the bad actors and hope that they (and the attacks) go away. Security leadership wants the issue to disappear as quickly as possible, but there is no guarantee that DarkSide and others will not return under a different guise and operation and increase their demands the next time. Pay the mob once, and you may owe them forever.

So how should CISO/CSOs address this emerging, highly profitable and unregulated business model known as “Ransomware as a Service” (RaaS)? Recruiting and collaborating with the right talent is key.

  • First and most importantly – be prepared. Assess continuity of operations together with key internal stakeholders, and do a dry run of a potential major attack on technology assets and infrastructure.
  • Next, together with the GC and Head of Risk & Compliance, review the cyber insurance policy to know where gaps may exist in coverage and where fortification may be required – DarkSide knows insurance riders, focuses on areas of vulnerability, and is well aware that insurance companies do not cover all elements of breach and intrusion.
  • Form an internal rapid-response SWAT team that is deployed immediately upon discovery of a successful phishing attempt or attack. This group is diversely skilled, ideally composed of ex-hackers, individuals familiar with Dark Web activity, and mid-career professionals with consulting experience across a broad industry clientele. At the same time, this SWAT team would establish policies and procedures covering responsibilities and actions to take, sequencing of operations, reporting structures and chains of command. This would be the equivalent of a Special Ops cyber team that is battle tested and can face off against the adversary knowing how the adversary thinks and reacts. The team is a mobile combatant with all of the technology, know-how and experience that the terrorist has, and much more skin in the game.
  • Closely monitor all employee work-from-home arrangements and the company’s VPN access points.
  • Brief the CEO and key internal stakeholders regularly, which these days may be as frequently as every few weeks, to listen, learn and educate. Raise the topic via the CEO to Board level, so that Board Directors understand the risks and exposures faced and, no less important, their personal liability in the event of a major incident.
  • Ensure that you have on staff individuals steeped in the latest cyber solutions, penetration testing and remote access trojan (RAT) malware. Battle scars are gained through experience, and individuals who have been through cyberattacks are in increasing demand in today’s highly competitive war for cyber talent.
  • An idea gaining traction in public sector circles is the formation of a CISO/CSO industry council to lobby sovereign governments to ban cryptocurrency, as this is the exclusive currency demanded by hackers, to the tune of no less than $350 million in reported cryptocurrency extortion payments made in 2020.

CISOs and CSOs are the critical linchpins in effectively managing your company’s RaaS extortion policy and strategy. Insuring and protecting your assets are just two small links in the chain. DarkSide and other non-state actors know your vulnerabilities and are probing them on a daily and hourly basis. Vigilance is imperative.

By Martin Mendelsohn
