{"id":114570,"date":"2021-06-10T08:06:43","date_gmt":"2021-06-10T12:06:43","guid":{"rendered":"https:\/\/cloudtweaks.com\/?p=114570"},"modified":"2024-02-15T05:51:32","modified_gmt":"2024-02-15T10:51:32","slug":"colonial-pipeline-dilemma-ciso","status":"publish","type":"post","link":"https:\/\/cloudtweaks.com\/2021\/06\/colonial-pipeline-dilemma-ciso\/","title":{"rendered":"Of Rogues, Fear and Chicanery: The Colonial Pipeline Dilemma and CISO\/CSO Priorities"},"content":{"rendered":"

<h1>The Colonial Pipeline Dilemma</h1>

<p>The Colonial Pipeline is one of a number of essential energy and infrastructure assets recently targeted by the global ransomware group DarkSide and other aspiring non-state actors with access to the latest technology, top hackers, financing and, often, nation-state backing. What is a company's Chief Information Security Officer (CISO) to do when facing off against a well-armed adversary who comes prepared for battle with advanced, precision weaponry and intelligence capabilities? How should CISO/CSOs respond to ransomware demands when the alternative may be data breach, compromise, leakage or worse: critical infrastructure asset impairment? CISO/CSOs of mid- to large-cap global industrial and financial services companies are particularly vulnerable, so it is important to analyze how their thought processes, and the actions they take before and after an event, may help knock nefarious actors off their stride.</p>

<h2>Without Warning</h2>


<p>This attack came without warning, trace or fingerprint. The government had no idea how the cyberattack occurred or where it came from, nor did it attempt to intervene, as the recent SolarWinds data compromise and the US Administration transition have our G-men in reactive mode. Following the initial ransomware demand delivered to Colonial Pipeline leadership, one may safely assume that DarkSide lurked prominently in the picture. This may, or may not, be the case, as DarkSide operates through proxies and loosely defined 'affiliate' relationships with extortion-focused cybersleuths operating from their bedrooms, or the local Costa Café. DarkSide is the equivalent of a sophisticated terrorist network leveraging fear, anarchy and commercial loss as its weapons of choice. DarkSide requires payment in bitcoin, further clouding individuals' identity, domicile and formal associations. Combating DarkSide requires global coordination, intestinal fortitude and genuine resolve, elements very much absent as the world hesitantly emerges from the Covid crisis.</p>

<h2>Leadership Responsibility</h2>

<p>It's easy to see why today's security leadership elects to ante up what is the typical 'ask' by DarkSide and others of similar orientation, $5–10 million, to decrypt encrypted files and prevent dissemination of the company's (or government agency's) crown jewels to the public. And how can you blame the CISO/CSO for taking this most logical course of action? Shareholders don't want to see a company go bankrupt, Directors and the CEO have a fiduciary responsibility for continuity of operations, and employees don't want to lose their jobs. But that may be the easy, band-aid solution, and it will only solve today's most pressing operational assault. The bad guys have a narrow attack window, but that attack window is now, and it can be devastating if a company does not take immediate action to address the breach.</p>

<h2>Security War</h2>

<p>Simply stated, this is a war, and you don't let your opponents know your battle plan. Cyber companies often jump out in front of hacks and phishing attempts to promote their solutions and business models. Earlier this year, ProPublica published a dark web post by DarkSide in which the ransomware gang thanks Bitdefender, a Romania-based privately held anti-malware company, for making public its development of a decryption utility capable of parrying DarkSide attacks. DarkSide now knew that it had to address the issue, and it quickly returned to the driver's seat, regaining the upper hand. Is it better that security solution purveyors share real-time developments with the broader public, or should vendors instead discreetly alert select customers (and partners) to breaches and phishing efforts so that CISO/CSOs can decide for themselves and their companies how to respond?</p>

<h2>Negotiating With Bad Actors</h2>

<p>CISO/CSOs are exposed, have prescribed budgets, and are the 'neck to choke' when a company's data or technology operations are compromised. It is no wonder that the average tenure of a CISO at $1B+ companies in the US is 26 months. They have to be in front of the car crash, anticipate the terrorist/hacker and keep the engines running. They are also required to be nimble, quick decision-makers, and to work across the company without direct reporting lines, liaising closely with their colleagues running Risk &amp; Compliance, Data Security, Investor Relations and, of course, the General Counsel. While the buck stops with the CISO/CSO, the final decision and eventual expenditure, however that may be manifested, lie with the CFO and CEO. The CISO/CSO can shut down operations, as Colonial Pipeline did, affecting millions of East Coast consumers and raising the ire of public and private sector constituents alike. S/he can engage in ransomware negotiations, or simply reject paying the bad actors and hope that they (and the attacks) go away. Security leadership wants the issue to disappear as quickly as possible, but there is no guarantee that DarkSide and others will not return under a different guise and operation and increase their demands the next time. Pay the mob once, and you may owe them forever.</p>

<p>So how should CISO/CSOs address this emerging, highly profitable and unregulated business model known as 'Ransomware as a Service'? Recruiting and collaborating with the right talent is key.</p>