By Bob Maley, CSO at Black Kite

Last week’s attack on Colonial Pipeline has put the spotlight back on cybersecurity. Though I’ve been asked several times if the $4.4 million ransom could have been avoided, I know the real question is whether there were signals that could have detected bad actors were targeting the U.S. oil giant.

The short answer: Yes. But as debilitating as this attack was, it isn’t the first “wake-up call” sounding alarms across the nation, nor will it be the last. As a country that’s witnessed nearly 1,000 ransomware attacks on our critical infrastructure in less than a decade, we can’t seem to get ahead when playing cybercriminals’ game.

Many of you are probably reading this and thinking, “I’m not worthwhile to bad actors, they’d never spend their time trying to infiltrate my network”, or maybe even, “My cyber rating says I’m in good health and therefore I have nothing to worry about.” Enter: A few of the worst assumptions you can make as a risk professional.

#1: Assuming bad actors Have a Rhyme or Reason

It’s no wonder as to why a cyber attack against a U.S. oil company would stir up some geopolitical buzz. In full transparency, I do not have the confidential information necessary to confirm whether the attack on Colonial Pipeline was influenced by a foreign entity, but I’ve been around enough to believe that’s not the case.

Instead, what does sit on top of a bad actor’s checklist is ease of access. Colonial does not have a CISO, and as recently as a few months ago, Colonial Pipeline was seeking a cyber security manager. Now, I’m no bad actor myself, but it doesn’t take one to understand why, without a CISO overseeing operations, a company of that size and influence would become a prime target for ransomware.

To make matters worse, ransomware now has an ecosystem of its own. That means that an amateur bad actor could have “tested the waters” by deploying a script to test whether they could access an open port. Once connected, elementary-level criminals can then employ the help of Ransomware as a Service (RaaS), to do the real damage.

#2: Assuming bad actors Have a Moral Compass

Ransomware groups all have one thing in common: They’re extremely financially motivated. Where that money comes from, however, doesn’t necessarily influence the decision on who to target. Case-in-point being recent attacks against the Irish health system, Scripps and, hitting a little closer to Black Kite’s homebase, Care New England.

Healthcare has become a prime target for ransomware attacks because of what’s at stake if the cybercriminals’ demands are left unfulfilled. Can you imagine, however, what would happen if, instead of an oil supply cut off,  pharmaceutical manufacturers were unable to distribute necessary drugs, or hospitals couldn’t administer life-saving treatments?

Unfortunately, these scenarios aren’t all that farfetched. In fact, our Ransomware Susceptibility Index™ revealed that more than 12% of the top 200 pharmaceutical manufacturers across the globe are likely to  fall victim to a ransomware attack, while one in 10 of the companies analyzed are highly susceptible.

For more ransomware trends in the pharmaceutical supply chain, check out the 2021 Ransomware Risk Pulse.

I’m not throwing these what-if’s out there to instill fear, but rather get you to do the exact opposite. It’s time to focus on our defensive risk gameplans, rather than prescribing reactive solutions when it’s too little, too late and a bad actor has already successfully infiltrated your network.

#3: Assuming bad actors Care About an Incident Response Plan

First things first: You should always have an incident response plan in place. There’s no way around it. On the other hand, too many organizations get tunnel vision when organizing their risk management strategy. They’re so laser-focused on maintaining a “good” cyber rating, or meeting compliance standards that they miss what’s right in front of them.

Of course it matters what the people you do business with see. Still, it’s just important to understand what your world looks like from a bad actor’s perspective. Common vulnerabilities present in ransomware attacks aren’t a mere coincidence, they’re tried-and-true hacking methods. Despite Colonial Pipeline’s “good” cyber hygiene, red flags alerts were present beneath the surface, including:

  • Open Ports
  • Leaked Credentials
  • Fraudulent Domains

With ransomware becoming the most frequent and disruptive infiltration method the world has witnessed to date, it’s a wonder as to why more enterprises have yet to adopt a proactive risk mindset. If one thing’s for sure, it’s that history repeats itself. It’s not a matter of will the next ransomware attack happen, but when.

Additional Resources