The Colonial Pipeline Attack Didn’t Have to Happen
I could have stopped the Colonial Pipeline cyberattack: the one that cost the company millions of dollars and a huge ransom, and caused a gas shortage on the East Coast. I know that might sound like an aggressive claim or a click-bait title, but that is not how I mean it. It’s time to bring attention to this increasingly dangerous attack vector so we can hopefully turn the tide. No, I’m not talking about some cutting-edge cybersecurity software, AI, or counter-ransomware tooling. I’m talking about essential personal cybersecurity.
For the past few years, all I’ve thought about is the problem of individual digital security, and it’s why I founded Achilleion. But I’m not the only one. Lots of cybersecurity thought leaders have been ringing the alarm bells for years. In 2019, Martin Casado said in his fantastic speech that “The new attack surface is your life”. In Neil Daswani and Moudy Elbayadi’s book, Big Breaches, they write that inadvertent employee “mistakes” are one of the technical root causes of major breaches. They dedicate an entire section of the book to consumer personal security and go on to say “Whereas corporations have access to security professionals and more capital and tools, we lack those resources in our personal lives” and that this “impacts your ability to perform your duties and obligations for your organizations.” Daswani and Elbayadi quote Matthew Newfield, the CISO of Unisys, on post-COVID work from home: “when testing their own employees at home now, they’re seeing double the failure rates on their security tests than they saw pre-COVID.”
So, what happened with Colonial? According to Bloomberg’s reporting, the attackers got into Colonial Pipeline with a single compromised password: no phishing, and no sophisticated attack on the company’s systems to gain entry. The password turned up in a batch of leaked credentials on the dark web, and it belonged to a VPN account that was no longer in active use but had never been disabled. The attackers logged into the company’s VPN with it and went on to compromise internal systems. The VPN did not require multi-factor authentication, and nothing in the company’s own infrastructure had to be broken to get through the front door; the credential was compromised away from the company.
That means one individual’s compromised credential exposed the entire company’s systems.
Where did the attackers get the compromised password? It’s unclear whether anyone knows, but poor password management on the individual’s side is the likeliest cause. It could have been a password stolen in a large data breach of some unrelated account the individual had; it could have been tied to another email address; it could have been a reused password. Compromised passwords happen when you don’t generate a strong, unique password for every account and don’t change a password as soon as a service you used it on is breached. If you’re like most people, you reuse the same handful of passwords everywhere, and all it takes is for one random website to be breached for that password to be out there, ready to be tried against every other login you own. We’re all vulnerable, and so are all the companies we’re associated with.
A breached personal password is the simplest explanation, but it may have been more sophisticated: targeted malware or a phishing attack on the individual, away from company infrastructure, or something on their personal phone, laptop, or social media accounts. We may never know. What we do know is that Mandiant, which investigated the intrusion, found no evidence that the employee’s credentials were phished.
Of course, MFA should have been required to access the VPN, and it would have added a layer of security. But in my opinion, that wouldn’t have been enough. Suppose the attackers had compromised the individual’s devices or accounts, such as email. In that case, they likely could have found a way to capture the second factor as well, whether an SMS code or an authenticator app on the individual’s devices (a physical security key would have been far harder to defeat). The point is, the Colonial attack probably wasn’t something that could have been prevented merely by hardening the company’s systems.
I’m not trying to single Colonial out for this. It’s not their fault. But this could be a learning moment for other companies. It’s time to start taking employees’ personal security seriously. I’ve always said that individual security isn’t just something we do to protect ourselves; we also have a duty to do it to protect everyone else. What I’m talking about is no different from health insurance or gym memberships: companies have a vested interest in their employees’ digital security and privacy.
So how do I think this could have been prevented, aside from MFA on the VPN? By giving employees real security outside the company’s systems: on their personal computers and smartphones, and across all the websites and apps they use in their private lives. It comes down to why these attacks start with individuals in their personal lives and then move to the company: individuals are easy targets. We have to change that. Had the individual treated security as a process instead of a series of countermeasures, the password might never have leaked, or would have been changed before it was used. Employees could have had dark web monitoring for all their accounts, and could have used a password manager not just for their company logins but in their own personal lives.
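The leak-and-reuse mechanism described earlier and the “dark web monitoring” idea just above are both checkable in practice: a password can be tested against a breached-password corpus without ever sending the password itself. The block below is an added example, not code from the original post or from Achilleion. It simulates, offline in Python, both sides of a Have-I-Been-Pwned-style k-anonymity range lookup: the client sends only the first five hex characters of SHA-1(password), the server answers with every hash suffix it holds under that prefix, and the client finishes the comparison locally. The leaked-password corpus, the counts and all function names are constructed for illustration.

```python
"""k-anonymity breach check for passwords (added example, not the post's code).

The client reveals only a 5-hex-character (20-bit) prefix of SHA-1(password);
the server returns the (suffix, breach count) pairs under that prefix; the
client decides locally whether its full hash is among them. The "leaked"
corpus below is constructed for this example and is not real breach data.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters sent to the server; the remaining 35 stay local

# Constructed sample corpus: plaintext -> number of breaches it appeared in.
# A real service stores only hashes; plaintexts are used here only to build it.
_CONSTRUCTED_LEAKS = {
    "password123": 5,
    "Summer2021!": 2,
    "letmein": 9,
    "qwerty": 12,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format range APIs commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaks: dict) -> dict:
    """Server side: bucket hashes by prefix so a query never needs the full hash."""
    index = defaultdict(list)
    for plaintext, count in leaks.items():
        digest = sha1_hex(plaintext)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return dict(index)


SERVER_INDEX = build_range_index(_CONSTRUCTED_LEAKS)


def range_query(prefix: str) -> list:
    """Server side: (suffix, count) pairs for one prefix; no plaintext, no full hash."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
    return list(SERVER_INDEX.get(prefix, []))


def breach_count(password: str, query=range_query) -> int:
    """Client side: how many breaches contain this password, without revealing it.

    Only the prefix crosses the wire; every hash sharing that prefix comes back,
    so the server cannot tell which of them (if any) the client holds.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy check in the spirit of NIST SP 800-63B: reject known-breached passwords."""
    return len(password) >= min_length and breach_count(password) == 0


if __name__ == "__main__":
    for pw in ("password123", "Summer2021!", "tarp-lantern-copper-vines"):
        verdict = "ok" if is_acceptable(pw) else "reject"
        print("%-28s %2d breach(es)  %s" % (pw, breach_count(pw), verdict))
```

The same client function works unchanged against a real range API if `query` is swapped for a function that performs the HTTP request; the point of the design is that a VPN or identity provider can screen every password set or rotated by an employee against leaked corpora while learning nothing more than a 20-bit prefix of it.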
The big takeaway from this attack isn’t about the proliferation of ransomware. It should be about everyone’s duty to take personal security more seriously.