080 - Implications of the Colonial Pipeline attack with Bri Andersen and Aaron Rosenmund

May 18, 2021

Two members of Pluralsight's security curriculum team discuss the implications of the Colonial Pipeline ransomware attack, and what security leaders and companies can learn to protect themselves against similar attacks in the future. Pluralsight courses and paths mentioned in this conversation:


If you enjoy this episode, please consider leaving a review on Apple Podcasts or wherever you listen.

Please send any questions or comments to podcast@pluralsight.com.

Transcript

Seth Merrill:

Hello, and welcome to All Hands on Tech, conversations with top voices in software development, machine learning, cloud, security and leadership. I'm Seth Merrill. For today's episode, I reached out to two members of Pluralsight's security curriculum team to discuss the implications of the recent Colonial Pipeline ransomware attack, including the takeaways for companies and leaders of security organizations and the technology skills that are necessary to prevent similar attacks in the future.

Today, we're going to be talking to Bri Anderson, who's the Curriculum Manager for Information and Cybersecurity at Pluralsight. And we'll also be talking to Aaron Rosenmund, the Director for Security Research and Curriculum at Pluralsight. And so what we're talking about today is the Colonial Pipeline attack. Today, we really want to dig into the security aspect of this attack, how it happened and what the implications are for technology leaders. So with that said, Bri, maybe you could give us an overview of what happened. How did it happen and what has the impact been?

Bri Anderson:

Yeah, definitely.

So Colonial Pipeline is a gas company. If you don't know, they operate one of the largest pipelines that delivers gas and oil along the East Coast. I think it's like 5,000 miles or something like that, a pipeline. So their IT network was hit with ransomware. We'll discuss it later, it's called DarkSide. So kudos to the name of the ransomware, honestly, but it did halt their operations because the hack was on the IT network. They lost connection to their email servers. Their internal communications, some of those resources were gone. However, because the hack was on their IT network, it was not actually connected to the control systems that control the pipeline.

So that's a really good point to make as a security recommendation: for anything that does industrial control, or infrastructure companies like that, it's a good recommendation to keep those systems separate, in case an event like this happens. It doesn't actually stop the control systems that control the critical infrastructure. So Colonial did pay the ransom. I think I saw it was a $5 million ransom. DarkSide itself is a well known ransomware-as-a-service group. And they have, I think, come out and said, sorry, this is not politically affiliated. We're mostly just here for monetary gain.

Seth Merrill:

Yeah, it's fascinating. You talk about ransomware as a service, and me, I don't come from a technical background, and this was the first time I've kind of heard that term, and it almost sounds innocuous in the context of something that is actually pretty terrifying and pretty scary, I think for a lot of people. I wonder, Bri and Aaron, can you talk a little bit about what ransomware as a service means and maybe provide some context for why that ransom would have been paid?

Aaron Rosenmund:

I see what you mean about "as a service", you mean like nice and fluffy, right? I use email as a service, and Netflix is basically childcare as a service.

Seth Merrill:

Exactly.

Aaron Rosenmund:

But how could ransomware as a service be bad? They're providing the service to the community. Right?

Seth Merrill:

Exactly.

Aaron Rosenmund:

Man, there's this weird, I don't know if it's a dichotomy, kind of like how ransomware criminal organizations view themselves and how everybody else views them. Right. And it would be a perfect time to have an awesome meme for that, but the great thing is that they think, or at least act as though they truly think, they're doing everyone a service. This is just the most expensive pen test that Colonial Pipeline's ever paid for. Right. That's how they view it.

We provide this as a service. Bri mentioned it. I think you saw it too. They had rules about it: people who use our ransomware aren't allowed to, for one, hit any former Soviet Union states, so that's one thing. Right. And they want to deal mainly with Russian-speaking individuals. So that's one piece of it, take that as you will.

But the other piece of it is, they won't hit anyone that's supplying COVID vaccines, or you're not allowed to hit government entities. And then I said, non-government organizations. I'm pretty sure that between those two things, that's everything. But it's just weirdly written. And really this is an organization saying, we'll take 10% of your profit if you use our software to perform a ransomware attack.

So when we say it's DarkSide ransomware as a service, it doesn't necessarily mean that it was the organization behind DarkSide that performed this attack on Colonial; that's just the software that was used. Right. So that's kind of the difference. It's the same way that if I used Gmail to encrypt Colonial Pipeline's stuff, it wouldn't be Google's fault. It'd be my fault. But I happened to use Gmail. Right.

Seth Merrill:

Right. I was just going to say, is that also an easy way for them to be like, hands off, it wasn't us, it was an affiliate of ours? Right.

Aaron Rosenmund:

Yeah.

Bri Anderson:

So they actually have to be attributed to the attack.

Aaron Rosenmund:

Yeah. It could be, right. It's really hard to tell. I think there'll probably be some good intel coming out soon on actual attribution. But I have seen that, and I've heard other people talking about that a lot recently, like, oh, well, it's obviously Russia or whatever. And we just got over SolarWinds, which had its own bits of attribution, but, well, not necessarily. Right.

It was a group that sells this as a service, quote unquote. Right. And it could have been anybody, really. So it's kind of like, hey, I have access to something. I'm pretty sure I could extort them for money, which, I don't know, that's probably not a common thing, but that's what groups do. Right. Someone clicked the wrong email and now I could totally exploit this company for money because I happen to be in Colonial Pipeline. But what do I do? I don't have my own ransomware. And then they're like, well, let me go look on the dark web. And they're like, oh, sweet. Ransomware as a service. That's awesome. I'll totally give you 10% and I'll use your stuff. And then they pay for you and everything. The whole deal. It's like the eBay of ransomware.

Seth Merrill:

Yeah. It's so fascinating. As I was reading about it, Robin Hood came up a lot in terms of having some kind of honor about not hitting those who are underprivileged or in vulnerable communities, but it's so fascinating to me to dig in maybe a little bit more about the ransom. My kind of context around paying ransoms is Hollywood heist movies, where whenever there's a hostage situation, they always bring in someone ... The action hero or whoever it is always yells, we don't negotiate, we don't pay ransoms, and things like that. So when I see a $5 million ransom being paid for something like this, my question is, how do they make that consideration? Does that raise concerns over whether it then incentivizes further attacks like this? And I wonder if you can give me a peek into the mind of a company like this and how they would make that consideration to pay that ransom versus the cost of not paying it, and what happens if they don't pay it?

Aaron Rosenmund:

We talked about this a lot, but one thing that's interesting that you just asked is, does this incentivize it to continue to happen? I mean, this has been happening for a long time. We're just all talking about ... When I say all of us, I've talked about it forever. Bri's talked about it all the time. But I mean, this isn't a new thing, and the ... It really comes down to money, right? So, is 5 million cheaper than keeping the pipeline shut down? I don't know.

Seth Merrill:

Yeah.

Aaron Rosenmund:

That's their money decision. I hate to make it that simple, because that makes it a short answer to the question. But that's just been the case across every other organization too. It's like, will my insurance cover it? Awesome. What's the deductible? Sweet. That's way cheaper than three more days of not having my data. End of decision.

Bri Anderson:

Yeah. It's going to be interesting to see what happens down the line, because as I was reading and digging into this as well, I know it's basically an insurance company thing, right? The insurance companies fork out the money, or decide to or not to, but I think it's becoming more and more prevalent that insurers are drawing a line in the sand and saying we're not going to cover ransoms anymore for ransomware attacks. So, to see how that's going to change attackers' mindset is going to be interesting.

Aaron Rosenmund:

You brought up a good point, Bri, about them not paying more recently. And also that ends up, when you say, back to the ... Oh, it was Russia. Because they talked about the FSU, or former Soviet Union states. As soon as you make it a state actor, a lot of that ... There's a clause in most cyber insurance that says now we don't pay anymore, because this is an act of war. It's like an act of God. Right. It's like any other insurance rider, and so there's a part there where a lot of insurance companies have been like, oh, you said it was some nation state, we're out. Right. And now you're on your own.

Seth Merrill:

It seems like when attacks like this one cross over from just being a cyber attack into affecting infrastructure and people's ability to get gasoline, for example, it becomes more top of mind for a lot of people. So Bri, I wanted to ask you a little bit, what's the takeaway or learning from something like this for companies, for security professionals, for everyday people?

Bri Anderson:

Right. No, I love what you said, this is being more visible to the public, and because everyone is reliant on oil and gas, they care. Aaron and I were just talking about the state of Oklahoma, which also got hit by ransomware, but you don't hear that in the press because it doesn't affect the public. Right. So I mean the takeaways or learnings for companies, it kind of always is the same answer, it comes down to money, right?

Cybersecurity is expensive, getting a team of well-trained cybersecurity professionals is expensive, and that's kind of what the risk managers are there for. And more and more often those risk managers see profit gain over cyber risk. So that's kind of the takeaway for companies, and we're coming off the back of SolarWinds and the Exchange breach and all these different critical infrastructure attacks. I really like what you said, that it's becoming much more well known in the public that this is something we really have to rely on and invest in.

Seth Merrill:

So Aaron, we touched on this a little bit at the start of this conversation, but I wonder if you can walk us through the particulars of the attack, just based on ... I know that the info we have is really limited, but based on what we have, if you could maybe talk through, what was the vulnerability, how common is that vulnerability? Is it something that other companies should be worried about?

Aaron Rosenmund:

Yeah. I think that the interesting part is that, from all the indicators I've seen so far, it really seems like a generic ransomware attack. So it makes it even more ... Funny is not the right word, but it makes it even more interesting to watch the world react like, oh my goodness, I can't believe we got hit, I didn't really realize we were this vulnerable. I'm like, this happens all the time.

This is a very run-of-the-mill ransomware attack. Most likely, if you look at groups that use DarkSide as a service, it's most likely phishing, or it's going where they click the link they shouldn't have. There are indicators that I've seen come out from different sources that show PowerShell scripts that pull down stagers that run Cobalt Strike beacons, right? Cobalt Strike's a tool.

It's a framework that's used for managing red team operations, or just managing infected machines and pivoting through those machines to gain access to other machines, and hiding with an implant that's called a beacon, that sits in memory as opposed to on the disk, just occupies space in the memory. It was also used for SolarWinds, to drop malware in the SUNBURST malware, and is also used for a bunch of other stuff, right? It's the commodity way to maintain these connections. Now I think Bri also was telling me she saw some stuff that referenced Exchange. Right, Bri?

Bri Anderson:

You know, I saw that, and then in the same breath I saw that neither Microsoft nor FireEye (FireEye's incident response team is handling this incident) confirmed or believed that the outdated version of Exchange that Colonial was using had anything to do with the attack, but it's possible.

Aaron Rosenmund:

But they were using the outdated version.

Bri Anderson:

Yep.

Aaron Rosenmund:

Yeah. So maybe from a threat actor motivation, regional perspective, it might be a little weird for more of an Asia Pacific threat actor, or supposed threat actor, kind of vector, mostly being used with Exchange. Now it could have been anybody, it got used by a lot of people, but that was kind of the vector, versus a group using an Eastern European threat actor group. Maybe they collide. That's fine. So it could have been any of those things, but very likely it's one of the things that it's always been. It's phishing, it's RDP with bad credentials, credentials that they stole from LinkedIn, right.

Bri Anderson:

Or just outdated infrastructure. Right?

Aaron Rosenmund:

Yeah.

Bri Anderson:

I think I saw the CEO had a plan to put a good security and IT governance plan in place, like that was on the docket. It just ... That kind of stuff gets pushed aside.

Seth Merrill:

To me, I think the interesting perspective that you two have on this is that you're both heavily involved with the Pluralsight Skills product, and I'm curious, as you look at this attack and you think of the skills necessary to prevent something like this. I think, obviously, it's a lot of education around helping employees, especially those with non-technical backgrounds, recognize phishing attacks and things like that. But I'm curious what other hard technical skills come to mind as really prevalent and important when attacks like this come into the news.

Bri Anderson:

Yeah. I mean, you're a hundred percent right. The first step is always security awareness and good security awareness programs. And they're hard to find for companies, good ones that are engaging and that make people show interest. And obviously incidents like this, like I said, that affect the whole general public, just making everyone more security aware, whether you're in tech or not, is important. In the same aspect, there's just such a gap in the industry for security professionals in general. And that's kind of what Aaron and I do day-to-day, try to build curriculum to try to bridge that gap. I mean, we talk about this often, but there's so much assumed knowledge that you need to have to work in security, and you look at general higher education programs, or colleges around the area. Everyone has an IT program or an IT major or a CS major. It's a little bit harder to find a cybersecurity focus.

Aaron Rosenmund:

Yeah. To add to that, the interesting part about ... Even in the particulars of the attack, like I mentioned, Cobalt Strike, right. But from there they downloaded stuff called Advanced IP Scanner, called NetScan, called PC Hunter, called ADRecon, and used it while it was named that thing. Right. These are known tools that, I don't want to say bad guys, but I mean, are used to enumerate networks internally, and it wasn't caught, right?

This wasn't like they wrote everything custom and it's crazy. It wasn't even SolarWinds level. That's still really difficult, even though that could have been prevented too. And then I saw some reference, I don't know if it's fully come out about this yet, that they were using a Tor proxy. So you make a service on a box that will connect to the ... It's the dark net, it's the onion web, right.

Using the Tor service. And then you have it connect to RDP. And that way you can RDP through Tor back into this network you've compromised. Well, if you see traffic into your network from any Tor node, that's bad, that should absolutely be blocked. Right? And so it's all these basic things that you can go into Splunk and look for. You can go into Splunk and look for the Advanced IP Scanner .exe, and see if that's run in any of the processes.

You can do that in Elastic, in whatever your SIEM is. You can leverage a lot of the tools that we teach in our red team and blue team tools capabilities to go find this stuff in your network with really simple searches, as well as more advanced stuff if you want to get there, but this stuff wasn't even caused by something extremely advanced. It was standard criminal-organization-level tradecraft, known tradecraft. So that's all the stuff that we teach. And those skills, Security Event Triage is another good one. That's for security analysts to go take a look at that. But yeah, that's where the gap is. And when we talk about that gap, it's really more from, and I don't think they just didn't have the focus there to have those people there in the first place.

Seth Merrill:

Yeah. And we'll make sure to include the links to some of these courses that you're mentioning in the show notes. Aaron and Bri, thank you so much for taking the time to talk about this. I want to give you both an opportunity to leave with one final thought or takeaway for our audience about this news story, this attack.

Bri Anderson:

Yeah. I think it's everything we covered. It's just more awareness. These attacks are big. Just in the last six months we've had some of the biggest cybersecurity attacks we've seen in the last decade, and they're not slowing down anytime soon, really. We have to ... As an industry, look at making it more feasible to get good cybersecurity in our infrastructure. Right. And then you mentioned specific content. If anyone wants to look at more specific content around malware, ransomware, different types, we have a specific path that is episodic and reunitive, that we're continuously putting out. It's called Malware Prevention, Detection and Response. And it hits very particular types of malware that companies can learn about and know how to protect themselves from.

Aaron Rosenmund:

I'm going to take it in a bit of a different direction, because I feel like this specific instance provides a certain type of soapbox that I don't always get when I talk about malware attacks. But really what we saw here, and everyone's talking about, is critical infrastructure being addressed like, oh no, they attacked, is our critical infrastructure really this vulnerable? That's every other headline, right? What are we going to do? Knee-jerk reaction.

And you mentioned it at the very beginning, this was a standard ransomware attack on standard IT systems that happened to be adjacent to, and mainly run by, a company that runs what we call OT, or operational technology, or ICS, SCADA, if you haven't heard the OT term, that runs the pipeline. So yes, if that threat actor had the motivation to then continue to access that OT stuff and turn a valve off and then keep the pump up on the other side of the pressure and then blow stuff up.

Could that happen? Maybe, but that wasn't ... This shut down because the stuff was adjacent to it. They didn't directly attack the pipeline. It's that they attacked the company's IT systems. I just want to make that the point. But what's interesting about that is that it really makes the line between what's IT and OT very wide, right? That's a really thin line. It's like, oh, well, if it's the same, it's the same defenses. If you look at the top vulnerabilities for OT and the top vulnerabilities for IT, they're pretty much exactly the same, because you access OT through IT. That's kind of something that got highlighted here, and they're like, yeah. So anything that's remotely associated with the IT system is just as vulnerable as the IT systems. It shouldn't be a new revelation, but it seems like it is, based off this story, maybe to the broader public. And that would be what I want to leave with.

Seth Merrill:

That's it for today's episode. Please check the show notes for links to some of the Pluralsight security courses and learning paths mentioned in this conversation. To listen to past episodes of All Hands on Tech, visit pluralsight.com/podcast.