Of Rogues, Fear and Chicanery: The Colonial Pipeline Dilemma and CISO/CSO Priorities

The Colonial Pipeline is one of a number of essential energy and infrastructure assets that have recently been targeted by the global ransomware group DarkSide and other aspiring non-state actors with access to the latest technology, top hackers, financing and, often, nation-state backing. What is a company’s Chief Information Security Officer (CISO) to do when facing off against a well-armed adversary who comes prepared for battle and has advanced, precision weaponry and intelligence capabilities? How should CISO/CSOs respond to ransomware demands when the alternative may be data breach, compromise, leakage or worse — critical infrastructure asset impairment? CISO/CSOs of mid- to large-cap global industrial and financial services companies are particularly vulnerable, so it’s important to analyze how their thought processes – and the actions they take pre- and post-event – may help knock nefarious actors off their stride.

Without Warning


This attack came without warning, trace or fingerprint. The government had no idea how the cyberattack occurred or where it came from, nor did it attempt to intervene — as the recent SolarWinds data compromise and US Administration transition have our G-men in reactive mode. Following the initial ransomware demand delivered to Colonial Pipeline leadership, one may safely assume that DarkSide lurked prominently in the picture. This may – or may not – be the case, as DarkSide operates through proxies and loosely defined ‘affiliate’ relationships with extortion-focused cyber operators working from their bedrooms — or the local Costa Café. DarkSide is the equivalent of a sophisticated terrorist network leveraging fear, anarchy and commercial loss as its weapons of choice. DarkSide requires payment in bitcoin, further clouding individuals’ identity, domicile and formal associations. Combating DarkSide requires global coordination, intestinal fortitude and genuine resolve – elements very much absent as the world hesitatingly emerges from the Covid crisis.

Leadership Responsibility

It’s easy to see why today’s security leadership elects to ante up the typical ‘ask’ by DarkSide and others of similar orientation – $5-10 million – to decrypt encrypted files and prevent dissemination of the company’s (or government agency’s) crown jewels to the public. And how can you blame the CISO/CSO for taking this most logical course of action? Shareholders don’t want to see a company go bankrupt, Directors and the CEO have a fiduciary responsibility for continuity of operations, and employees don’t want to lose their jobs. But that may be the easy, band-aid solution, and it will only solve today’s most pressing operational assault. The bad guys have a narrow attack window, but that attack window is now, and it can be devastating if a company does not take immediate action to address the breach.

Security War

Simply stated, this is a war, and you don’t let your opponents know your battle plan. Cyber companies often jump out in front of hacks and phishing attempts to promote their solutions and business models. Earlier this year, ProPublica published a dark web post by DarkSide in which the ransomware gang thanks Bitdefender, a Romania-based private anti-malware solutions company, for making public its development of a decryption utility capable of parrying DarkSide attacks. DarkSide now knew that it had to address the issue, and it quickly returned to the driver’s seat, regaining the upper hand. Is it better that security solution purveyors share real-time developments with the broader public, or should vendors instead sensitively alert select customers (and partners) to breaches and phishing efforts so that CISO/CSOs can decide for themselves and their companies how to respond?

Negotiating With Bad Actors

CISO/CSOs are exposed, have constrained budgets, and are the ‘neck to choke’ when a company’s data or technology operations are compromised. It is no wonder that the average tenure of a CISO at $1B+ companies in the US is 26 months. They have to be in front of the car crash, anticipate the terrorist/hacker and keep the engines running. They also need to be nimble, quick decision makers and to work across the company without direct reporting lines, liaising closely with their colleagues running Risk & Compliance, Data Security, Investor Relations and, of course, the General Counsel. While the buck stops with the CISO/CSO, the final decision and eventual expenditure – however that may be manifested – lie with the CFO and CEO. The CISO/CSO can shut down operations, as Colonial Pipeline did, affecting millions of East Coast consumers and raising the ire of public and private sector constituents alike. S/he can engage in ransomware negotiations, or simply reject paying the bad actors and hope that they (and the attacks) go away. Security leadership wants the issue to disappear as quickly as possible, but there is no guarantee that DarkSide and others will not return under a different guise and operation, and increase their demands the next time. Pay the mob once, and you may owe them forever.

So how should CISO/CSOs address this emerging, highly profitable and unregulated business model known as “Ransomware as a Service”? Recruiting and collaborating with the right talent is key.

  • First and most importantly – be prepared. Assess continuity of operations together with key internal stakeholders, and do a dry run for a potential major attack on technology assets and infrastructure.
  • Next, together with the GC and Head of Risk & Compliance, review the cyber insurance policy to know where gaps may exist in coverage and where fortification may be required – DarkSide knows insurance riders, focuses on areas of vulnerability, and is well aware that insurance companies do not cover all elements of breach and intrusion.
  • Form an internal rapid response SWAT team which is deployed immediately upon discovery of a successful phishing attempt or attack. This group is diversely skilled, ideally comprising former hackers, individuals familiar with Dark Web activity, and mid-career professionals with consulting experience across a broad industry clientele. At the same time, this SWAT team would establish policies and procedures regarding responsibilities and actions to take, sequencing of operations, reporting structures and chains of command. This would be the equivalent of a Special Ops cyber team which is battle tested and can face off against the adversary knowing how the adversary thinks and reacts. The team is a mobile combatant against the terrorist, with all of the technology, know-how and experience that the terrorist has, and much more skin in the game.
  • Closely monitor all employee work from home arrangements and the company’s VPN access points.
  • Brief the CEO and key internal stakeholders on a regular basis, which these days may be as frequently as every few weeks, to listen, learn and educate. Raise the topic via the CEO to the Board level, so that Board Directors understand the risks and exposures faced and, no less important, their personal liability in the event of a major incident.
  • Ensure that you have on staff individuals steeped in the latest cyber solutions, penetration testing and remote access trojan (RAT) malware. Battle scars are gained through experience, and individuals who have been through cyberattacks are in increasing demand in today’s highly competitive war for cyber talent.
  • One long-term idea is to form a CISO/CSO industry council and lobby sovereign governments to ban cryptocurrency, as this is the exclusive currency demanded by hackers, to the tune of no less than $350 million in reported cryptocurrency extortion payments made in 2020.

CISOs and CSOs are the critical linchpins in effectively managing your company’s RaaS extortion policy and strategy. Insuring and protecting your assets are just two small links in the chain. DarkSide and other non-state actors know your vulnerabilities and are probing them on a daily and hourly basis. Vigilance is imperative.

By Martin Mendelsohn