This is some text inside of a div block.
Glitch effect

One Year Later: Lessons Learned from the Colonial Pipeline Cyberattack


Download Your

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Glitch effectGlitch effectGlitch effectGlitch effectGlitch effect

One Year Later: Lessons Learned from the Colonial Pipeline Cyberattack

Glitch effectGlitch effectGlitch effect
Glitch banner

It’s hard to believe, but it’s been a year since the Colonial Pipeline ransomware attack. In case your memory’s fuzzy, this was the incident that completely shut down the largest fuel pipeline in the United States, causing gas shortages across the East Coast.

It was the perfect demonstration that cybersecurity doesn’t merely exist somewhere between strings of binary code. It has real-world implications.

Although the gas shortage was brief and the ransom payment recovered, major incidents like this should serve as teaching tools to learn how to develop a better cybersecurity posture and harden defenses.

I asked Roger Koehler, our VP of ThreatOps, what he thought the top lessons we should have learned from this incident are. Here’s what he had to say.

Need a refresher on ransomware? Check out our Ransomware article from The Defender's Handbook.

Lesson #1: It doesn't matter if you're a small business or enterprise. You are a target.

One of the biggest mistakes that businesses–and individuals!–make is assuming that threat actors won’t waste their time chasing them. Typically, small businesses and individuals have less money than larger enterprises; therefore, folks at these smaller organizations believe that hackers will follow the money.

The reality is quite the opposite.

Those large enterprises usually do have more money, meaning they can invest in fancier and better cybersecurity tools to keep their assets safe. They can afford to hire experts to monitor their environments. So while a hacker might need to spin a few cycles to make her way into the environments of these large enterprises, it might only take a few clicks to take down Charlotte’s Ice Cream Shop up the street.

Whether you operate a meat factory, a university or a small business, you are a potential target. Sometimes, an attack is just a crime of opportunity, much like we saw with log4j, where attackers were scanning and hacking any vulnerable devices they found. Other times, attacks are targeted, as we saw with VMware Horizon. Point is, no one is immune–not even a gas pipeline.

And if you’re on the hunt for love, heed our solid advice, courtesy of a Spongebob meme:


Lesson #2: Attackers will find (and exploit) the weakest link.

The culprit of the Colonial Pipeline ransomware attack? A single password to a virtual private network (VPN) account. The real knife twister is that the account in question wasn’t even being used at the time of the attack–but it could still access the network.

The point here is closely related to our first lesson learned: hackers are lazy but efficient. They’re fans of targeting the weakest link. Sure, they could consistently go after an organization’s most critical assets (such as their servers), but why go through all that hassle when there’s a much easier route to gain entry?

And sometimes, that route is as simple as sending a phishing email.

This is why layered security is such an important component of any modern cybersecurity stack. It’s harder to detect an attacker moving laterally within a network once she gains access. A stack that features detection and response features to find and evict hackers can make all the difference in how detrimental an attack is.

You can learn more about layered security in our eBook:


Lesson #3: Attackers are agile. Defenders need to be, too.

Oh, to be as ambitious an employee as an attacker.

Their success correlates to constantly leveling up their cyber knowledge. They study their adversaries (that’s us) and the tools we use, learning how to circumvent them.

And they’re good at it.

They’re masters at defense evasion. They embrace that they’ll be lifelong learners as long as defenders keep defending.

And that’s why we defenders can’t just keep pace with today’s hackers.

We have to think ahead, continue to upskill and question to improve the status quo. We have to be on the lookout for new threats and actively learn how to combat them.

That also means we should pressure our vendors to keep their products up to speed to combat not today’s but tomorrow’s threats. 

Learn More

If you’re reading this and you work at a small business, I hope your takeaway from this reflective piece is simply to exercise caution. You’re not too small or too unknown to be a dangling carrot for today’s threat actors. 

Take reasonable steps, such as implementing multi-factor authentication (MFA) and using (never reusing!) strong passwords. If attackers target you and realize you’re going to present more of a challenge than they’d anticipated, they’ll likely move on to the next “weakest link.”

But perhaps the most important takeaway for us all is that we’ll never really win the cybersecurity battle. Cybersecurity is more of a goal than anything–and it’s a goal that we as defenders have to work toward every day. 

And we’re here to help you do that.

Check out our cybersecurity education resources. And for a monthly, timely discussion of the latest hacker tradecraft and techniques, check out Tradecraft Tuesday.

* Special thanks to Roger Koehler for his help with writing this blog.

Blurry glitch effect

Sign Up for Blog Updates

Subscribe today and you’ll be the first to know when new content hits the blog.

Huntress at work