The Colonial Pipeline ransomware attack has prompted a response from the FBI and the Cybersecurity and Infrastructure Security Agency. Now, the FBI and CISA are sharing tips to prevent other organizations from experiencing similar disruption.
"CISA and the FBI are aware of a ransomware attack affecting a critical infrastructure entity — a pipeline company — in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company's IT network," the federal agencies said in a May 12 news release.
The FBI and CISA gave 10 tips to prevent disruption from a ransomware attack:
- Require multifactor authentication for remote access to operational technology and IT networks.
- Enable strong spam filters to prevent phishing emails from reaching users.
- Implement a user training program with simulated attacks for spearphishing.
- Filter network traffic to prohibit communications with known malicious IP addresses. Implement blocklists to prevent users from accessing these websites.
- Update software in a timely manner and consider using a centralized patch system. Use a risk-based assessment strategy to determine which OT networks should participate in a patch management program.
- Limit access to devices on networks and restrict remote desktop protocol. After assessing risks, if RDP is operationally necessary, restrict originating sources and require multifactor authentication.
- Set antivirus and antimalware programs to conduct regular IT scans.
- Disable macro scripts from Microsoft Office files transmitted over email.
- Implement allowlisting, which only allows systems to execute permitted programs.
- Monitor and/or block inbound connections from anonymized IP addresses or ports.