Every second, ​​$190,000 is lost to cybercrime and the situation has only gotten more dire during the COVID-19 pandemic. According to the FBI, since the start of the pandemic, the number of reported cybercrimes has increased by 300%, and by 2025, the anticipated cost of global cybercrime will amount to $10.5 trillion.

Recently, there have been multiple cyberattacks — most notably Colonial Pipeline, Kaseya, and SolarWinds — that made their way into national headlines due to the hefty financial losses and far-reaching consequences they caused. Despite some being complex attacks, they all could have been prevented, or at least weakened, through data-driven threat intelligence and proper security precautions. Read on to learn what could have been done differently and what we can learn from these past mistakes to thwart cyberattacks in the future.

Colonial Pipeline

“You’re only as strong as your weakest link,” is something of an axiom among cybersecurity professionals, and the ransomware attack on Colonial Pipeline showed the world exactly why.

On April 29, 2021, the Russian cybercrime group, DarkSide, attacked oil pipeline company Colonial Pipeline, demanding a ransom of $4.4 million in exchange for 100 gigabytes of stolen data. The ransom note wasn’t discovered until early in the morning on May 7, and it took only a few hours for the company to shut down the entire pipeline, ultimately resulting in rising gas prices and oil shortages.

Allan Liska, an intelligence analyst at international security firm Recorded Future

By the magnitude of its ramifications, you’d suspect that hacking the system was a highly complex operation, but in reality, DarkSide gained access the same way an employee would — by typing the password into the VPN. Allan Liska, senior security architect at cybersecurity firm Recorded Future, explains that a former employee had reused their VPN password for another platform and those login credentials had been shared in an underground forum, giving the hackers access to everything on Colonial Pipeline’s network.

This is a clear example of why a company needs a strong identity management process, Liska explains. With identity-focused intelligence, companies can receive real-time updates on identity compromises like the one that led to the Colonial Pipeline attack, allowing IT teams to detect threats and create new workflows to mitigate them before it’s too late.

For example, Liska says, had Colonial Pipeline utilized intelligence to detect identity compromises such as leaked passwords prior to a breach, the company could have enforced password changes among all its employees, making the circulating passwords useless.

According to data from Recorded Future, 65% of the world’s top companies have exposed credentials. However, because security teams are already stretched thin and face an ever-evolving list of priorities, they do not have the bandwidth to scrape dark web forums for password leaks. But with an automated, intelligence-led security strategy, security teams can focus on tasks that demand human expertise, like creating patches for system vulnerabilities, without sacrificing time to threat detection and analysis.

Kaseya

In July 2021, Russia-linked ransomware group, REvil, attacked the Florida-based software company Kaseya, setting off a frenzied dash among its employees to repair the damage and warn customers of potential infections. The ransomware attack was executed through exploiting a zero-day vulnerability, a previously unknown or unresolved flaw in the system. However, according to Liska, “the exploit used in the attack was widely known,” and had Kaseya employed a firm like Recorded Future which provides clients with a means to automatically identify and interrupt an attack, the company could have stopped the ransomware group in its tracks.

“Within a few minutes of the attack being reported on Reddit, Recorded Future had imported the information into our platform and within an hour we had an analyst note written up and distributed to our clients, which included actionable steps,” says Liska, like shutting down their platforms and looking for indications of a breach. “Clients who weren’t hit in the first wave of the Kaseya attacks now had everything they needed to put protections in place,” he says.

SolarWinds

Few among us haven’t encountered a software update alert on our phones or computers, a ‘ding ding’ that announces a new and improved version of an app or entire operating system. And because of their ubiquity not to mention their easy, one-click-and-forget-it execution, they make a genius vehicle for hackers to gain access to information on a massive scale, as is what happened with the SolarWinds attack in late 2020. By rewriting the code for what would have seemed like standard software updates issued by the information technology firm for its Orion software system, Russian hackers were able to disseminate malware and gain access to SolarWinds’ client roster of government agencies and Fortune 500 companies without immediate detection.

It was a highly complex operation, one that could only have been accomplished through teamwork. Unfortunately, many companies and government agencies don’t operate with the same level of cohesion.

Hanan Hibshi, assistant teaching professor at Carnegie Mellon University’s Information Networking Institute

“Attackers are teaming up better and that’s why we’re seeing more sophisticated attacks taking place,” says Hanan Hibshi, assistant teaching professor at Carnegie Mellon University’s Information Networking Institute. “We need to start moving into this mindset that security is a team effort.”

The need for better teamwork is often clear in the aftermath of such attacks, when leaders finger-point blame at a single employee or small group. In the case of SolarWinds, during a congressional hearing, the former CEO attributed a weak password that may or may not have been involved in the breach to an intern. (He later stated doing so was a mistake.)

According to a 2020 study conducted by professor Jeff Hancock from Stanford University and the security firm Tessian, only 23% of the 2,000 non-security field professionals surveyed think about cybersecurity frequently. As Hibshi explains, complete participation and prioritization of cybersecurity measures from employees throughout a business is fundamental to protecting company data. Because no matter how advanced the security software is or how qualified the analysts are, if one employee veers from the protocol, it can be chaos. And hackers know how to use that to their advantage.

Between these three attacks, the importance of using actionable data in conjunction with strong safety practices is clear. Without data-driven intelligence, it is impossible to effectively focus attention. And without thoughtful human analysis and development of proactive security postures, data cannot be used to its full potential. But when used together, machine and human intelligence is a powerful force against today’s cyber threats.

Intelligence-led security strategies can reduce the risk of all types of cyberattacks. Learn more about how to implement an intelligence platform that harnesses big data, machine learning, and human analysis to provide visibility across the risk landscape at https://www.recordedfuture.com/.