In May this year, many publications reported that a major pipeline between Texas and New York had to be temporarily shut down as a result of a cyber attack. The effects were severe. Prices at gas stations rose, hoarding occurred, and smaller airports were threatened with running out of jet fuel. The attackers had encrypted and stolen data on the company’s systems. They threatened publication and demanded a high ransom.

Eventually, the affected pipeline company paid five million dollars to the blackmailers. Even the U.S. president spoke out and made it clear that operators need to better protect their critical infrastructure and invest more in the security of their computer systems.

Ransomware is a constant threat.

Such attacks follow a similar pattern. The campaign starts with mapping the environment and exfiltrating data, which means the attackers likely hold detailed information about the company and its operations before the next phase begins. Then the attackers start encrypting systems, making entire portions of the infrastructure unavailable.

This two-pronged approach has become increasingly common in major attacks. Exfiltrating potentially sensitive data gives the attackers additional leverage and makes detecting and stopping ransomware early even more important.

Critical Infrastructures Are Vulnerable to Compromise.

The dependence on TCP/IP transmissions over the common standard of Ethernet has left many of our critical infrastructures vulnerable. In particular, electrical power distribution, natural resources recovery, petroleum/oil/gas, chemical manufacturing, manufacturing, and distribution/logistics all use some type of distributed network to control very discrete technical or industrial processes. Those processes open and close electrical breakers, open and close valves, measure temperature, measure flow rate, measure voltage, or run automated machinery.

The endpoints which manage the distributed processes are called, broadly, industrial control systems (ICS). These controllers manage processes and collect process information. They typically function at what is known – in some industries – as the supervisory layer. This layer controls the industrial processes themselves.

What this means is that the dynamic, messy, often highly vulnerable, and critically under-monitored corporate TCP/IP network almost always has some sort of connection, like a wormhole, into the ICS environment. Ransomware that is designed to spread indiscriminately will find this wormhole in a heartbeat. This is a security hygiene problem with potentially devastating results.


ExtraHop detects early signs of data exfiltration and encryption.

The SOC Visibility Triad model has become more and more relevant in cybersecurity. Shoring up the security of the corporate IT environment that surrounds critical infrastructure requires three complementary data sources: the network, the endpoint, and activity logs.

With these monitoring solutions in place and tightly integrated, security teams have a better chance of detecting early signs of ransomware or other fast-moving malware or attack behaviors, so they can isolate and purge the threat before it impacts critical ICS systems.

In the case of ransomware, ExtraHop Reveal(x) can detect early indications of compromise such as suspicious file reads and SMB data staging. It can also detect the type of exfiltration activity common in attacks, and correlate the encryption and exfiltration detections for a more complete understanding of the attack.
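As an added illustration of the correlation described above (example code written for this post, not ExtraHop's implementation), the following toy detector flags a host that performs a burst of distinct SMB file reads (staging) and then pushes a large volume of data to an external address within a short window. The event fields, thresholds, sample records and IP addresses are all constructed.

```python
# Toy correlation of two ransomware precursors: a burst of SMB file reads
# (data staging) followed by a large outbound transfer (exfiltration).
# Constructed sample events and thresholds; not ExtraHop code.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

READ_BURST, BURST_WINDOW = 50, timedelta(minutes=5)   # distinct files per host in window
EXFIL_BYTES = 200 * 1024 * 1024                       # bytes from one host to one external IP
CORRELATE_WINDOW = timedelta(minutes=30)              # max gap between staging and exfil
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def staging_hosts(events):
    """{host: time} for hosts reading >= READ_BURST distinct files within BURST_WINDOW."""
    reads = defaultdict(list)
    for e in events:
        if e["type"] == "smb_read":
            reads[e["src"]].append((datetime.fromisoformat(e["time"]), e["path"]))
    flagged = {}
    for host, items in reads.items():
        items.sort()                      # sliding window over chronologically ordered reads
        for i, (t0, _) in enumerate(items):
            window = {p for t, p in items[i:] if t - t0 <= BURST_WINDOW}
            if len(window) >= READ_BURST:
                flagged[host] = t0
                break
    return flagged

def exfil_hosts(events):
    """{host: time} for hosts sending >= EXFIL_BYTES to a single non-RFC1918 address."""
    sent, first = defaultdict(int), {}
    for e in events:
        if e["type"] == "flow" and not any(ip_address(e["dst"]) in n for n in INTERNAL):
            key = (e["src"], e["dst"])
            sent[key] += e["bytes_out"]
            first.setdefault(key, datetime.fromisoformat(e["time"]))
    return {k[0]: first[k] for k, b in sent.items() if b >= EXFIL_BYTES}

def correlate(events):
    """Hosts that staged data and then exfiltrated within CORRELATE_WINDOW (highest priority)."""
    staged, exfil = staging_hosts(events), exfil_hosts(events)
    return sorted(h for h in staged if h in exfil
                  and timedelta(0) <= exfil[h] - staged[h] <= CORRELATE_WINDOW)

# Constructed sample: 10.0.5.20 reads 60 distinct files in 3 minutes, then sends 300 MB
# to a documentation-range address; 10.0.5.21 sends data out but never staged anything.
SAMPLE = [{"type": "smb_read", "time": f"2021-05-01T02:{i // 20:02d}:{(i * 3) % 60:02d}",
           "src": "10.0.5.20", "path": f"finance/doc{i}.xlsx"} for i in range(60)]
SAMPLE += [{"type": "flow", "time": "2021-05-01T02:15:00", "src": "10.0.5.20",
            "dst": "203.0.113.7", "bytes_out": 300 * 1024 * 1024},
           {"type": "flow", "time": "2021-05-01T02:16:00", "src": "10.0.5.21",
            "dst": "203.0.113.7", "bytes_out": 300 * 1024 * 1024}]
```

Running `correlate(SAMPLE)` returns only the host that did both, while the exfiltration-only host remains a lower-priority single detection.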

ExtraHop uses the power of machine learning to help organizations detect, investigate and respond to even the most evasive threats, protecting critical workloads and infrastructure.

According to the Elite 80 Report, “through its analysis of wire data, ExtraHop is able to discover, observe, and analyze all applications, hosts, clients and infrastructure within an enterprise’s network. This information allows businesses to correlate information and make real-time decisions to move a business forward.”

© ExtraHop Networks, Inc. / ExtraHop Blog / Excerpted from “Colonial Pipeline Attack” by Mark Bowling, 10.05.2021

The experts at NetDescribe are happy to help.


Don’t forget to visit the NetDescribe Anniversary Page! (Sorry, only available in German.) There is a monthly quiz with questions from our QUIZLYBÄR, and in the rear-view mirror of “NetDescribeHistory” you can read what else has happened in the past years.

We are looking forward to your feedback.

Please don’t hesitate to contact our sales team for further information or an individual product demonstration or call +49 89 215 4868-0.

About NetDescribe GmbH

NetDescribe GmbH is headquartered in Oberhaching in the south of Munich. Trusted Performance by NetDescribe stands for fail-safe business processes and cloud applications. The power of NetDescribe is tailor-made technology stacks instead of off-the-shelf technology. The holistic portfolio offers data analysis, solution concepts, development, implementation and support. As a trusted advisor to corporations and public institutions, NetDescribe delivers highly scalable solutions with state-of-the-art technologies for real-time dynamic and transparent monitoring. This provides customers with insights into security, cloud, IoT and industry 4.0 at all times. They can make agile decisions, secure internal and external compliance and conduct efficient risk management.

Trusted Performance by NetDescribe.