To say that the last 18 months have been unkind to many organizations is like saying that the sun is rather warm, or that the Himalayas are somewhat hilly. Frankly, the past year-and-a-half has been brutal and traumatic for companies across all sectors and industries, as they have grappled with the pandemic’s unprecedented shocks and challenges. Now, however, it appears as though the worst-of-the-worst is behind, and organizations can safely emerge into the stable and safe “new normal.” Well…not quite.
Just as the dire scourge of COVID-19 is receding, another threat is rising — one that involves a virus of a different kind, and which can inflict an enormous amount of financial damage: supply chain attacks.
What is a Supply Chain Attack?
In a supply chain attack, hackers infiltrate a software vendor’s network and use malicious code to compromise the software before it is sent to customers — ultimately creating a backdoor to access systems and data. Hackers can compromise newly acquired software from the outset, or they can compromise existing software prior to the application of a hotfix or patch. The latter approach was used in the notorious Solorigate/Solarwinds supply chain attack, which infiltrated a roster of high-profile victims including The Pentagon, the Department of Homeland Security, Microsoft, Cisco, Intel, and many others. The breach was so complex and multifaceted that experts have hailed it as the most sophisticated hack of all time.
Supply Chain Attack Examples
While the Solorigate/Solarwinds breach continues to make headlines, there have been numerous other supply chain attacks such as:
• In April 2021 hackers compromised a software development tool that was sold by a firm called Codecov, which gave them access to hundreds of victims’ networks.
• In May 2020, researchers discovered malware called Octopus Scanner, which was designed to serve up backdoored code into the NetBeans components on GitHub repositories without the legitimate repository owners realizing it.
• From January to March 2020, the Federal Bureau of Investigation issued alerts warning the private sector of supply chain cyberattacks involving Kwampirs malware.
These are just a few of many supply chain attacks that have recently occurred — and which are expected to accelerate in the months ahead. According to research by the Identity Theft Resource Center (ITRC), in the first quarter of 2021, nearly 140 organizations said they were hit with a supply chain attack — which was a 42% spike compared to the last quarter of 2020.
Why Supply Chain Attacks are So Terrifying
While all cyber threats are alarming, supply chain attacks are particularly worrisome — or make that, flat our terrifying — for a few reasons.
The first reason is that a significant amount of third-party software products — such as IT management, remote access software, antivirus, and many others — need elevated system privileges to function properly or optimally. As the Cybersecurity and Infrastructure Security Agency points out:
Even when a product can effectively operate on a network with reduced privileges, products will oftentimes default to asking for greater privileges during installation to ensure the product’s maximum effectiveness across different types of customer networks. Customers often accept third-party software defaults without investigating further, allowing additional accessibility vectors. Additionally, because these types of products are typically present on every system within a network, including authoritative and domain management servers, vulnerabilities or malware inserted into those software products could provide malicious actors with privileged access to the most critical systems within a network.
The second reason is third-party software products rely on frequent communication between vendors and customers. The purpose is to provide updates, fix vulnerabilities, and enhance security. Ironically, however, hackers can exploit this behind-the-scene interaction and deploy malware-laden updates. They can also try and block security updates from occurring in the first place.
The third reason is that hackers use supply chain attacks to target more lucrative —and possibly better secured — organizations. Commented Nick Weaver, a security researcher at UC Berkeley’s International Computer Science Institute: “Supply chain attacks are indirect. Your actual targets are not who you’re attacking. If your actual targets are hard, this might be the weakest point to let you get into them."
And the fourth reason (which is essentially an extension of the third reason but needs its own spotlight) is that compared to other types of cyber assaults, supply chain attacks can provide hackers with an attractive economy of scale. Rather than attempting to hack thousands of organizations, they can try and attack a single vendor. If successful, they can use the backdoor to penetrate a wide range of targets over a long period of time. For example, while FireEye researchers discovered the Solorigate/Solarwinds supply chain attack in December 2020, new evidence suggests that the attack began almost two years earlier in January 2019.
How to Prevent Supply Chain Attacks
When it comes to preventing supply chain attacks, there is some good news and some bad news. Keeping with tradition, we will reveal the bad news first.
There is no silver bullet that can 100% eliminate the possibility of supply chain attacks. As noted by consulting firm Booz|Allen|Hamilton: “Adversaries continually seek new ways to infiltrate organizations, finding entry points through third-party suppliers and vendors.”
The good news, though, is that organizations can — and given the potential consequences, frankly, they must — be proactive and significantly reduce their vulnerability and exposure to supply chain attacks. To that end, here are seven recommendations:
1. Assume that a breach has already happened.
Organizations cannot afford to haphazardly and inefficiently react to a breach that might happen in the future — instead, they need to assume that a breach has already happened and proactively take steps and make investments (which are covered in the remaining recommendations). As cybersecurity firm UpGuard advises: “This subtle shift in mindset encourages the deployment of active cyber defense strategies across all vulnerable attack vectors in an organization.” And consulting firm Infused Innovation adds: “An assumed breach mentality simply means to expect that your network or identity perimeter will fail at some point. Even if you have MFA enabled, and 802.1x certificate authentication on your devices, assume that a SIM swap attack will happen, or your root CA will get stolen.”
2. Perform in-depth vendor evaluation.
Organizations must demand — not request or prefer but insist! — that the vendors they partner with are continuously following security best practices. According to Nick Fuchs, the senior director of infrastructure, security, support, and controls at Springfield Clinic, these include:
- Regularly testing the strength of their cybersecurity resilience.
- Providing evidence of the latest source code scan and/or application penetration.
- Deploying application firewalls or network segmentation, which restricts access to application programs or object source code.
- Complying with relevant policies and/or regulations such as SOC 2, GDPR, CCPA, NIST, COBIT, and ISO-27001/2, and providing evidence of up-to-date certification
- Operating an employee security awareness program.
As noted by TechTarget: “If your partners have these security best practices in place and are performing them continually, then you can be a little more confident that you are getting a ’known good’ from the provider. Many vendors are not yet at this level, so it’s important to closely evaluate your third-party providers and find the ones taking these steps.”
3. Adopt a zero-trust approach.
A zero-trust approach means precisely that: nobody is automatically trusted, and all network activity is assumed by default to be malicious. As for what a “never trust, always verify” approach means in practice, organizations should focus on the following steps and strategies:
- Replace all unauthenticated legacy services and systems with prioritized cloud technologies.
- Implement zero-trust architecture in alignment with how data moved across the networks, and how apps and users access sensitive information.
- Use MFA to verify logins across the network.
- Enforce device policies by organizing users by groups and roles.
- Use automatic de-provisioning for exiting employees and contractors.
- Establish the capacity to wipe, lock, and un-enroll stolen/lost devices.
- Regularly update end-user rights based on changes to roles/jobs and changes to prevailing security policies and compliance requirements.
- Educate and coach end users to improve their overall security hygiene
4. Use privileged access management (PAM) solution.
A PAM solution can help block hackers who attempt to follow a common attack trajectory — known as the “privileged pathway” — which starts with perimeter penetration, then compromises privileged devices and endpoints, and culminates in a data breach. In order to be effective, a PAM solution should support all of the following:
- Live session monitoring
- Role-based access control
- Comprehensive reporting and logging
- MFA
- Real-time notifications
It should also be easy to use, configure and integrate with a remote connection and management platform in the environment to create a single, centralized and secure single-pane-of-glass for both identity and access management.
5. Enforce the principle of least privilege (POLP).
POLP means that end users only get the access they need to carry out their day-to-day activities. If elevated privileges are necessary for a specific project or activity, these should be temporarily granted, and then removed immediately once they are no longer required. POLP also works hand-in-hand with a PAM solution to limit, govern, and monitor the use of privileged accounts.
6. Use honeytokens.
Honeytokens are a kind of honeypot, in which a dormant privileged account is created and monitored. If hackers attempt to breach the account, an alert is triggered that indicates the environment has been breached.
7. Implement a defense-in-depth approach.
A defense-in-depth approach uses multiple layers of protection to slow hackers down, as they attempt to snake their way to the perimeter through to mission-critical assets. As pointed out by the SANS Institute:
No single security measure can adequately protect a network; there are simply too many methods available to an attacker for this to work… Implementing a strategy of defense in depth will hopefully defeat or discourage all kinds of attackers. Firewalls, intrusion detection systems, well-trained users, policies and procedures, switched networks, strong passwords and good physical security are examples of some of the things that go into an effective security plan. Each of these mechanisms by themselves are of little value but when implemented together become much more valuable as part of an overall security plan.
8. Implement segregation of duties (SoD).
Designed to reduce the risk of internal threats (a.k.a. rogue users), SoD is rooted in the view that when multiple people are involved in a sensitive workflow, there is a lower risk that an individual will manipulate or misuse organizational resources. CSOOnline suggests a simple but effective test for verifying whether a reliable SoD strategy and process is in place:
First, ask if any one person can alter or destroy your financial data without being detected. Second, ask if any one person can steal or exfiltrate sensitive information. Third, ask if any one person has influence over controls design, implementation, and reporting of the effectiveness of the controls. The answers to all these questions should be “no.” If the answer to any of them is “yes,” then you need to rethink the organization chart to align with proper SoD.
The Bottom Line
As the Cyber Risk Alliance warns: “Almost all security researchers agree that more [supply chain attacks] will happen.” Organizations that adopt the recommendations described above — especially the first one, which is to assume that they have been breached vs. wait for a breach to occur before making key investments and changes — significantly reduce their chances of being victimized. And considering that the average cost of a data breach has skyrocketed to more than $8.19 million per incident, and 60% of small and mid-sized businesses (SMBs) disappear within six months of a breach, reducing the risk of a supply chain attack is not just valuable: in the big picture, it may be essential for survival.