Supply Chain Security Ahead of the Holidays
With the 2022 US winter holidays in full swing, the digital supply chain is critically important. Most people simply want to be able to purchase goods and know that their packages will arrive in time for celebrations. For consumers, the concerns are accuracy throughout the ordering process (whether in person or online) and reliability of shipping logistics. But in today’s society, there’s a lot more riding on the digital supply chain than ensuring pretty packages make it under a tree or onto a holiday table.
Supply chain cyber attacks are becoming more prevalent due to their potential. They work by leveraging shared resources—vulnerable software or hardware widely deployed across organizations, weak access credentials and permissions between systems, cloud-based data stores with poor segmentation—to affect large-scale compromise. Supply chain attacks, also known as third-party or value-chain attacks, aim to exploit the weakest link between organizations and make it easier for the attacker to move past the initial compromise onto something juicier and more lucrative.
The SolarWinds attack, one of the most well-known, recent, and disruptive supply chain attacks to date, was executed via a backdoor malware injection on the unpatched systems of 18,000 customers. The attack allowed the cyber criminals to install additional malware and monitor the IT systems of major US government entities including the US Treasury and the Department of Defense. The result? One of the largest data breaches of all time.
Other infamous supply chain attacks include the Target breach, NotPetya, the attack on Mimecast, and Log4Shell (Log4j). This list is just a small sampling and demonstrates that digital supply chain attacks use different tactics and techniques to affect victims in a variety of ways. Because of the interconnected nature of organizations’ systems, and the dependencies created by digital transformation, supply chain security has quickly become one of cybersecurity’s hardest problems.
Threat actors looking to exploit the supply chain depend on IT infrastructure sprawl, the viral adoption of third-party software, the ubiquity of software development (especially that which relies—at least partially—on open source code), the prevalence of software vulnerabilities, staffing shortages, the expanding attack surface, and more. Supply chain attacks can be attacks on hardware, software, or firmware. They can target data stores, websites, certificates, users, or any combination of the above. They are hard to see coming because the attack surface is so vast—beyond that of any one organization or logical group of organizations—and even harder to stop once they are executed.
The complexity of supply chain attacks
Organizations today rely on hundreds (or thousands, in some cases) of suppliers, partners, and subcontractors. Each of these entities uses hardware and software—much of which is supplied by trusted (more on this later) and widely-deployed third-parties. But the long tail doesn’t stop there. The components that make up the hardware and software are also part of the supply chain, so it’s not just knowing the systems that “talk” to each other; it’s understanding the composition of everything that “talks” to everything else. It’s knowing the firmware running on devices. It’s understanding if the chips installed on millions of devices are vulnerable or have been intentionally tampered with. It’s understanding configurations and being able to identify where misconfigurations occur. It’s knowing where to look and what to look for in the first place.
Further, buyers place a certain amount of trust in their suppliers and partners, by necessity. The request for proposals (RFP) process often includes a questionnaire that covers the vendor’s security posture, implemented controls, audit results, and/or certifications, but hands-on testing and validation are rarely part of the deal. Few organizations have the time, resources, or authority to conduct those tests. Buyers must trust (at least to the extent that the vendor/supplier is vigilant and honest), for instance, that the vendor’s certificates are up to date, vulnerabilities are patched, access controls are tight, and that code is bug-free. The result is that organizations buy from other organizations trusting that the vendor has properly vetted what's being sold, and that all the systems and components that touch the product or service are free from supply chain issues.
Supply chain attacks rely on sprawl, dependencies, and an ever-expanding attack surface—all issues that are inevitable in cyberspace. And that’s why they are so popular among attackers.
Securing your supply chain
As with any cybersecurity issue, supply chain security isn't a simple task. But securing the supply chain might be even more complex than other areas because it relies on everyone’s vigilance. This goes for small, unsuspecting suppliers with few security resources just as much as it applies to major providers (that have significant targets on their backs) with huge security budgets and staff. And while there is likely sage supply chain security advice in countless corners of the internet, here are a few tips for supply chain cyber attack prevention.
Tip #1: Understand your attack surface
Attack Surface Definition: The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.
The attack surface encompasses:
The entirety of the assets your company owns or uses (whether approved and managed or not). This includes software, hardware, network environments (on-prem, cloud, virtual), devices, users, applications, data repositories, code, servers, operating systems, and so on. It also includes the communication/transport mechanisms between assets and the access controls that govern usage.
Your suppliers and partners, and any relevant assets that are used in your transactions.
Employ continuous cybersecurity asset management (like what my employer, Axonius, does), which will uncover assets in your environment and allow you to audit for shadow IT (including SaaS apps).
Tip #2: Assess your suppliers
Build robust RFPs to be completed by potential partners and suppliers. These questionnaires should:
Include a requirement to demonstrate third-party audit results, security testing, and certifications
Incorporate minimum security requirements
Be based on industry frameworks that help align the risks with expectations of security governance
If the vendor is mission- or business-critical, ask if they’ll allow commissioned third-party testing prior to purchase. This may not be viable or acceptable, in many cases, but if the dependency is critical, how your potential supplier/partner handles this request will be telling.
Further, validate supplier risk regularly, as security postures change and new threats are introduced all the time. A one-time assessment won’t cut it in today’s high security stakes environment.
Tip #3: Evaluate your access controls
Continuously audit users and their related authorizations, especially those for sensitive systems and data stores. This process applies to your own internal assets as well as the assets from third parties, such as:
SaaS applications
Suppliers’ systems that communicate with your systems and/or data stores
Whenever possible, apply least privilege access for sensitive systems and data.
Tip #4: Deploy foundational security tooling and policies
To pull the thread on the importance of hardened access controls, it’s also prudent to implement core security technologies that help security and operations teams identify, protect against, and detect security events in the early stages. Some of these foundational controls include:
Endpoint detection and response (EDR) / network detection and response (NDR)
Identity and access management (IAM), including multi-factor authentication (MFA) and zero trust-based data access controls
Network security (monitoring/analysis/SIEM/SOAR/IDPS/firewalls)
Application security / DevOps security / software development lifecycle (SDLC) security
Patch management
Code integrity policies (to prevent unauthorized apps from running in your environment)
Tip #5: Invest in a SOC
Your security operations center (SOC) staff is going to be your front line of defense, sifting through the noise to identify any potential attack signals before they turn into something more significant. Smaller organizations that may not be able to stand up an internal SOC can contract with an MSSP or SOC-as-a-service organization to ensure continuous monitoring and management.
Always start with a SOC strategy that is based on business goals. Beyond that, empower the team with best-in-class processes and technologies that achieve:
Comprehensive and continuous visibility and monitoring
The ability to swiftly remediate identified vulnerabilities and abnormalities
Planned and practiced incident response, including the proactive formation of relationships with external forensics investigators and law enforcement
The Wrap Up
Securing the digital supply chain has quickly become one of the cybersecurity industry’s hardest problems to solve. And with new vendor tools emerging constantly, with marketing teams that claim to solve it, how do organizations choose? What can individual cybersecurity practitioners do to protect the digital supply chain?
By following a systematic approach, as described above, practitioners can lay the foundation of a strong security program that stops attacks, even when they’re introduced by third-party systems that are out of their organization’s control. Just like the holiday retail frenzy, where every consumer wants to be able to confidently and securely purchase holiday presents, receive or ship them, on time, intact, and without disruption or product tampering during the entire process, the non-retail digital supply chain must be broken down to its respective parts and secured step by step. Implementing hardened controls and processes will help. Continuous monitoring and verification is necessary.