Supply Chain Attacks: Risk and Best Mitigation Practices

The Basics of Supply Chain Attacks

Supply chain attacks are an ever-growing threat to organizations and enterprises. A supply chain is usually insufficiently monitored. Elements of a supply chain include third-party software used to interface with enterprise software, open source platforms, cloud services, and past and present suppliers and vendors that have access to a company’s data and systems. Cyberattacks are typically directed at these third-party points of contact, as these are usually the weakest security elements in an enterprise’s supply chain.

Previous High Profile Attacks 

Malicious parties are continuing to develop new methods of attack, while enterprises scramble to implement tools and best practices to reduce the risk of a successful attack. The use of third-party providers has outpaced the development of tools and practices by enterprises, leaving many exceptionally vulnerable.

No industry or government is safe from supply chain attacks. Even cybersecurity firms are often targeted. The SolarWinds attack of 2020 hit all three. The SolarWinds attack was ambitious and sophisticated. The attack was primarily coordinated by Russia in an attempt to attack the United States government and subvert its systems.

The attack compromised SolarWinds, Microsoft, and both Malwarebytes and FireEye, the latter of which is a high-profile security company that has contracts with the United States federal government. The SolarWinds attack accessed the U.S. Treasury department, as well as the Commerce and Justice departments. This attack was highly targeted and required operator action. 

Prior to the 2020 attack, the 2017 NotPetya attack was the highest-profile cyberattack on record, with total damages surpassing $10B. This cyberattack used a modified version of existing ransomware called Petya. The EternalBlue exploit, originally used by the NSA before being leaked by hackers, was employed.

The ransomware entered banks, state-operated enterprises and ministries within Ukraine. These systems used a tax accounting software called MeDoc, which had its automatic update system compromised. Most of the affected companies were within Ukraine, with Germany the second most affected. This attack has also been attributed to Russia. Unlike the SolarWinds attack, NotPetya was not as selective and continued without operator action. As a result, the effects were widespread and catastrophic.

Best Practices Against Supply Chain Attack 

Network Segmentation

The history of attacks has educated network architects on the threat within an enterprise’s network. Users and assets within the network perimeter can pose a threat, either accidentally or deliberately. Network segmentation breaks up the network into smaller zones, allowing greater control over security and traffic between them.

This segmentation prevents malware or an attacker from spreading across the network by only allowing necessary traffic between zones. As such, the connections available from the attacker’s beachhead will be limited, and access to more sensitive hosts will require exploiting another set of vulnerabilities.

Network segmentation should be carefully planned to limit the impact on production while still having the desired effect. These efforts strengthen the security of an enterprise’s network, even when working with third-party vendors and suppliers.

Note that this will not protect against all attacks. As an example, solutions like SolarWinds Orion typically have access to multiple zones in order to administer those hosts.
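The effect of segmentation, and the caveat about management tools that span zones, can be checked against a zone policy. The following is an added example, not code from the original article; the zone names, host names, ports and flows are constructed assumptions.

```python
from collections import deque

# Constructed sample policy: the only (source zone, destination zone, port)
# flows the inter-zone firewall allows. Everything else is dropped.
ALLOWED_FLOWS = {
    ("user", "web", 443), ("web", "app", 8443), ("app", "db", 5432),
    ("mgmt", "user", 3389), ("mgmt", "web", 22),
    ("mgmt", "app", 22), ("mgmt", "db", 22),
}

# Constructed sample hosts. "monitoring-01" stands in for a management
# platform that administers hosts in every zone.
HOST_ZONE = {"laptop-17": "user", "web-01": "web", "app-01": "app",
             "db-01": "db", "monitoring-01": "mgmt"}


def direct_zones(zone):
    """Zones that a host in `zone` is allowed to connect to directly."""
    return {dst for src, dst, _port in ALLOWED_FLOWS if src == zone}


def hops_to_zone(beachhead, target_zone):
    """Fewest zone boundaries to cross from `beachhead` to `target_zone`.

    Each crossing means compromising another host over an allowed flow.
    Returns None when the policy offers no path at all.
    """
    start = HOST_ZONE[beachhead]
    dist, queue = {start: 0}, deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target_zone:
            return dist[zone]
        for nxt in direct_zones(zone):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return None


def multi_zone_hosts(limit=1):
    """Hosts that can directly reach more than `limit` other zones."""
    return sorted(h for h, z in HOST_ZONE.items()
                  if len(direct_zones(z)) > limit)
```

A compromised laptop is three boundary crossings away from the database zone, while the management host is one; `multi_zone_hosts()` lists the hosts that deserve the tightest hardening and monitoring for that reason.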

Principle of Least Privilege (PoLP)

The principle of least privilege is a commonly implemented cybersecurity practice for protecting valuable data. It works on the basis that the system will get compromised, but that the attackers’ actions should be made harder to perform. Privileged access should be a priority for IT teams working to protect an enterprise network: the more privileges attackers have, the more damage they can do. Zero Trust principles should be used to remove all administrative rights from users, including third parties. From there, IT teams can begin selectively giving back only the necessary privileges so network users can complete their work tasks.

Microsoft recommends a strategy to manage privileged credentials by breaking users and devices into two distinct access paths. The user access path is intended for the majority of users, and allows for general productivity tasks like email and web browsing. The privileged access path is primarily for IT administrators and other high-level accounts that can interface with enterprise systems and have administrative control. Users can be elevated to the privileged workflows as needed with approved access.

Detection Strategy

Quickly identifying security threats and responding to them is also very important. Attacks should be detected and stopped before privileged access data and systems can be breached. According to IBM, most enterprises take almost 197 days to even identify a security breach and another 2 months to contain it. This incredibly poor response speed allows attackers to continue to operate within a network and extract further data and cause significant harm. 

The ATT&CK Matrix produced by MITRE is a good source for listing the tactics and techniques used by attackers. Mapping it to an organization’s risks and threat model makes it possible to prioritize the detection strategy. However, the focus should not be on having a complete map, but rather on laying a minefield for attackers to trip over.

This strategy should combine low-noise solutions such as internal honeypots, broader sources such as OS telemetry and event logs, and specialized but probably noisier sources such as an IDS or mail gateway.
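One way to combine sources of different noise levels is to weight each alert by how trustworthy its source is and correlate per host. The following is an added example, not code from the original article; the weights, host names and alerts are constructed assumptions, and the technique IDs are ATT&CK identifiers.

```python
from collections import defaultdict

# Assumed fidelity weights: a hit on an internal honeypot is almost never
# benign, while IDS and mail gateway alerts are frequent and noisy.
SOURCE_WEIGHT = {"honeypot": 10, "os_telemetry": 3, "ids": 1, "mail_gateway": 1}

# Constructed sample alerts: (source, internal host, ATT&CK technique ID).
ALERTS = [
    ("ids", "laptop-17", "T1046"),           # network service discovery
    ("ids", "laptop-22", "T1046"),
    ("ids", "laptop-22", "T1046"),           # duplicate of the line above
    ("mail_gateway", "laptop-22", "T1566"),  # phishing
    ("os_telemetry", "app-01", "T1078"),     # valid accounts
    ("honeypot", "app-01", "T1021"),         # remote services
    ("ids", "app-01", "T1046"),
]


def triage(alerts):
    """Return (host, score, sources) tuples, highest score first.

    Each (source, technique) pair counts once per host, so a noisy sensor
    repeating the same alert cannot outrank a single honeypot hit.
    """
    seen = defaultdict(set)
    for source, host, technique in alerts:
        seen[host].add((source, technique))
    ranked = []
    for host, pairs in seen.items():
        score = sum(SOURCE_WEIGHT[source] for source, _ in pairs)
        sources = sorted({source for source, _ in pairs})
        ranked.append((host, score, sources))
    # Sort by descending score, then host name for a stable order.
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for host, score, sources in triage(ALERTS):
        print(f"{host:12} score={score:2} sources={','.join(sources)}")
```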

Penetration Test and Red team/Blue team Exercises

With risks identified, red team/blue team exercises can attempt to simulate a real-world attack on an organization’s network and analyze the detection strategy implementation. 

Enterprises often shy away from penetration tests because of the perceived risk, but it’s more important to know possible weaknesses than to stay in the dark. These tests and exercises can reveal invaluable information about the network’s current security status, as well as areas that should be improved and monitored closely. Organizations will vary in their security readiness and maturity level. Higher maturity level organizations should simulate attacks often, with different breach variables.

Human aspects not to be forgotten

Perform vendor sourcing and implement a security questionnaire early in the project. Vetting vendors and partners with security built in is a key element, and asking questions to understand their internal processes is important. Such questions cover their use of a Secure Software Development Lifecycle, security-based code reviews and pentests, and how they follow up on current and emerging threats.

What Hacknowledge Can Do

Hacknowledge can help any enterprise, providing scalable security monitoring for enterprises at all security maturity levels. Our Swiss-made security company provides 24/7 infrastructure monitoring and highly-trained security engineers.

Hacknowledge wants to reduce the time between breach and detection using their VISION Cyber management monitoring service. Hacknowledge has Technical Account Managers (TAM) that are trained to provide tailor-made risk assessments and derive use-case priorities. Hacknowledge can also propose red team exercises to test the strength of an enterprise’s cybersecurity status.