In December 2020, the SolarWinds hack saw nation-state hackers gain access to the data of thousands of SolarWinds customers, including several U.S. government departments through the company’s IT performance monitoring system, by injecting malicious code in a software update. Thankfully, a much smaller number were compromised "by follow-on activity on their systems" according to CISA with SolarWinds announcing in May that the actual number of customers who were hacked through Sunburst was fewer than 100.
More recently though, in July 2021, the remote monitoring and management solution from a large Managed Security Services Provider, Kaseya, was attacked impacting the company’s on-premises MSP customers and their end customers.
These incidents highlight the vulnerabilities that exist in an organization’s supply chain network. The European Union Agency for Cybersecurity has found that 66% of attacks focus on the supplier’s code. An organization may invest in the most robust cybersecurity strategy, but can they mandate its third-party vendors and suppliers to follow the same rules?
Let’s understand the implications of such attacks and what steps can be taken to minimize their risks.
Vishal Salvi is Senior Vice President, Chief Information Security Officer and Head of the Cyber Security Practice at Infosys.
The dangers of supply-chain attacks
Cyberattacks can assume dangerous proportions when they come from trusted sources. In the above examples, neither of the organizations could detect the breach for a considerable time as the attacker used trusted software and hid behind protocols. The use of AI and ML by hackers to evade detection is clever and often hard to crack. Hackers resort to obfuscation techniques or masquerade as legitimate entities to throw off detection.
There is always a time gap between the attack and the point when the attack is discovered by an organization, known as the dwell time. The FireEye Mandiant’s 2021 M-Trends reports dwell times are falling globally (from 416 days in 2011 to 24 days in 2021), but unfortunately in EMEA, the dwell time increased to 66 days in 2020 from 54 days in 2019. This delay in incident detection can cause supply chain attacks to escalate to massive proportions, and the cascading effect of its impact can last for months or years.
Here are some of the recommended countermeasures to ensure peak defense effectiveness.
Secure Software Validation Program
Organizations must relook at their software validation guidelines. Several of these software uses open source components that expose the organization to the vulnerabilities of a larger ecosystem. Organizations must have a due diligence process on the purchase and installation of software and the usage of open source and third-party components.
Contracts with third-party providers must be revised to include security mandates. For example, supply chain partners should be asked to produce compliance certificates for standards such as ISO 20001 or ISO 20000. For smaller vendors, who may not be able to afford these expensive accreditations, they must commit to immediate remediation in case of any incident. They should also be asked to adhere to the following guidelines wherever relevant - National Institute of Standards and Technology (NIST) guidelines, Center for Internet Security (CIS) Benchmarking, and other OEM recommended best practices.
Third-Party Risk Assessment
All vendors must be categorized and assessed for a security score to help determine the controls required for the risks they pose. Regular audits of the software vendor’s technical credentials as well as its security posture is an excellent practice.
Measures such as third-party static code analysis (SAST), regular security scanning of local and cloud-based environments, DevSecOps, Interactive Application Security Testing (IAST), Dynamic Application Security Testing (DAST), integrity checks can be adopted along with the latest encryption and authentication technologies. Penetration testing and threat modelling are also recommended.
Manage Access Points
When any third-party software is engaged, the organizations need to restrict local administrator and privileged access. The IT teams need to apply the principle of the least required privileges and time-bound access on a need-to-have basis to avoid any security incident. Organizations must not treat vendor employees as their employees when granting access. Misplaced trust can lead to a compromised network.
Credential management becomes an important aspect of handling access as stolen passwords can expose critical data. Often enough, supply chain hackers come from within the enterprise, having access to critical information.
Control framework
Organizations need to define a strategy that can lay out the scrutiny practices required to govern access to their internal resources. The flow of critical data must be mapped and monitored regularly to detect any unusual activity or data leakage. AI and ML-based solutions can provide predictive threat analysis to detect suspicious activities. All inbound and outbound communications must be inspected thoroughly. Using parallel networks can also safeguard supply chain attacks. Many organizations are resorting to segmenting the network or compartmentalizing it.
Overall, an organization’s cybersecurity strategy must align with its corporate goals that vary with each industry. For example, government organizations have a much greater need for critical access management and have multiple third-party vendors to manage, thus requiring broader security controls.
Lastly, creating a security-first culture within the organization can help employees act as the guardians of the company assets. Awareness sessions, training programs, and a top-down approach to implementing cybersecurity practices can go a long way in preventing supply chain attacks.
