Many government agencies, Fortune 500 companies, and security teams will never forget a landmark event in December 2020. This was when the world discovered one of the most devastating cyber attacks in history — delivered through the modern supply chain.
The widespread intrusion campaign exploited SolarWinds, an IT services business, and its Orion infrastructure monitoring platform used by organizations worldwide. Malicious threat actors exploited security lapses in that software to create dangerous backdoors, install trojans, and distribute malware (dubbed “SUNBURST”).
This malware infected the critical infrastructure of hundreds of companies and government institutions worldwide. The theft of data was immense, and the full scope of damage may never be known.
Such supply chain attacks could happen to any organization. This is why modern-day companies should focus on detecting supply chain threats and implementing robust and real-time incident response and prevention measures.
This article highlights the most common supply chain security risks. It also explores some best practices for detecting and mitigating supply chain attacks.
What Are Supply Chain Threats and Attacks?
Supply chain threats refer to cybersecurity threats delivered through organizations’ trusted partnerships with third parties. These parties can be suppliers, vendors, and resellers; and they usually have access to the company’s systems and sensitive data.
To perpetrate such attacks, threat actors slip malicious code into a trusted piece of software the outside partner uses. The criminals can compromise the software at the source, which lets them attack all organizations that work with that vendor simultaneously.
The SolarWinds SUNBURST supply chain attack is an example of the severe consequences of such an assault on critical infrastructure.
Key Supply Chain Security Risks
Supply chain attacks are dangerous because they allow threat actors to scale up their attacks quickly, and with minimal effort.
A single piece of malicious code inserted into a vendor’s software platform makes all the organizations that work with the vendor vulnerable to data breaches, malware/ransomware attacks, phishing attacks, and intellectual property theft.
To protect themselves from such attacks, organizations should be more aware of the various supply chain risks.
Vendors may inadvertently (or, in some cases, maliciously) leak sensitive customer data outside the business, making the organization vulnerable to supply chain attacks from cybercriminals, hacktivists, and even rogue nation-states.
A threat actor may deploy malicious software to encrypt an organization’s files and lock the target’s systems until it pays a ransom.
Cybercriminals may also install trojans to gain access to the organization’s systems through a back door (as happened with SolarWinds SUNBURST) or install viruses that infect the system and quickly spread across the network.
External Hardware and Software
Many organizations and their vendors now rely on external hardware and open source software to speed up delivery lifecycles and minimize costs.
This convenience, however, comes with considerable risk. Even a slight flaw in a software application opens doors for a threat actor to attack multiple organizations in one go.
Any device connected to the Internet creates supply chain risks. Internet of Things (IoT) devices and sensors are particularly vulnerable since they’re often insecure and therefore attractive to attackers.
Even an online heating, ventilation, and air conditioning (HVAC) system increases the chances of a supply chain attack if it’s not adequately secured. An insecure HVAC system led to a massive breach against retailer Target in 2014.
Data Stored on the Cloud
Vendors that store companies’ confidential data are a source of significant supply chain risk. In 2018, about 13.4 million sensitive files were leaked, at least half of which came from a single offshore legal services provider.
In the same year, Deloitte also experienced a supply chain data breach due to weak access controls on an administrative account that led to the theft of a massive amount of confidential customer data.
Best Practices for Detecting Supply Chain Threats
The risks highlighted above show that attackers can use any weak link in a supply chain to attack numerous organizations at scale. Identifying supply chain threats and preventing — or at least mitigating — them is vital in the modern cyberthreat landscape.
Here are some best practices to detect and identify supply chain threats.
Create an Asset Inventory
An asset inventory is essential for every cybersecurity plan, but especially for a supply chain security plan.
Identify all assets used within your organization and map out the various data pathways. Where do software updates come from, and when? What is the destination of each update? What constitutes “normal” traffic in your enterprise network?
Asset inventory analysis will help you identify all systems and existing gaps that may lead to a supply chain attack.
Understand the Threat Landscape
To prevent supply chain attacks, you must understand the threat landscape:
- What kind of threat, breach, data leak, or malware can most affect your supply chain?
- What is the probability of attack?
- What could cause the most devastation?
These answers will help you focus your threat detection and mitigation efforts.
Assign a Threat Actor Profile to Each Asset
Based on the asset inventory, create a threat model. Categorize each asset under different adversary categories (threat actor profiles), and create a scoring system to determine attack/attacker priority to improve attack detection.
Update Risk Scores
After assigning risk scores to each adversary type, adjust the scores based on the history of vulnerabilities within the organization’s software. Order assets from least at-risk to most at-risk, and adjust the security controls as required.
Continuously adjust the risk scores and control measures if a vendor announces a vulnerability within a specific software.
Regularly Test New Updates
Testing new updates in a test environment or sandbox can reveal potential supply chain threats before they become attacks. It’s crucial to perform testing before rolling out any updates to assure no open vulnerabilities may lead to an attack.
Malware analysis is another critical and effective way to detect this crucial supply chain threat. Ideally, follow a four-step strategy consisting of:
- Fully automated analysis to create general reports;
- Static properties analysis that gains access to executable files;
- Interactive behavior analysis where a malicious program is implemented in a sheltered environment; and
- Manual code reversing to decrypt hidden data and reveal a potential attack’s methodology.
Best Practices for Mitigating Supply Chain Threats
Detecting supply chain threats is only half the battle. It’s also essential to mitigate these threats. Consider the following best practices.
Understand the Behavior of the Digital Supply Chain
Security tools, third-party vendors, and cloud service providers all behave in a certain way that may increase the risk of supply chain attacks. Automated tools exist to identify attacker behavior and show whether a particular element on your digital supply chain creates unnecessary risks.
Vet Every Third-party in the Supply Chain
Organizations that work with multiple third-party vendors or suppliers should perform thorough due diligence on each partner and their digital assets (including software) and hold them accountable to specific standards.
Ideally, you should work with fewer suppliers who can ensure higher-quality offerings to reduce the size of your supply chain attack surface.
Leverage Standard Cybersecurity Frameworks
Some regulatory frameworks, such as PCI-DSS, CMM, and SOC-2, provide for third-party risk testing. Many also include standards for vendor compliance.
Leverage these frameworks to ensure that your vendors have implemented the best security practices and controls to protect their software from compromise and help you manage and reduce your supply chain risk.
Regularly Patch all Software
Patch and update all software in your digital supply chain ecosystem regularly. Pay special attention to third-party or open source software updates since vulnerabilities in such applications’ source code are responsible for 16 percent of all breaches.
Make ZenGRC Part of Your Supply Chain Risk Management Strategy
In the wake of severe supply chain attacks like SolarWinds, organizations must take a closer look at their suppliers, particularly those with privileged access to the company’s assets. Consider a strategy of minimal access for all vendors.
Finally, detecting supply chain threats should be part of a broader supply chain risk management strategy. ZenGRC, an integrated risk management platform, can support you with this endeavor. With ZenGRC, you can identify and prevent many supply chain risks.
Moreover, you can evaluate risks across connections and third parties using customizable risk calculations and scoring. Continuously monitor your supply chain risks with automated alerts so you can remediate them in real time.