Cyber Attacks: Better Vendor Risk Management Practices in 2021

Recent Cyber Attacks Highlight Importance of Proactive and Preventive Measures to Counter Intrusions Through Your Supply Chain

The Recent State Attack On US Companies and Government Agencies

In what has been called one of the most sophisticated cyber attacks in recent history, attackers linked to the Russian government have breached a major US cybersecurity firm, FireEye, the US Treasury and Commerce Departments, and potentially countless other targets. Reporting has focused on the penetration of a critical network management system vendor, SolarWinds, in early 2020, which allowed the hackers to add a backdoor to the vendor’s software. Once deployed through an update of the vendor’s system, this backdoor gave the hackers unfettered access to 18,000 organizations around the world that used the same network management system made by SolarWinds.

According to FireEye’s website, their customer base included many federal government agencies and all 5 branches of the military, plus over 400 firms in the Fortune 500, the top 10 US telecoms, the top 5 accounting firms, and hundreds of colleges and universities in the United States. SolarWinds may have been only one of many entry points in this multi-layered cyber attack.

The nature of this recent cyber attack highlights the need for all organizations to better understand and prepare for the cybersecurity threats posed by their third-party vendors.

What Are Supply Chain Attacks?

The attack against SolarWinds falls under a growing category of cyber attacks called supply chain attacks. These cyber attacks compromise a target organization by penetrating a third-party vendor or software package instead of the organization itself. This style of attack proves especially lucrative to hackers for three reasons:

  1. The target area is large: all organizations rely on numerous third-parties to extend limited business and engineering resources.
  2. The threat is overlooked: organizations tend to trust the tools they use in day-to-day business.
  3. The threat compounds: all third-parties depend on third-parties to scale their limited resources.

This makes supply chain attacks appealing to more than just Russian government hackers. In the past year, experts have warned of a 430% increase in supply chain attacks targeting open-source tools used across industries. Examples of supply chain attacks include:

  1. Embedding backdoors in project files of a popular Java development tool to compromise entire Java projects.
  2. Placing malware in legitimate projects on npm, the most popular JavaScript package manager.
  3. Stealing credentials from an HVAC vendor used by Target to carry out one of the largest retail breaches in history.

What Can You Do?

We can’t just drop third-party tools and rebuild the entire business and software stack. It’s neither practical nor wise. For one, organizations often adopt third-party tools because these organizations lack the core competency to develop these tools internally. To understand the danger of using internal solutions, look at all the vendors hacked because they tried to build cryptography tools. But that’s only half of the equation. Internal tools lack the added security that comes from public scrutiny. We only know about the SolarWinds exploit because their customers include organizations with the resources to detect Russian government hackers.

So, while organizations need to use third-party tools, they must recognize the growing threats posed by supply chain attacks. Instead of throwing up our arms in the face of these threats, we can become smarter with Vendor Risk Management.

The Need For Vendor Risk Management

More than ever, companies need to understand how third-parties affect their security posture. Vendor Risk Management processes help companies maintain a list of their dependencies, understand the risks posed by them, mitigate known threats, and prepare for breaches. Not doing any of this means flying blind in an area of increased cyber risks.

The complexity of supply chain attacks means organizations need to reassess how they evaluate risk and prepare for breaches. Organizations need to move towards a reality where breach preparation focuses on detection and mitigation.

Rethinking Impact and Likelihood Scoring

In vendor risk assessments, organizations determine risk scores based on the impact and likelihood of various scenarios. While this works well in many areas, with the rise of supply chain attacks, likelihood becomes harder to determine. It is no longer enough to look at a single third-party or package: any vulnerability across the chain of dependencies can cause a breach. As a result, we should give more weight to impact when scoring threats.

In classic risk scoring, breach impact measures the cost to the organization. Often this is measured in terms of quality and quantity. With quality, assessments try to determine if a third-party has access to personal data or sensitive information. With regard to quantity, assessments measure how many resources a third-party can access. In other words, the impact of a breach is measured by the type of data exposed and the portion of an organization compromised.

Likelihood balances against impact by weighing the probability of a breach occurring. This helps organizations prioritize incidents. Across many areas of vendor risk, organizations can measure likelihood with SLAs and policies. For example, cloud providers offer availability guarantees, and backup services let organizations quantify the probability of different data loss scenarios.

Taken together, impact and likelihood form a risk score. And the third-parties with the highest risk traditionally demand our greatest attention. The SolarWinds cyber attack demonstrates the weakness of this approach. Trust placed in a vendor can lower the overall risk score by assuming the likelihood of a breach is low.

Looking at SolarWinds, it’s clear that this third-party scores severely on impact: as an IT management suite, SolarWinds has access to the entire network and all traffic running across it, including personal and sensitive information. However, on likelihood, SolarWinds might score low; it’s a trusted third-party used by agencies like the NSA. As a result, an organization evaluating SolarWinds might decide that the likelihood of a breach from such a trusted third-party is low.

The lowered perception of likelihood causes an organization to decrease the overall risk for a third-party. However, we know in hindsight that these perceptions of likelihood were misplaced. Surely no one expects a trusted vendor to be compromised, but it happens and now many unprepared organizations are completely exposed.

As supply chain attacks increase in frequency across industries, organizations should resist lowering risk due to perceived lower likelihood. Complex chains of third-parties make it extremely difficult to gauge the likelihood of a breach. Instead, organizations need to rely more on impact to determine their critical third-parties. Once organizations have taken that step, they need to adopt a proactive stance and prepare for a breach at those third-parties.
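The ranking shift argued for in this section, as an added example that is not from the original post. The 1 to 5 scales, the vendor names and ratings, the rule that impact is the worse of its two dimensions, and the threshold of 4 are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: int  # "quality": 1 (public data) .. 5 (personal/sensitive data)
    access_breadth: int    # "quantity": 1 (one system) .. 5 (entire network)
    likelihood: int        # perceived breach likelihood: 1 (highly trusted) .. 5

    @property
    def impact(self) -> int:
        # Assumption: the worse of the two impact dimensions drives the rating.
        return max(self.data_sensitivity, self.access_breadth)

def classic_ranking(vendors):
    """Classic scoring: impact x likelihood, highest score first."""
    return sorted(vendors, key=lambda v: (-(v.impact * v.likelihood), v.name))

def impact_first_ranking(vendors):
    """Impact decides the order; likelihood only breaks ties."""
    return sorted(vendors, key=lambda v: (-v.impact, -v.likelihood, v.name))

def premortem_candidates(vendors, impact_threshold=4):
    """Vendors that get a pre-mortem no matter how trusted they are."""
    return [v.name for v in impact_first_ranking(vendors)
            if v.impact >= impact_threshold]

def missed_by_classic(vendors, top_n=3, impact_threshold=4):
    """High-impact vendors that classic scoring leaves outside its top N."""
    top = {v.name for v in classic_ranking(vendors)[:top_n]}
    return [n for n in premortem_candidates(vendors, impact_threshold)
            if n not in top]

# Constructed inventory; names and ratings are illustrative only.
VENDORS = [
    Vendor("network-mgmt-suite", 5, 5, 1),   # sees all traffic, highly trusted
    Vendor("payroll-saas", 5, 2, 2),
    Vendor("hvac-portal", 2, 4, 2),
    Vendor("marketing-analytics", 2, 2, 4),
    Vendor("status-page-widget", 1, 1, 3),
]

if __name__ == "__main__":
    print("classic:     ", [v.name for v in classic_ranking(VENDORS)])
    print("impact-first:", [v.name for v in impact_first_ranking(VENDORS)])
    print("pre-mortems: ", premortem_candidates(VENDORS))
    print("missed:      ", missed_by_classic(VENDORS))
```

With these constructed ratings, the trusted network management suite falls to fourth place under classic scoring and is the one high-impact vendor left out of its top three.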

Preparing For Breaches

Organizations need to move towards a world where we anticipate breaches. Here we must do more than conduct annual assessments or install monitoring tools. Organizations need to run pre-mortems to plan for breaches and mitigate their impact.

Pre-mortems should focus on critical vendors or those with the most impact on your organization. The pre-mortem examines what follows if the breach happens:

  1. What would the breach expose?
  2. How would your organization respond to the breach?
  3. What signals would indicate that a breach has occurred?

The last step represents the biggest change from traditional Vendor Risk Management in response to supply chain attacks. Since attacks can happen across a complex chain of dependencies, it’s important to plan for how to detect the attack early and respond. The worst breach is the breach you never learn about.

Concluding Thoughts

The recent breaches conducted by Russian government attackers highlight the real risks of supply chain attacks. While we cannot ward off every attack, diligent Vendor Risk Management can better prepare our teams to detect and mitigate breaches when they occur.