It’s an increasing certainty that, at some point, everyone will be a victim of a supply chain attack. Because systems have become interdependent on one another, this insidious form of attack causes disruption on one system or software that can spread across all interconnected systems, especially those that share data and communicate with one another. By compromising a single supplier’s distribution system, one well-placed intrusion can act as a catalyst to the networks of a supplier’s customers – sometimes numbering hundreds or even thousands of victims.
Supply chain attacks have been around for decades, but in the wake of the 2020 SolarWinds attack, they are now a major focus for threat actors and will be for the foreseeable future. The rise in these attacks may be due in part to the fact that organizations have been doing a better job protecting themselves. In response, hackers have turned to less-secure, less-obvious points of ingress. In an interconnected business world where organizations depend on dozens to hundreds of separate technologies and vendors, third-party access offers a reliably weak spot in any security posture.
Closing the Third-Party Exposure Gap
By granting third parties access to internal data and systems, companies take on a whole new level of responsibility and risk that often goes unchecked. As a result, data breaches too often trace back to compromised vendor credentials used to access an organization’s internal networks and supply chain. One of the earliest high-profile examples of this was the massive 2013 data breach at Target where credentials stolen from a third-party HVAC company were leveraged to gain access to the retailer’s computer gateway.
The 2020 SolarWinds attack, however, was the biggest wake-up call for this vulnerability. Executed via a “backdoor” into a SolarWinds update server and likely aided by a password spraying attempt, the SolarWinds compromise not only affected the initial victim, it turned the 18,000 commercial enterprises and federal agencies that used their software into Trojan horses. The impact was a widespread destabilization that IT organizations everywhere are still reeling from.
The good news is that as long as criminals use stolen credentials to access accounts, organizations can use that same data to protect themselves.
With the right solution, you can continuously check whether all user credentials, including your vendors’, show up in third-party data breaches and underground marketplaces. By identifying compromised credentials and remediating them early, you effectively strip them of any value to criminals.
There is no question that managing the extended threats of third-party partners can be a daunting task. Going forward, the ability to map the flow of information and monitor for exposed account credentials will remain critical.
The Supply Chain Needs Feedback
Beyond third-party access credentials, supply chain attack prevention mostly hinges on a basic premise: organizations are only as secure as the companies they deal with. That being said, supply chain security risk management has historically focused on vendors that are only one step removed from the organization and rarely includes the partners or suppliers of one of your vendors. Special Publication 800-161, NIST offers guidelines for establishing a more comprehensive vendor assessment that includes a simultaneous review of the critical function of each system and component along with a vulnerability analysis. For example:
Criticality
-
- Review system architecture as it relates to key business processes
- Perform a dependency analysis and assess each of the components that support key business processes
- Know the origin of each system and component, including where they are manufactured or developed
Vulnerability
-
- Identify weak spots in the supply chain where threat actors could potentially gain information about the system and introduce malicious software or firmware
- Is it easy for threat actors to be granted access somewhere deep in the supply chain that would allow them to introduce a component malfunction or failure?
- Do systems or software in your supply chain have dependencies on supporting components? Is it easier for threat actors to subvert those components that directly perform critical functions?
Many vendors are not yet at this robust level of assessment, so it’s important for leading enterprises to insist that all partners hold themselves to a higher standard – and vice versa.
Disruption Is Distraction
The impacts of successful supply chain attacks are so widespread that they are extremely difficult to control. This is the goal – chaos and destabilization followed by an erosion of consumer and shareholder trust. As these attacks continue to mount, the disruption has an even more desirable effect: it provides a valuable distraction from other more strategically important adversarial actions. When organizations and even federal law enforcement are overwhelmed with responding to these large-scale breaches, it gives criminal groups additional time to cover their tracks and plot their next disruption.
In the near future, we can expect supply chain attacks to be directed at newer strategic targets such as 5G network infrastructure. Rethinking trust, staying vigilant about credential exposures, establishing robust vendor security risk assessments, and maintaining a constructive feedback dialogue with partners are all critical steps in defending against these complex threats.