Editor's note: The following is a guest article from Peter Firstbrook, research VP at Gartner.
The recent supply chain attacks that affected nearly 18,000 SolarWinds customers left many organizations scrambling to respond to the threat and ensure continued network operations.
Yet, this attack is hardly a novelty – in fact, it's just one of many supply chain threats in varying degrees of severity that have hit organizations around the world in recent years. From the 2013 Target breach, to the 2017 NotPetya worm, to GitHub open source implants in 2020, supply chain attacks are a reality, but organizations are often unprepared to respond.
Attacks of this nature can occur at any time and through any product or vendor. Therefore, security and risk management leaders must understand how these attacks work and have a plan in place for preventing, detecting and responding to these threats.
What is a supply chain attack?
A supply chain attack is when goods, services or technology supplied by a vendor to a customer have been breached and compromised, which introduces a risk to the customer base.
Cybercriminals often choose to target corporations' supply chains because they act as "force multipliers" in gaining access to hundreds or thousands of companies or applications with a single compromise.
By attacking a widely distributed, but otherwise harmless utility program, hackers can gain a foothold in organizations. Often, these utilities are not fully supported or contain security flaws that remain unpatched.
In many cases, cybercriminals have been able to slip in malicious code that lies dormant until it can detect the presence of a target domain before activating.
There are a few different types of supply chain attacks, including:
Attacks on the supplier's technology, which implant backdoors via that technology to allow an attacker to compromise a customer once the software or hardware has been deployed.
Attacks on the supplier's IT network, which involve remote access or network connectivity between the supplier's network and the customer's network.
Attacks on the supplier's IT environment, where it is hosting or managing IT infrastructure on behalf of a customer, which is then attacked and compromised.
Attacks on supplier's email system (vendor email compromise), which is then used to facilitate attacks on customers.
Attacks on the supplier's identity management or API authentication mechanism, which is used to attack the customer's infrastructure via authenticated credentialed access.
Securing the IT supply chain
It's critical that security and risk leaders take steps to reduce the likelihood of a supply chain attack happening in the first place. If feasible, this process should be managed by a dedicated supply chain risk management function.
Those tasked with supply chain risk should work closely with procurement on supplier management to vet all vendors used to manage IT systems.
When acquiring any new software, ask the vendor for details on the last time a complete, independent code review was performed, the schedule for regular audits of code and a list of servers and ports that any software would need to communicate with. At the very least, ensure that the security team is maintaining a documented list of more privileged suppliers in the event a breach is reported.
Limit vendors' network access where possible through the use of secure remote access systems such as zero trust network access (ZTNA) or virtual desktop infrastructure (VDI). These products reduce risk by allowing access without fully connecting networks between managed service suppliers and customers.
Then, ensure only approved software has access to IT systems and is acting as intended. Good software asset inventory can limit unsanctioned applications and detective controls. Endpoint detection and response (EDR) or network detection and response (NDR) solutions can be used to detect when software is trying to connect to download additional malicious payloads.
Privileged credential monitoring and API monitoring are emerging areas that organizations will need to increasingly address. User and entity monitoring solutions, privileged access management solutions and directory monitoring solutions are useful tools for this aspect of supply chain attacks.
Prepare to respond to supply chain threats
Unfortunately, there is no perfect protection against supply chain threats. Therefore, security and risk management leaders must have tools to detect the lateral movement from the initial compromised service, and an incident response plan for attacks against the supply chain with an agreed workflow to manage a coordinated reaction.
Design a comprehensive incident response plan that will ensure an efficient response to any future supply chain attacks. This plan should be formally documented and contain clearly defined roles and responsibilities at each stage.
The process of creating this plan will ensure security teams already have the tools and human resources in place so the organization is fully prepared if the threat becomes a reality.
When facing a potential supply chain attack, security teams must first determine if the organization or a critical third-party is affected. If it's determined that the organization is affected, use known indicators of compromise and user activity logs to track lateral movements. Engage in more active monitoring to spot potentially related anomalies.
EDR, NDR and identity management tools are critical for detecting lateral movement and anomalies in the credential management system. However, if your organization does not have enough qualified security analysts for comprehensive detection, it's worth investing in managed detection and response (MDR).
It's also worth deploying tools that incorporate user behavioral analytics to examine standard access behavior of users and servers. Microsegementation tools can help reduce the spread of malware by limiting it to the systems the infected device can access. External C2 traffic monitoring tools can be used to get a proxy on supplier security quality.
Then, reach out to your security vendors to quickly learn about updates and suggested analysis workflows. Determine the balance between rebuilding or cleaning for compromised hosts and credentials.
If necessary, engage qualified incident response organizations. Consider the value of a retainer incident response service that can be engaged at the first sign of compromise without the burden of rushed contractual negotiations.
Supply chain threats are and will continue to be a reality. While they will vary in severity and reach, any such threat can have significant impact on IT resources. While there's no way to fully prevent such an attack from happening, by diligently preparing and having the right tools and processes in place, security and risk management teams can be ready to respond and limit any damage.