If you’re in charge of defending the average enterprise, your supply chain might be your least-defended attack surface. In the language of information security, your supply chain is any vendor or service provider with a password, and integration, or an application installed on your network/endpoint. If your company utilizes platforms like Oracle, Logility, E2open or SAP for example, and some even now say Zoom, are part of your supply chain.
Your supply chain is long and difficult to keep track of—and it’s more difficult now. Think of all the employees that you have working from home. If they’re using their home PCs to VPN into your network, then every application on their computer is part of your supply chain by de facto. Almost 50% of security professionals are worried about this problem, and you should probably add yourself to that 50% if you haven’t already.
As you’ll see, however, even a trusted vendor that you know about can present a real danger to your network, something that’s difficult to defend against.
Recent Events Highlight the Danger of Supply Chain Attacks
A supply chain attack might play out something like this:
First, the attacker goes after a vendor—a company with a lot of software in a lot of networks.
Next, they compromise the vendor’s development environment. They tweak the vendor’s software so that it can report home to a command-and-control server.
As soon as the developer pushes out their next update, the malicious version is installed onto all of its customer’s machines. The attacker can freely listen in to all the vendor’s customers.
This, more or less, is the chain of events that occurred during the SolarWinds attack. SolarWinds, notably, is a company that sells remote access software to governments and other institutions. When its breach was discovered late in 2020, at least 250 organizations were found to have been affected, with victims including FireEye, Microsoft, Malwarebytes, and other institutions that should have theoretically been able to detect and mitigate this kind of attack.
The problem with supply chain attacks mostly boils down to trust. You’re an information security professional—you don’t install sketchy app store apps or random solitaire games. You install and deploy software from companies that you’ve vetted. But supply chain cyber attacks show that even companies you’ve vetted and trust to be secure are vulnerable to infiltration and exploitation—or they might simply be negligent in ways that they were able to hide from you.
The SolarWinds attack, while it was by far the largest recent attack on record, is still only the tip of the iceberg. Incidents involving supply chain attacks rose 42% from January to March in the US alone. Another recent example is the firm Accellion, which shipped vulnerabilities in its File Transfer Appliance that led to breaches in customers such as Shell, Kroger, and the University of Colorado. Unlike the SolarWinds attack, Accellion wasn’t directly breached—instead, hackers took advantage of existing Zero Day vulnerabilities in a legacy application.
Information Security Professionals are Taking a Stand Against Supply Chain Attacks
Supply chain attacks are insidious. They compromise trusted software and take advantage of previously unknown vulnerabilities. As such, it can be hard to know whether you’re under attack, or if your software is simply working as intended. Incorporating a risk threat model should be the starting point, as there is not a ‘silver bullet’ or quick fix to cybersecurity, you need a phalanx of ‘silver bullets’ or multiple steps to your strategy.
Your first step is to stop the problem from getting worse—which may mean changing the way that you audit and procure software. It is important to frequently audit up and down the supply chain, as the chain is only as good as the weakest link. For example, remote access, videoconferencing, file transfer, and credit card processing software all represent big targets for supply chain attackers. Your risk assessment should include software like this. Find out if you have software like this, vet the providers for their security practices, and audit them to see if you can find any vulnerabilities of your own.
The next step is to understand if you have any actively compromised software running in your environment. Threat hunting is one method that may prove useful. Using open-source software or dedicated network hardware, you can understand which applications or appliances are communicating outside your network. There are also publicly available resources to help you understand if your application is contacting a domain or IP address that’s been linked to a criminal group or APT.
Finally, you need to harden your network against intrusions. Even if you can’t find anything, assume that at least one application on your network is compromised. Now what?
The best defense under this assumption is to prevent the attacker from moving laterally within your network, escalating their permissions, or accessing sensitive information. This might mean placing sensitive applications within virtual network segments, which means that the application can only communicate along predetermined pathways using certain kinds of traffic—preventing the attacker from exploiting many additional resources within your perimeter. It could also mean adopting privileged account management (PAM) strategy design to harden privileged accounts against compromise.
Prevent Supply Chain Attacks with Packet Visibility Tools
IT security professionals use network TAP over SPAN to provide packet visibility to their threat detection and IDS tools to help trace down malware and compromised applications.
Inline Bypass TAP solutions can also help administrators add an additional layer of resiliency managing threat prevention tools such as IPS, firewalls, web application firewalls, and SSL decryption. These not only help increase your security, they also eliminate single points of failure and reduce network downtime.
Looking to add a visibility solution to your supply chain security deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.
