In addition to the many other tumultuous events that occurred in 2020, the year also brought two very significant and sophisticated IT supply chain attacks that drove headlines in the cybersecurity industry and raised questions about our national defense: the GoldenSpy malware and the SolarWinds attack.
A supply chain attack is when hackers infiltrate an organization's systems by compromising a third-party provider or partner with access to that organization's network and data. During the first half of the year, we saw the example of GoldenSpy malware, which was hidden in tax software required by the Chinese government for any international companies doing business in the country. More recently, nation-state actors compromised the popular IT infrastructure management tools that SolarWinds provides to thousands of organizations, including government agencies, cybersecurity leaders and tech giants. In both cases, hackers were able to penetrate deep into networks, potentially stealing sensitive corporate or government information.
What sets supply chain attacks apart from other types of cybersecurity threats like phishing or ransomware is the complexity that goes into them and the length of time it can take for an organization to detect them. Though the cybersecurity industry has become more adept in recent years at red teaming and continually testing for known vulnerabilities to identify front-end risk, supply chain attacks are more difficult to detect because they exploit an organization's established trust of its vendors and partners.
Supply chain attacks can catch even skilled security teams off guard because examining trusted partners and validated solutions is not an area that security teams typically focus on. Pulling off these attacks successfully grows more complex as vendors continue to add their own security into products, which oftentimes creates a false sense of protection. Moreover, as of now, there are not many great automation solutions tailored toward detecting, flagging and responding to supply chain attacks. Quite frankly, the supply chain is one of the last places IT organizations consider securing.
Unfortunately, we will continue to see more supply chain attacks occur as organizations increasingly shift toward multi-cloud environments and provide third-party partners with greater access to their most sensitive data and critical infrastructure. But there are steps that security professionals can take to help minimize their organization's risk and to better detect supply chain attacks.
Assess your level of risk
The first step is to take a holistic look at your company's level of risk. How likely are you to be the target of a sophisticated attack? Does your organization have highly sought-after intellectual property or a customer base that nation-state adversaries would want to infiltrate? Evaluate your level of risk honestly and make sure your organization has good security hygiene first. If you're not already performing the security basics, including vulnerability scans and penetration testing, and running firewalls, antivirus and endpoint detection, then you need to focus on those before worrying about the supply chain. An attacker usually takes the path of least resistance. Only if your organization conducts regular vulnerability assessments, pen testing and red teaming, and has threat detection and response in place, does supply chain risk become a more appealing attack vector to well-funded adversaries.
Evaluate your providers' security practices
Thoroughly evaluate all IT tools, providers and services to ensure that they are following security best practices. Work with the legal team to read through the terms and conditions of all contracts to make sure they detail a vendor's security practices, processes and responsibilities. Look to see if your IT supply chain partners are performing continual source code analysis. Ask what checks and processes they have in place for how they update and distribute their software. If your partners have these security best practices in place and are performing them continually, then you can be a little more confident that you are getting a "known good" from the provider. Many vendors are not yet at this level, so it's important to closely evaluate your third-party providers and find the ones taking these steps.
Proactive assessments -- explore what you don't trust
Once you've signed the agreements and integrated a third-party software or services provider into your network, it's time to really start exploring your supply chain risk. This can be done much the same way an organization proactively threat hunts for traditional cybersecurity attacks like phishing or ransomware attacks. But when it comes to a supply chain attack, it is unlikely you will be able to catch the initial activity. Supply chain attacks are typically discreet and are designed to lie in wait, perhaps quietly gathering data, until a later date. Often, security teams won't identify these needles in the haystack until the attackers begin taking next steps. That is why, when it comes to supply chain risk, proactive threat hunting is really the art of exploring everything in your network that you don't completely trust. Security teams should also regularly perform specific penetration testing and red teaming that encompasses third-party software integration, custom applications and systems throughout their network. They should also make sure they're able to detect all open source red teaming tools available on the market, as the recent attacks demonstrated that even advanced adversaries use and modify common tools in their attacks.
Know your environment and explore suspicious activity
Sometimes detecting security threats comes down not to sophisticated security tools, but simply to knowing your environment and what should or shouldn't be taking place. Is there a new data stream, or a volume of traffic, that you've never seen before? Is something happening at a certain time of day that doesn't make sense for your organization? I recently worked with a CISO at an Australian company who noticed remote desktops were logged on to the network from Malaysia. This may not have normally raised suspicion, but because of the COVID-19 pandemic, he knew that no employees of the company were traveling at that time, so this network traffic warranted further investigation. The ability to look at your whole environment and identify what is out of place enables a security professional to separate the signal from the noise and more quickly detect and respond to suspicious activity that could be the indicator of a bigger threat.
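The "know your environment" approach above, as an added example (not code from the article or from Trustwave): a baseline of what normal remote-desktop activity looks like is built from historical events, and new events are flagged when they deviate from it. The log format, field names, business-hours window and the two-letter country codes are assumptions; all log lines are constructed samples.

```python
from datetime import datetime

# Constructed sample logs: "timestamp user source_country megabytes_transferred".
# The baseline is what the organization normally sees (all logons from AU).
BASELINE = """\
2020-11-02T09:15:00 alice AU 12
2020-11-02T10:02:00 bob AU 8
2020-11-03T14:30:00 carol AU 15
2020-11-03T16:45:00 alice AU 11
2020-11-04T08:55:00 bob AU 9
"""

# New events to check: the 03:10 logon from MY with a large transfer is the
# kind of out-of-place activity the article describes; "dave" is a new account.
NEW_EVENTS = """\
2020-12-01T09:05:00 alice AU 10
2020-12-01T03:10:00 bob MY 480
2020-12-01T11:20:00 dave AU 13
"""

BUSINESS_HOURS = range(7, 20)   # assumed local business window, 07:00-19:59


def parse(lines):
    """Turn the constructed log text into (timestamp, user, country, MB) tuples."""
    events = []
    for line in lines.splitlines():
        ts, user, country, mb = line.split()
        events.append((datetime.fromisoformat(ts), user, country, int(mb)))
    return events


def build_baseline(events):
    """Capture 'normal': countries seen, accounts seen, median transfer size."""
    countries = {c for _, _, c, _ in events}
    users = {u for _, u, _, _ in events}
    volumes = sorted(mb for _, _, _, mb in events)
    typical_mb = volumes[len(volumes) // 2]
    return countries, users, typical_mb


def find_anomalies(baseline, events, spike_factor=10):
    """Return (timestamp, user, reasons) for every event that deviates from baseline."""
    countries, users, typical_mb = baseline
    findings = []
    for ts, user, country, mb in events:
        reasons = []
        if country not in countries:
            reasons.append(f"new source country {country}")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours logon at {ts:%H:%M}")
        if mb > typical_mb * spike_factor:
            reasons.append(f"volume {mb} MB vs typical {typical_mb} MB")
        if user not in users:
            reasons.append(f"unseen account {user}")
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings
```

Each finding is a prompt for a human to investigate, not a verdict; the value of the check is that it encodes what the security team already knows about its own environment.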
Don't fall victim to supply chain attacks
Ultimately, the big IT supply chain attacks we saw in 2020 make it clear that any organization is vulnerable to compromise -- even those that have sophisticated security knowledge and budgetary resources. In today's increasingly cloud-reliant business environment, it's more common for CISOs to think in terms of "it is not a matter of if, but when you are breached." CISOs and security professionals should focus not on whether they are vulnerable, but rather, on how quickly they can detect a breach and remove adversaries from their systems. By holistically assessing their organization's level of risk, practicing good security hygiene, assessing their vendor's security practices and proactively threat hunting in their supply chain, organizations can reduce their risk and respond more quickly, minimizing supply chain threats before they become a bigger problem.
About the author
Mark Whitehead is the global vice president of SpiderLabs Consulting Services at Trustwave. His responsibilities include setting the strategy and directing delivery for all of Trustwave's portfolio of testing services for Canada, the United States, and Latin and Central America. Mark possesses over 16 years of experience in the cybersecurity field, with 10 years of leadership and management experience.