Supply chain attacks continue to be a growing concern for any organization, and use of this technique as an attack vector is likely to become more frequent as companies become more interconnected and increase their dependence on software. It’s a concern that can’t be ignored any longer given the successful attacks waged against high-profile targets like SolarWinds, Kaseya, and Maersk. Preparing to avoid and defend against these attacks will require cooperation from security, legal, and operations departments, and understanding the problem itself is paramount to building adequate defenses.
This article will provide some background on recent news and summarize some of the factors that security professionals should be aware of regarding supply chain concerns.
Traditionally when you think about supply chain, things like logistics, manufacturing, and shipping companies that make or transport physical goods come to mind.
Supply chain risk management and third-party risk management should not be separated. Two primary takeaways are:
- Start thinking about all the hidden risks your organization accepts daily—known and unknown.
- Consider where you sit in the larger ecosystem—where decisions made at your organization directly affect other businesses downstream or otherwise interconnected with you—which creates the risk of spreading more pain through the supply chain.
It took a few big names falling victim to supply chain attacks in grand fashion to start this conversation among security professionals, who redefined the idea of what a supply chain is (not just logistics) and brought it to the forefront of security news.
Your Supply Chain
Recent attacks have made the risk of software supply chain obvious, but some may still be wondering why they should care, especially if they’re not the traditional company that comes to mind when discussing supply chain management.
Keep these in mind when going through this article:
- What are the different risks you accept in your business, perhaps without even being aware of them?
- How does everything that happens in your business affect others?
We are all aware of the recent breaches of SolarWinds and Kaseya, where issues in their software, which is deployed at thousands of other companies, created incidents globally.
Ransomware attacks on Colonial Pipeline and Maersk caused considerable issues in gasoline delivery, shipping times, and costs passed down to thousands of downstream consumers.
Before that, Fazio was the Heating, Ventilation, and Air Conditioning (HVAC) company whose lax security practices resulted in the Target breach. Prior to this incident, vendors of physical systems were rarely evaluated for their risk to IT environments.
Going back a bit further, there were the malicious chips reported to have been introduced into Supermicro hardware in 2018, and the counterfeit Xicor chips found in 2011.
Even the adapters and chargers you pick up as “swag” at conferences can be dangerous.
Some summaries of these incidents:
The SolarWinds attack, AKA “Solarigate,” was a large global incident, and a perfect example of where errors and issues in one organization cascaded into issues at other prominent software and SaaS providers. Even companies who had never used SolarWinds and maybe had never even heard of it ended up feeling the pain that stemmed from decisions made at these other organizations.
Managed Services Providers (MSPs) felt the impact of the Kaseya incident in 2021, and those MSPs had network connections to many other businesses as their end customers. Even if those businesses weren’t using Kaseya or knew that their MSP was using it, they were still negatively impacted by upstream decisions.
Colonial Pipeline, as part of more traditional supply chains, showed the industry that cyber attacks can also cause large-scale physical disruptions. If you work in the oil or gas sectors, it’s likely your upper management has been asking what’s being done to ensure you’re not the next Colonial Pipeline.
Maersk, the shipping container and logistics giant, is another intriguing case that disrupted commerce globally. Their ransomware incident resulted from attacks targeted at a nation-state elsewhere in the world. It was a catastrophic event for many companies, and people are still paying for it. Maersk lost three hundred million dollars because of this event, and these costs were inevitably passed downstream.
If the name Fazio sounds familiar, it’s because Fazio was the HVAC vendor behind the Target data breach in 2013. The team procuring these services for Target was likely not thinking about the security practices of the vendor before the organizations were connected, and it certainly was not expecting that a vendor who serviced Target’s physical stores would cause a breach in their retail point-of-sale environment.
Super Micro, Xicor, and Conference Swag
Physical chip attacks go back as far as 2011 (Xicor), but Super Micro also had malicious chips embedded into their circuit boards as recently as 2018. Even the gadgets or “swag” you pick up at conferences could be subject to this kind of supply chain attack and should not be considered innocuous until tested and scanned for malicious code.
Many will plug these free adapters or chargers into their corporate devices without considering the data transfer risk. This tactic was even written into the television series Mr. Robot as a way to introduce malware into a target organization as part of a larger hack. How could this risk affect your organization?
The supply chain is like a large ecosystem: a system of companies that constantly interact with and depend on each other, either consuming products or services from upstream organizations, adding their own value before passing products along, or producing inputs for other companies. Another way to think about the supply chain is to ask who is in your bubble of influence.
Customers and Employees
Two groups in your bubble are your customers and employees, who will either benefit or suffer from the decisions made by your organization. The security decisions made at your organization can directly impact these people and their personal, professional, and even their children’s lives. It has wide reach.
We deal with endpoints, network issues, and all kinds of security tasks daily. Still, the time is rarely taken to assess the risk of having an incident spread and create an exponential impact beyond the walls of your company.
Vendors and Business Partners
When you discuss vendors and business partners, any decisions they make could ultimately impact your company, and vice versa. For example, if a vendor doesn’t have a policy that enforces multi-factor authentication (MFA), and they have access to one of your systems or networks, this introduces risk into your environment. If one of their credentials is compromised, it can be used to move laterally into your organization.
Upstream Providers and Downstream Consumers
Upstream providers can be hardware or software providers, such as your SaaS platform, ISP, component manufacturers, or a hosting provider hosting a website or app for your organization—but it can really be any company that provides the input necessary for company operations to flow normally.
Your downstream consumers will be ingesting anything you do. Perhaps you produce code or make a tool that someone uses to ensure their code or tools are working correctly. Perhaps you make a widget, which goes into another widget, an auto part that goes into a car, and so on.
Now, imagine there’s something bad in that auto part. That could be a problem for the car, right? So, it’s the same thing in our world.
This is where we go beyond third-party risk and the supply chain risk ecosystem to 4th, 5th, 6th, 7th, or 8th-party risk. This ecosystem is next to impossible to map out, leaving a company with a lot of unknown risk exposure.
Email is still a hugely popular initial vector for attacks, and acts as a common conduit to spread malicious files or links. Your business sends thousands or hundreds of thousands of emails daily to people—it’s like a river that never stops flowing. If your business partners don’t have proper security controls in place, that is a legitimate (and likely trusted) email account that can become compromised and weaponized against you. Large scale attacks have been launched this way.
Attackers don’t even need to spoof one of your domains with a look-alike. Domain DMARC isn’t going to help you here, either. So, when you think about those pieces, anyone who has ever done business with you is a potential attack vector.
Again, it’s more of a bubble or an ecosystem with interconnected nodes than a direct linear vertical supply chain.
Supply Chain Attack Vectors
As illustrated above, supply chain risk can be introduced into an organization in many ways. It includes anything involved in building software or hardware, such as the build and staging environments, the virtual machines your developers are using, the facilities where components are manufactured, and so on. It also includes any third-party libraries used by your code.
Those who attended the Innovate Summit 2021 may have heard a talk that discussed open-source libraries, repositories, and baking that into your code and how it can introduce all kinds of risks.
You can verify software via hash, but did you look at the code initially to establish a baseline? Do you know what the library entails? Do you know who made or maintains that library? What country are they in?
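The baseline idea above, as an added example that is not from the article or from Novacoast: record a SHA-256 digest of every file in a vendored library at the time the code was actually reviewed, then diff the tree against that baseline later to catch files that were modified, added, or removed. The `widgetlib` directory and its contents are constructed sample data.

```python
"""Added example: baseline a vendored third-party library by file hash and
detect drift. The vendor tree below is constructed, not a real package."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between the reviewed baseline and the tree present now."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed vendor tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "vendor" / "widgetlib"
        lib.mkdir(parents=True)
        (lib / "__init__.py").write_text("VERSION = '1.0'\n")
        (lib / "core.py").write_text("def run():\n    return 'ok'\n")
        # Baseline captured when the library was reviewed line by line.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(hash_tree(lib), indent=2))
        # Later "update": core.py changes and an unreviewed module appears.
        (lib / "core.py").write_text("def run():\n    return 'ok'\nimport os\n")
        (lib / "extra.py").write_text("# unexpected new module\n")
        baseline = json.loads(baseline_file.read_text())
        return compare_baseline(baseline, hash_tree(lib))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash match only proves the files are the ones you baselined; the value of the check depends on the review that produced the baseline in the first place.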
Cybercriminals can also steal code or certificates from your repositories and use this information to modify your software and impact your customers or internal operations.
Code embedded into firmware can be an issue, and we’ve seen pre-installed malware on physical devices. We can joke about swag devices being risky, but even medical devices have a history of getting shipped out with malicious code embedded in them.
Hosting Websites Externally
Externally hosted websites are assets that often get ignored. When asked if they have applications or anything hosted on a third-party infrastructure, companies often respond that they don’t need to worry about those because they host them externally, are not connected to the internal network, or don’t store sensitive data.
Unfortunately, what this means is the assets are entirely out of your control, creating a massive visibility gap. Attackers can deface or destroy a site even for web applications that don’t take payments or store sensitive information. The asset is subject to whatever security practices that third-party hosting provider uses. Organizations should ensure these details are evaluated before choosing hosting vendors. Additional risks include colocation, DNS poisoning, or site/application downtime.
Some sites or applications may be colocated on one IP/server that also hosts many other domains at the provider, and not all security teams know all external domains that may be in use. If the hosting provider’s server that is colocating all those domains becomes compromised, your site might get swept up into an attack targeting another site. Collateral damage at the co-lo.
In cases like this, your organization is subject to the risks introduced by the provider and to the security of the other sites colocated with yours.
DNS hijacking can occur when an attacker obtains access to edit DNS records and the SOA record is modified. Suppose the hosting provider allows editing of DNS records through its portal and your panel credentials are compromised. In that case, an attacker could modify these records to point to a malicious site. Or, if the nameserver of the hosting provider itself is compromised, records may be poisoned for the entire server (including all colocated domains and subdomains).
It doesn’t matter if the malicious page is delivering malware or just harvesting credentials—this attack could lead to loss of data as well as trust in your services. This is just one more risk that exists outside of your network that you may have limited ability to control.
Website defacement can happen in a multitude of ways. Many of us giggle when we think about website defacement as we think of bad WordPress sites, animated GIFs, and weird music auto-playing on a defaced page.
But this type of site attack is becoming more common in targeting enterprise sites, and ransomware actors have even started to use this as part of their extortion techniques. With limited visibility and/or controls for externally-hosted sites, organizations may not detect a defacement until outside parties report the altered content. Attackers could also use the same website access to add malicious code to your site for further nefarious objectives, such as stealing customer information.
Any of these web-based attacks could result in application downtime due to the attack itself, containing the threat, or remediating the impacted site. If the application is critical to revenue generation tasks for your business, such as for taking orders or allowing customers to access their accounts, these risks can lead to revenue and reputation loss if exploited.
Here you have an entire piece of your ecosystem that, again, you may have limited control over to prevent, detect, or respond to related attacks.
How to Prepare
Let’s consider how you can prepare and defend your business against supply chain risks. After all, it’s impossible to have contracts with every company worldwide and ensure they all use MFA. One thing you can do is make sure you’re strengthening your own procurement, onboarding, and implementation processes to mitigate external risks that could be introduced in the course of doing business.
For businesses developing applications or software, ensure that development and staging environments are secure and that you monitor them as strictly as the rest of your network. Just because a developer uses that virtual machine for a few days doesn’t mean you shouldn’t have your EDR on it.
You want to see if they do something weird, even on the insider threat side. You should be monitoring those environments just like you’re monitoring your production environments. One thing that can’t be stressed enough, and that we hope our industry can get its arms around, is ensuring that security is involved in all procurement discussions, even on the business side.
You should know what the dependencies for your applications are and know if you can update them. If an application is going to run on Java 7 for its entire lifecycle because the vendor refuses to update their code to work with current Java versions, you probably don’t want to buy it in the first place. Otherwise, mitigating measures must be implemented to protect these legacy applications.
Another component to tackling supply chain and third-party risk is having requirements set for your vendors. If you have some weight behind that business relationship, push on your vendors and make them commit to you that they will assist with upgrading and updating those systems and/or dependencies. You don’t want to find yourself in a 10-year contract, millions of dollars later, and learn that you cannot update an app’s dependencies because the app won’t work anymore.
As an industry, we can do much better to ensure we’re not inheriting these problems repeatedly. When it comes to contract renewals, that’s the time to say something and have a contingency plan.
Additionally, if there are systems critical to your business operations, it’s about more than just high availability and backup of server images. Having another vendor can also help diversify away some risk, much like one may diversify an investment portfolio. Getting things spread across vendors is not a bad idea. Is it expensive? Of course, it is. Still, it’s insurance that should you have a vendor issue, you can smoothly transition to another solution.
Making vendor contract clauses enforceable may seem like a dream, and it may be challenging for some. Work with your organization’s legal representatives and ask them to add a clause to your contracts that allows for enforcement if, for example, a compromise occurs because the vendor did not update dependencies, or if their lax security practices result in a compromise of your network.
Application and network access controls can also help protect your organization from third-party software risk. For example, when the Bank of China required a specific piece of software to run in the foreign banks it transacted with, that software was found to be introducing malicious code as part of the package. The banks that anticipated this risk and sandboxed or segmented the devices running this software fared much better than those who allowed it to be installed “normally.”
Your best bet here is always to apply a Zero Trust methodology to your environment. Don’t trust your vendors, and don’t trust your users, your employees, or your customers. Nobody.
The reality is, everybody you know or do business with is potentially an attack vector.
Lastly, user training is always a good preventative measure to protect your organization. Educated and aware users are safer users.
If your accounting department actually understands why they can’t just buy that accounting software without security review, they will likely be more cooperative instead of considering security an unnecessary impediment. Your procurement process may take longer, but having these conversations between security, IT, and other departments is critical to building a more secure culture and network.
Reinforce this education with technology controls to protect your network as well as possible.
There is no way to 100% eliminate supply chain or third-party risk. By following this guide, your organization can mitigate and substantially reduce these risk exposures and limit the likelihood of being subject to a related attack (or being the vector of an attack against another target in your bubble).
Elise Manna-Browne is the Director of Advisory Services for Novacoast, specializing in cybersecurity advisory, threat operations, and incident response. This article was translated from her presentation at the 2022 Innovate Cybersecurity Summit in Scottsdale, AZ.