How organisations can minimise supply chain threats

Supply chain attacks can be difficult to detect, so what do security leaders need to do to protect their business, asks Ed Williams, EMEA Director of SpiderLabs at Trustwave

Posted 23 February 2021 by Christine Horton

Supply chain attacks – where attackers infiltrate an organisation’s systems by compromising a third party it trusts – are on the rise. Perhaps the most high-profile attack in recent times came to light in December 2020, when nation state hackers were found to have compromised the build process of SolarWinds’ Orion infrastructure management platform, inserting a backdoor into a legitimately signed update that customers then installed. This gave the attackers a route into multiple organisations and US government agencies.

Another notable incident, disclosed by Trustwave SpiderLabs earlier in 2020, involved malware dubbed “GoldenSpy” embedded in tax payment software that foreign companies doing business in China were required to install.

Supply chain attacks such as these can be difficult to detect, allowing adversaries to stay hidden inside systems for months. This creates a major challenge: while the cyber security industry is getting better at identifying externally facing risk through Red Teaming and continual testing for known vulnerabilities, supply chain attacks exploit the trust an organisation has already established with its vendors and partners, so the malicious code or access arrives through a channel that is assumed to be safe.

Supply chain attacks can catch even skilled security teams off guard, because scrutinising trusted partners and already-validated solutions is not something those teams typically focus on.

At the same time, current automation tools are not really geared towards detecting, flagging and responding to supply chain attacks.

The shift toward multi-cloud environments elevates the risk further as firms grant third-party partners greater access to their most sensitive data and critical infrastructure. So, what steps can security professionals take to help minimise their organisation’s risk and better detect supply chain attacks?

Assess your risk, and get basic security hygiene right first

All organisations will have a different level of risk of being targeted by this type of cyber attack. It’s therefore important to assess realistically whether your organisation’s IP or customer base might be attractive to adversaries, particularly nation states.

The risk depends partly on the sector you operate in: government organisations and their vendors, financial firms and healthcare companies are all major targets.

It might seem obvious, but every organisation also needs to start with good basic security hygiene. That means accurate and timely asset management, vulnerability scanning, regular patching, penetration testing, firewalls, antivirus and endpoint detection and response. Adversaries will always target the weakest link in the chain, and if something basic is missing, they will be handed an easy foothold.

Evaluate your providers

Once the basics are in place, it’s time to evaluate IT tools, providers, and services to ensure your suppliers are following security best practices.

The contract’s terms and conditions are an ideal place to start: your chosen partners should have security best practices in place and should be carrying them out continually, and the contract should say so.

It makes sense to work collaboratively with your legal team, asking them to read through all contracts and make sure they include the vendor’s security practices, processes and responsibilities.

At the same time, IT supply chain partners should be performing continual source code analysis, so ask about the checks and processes they have in place for building, updating and distributing software: how releases are signed, and how a customer can verify that what it installs is what the vendor built.
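As an added illustration of the kind of distribution check to ask a vendor about (example code written for this article, not Trustwave’s or any vendor’s own tooling): the vendor signs a manifest of per-file SHA-256 digests with an Ed25519 release key, and the customer verifies that signature against a public key pinned out of band before checking every file in the download against the manifest. The key pair, file names and file contents are all constructed here so the program runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Artifact is one file in a release: its name and its bytes. In practice the
// bytes come from the downloaded package; here they are constructed inline.
type Artifact struct {
	Name string
	Data []byte
}

// NewReleaseKey stands in for the vendor's release signing key (constructed
// for the example). A customer only ever holds the public half, pinned out of band.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest produces the canonical text the vendor signs: one
// "<sha256 hex>  <name>" line per artifact, sorted by name so that the
// vendor and the customer derive exactly the same bytes.
func BuildManifest(artifacts []Artifact) string {
	sorted := append([]Artifact(nil), artifacts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, a := range sorted {
		sum := sha256.Sum256(a.Data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), a.Name)
	}
	return b.String()
}

// SignManifest is the vendor side: sign the manifest with the release key.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is the customer side. It checks the signature first, then every
// file against the digest the manifest commits to, and rejects a release whose
// files are missing, duplicated, extra or altered.
func VerifyRelease(pinnedPub ed25519.PublicKey, manifest string, sig []byte, artifacts []Artifact) error {
	if !ed25519.Verify(pinnedPub, []byte(manifest), sig) {
		return errors.New("manifest signature invalid: do not install")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[fields[1]] = fields[0]
	}
	if len(expected) != len(artifacts) {
		return fmt.Errorf("release has %d files but manifest lists %d", len(artifacts), len(expected))
	}
	seen := map[string]bool{}
	for _, a := range artifacts {
		want, ok := expected[a.Name]
		if !ok || seen[a.Name] {
			return fmt.Errorf("file %q is not in the signed manifest, or appears twice", a.Name)
		}
		seen[a.Name] = true
		sum := sha256.Sum256(a.Data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("digest mismatch for %q: altered after signing", a.Name)
		}
	}
	return nil
}

func main() {
	pub, priv := NewReleaseKey()
	release := []Artifact{
		{Name: "updater.dll", Data: []byte("benign updater code")},
		{Name: "config.xml", Data: []byte("<config/>")},
	}
	manifest := BuildManifest(release)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean release:", VerifyRelease(pub, manifest, sig, release))

	// Replace one file after signing, as a poisoned download or mirror would.
	tampered := []Artifact{
		{Name: "updater.dll", Data: []byte("benign updater code plus implant")},
		{Name: "config.xml", Data: []byte("<config/>")},
	}
	fmt.Println("tampered release:", VerifyRelease(pub, manifest, sig, tampered))
}
```

Note the limit of this check: it catches tampering after signing, such as a swapped download or a poisoned mirror. It does not catch a compromise of the vendor’s own build pipeline, which is how the SolarWinds backdoor shipped inside a validly signed update. That is why the questions about how the vendor builds, reviews and analyses its code still matter alongside the signature.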

How to proactively threat hunt in a supply chain

It’s important to assess your supply chain risk as you sign agreements and integrate a third-party software or services provider into your network. Proactive threat hunting is a key factor: You need to explore everything in your network that you don’t completely trust.

Extra vigilance is needed in preventing supply chain attacks, because adversaries can often remain hidden inside systems for months. In some cases – such as with the SolarWinds breach – this gives hackers the opportunity to steal valuable business IP long before they are discovered by the security team.

In addition to proactive threat hunting, security teams should regularly perform specific penetration testing and Red Teaming encompassing third-party software integration, custom applications, and systems throughout the network.

Security leaders also need to ensure their detection covers the open-source Red Teaming tools in common use. This is especially important now that advanced adversaries use and modify these same tools in real attacks, so detection tuned to them will catch intrusions as well as exercises.

Know what looks “normal”, and what doesn’t

Sophisticated tools can be useful, but they’ll only get you so far. Mitigating supply chain attacks also requires a strong security strategy. At the heart of this is simply knowing your environment and what does and doesn’t look normal.

For example, a new volume or data stream that you have never seen before, or an event taking place at a time of day that makes no sense for the user or system involved, should prompt a closer look.

One Australian company CISO was alerted to an issue when he noticed remote desktop sessions on his network originating from Malaysia. That was concerning, because during Covid-19 none of his employees were travelling.

So, like the Australian CISO, security professionals need to look at the whole environment and identify anything that is out of place. That allows you to detect and respond more quickly to suspicious activity that could be the indicator of a bigger threat.
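The anecdote above translates into a simple detection rule. As an added example, not taken from the article or from any Trustwave product, the Go program below learns a per-user baseline of source country and hour of day from a window of earlier logons, then flags recent logons that fall outside it: a country never seen for that user, an hour never seen for that user, or a user with no history at all. The log format, the users, the IP-to-country table (built on the RFC 5737 documentation prefixes) and every event are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Logon is one parsed remote-desktop logon. Alert is a logon outside the
// baseline plus the reason: "no-baseline", "unknown-country" or "unusual-hour".
type Logon struct {
	When    time.Time
	User    string
	SrcIP   net.IP
	Country string
}
type Alert struct{ Logon Logon; Reason string }

// geoTable is a constructed stand-in for a GeoIP database, mapping the
// RFC 5737 documentation prefixes to countries purely for this example.
var geoTable = map[string]string{"203.0.113.0/24": "AU", "192.0.2.0/24": "AU", "198.51.100.0/24": "MY"}

func countryOf(ip net.IP) string {
	for cidr, cc := range geoTable {
		if _, n, _ := net.ParseCIDR(cidr); n.Contains(ip) {
			return cc
		}
	}
	return "??"
}

// ParseLogon reads one line of the constructed log format used here:
// "2021-02-10T23:12:44Z user=jsmith src=203.0.113.7 event=rdp_logon".
func ParseLogon(line string) (Logon, error) {
	f := strings.Fields(line)
	if len(f) < 3 || !strings.HasPrefix(f[1], "user=") || !strings.HasPrefix(f[2], "src=") {
		return Logon{}, fmt.Errorf("unexpected line format: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	ip := net.ParseIP(strings.TrimPrefix(f[2], "src="))
	if err != nil || ip == nil {
		return Logon{}, fmt.Errorf("bad timestamp or source address in %q", line)
	}
	return Logon{When: ts.UTC(), User: strings.TrimPrefix(f[1], "user="), SrcIP: ip, Country: countryOf(ip)}, nil
}

// ParseAll parses a batch of lines, dropping malformed ones.
func ParseAll(lines []string) []Logon {
	var out []Logon
	for _, ln := range lines {
		if l, err := ParseLogon(ln); err == nil {
			out = append(out, l)
		}
	}
	return out
}

// Baseline records, per user, the source countries ("cc:AU") and UTC hours
// ("hour:23") seen in a window of earlier logons: that is what "normal" is.
type Baseline map[string]map[string]bool

func LearnBaseline(history []Logon) Baseline {
	b := Baseline{}
	for _, l := range history {
		if b[l.User] == nil {
			b[l.User] = map[string]bool{}
		}
		b[l.User]["cc:"+l.Country] = true
		b[l.User][fmt.Sprintf("hour:%d", l.When.Hour())] = true
	}
	return b
}

// Anomalies flags each recent logon outside the user's baseline. The hour check
// is deliberately crude (exact hour membership); a real rule would learn a window.
func Anomalies(b Baseline, recent []Logon) []Alert {
	var alerts []Alert
	for _, l := range recent {
		seen := b[l.User]
		switch {
		case seen == nil:
			alerts = append(alerts, Alert{l, "no-baseline"})
		case !seen["cc:"+l.Country]:
			alerts = append(alerts, Alert{l, "unknown-country"})
		case !seen[fmt.Sprintf("hour:%d", l.When.Hour())]:
			alerts = append(alerts, Alert{l, "unusual-hour"})
		}
	}
	return alerts
}

// SampleAlerts runs the detector over constructed data: jsmith normally connects
// from Australia at 22:00-00:59 UTC (local office hours); then comes a logon from
// Malaysia, one at 14:00 UTC (after midnight locally) and an account with no history.
func SampleAlerts() []Alert {
	history := ParseAll([]string{
		"2021-02-08T22:05:00Z user=jsmith src=203.0.113.7 event=rdp_logon",
		"2021-02-08T23:40:00Z user=jsmith src=203.0.113.7 event=rdp_logon",
		"2021-02-09T00:15:00Z user=jsmith src=192.0.2.40 event=rdp_logon",
	})
	recent := ParseAll([]string{
		"2021-02-10T23:02:00Z user=jsmith src=203.0.113.7 event=rdp_logon",
		"2021-02-10T23:10:00Z user=jsmith src=198.51.100.9 event=rdp_logon",
		"2021-02-11T14:00:00Z user=jsmith src=203.0.113.7 event=rdp_logon",
		"2021-02-11T23:30:00Z user=svc_backup src=203.0.113.7 event=rdp_logon",
	})
	return Anomalies(LearnBaseline(history), recent)
}

func main() {
	for _, a := range SampleAlerts() {
		fmt.Printf("%s %s from %s (%s): %s\n", a.Logon.When.Format(time.RFC3339), a.Logon.User, a.Logon.SrcIP, a.Logon.Country, a.Reason)
	}
}
```

The first recent logon matches the baseline and produces nothing; the other three are flagged in order as unknown-country, unusual-hour and no-baseline. In a real deployment the baseline window would be weeks rather than days, the GeoIP lookup would be a proper database, and the output would feed a ticket or SIEM alert rather than standard output.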

The high-profile supply chain attacks in 2020 are a wake-up call to all companies: Anyone can be breached, even those that possess sophisticated security knowledge and budgetary resources.

When the worst does happen, the most important thing is how quickly you can detect a breach and remove adversaries from your company’s systems.

In the wake of the SolarWinds hack, a zero-trust approach is key. Firms must holistically assess their organisation’s level of risk, practice good security hygiene, examine vendors’ security practices and proactively threat hunt in the supply chain.

By following these simple steps, it’s easier to reduce risk and respond more quickly, minimising supply chain threats before they become a bigger problem.

Ed Williams, EMEA Director of SpiderLabs at Trustwave