Ransomware has been the talk of the cybersecurity industry for years… for good reason.
The number of recorded ransomware attacks has grown steadily for years, and it doesn’t look like it will slow down any time soon. And, with the cost of recovering from ransomware attacks rising quickly as well, it’s no surprise organizations are worried.
But ransomware isn’t a death sentence. Controls can be put in place to protect against common ransomware attacks. Even if ransomware attacks can’t be completely prevented, an effective backup and recovery program can limit the damage.
However, in the last few years, a new threat has become widespread: supply chain attacks.
In a supply chain attack, a threat group targets an organization, application, or piece of infrastructure not for its own sake, but because it provides access to the real target.
Often, the real target is an organization with strong cyber defenses. Rather than devote a huge amount of resources to breaching the target directly, it’s often easier to go after smaller, less secure suppliers, and try to abuse any legitimate connections they have with the target.
Supply chain attacks aren’t new. Two early examples of supply chain attacks include:
However, in recent years, the sophistication of supply chain attacks has risen sharply.
In 2020, SolarWinds, a supplier of network and infrastructure management solutions, was targeted by a suspected nation-state sponsored group. The company’s Orion Platform is used by roughly 30,000 public and private organizations, including U.S. federal agencies. When the attackers gained access to SolarWinds’ network, they were able to embed remote access tool malware in Orion Platform software updates, which were subsequently installed by their real targets—including U.S. federal agencies, NATO, the UK government, European Parliament, and more.
If that sounds bad, it gets worse. As part of the same campaign, the threat group also successfully exploited vulnerabilities in Microsoft and VMware infrastructure to further the attack.
Most recently, the attack on Kaseya marked the start of another new trend. Instead of using supply chain attacks to go after specific, highly prized targets, a threat group can compromise a supplier and use it to launch widespread attacks across its customer base.
In a two-stage attack, an affiliate of the REvil ransomware gang exploited a vulnerability in Kaseya’s VSA product, which managed service providers (MSPs) use to remotely control customer networks. The group then used the software’s privileged access to infect the MSP’s customers’ networks with ransomware. The group was able to breach around 60 MSPs and 1,500 downstream businesses, and all it took was an attack on a single common supplier.
The examples above demonstrate the ‘value’ of supply chain attacks from a threat group’s perspective. By conducting a successful attack against just one organization, a group can potentially gain access to all its customers. For an especially big hit, an attacker can go after a common component that lots of organizations use.
You might have a great security program, but do all your suppliers? How about your suppliers’ suppliers? Ultimately, any organization’s defenses are only as strong as the weakest point in its supply chain.
Most organizations use software from dozens (or even hundreds) of sources—some are commercial, others are open source. Some probably have excellent security coverage, while others are more questionable. There are plenty of software components that are widely used by large organizations that are actually quite poorly protected… but they are used anyway because they are effective.
If an attacker can identify a small company or open-source software provider that:
...they have a supply chain attack opportunity on their hands.
Perhaps the most significant aspect of the SolarWinds attack was the lengths the attackers took to achieve their objectives. A timeline of the breach shows the attackers had been inside SolarWinds’ network for up to six months before they began pushing malicious software updates. During that time, the group successfully hid its presence by imitating normal traffic such that the company’s mature security operations program was unable to detect it.
Tim Brown, VP Security Architecture and CISO at SolarWinds, explains:
“It’s not that we couldn’t have done better. We could have. But we certainly didn’t have any major weaknesses. Our security hygiene and visibility were good. Our tooling was good. Our vulnerability detections were good. But in the face of a patient, dedicated, skilled adversary, they weren’t good enough.”
“In many ways, the attack was an inflection point. For years there have been theories about sophisticated groups that could bring resources to bear over months or years to compromise a target. These groups would stick to a mission without deviation, and expend a lot of resources to achieve it. Now we know these groups exist, and they aren’t just targeting government agencies.”
The group responsible for the SolarWinds, Microsoft, and VMware hacks is thoughtful and precise. It has time, resources, and expertise on its side. And, it’s just one of dozens of similar threat groups around the world in countries like Russia, China, North Korea, and Iran.
Ultimately, this has a simple implication. If these attackers want to get into a network, they are probably going to get in.
For a typical organization that could be breached via a supply chain vulnerability, there are four initial steps that can be taken to reduce risk.
Understand your supply chain
Ask harder questions of suppliers
Prioritize cyber hygiene
Prioritize based on risk
Of course, if you ARE the supplier that gets hacked—or your organization is high profile enough that it may be targeted specifically via its supply chain—the equation changes. The threat groups responsible for these attacks can be extremely sophisticated, making defense far from simple.
“It’s possible to protect against any attacker, but you have to weigh protections against your need to perform a function,” says Tim Brown. “SolarWinds is a software company. We could have avoided the hack by completely locking everything down, closing all our cloud services, removing our online trial options, and so on. But would we still have a business? Of course not. This is a problem every organization faces, they have to weigh the operational impact of their security measures.”
Striking this balance can be tough. The hygiene measures mentioned above are still essential, but they aren’t ENOUGH when a serious threat group is after you.
The approach here is to determine what level of security you need to achieve. Consider your organization’s role in the wider context of the supply chain, the importance of the assets and data you hold, and your potential value to an attacker. From there, you can start to understand what level of security you need to achieve. For instance, a simple progression might look like this:
“Not every organization should try to protect against advanced attacks—it wouldn’t make sense financially or operationally,” continues Tim Brown. “Instead, you should determine where you stand and what level of resilience you need, and adjust accordingly.”
In the end, breaches are inevitable. Resilient organizations will be breached again in the near future purely because they provide attackers with access to high-profile targets. So, what can affected organizations do?
Based on his learnings from the SolarWinds hack, Tim Brown explains it like this:
“The way you handle your response to an incident like this is critical. If you’re breached and it could affect other organizations, I’d recommend being as transparent as possible. At SolarWinds, we shared as much information as we could as soon as we had it because we knew it could help our customers. It’s tempting to be conservative when you’re asked about the numbers of customers that could be affected, but we went the other way. We didn’t want to downplay the incident, we wanted customers to investigate the incident and satisfy themselves that it was contained.”
“Since the attack, we’ve continued to be open about what happened, why it happened, and how it could be prevented next time. This is critical. I think most people understand that it’s not possible to be completely secure against these advanced threat groups. They will judge you based on your response to an incident like this, and your post-incident actions will weigh on you in the future, either for better or worse.”