Defenseless: Why Supply Chain Attacks are Scarier than Ransomware

Ransomware has been the talk of the cybersecurity industry for years… for good reason.

The number of recorded ransomware attacks has grown steadily for years, and it doesn’t look like it will slow down any time soon. And, with the cost of recovering from ransomware attacks rising quickly as well, it’s no surprise organizations are worried.

But ransomware isn’t a death sentence. Controls can be put in place to protect against common ransomware attacks. Even if ransomware attacks can’t be completely prevented, an effective backup and recovery program can limit the damage.

However, in the last few years, a new threat has become widespread: supply chain attacks.

What is a Supply Chain Attack?

In a supply chain attack, a threat group targets an organization, application, or piece of infrastructure not for its own sake, but because it provides access to the real target.

Often, the real target is an organization with strong cyber defenses. Rather than devote a huge amount of resources to breaching the target directly, it’s often easier to go after smaller, less secure suppliers, and try to abuse any legitimate connections they have with the target.

The History of Supply Chain Attacks

Supply chain attacks aren’t new. Two early examples of supply chain attacks include:

• Lockheed Martin. In 2011, Lockheed Martin and two other U.S. military contractors were breached using multi-factor authentication codes stolen from security provider RSA.
• Target. In 2014, Target was breached using legitimate login credentials stolen from an HVAC supplier.

However, in recent years, the sophistication of supply chain attacks has risen sharply.
In 2020, SolarWinds, a supplier of network and infrastructure management solutions, was targeted by a suspected nation-state sponsored group. The company’s Orion Platform is used by roughly 30,000 public and private organizations, including U.S. federal agencies. When the attackers gained access to SolarWinds’ network, they were able to embed remote access tool malware in Orion Platform software updates, which were subsequently installed by their real targets—including U.S. federal agencies, NATO, the UK government, European Parliament, and more.

If that sounds bad, it gets worse. As part of the same campaign, the threat group also successfully exploited vulnerabilities in Microsoft and VMware infrastructure to further the attack.

Most recently, the attack on Kaseya marked the start of another new trend. Instead of using supply chain attacks to go after specific, highly-prized targets, a threat group can compromise a supplier and use it to launch widespread attacks across its customer base.

In a two-stage attack, an affiliate of the REvil ransomware gang exploited a vulnerability in Kaseya’s VSA product, which managed service providers (MSPs) use to remotely control customer networks. The group then used the software’s privileged access to infect the MSP’s customers’ networks with ransomware. The group was able to breach around 60 MSPs and 1,500 downstream businesses, and all it took was an attack on a single common supplier.

What’s the Big Deal?

The examples above demonstrate the ‘value’ of supply chain attacks from a threat group’s perspective. By conducting a successful attack against just one organization, a group can potentially gain access to all its customers. For an especially big hit, an attacker can go after a common component that lots of organizations use.

You might have a great security program, but do all your suppliers? How about your suppliers’ suppliers? Ultimately, any organization’s defenses are only as strong as the weakest point in its supply chain.

Most organizations use software from dozens (or even hundreds) of sources—some are commercial, others are open source. Some probably have excellent security coverage, while others are more questionable. There are plenty of software components that are widely used by large organizations that are actually quite poorly protected… but they are used anyway because they are effective.

If an attacker can identify a small company or open-source software provider that:

1. Has limited security; and,
2. Has one or more desirable targets among its customers

...they have a supply chain attack opportunity on their hands.

Rise of the “Patient” Threat Group

Perhaps the most significant aspect of the SolarWinds attack was the lengths the attackers took to achieve their objectives. A timeline of the breach shows the attackers had been inside SolarWinds’ network for up to six months before they began pushing malicious software updates. During that time, the group successfully hid its presence by imitating normal traffic such that the company’s mature security operations program was unable to detect it.

Tim Brown, VP Security Architecture and CISO at SolarWinds, explains:

“It’s not that we couldn’t have done better. We could have. But we certainly didn’t have any major weaknesses. Our security hygiene and visibility were good. Our tooling was good. Our vulnerability detections were good. But in the face of a patient, dedicated, skilled adversary, they weren’t good enough.”

“In many ways, the attack was an inflection point. For years there have been theories about sophisticated groups that could bring resources to bear over months or years to compromise a target. These groups would stick to a mission without deviation, and expend a lot of resources to achieve it. Now we know these groups exist, and they aren’t just targeting government agencies.”

The group responsible for the SolarWinds, Microsoft, and VMware hacks is thoughtful and precise. It has time, resources, and expertise on its side. And, it’s just one of dozens of similar threat groups around the world in countries like Russia, China, North Korea, and Iran.

Ultimately, this has a simple implication. If these attackers want to get into a network, they are probably going to get in.

Protecting Against Supply Chain Attacks

For a typical organization that could be breached via a supply chain vulnerability, there are four initial steps that can be taken to reduce risk.

Understand your supply chain

• This sounds obvious, but it’s a bit more complicated than it sounds. It requires an analysis of all externally-provided applications, tools, and infrastructure, no matter how small. Applications often have numerous sub-components, each of which is a potential intrusion vector.
• Scanning tools can be helpful, but ultimately, building a full picture of your supply chain is likely to require a significant investment of time and energy.

Ask harder questions of suppliers

• Understanding your supply chain will require plenty of conversations with vendors about where supply chain risks could lie. There are undoubtedly challenges here, and it’s by no means easy for customers to decide which vendors to trust and how to assess their security capabilities.
• In the coming years, the vendor space is likely to mature in this area, and ultimately provide more comprehensive answers to these sorts of questions.

Prioritize cyber hygiene

• While security tools can be extremely valuable, the first step in protecting your network and assets should always be to focus on cyber hygiene. This includes things like operating a least privilege access model, ensuring secure configuration of assets, encrypting stored data, and so on.
• These measures can prevent a high proportion of common attacks, and—in combination with security tooling—can limit or even prevent damage and disruption caused by a supply chain attack.

Prioritize based on risk

• Not everything in your environment is as important as everything else. Typically, a small proportion of people, assets, and infrastructure present a disproportionate amount of risk. The best approach is to identify your areas of risk and allocate most of your resources to protect these areas.
• At the same time, determine whether there is anything you are willing to ‘sacrifice’. If some of your assets are relatively unimportant, don’t waste resources trying to protect them.

What if They are After Me?!

Of course, if you ARE the supplier that gets hacked—or your organization is high profile enough that it may be targeted specifically via its supply chain—the equation changes. The threat groups responsible for these attacks can be extremely sophisticated, making defense far from simple.

“It’s possible to protect against any attacker, but you have to weigh protections against your need to perform a function,” says Tim Brown. “SolarWinds is a software company. We could have avoided the hack by completely locking everything down, closing all our cloud services, removing our online trial options, and so on. But would we still have a business? Of course not. This is a problem every organization faces, they have to weigh the operational impact of their security measures.”

Striking this balance can be tough. The hygiene measures mentioned above are still essential, but they aren’t ENOUGH when a serious threat group is after you.

The approach here is to determine what level of security you need to achieve. Consider your organization’s role in the wider context of the supply chain, the importance of the assets and data you hold, and your potential value to an attacker. From there, you can start to understand what level of security you need to achieve. For instance, a simple progression might look like this:

• Level 1: Resilience against common drive-by attacks.
• Level 2: Resilience against organized criminal groups.
• Level 3: Resilience against nation-states.

“Not every organization should try to protect against advanced attacks—it wouldn’t make sense financially or operationally,” continues Tim Brown. “Instead, you should determine where you stand and what level of resilience you need, and adjust accordingly.”

“Your Post-Incident Actions Will Weigh On You in the Future”

In the end, breaches are inevitable. Resilient organizations will be breached again in the near future purely because they provide attackers with access to high-profile targets. So, what can affected organizations do?

Based on his learnings from the SolarWinds hack, Tim Brown explains it like this:

“The way you handle your response to an incident like this is critical. If you’re breached and it could affect other organizations, I’d recommend being as transparent as possible. At SolarWinds, we shared as much information as we could as soon as we had it because we knew it could help our customers. It’s tempting to be conservative when you’re asked about the numbers of customers that could be affected, but we went the other way. We didn’t want to downplay the incident, we wanted customers to investigate the incident and satisfy themselves that it was contained.”

“Since the attack, we’ve continued to be open about what happened, why it happened, and how it could be prevented next time. This is critical. I think most people understand that it’s not possible to be completely secure against these advanced threat groups. They will judge you based on your response to an incident like this, and your post-incident actions will weigh on you in the future, either for better or worse.”