It would be comforting if the only cyber-risks organizations had to worry about were the ones that smacked up against their firewall and endpoint security solutions. But in the interconnected world in which we live, the extended enterprise has to be accounted for as well.
Supply chain security is not a simple task for companies to get their arms around. The pool of partners and vendors that are part of that ecosystem can be exceedingly deep, while visibility into threats to the supply chain is often very shallow.
In the past several months, the SolarWinds attack and the subsequent fallout have forced organizations to reexamine their supply chain security approach. Truth be told, however, the past several years are littered with examples of companies hit by significant breaches that began outside their own digital walls. From the Target breach in 2013, in which attackers reached Target's network using credentials stolen from a third-party HVAC vendor, to the Equifax data breach in 2017, caused by Equifax running a version of Apache Struts with a known, unpatched vulnerability (CVE-2017-5638), cyber supply chain attacks have taken multiple forms, including:
- Stolen credentials belonging to a third party
- Malicious code inserted into third-party applications or hardware
- Vulnerable or compromised tools used to build and distribute software
Mitigating these kinds of threats involves a blended approach that includes secure development processes, vulnerability scanning and management, and endpoint security alongside effective vendor governance practices. Threat intelligence, however, is an often-overlooked part of that mix. By monitoring chatter on the cyber-underground and correlating it with information about vulnerabilities and indicators of compromise, organizations can learn that a vendor or a product they depend on is being targeted and harden themselves before the attack reaches them.
Threat Intel in Action
In its "2020 in Review: Data Breach Report," the Identity Theft Resource Center (ITRC) counted 694 supply chain attacks against U.S. organizations last year. While that number may not seem high, the impact of just one of these attacks ripples out and affects multiple organizations and consumers whose data is accessed or stored by the breached company. In total, those 694 attacks are estimated to have impacted more than 42 million people.
As the ITRC correctly points out, the initial targets of these attacks are often smaller and less secure than the numerous other organizations downstream that are ultimately affected. This is the first area where a threat intelligence program is beneficial. By collecting information from the open, deep and dark web and correlating it with the list of vendors they actually depend on, organizations can spot malicious activity aimed at a vendor and harden their own defenses before attackers pivot from that vendor into their network.
Legacy approaches to managing supply chain risk are largely manual. Questionnaires and compliance reports, while useful for certain purposes, capture a self-reported snapshot at a single point in time and say nothing about what is happening to a vendor today. Today's landscape requires real-time visibility and the ability to digest and prioritize new data in an automated fashion, so that defenses can evolve quickly as new information about a threat actor's activity or the scope of an attack is uncovered.
Once news of the SolarWinds attack was made public, indicators of compromise (IOCs) and descriptions of the adversaries' tactics were disseminated and used by organizations to assess their exposure and contain any intrusion. Think of how quickly the scope of that incident grew as more of the attackers' methodology was revealed. The ability to gather, analyze, and apply threat intelligence was critical in responding effectively to the situation vulnerable enterprises found themselves in.
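What "applying" a published IOC list looks like in practice is a sweep of local telemetry for every indicator. The following is an added example, not code from the original article: the indicators, host names, hashes and log lines are constructed for illustration and are not real indicators from SolarWinds or any other incident. It handles two details that trip up hasty sweeps: shared advisories usually "defang" indicators (hxxp, [.]) so they must be normalized before matching, and a domain indicator should also match its subdomains but not its parent domain.

```python
"""Sweep constructed DNS, proxy and EDR log lines for published IOCs.

Added example, not code from the original article. All indicator values,
host names, hashes and log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass


def refang(value: str) -> str:
    """Undo the defanging used in shared threat reports: hxxp://, [.], (.), [:]."""
    value = value.strip().lower()
    value = value.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


# Constructed IOC list, in the defanged form an advisory would ship it in.
RAW_IOCS = [
    ("domain", "update[.]example-cdn[.]test"),
    ("ip", "203[.]0[.]113[.]45"),
    ("sha256", "DEADBEEF" * 8),          # placeholder hash, not a real sample
]

# Constructed log lines from three sources, all using key=value fields.
LOG_LINES = [
    "2021-03-01T10:02:11Z dns client=10.1.4.22 query=api.update.example-cdn.test type=A",
    "2021-03-01T10:02:12Z proxy client=10.1.4.22 dst=203.0.113.45:443 bytes=8812",
    "2021-03-01T10:05:40Z edr host=ws-0412 file=C:\\Temp\\svc.dll sha256=" + "deadbeef" * 8,
    # Parent domain of the IOC, not the IOC itself: must NOT match.
    "2021-03-01T10:07:00Z dns client=10.1.9.7 query=www.example-cdn.test type=A",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    indicator: str
    observed: str


def extract_fields(line: str) -> dict:
    """Pull key=value pairs out of a log line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def domain_matches(observed: str, ioc: str) -> bool:
    """Exact host match or any subdomain of the indicator; strips a :port suffix."""
    host = observed.split(":")[0]
    return host == ioc or host.endswith("." + ioc)


def match_line(line_no: int, line: str, iocs: list) -> list:
    fields = extract_fields(line)
    hits = []
    for ioc_type, ioc in iocs:
        for key, value in fields.items():
            v = value.lower()
            if ioc_type == "domain" and key in ("query", "dst") and domain_matches(v, ioc):
                hits.append(Hit(line_no, ioc_type, ioc, value))
            elif ioc_type == "ip" and key == "dst" and v.split(":")[0] == ioc:
                hits.append(Hit(line_no, ioc_type, ioc, value))
            elif ioc_type == "sha256" and key == "sha256" and v == ioc:
                hits.append(Hit(line_no, ioc_type, ioc, value))
    return hits


def hunt(lines: list, raw_iocs: list) -> list:
    """Refang every indicator once, then sweep every line for every indicator."""
    iocs = [(t, refang(v)) for t, v in raw_iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(match_line(n, line, iocs))
    return hits


if __name__ == "__main__":
    for hit in hunt(LOG_LINES, RAW_IOCS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.indicator} seen as {hit.observed}")
```

On the constructed input the sweep returns three hits (the subdomain lookup, the proxy connection to the IP, and the file hash) and correctly ignores the fourth line, whose host is the parent of the indicator rather than the indicator itself. In a real sweep the same logic runs over days or weeks of retained logs, because by the time an advisory is published the relevant activity may be months old.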
Effective threat intelligence solutions comb the Dark Web, Deep Web, and Surface Web for data ranging from stolen credentials to corporate documents. Automated web crawling is essential: Dark Web marketplaces and forums go up and down unpredictably, and the volume of material is far more than analysts can review by hand. For example, research into Dark Web postings after the attack revealed numerous instances of SolarWinds being mentioned on English and Russian-speaking darknet forums months before the vendor publicly disclosed the attack. In another example, when British Airways was breached in 2018, after attackers tampered with a third-party JavaScript library loaded by its website to skim data entered by customers, it was soon discovered that the stolen login, payment card, and travel booking information was being offered for sale in the cyber-underground.
In these types of situations, discoveries of caches of data can reveal or confirm the scope of an attack and inform decisions about what needs to be communicated to customers.
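The correlation step described above, tying collected chatter back to the organization's own vendor list and ranking it, is the part that must be automated if it is to be timely. The following is an added example and not code from the original article or from any threat intelligence product: the vendor inventory, aliases, signal keywords and their weights are assumptions, and the forum posts are constructed rather than real. It scores each post by the business criticality of the vendor mentioned and by whether the post offers something actionable (access, credentials, a dump) rather than merely naming the vendor.

```python
"""Rank constructed underground-forum posts against a third-party inventory.

Added example, not code from the original article. Vendors, aliases, posts,
signal keywords and weights are all constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    criticality: int        # 1 (low) .. 5 (business-critical), set by the vendor risk assessment
    aliases: tuple = ()     # other names or handles the vendor appears under


# Keywords suggesting the post offers something usable against the vendor.
# Weights are assumptions chosen for this example.
SIGNALS = {
    "access": 3,        # network, VPN or RDP access for sale
    "credentials": 3,
    "0day": 3,
    "exploit": 2,
    "database": 2,
    "dump": 2,
}

# Constructed inventory with assessed criticality (the list L17-L19 in the
# article asks for) and constructed forum posts. Names are fictitious.
VENDORS = [
    Vendor("Acme Monitoring", 5, ("acmemon",)),
    Vendor("Northwind HVAC", 2),
    Vendor("Contoso Payroll", 4),
]
POSTS = [
    {"id": "p1", "title": "Selling VPN access to acmemon corp network",
     "body": "domain admin credentials included, price negotiable"},
    {"id": "p2", "title": "Anyone used Northwind HVAC?",
     "body": "looking for opinions on their thermostats"},
    {"id": "p3", "title": "Contoso Payroll database dump",
     "body": "full customer database, 2020, samples available"},
]


@dataclass
class Alert:
    vendor: str
    post_id: str
    score: int
    signals: list


def compile_vendor_patterns(vendors: list) -> dict:
    """One whole-word, case-insensitive pattern per vendor covering name and aliases."""
    patterns = {}
    for v in vendors:
        names = (v.name,) + tuple(v.aliases)
        patterns[v.name] = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\b", re.I)
    return patterns


def score_post(post: dict, vendors: list, patterns: dict) -> list:
    """Emit one alert per vendor mentioned; score = criticality * (1 + signal weight)."""
    text = f"{post['title']} {post['body']}"
    alerts = []
    for v in vendors:
        if not patterns[v.name].search(text):
            continue
        found = [k for k in SIGNALS if re.search(r"\b" + re.escape(k) + r"\b", text, re.I)]
        weight = sum(SIGNALS[k] for k in found)
        alerts.append(Alert(v.name, post["id"], v.criticality * (1 + weight), found))
    return alerts


def prioritize(posts: list, vendors: list) -> list:
    """Correlate every post with the inventory and return alerts, highest score first."""
    patterns = compile_vendor_patterns(vendors)
    alerts = []
    for post in posts:
        alerts.extend(score_post(post, vendors, patterns))
    return sorted(alerts, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in prioritize(POSTS, VENDORS):
        print(f"{a.score:3d}  {a.vendor:18s} post={a.post_id} signals={a.signals}")
```

On the constructed input the access-for-sale post about the business-critical monitoring vendor ranks first, the database dump about the payroll vendor second, and the idle question about the HVAC vendor last, even though all three mention a vendor by name. Two caveats a practitioner should keep in mind: vendors with generic names will generate false positives unless the aliases and context words are tuned, and, as the SolarWinds forum mentions show, early chatter does not always contain an obvious "for sale" signal, so low-scoring mentions of critical vendors still deserve a look.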
Strengthening supply chain security
Threat intelligence is only one piece of the puzzle when it comes to improving supply chain security. As part of protecting the supply chain and reducing third-party risk, organizations should start by:
- Maintaining an inventory of third-party hardware and software providers
- Identifying which of those products and providers are business-critical
- Conducting risk assessments on each provider or technology
An effective approach also includes implementing good security hygiene in the form of patch management, multi-factor authentication, and network and endpoint security. Still, proactive threat intelligence keeps an eye on events outside the organization's own walls that can adversely impact the supply chain. Open and dark web intelligence is key to increasing visibility into emerging supply chain risks. Collecting threat data, analyzing it, and disseminating it to the people who can act on it is part of the path to a more holistic security strategy.
This article originally ran in Today's Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.