If 2020 was a challenging year for cybersecurity, 2021 has been simply exhausting. Ransomware incidents have continued to increase in both frequency and severity, and critical vulnerabilities in widely used software and operating systems are frequently discovered. Although ransomware has received the most notoriety, another key area of concern involves cyber supply chain attacks. Several high-profile events have demonstrated that attackers are well aware that the best way to infiltrate a target may be through a trusted partner.
What is a cyber supply chain attack?
This strategy is focused on an organization’s digital supply chains – suppliers that provide technology solutions or otherwise connect to the organization’s digital ecosystem. Cyber supply chain attacks encompass several unique attack types, including:
- Tampering with hardware or software production. This is perhaps the truest form of cyber supply chain attack, with the software variant being more common. Malware is injected during the manufacturing or development process before the compromised piece of hardware or software is distributed to downstream customers, who are ultimately the targets.
  - Example: The 2020 SolarWinds incident was a sophisticated attack that injected malware into an otherwise legitimate software update, infecting up to 18,000 customers.
- Compromising vendor network access. As the technology landscape has evolved, an increasing number of third-party vendors have access to an organization’s network (e.g. through a web portal, VPN or vendor device directly on the network). Attackers often find the vendor to be a softer target and will use compromised credentials to gain a foothold into the target organization.
  - Example: The 2013 Target breach was one of the first of these attacks to gain widespread attention. The company network was infiltrated through stolen credentials from an HVAC vendor with access to Target’s systems, ultimately exposing 41 million customer payment card records and over 60 million customers’ contact information.
- Exploiting vulnerable supplier software. To maximize the downstream impact of an attack, the bad actors will also focus on finding exploits for software that requires trusted access and is widely deployed on a target’s network.
Steps organizations can take
When a cyberattack makes headlines, business leaders may ask, “How do we prevent this from happening to us?” Unfortunately, there is no silver bullet. The only way to eliminate the risk would be to have zero relationships with outside organizations – which is not an advisable strategy. Another challenge is that supply chain attacks are designed to infiltrate organizations through trusted and often privileged communications, making the activity appear normal.
Although prevention has proven difficult, there are three key steps organizations can take to identify exposures, reduce the risk of an attack occurring and minimize the potential impact of an attack.
1) Know your vendors. Preparation starts with an extensive enterprise-wide third-party risk management assessment. A strong assessment program should identify and assess all third-party relationships for the organization:
- Initial risk assessments should determine what the security impacts may be to the organization if the third party were to be compromised. The assessment should not only identify the most likely outcomes, but also the worst-case scenario. Recent events have taught us to expect the unexpected.
- Due diligence for all third-party relationships should address security requirements that are aligned with the organization’s standards and industry best practices. For third parties that are providing hardware or software, special attention should be paid to quality control and secure software development practices. Where security practices fall short of expectations, organizations should require the third party to remediate gaps or consider utilizing a different third party with stronger security controls.
- Ongoing monitoring should be performed to verify that third parties continue to maintain a strong security posture. This may entail periodic audits of the third party, as well as real-time tools that provide insights into the security of their internet-facing services.
2) Secure your architecture. While “security by design” is primarily a software engineering strategy, the concept of implementing security from the start is one that all organizations should consider. As new third-party systems and accesses are introduced to the network, the following considerations can help reduce the risk of attack:
- Follow the principle of least privilege. This is easy to say, but difficult to always adhere to. When implementing new third-party user access or service accounts that support applications, organizations should ask what the absolute minimum necessary permissions are. A vendor may claim an account needs full administrative rights, but often a less-privileged account can achieve the same functionality.
- Require strong credentials and authentication methods. This includes changing default passwords to something unique and difficult to guess, and using multifactor authentication (MFA) to add an additional layer of identity verification when possible. Additionally, strong encryption should be utilized for storing credentials and protecting the authentication process.
- Implement network segmentation. Similar to least privilege, organizations should restrict communications allowed at a network level to only those necessary for a system to function. This includes not only “east/west” traffic with other systems on the internal network, but also restricting outbound access to the internet (malware often attempts to reach out to a command-and-control server to give the attacker remote access).
These principles may not block every attack, but they will add multiple layers of defense that could slow down or isolate the attack.
3) Invest in detection and response. Given the difficulties in preventing supply chain attacks, organizations should focus on advanced detection and response capabilities. This may allow for quicker containment and remediation when events do inevitably occur. To handle these sophisticated attacks, organizations should consider the following:
- Leverage threat intelligence and perform threat hunts. By using threat intelligence to analyze the tools, techniques and procedures of real-world threat actors, organizations can better prepare their detection capabilities. Threat hunts will also proactively search for abnormalities or indicators of compromise within the environment.
- Monitor for network and user behavioral anomalies. Establishing a baseline of normal activity for given user accounts and network communications can help detect anomalies that could indicate an attack. For example, an alert should be generated if a user account logs into a series of servers it has never accessed before, or a server sends traffic to an unknown IP address.
- Be prepared to use incident response, business continuity and disaster recovery plans. Thoroughly documented and tested plans will provide structure and guidance when handling an attack. Organizations should consider developing specific playbooks for handling supply chain attacks based on results of the third-party risk assessments.
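The baseline monitoring described in the list above can be sketched in a few lines. This is an added example, not part of the original article: the account names, host names, addresses, the internal range and the threshold of three new hosts are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (event kind, account or server, target host or IP).
BASELINE = [
    ("login", "vendor-svc", "portal01"),
    ("login", "jdoe", "file01"),
    ("flow", "app01", "10.20.0.5"),
    ("flow", "app01", "203.0.113.10"),    # known vendor update server
]
OBSERVED = [
    ("login", "vendor-svc", "portal01"),  # matches the baseline
    ("login", "vendor-svc", "app-db01"),
    ("login", "vendor-svc", "app-db02"),
    ("login", "vendor-svc", "dc01"),
    ("login", "jdoe", "file02"),          # one new host, below the threshold
    ("flow", "app01", "10.20.0.9"),       # new, but inside the internal range
    ("flow", "app01", "198.51.100.77"),   # never-seen external destination
]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space
NEW_HOST_THRESHOLD = 3                           # assumed size of a "series"

def build_baseline(events):
    """Map (kind, subject) to the set of targets seen during normal activity."""
    seen = defaultdict(set)
    for kind, subject, target in events:
        seen[(kind, subject)].add(target)
    return seen

def detect(baseline, events):
    """Alert on external destinations and login series absent from the baseline."""
    new_hosts, alerts = defaultdict(set), []
    for kind, subject, target in events:
        if target in baseline.get((kind, subject), set()):
            continue
        if kind == "login":
            new_hosts[subject].add(target)
        elif not any(ipaddress.ip_address(target) in net for net in INTERNAL):
            alerts.append(("unknown_destination", subject, target))
    for account, hosts in new_hosts.items():
        if len(hosts) >= NEW_HOST_THRESHOLD:
            alerts.append(("new_host_series", account, tuple(sorted(hosts))))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), OBSERVED):
        print(alert)
```

This sketch deliberately ignores first-seen internal destinations; in practice those are a separate, lower-severity signal that segmentation rules should already constrain.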
Cyber supply chain attacks – and cybercrime in general – don’t appear to be going away anytime soon. In fact, the European Network and Information Security Agency (ENISA) predicts supply chain attacks will quadruple in 2021. However, organizations can mitigate their risk through a multi-pronged approach that includes prioritizing security in third-party relationships, building secure architectures to reduce the risk of attack, and developing robust detection and response capabilities.
Disclaimer: The information, examples and suggestions presented in this material have been developed from sources believed to be reliable, but they should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends the consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations. This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. “CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2020 CNA. All rights reserved.