How to Protect Your IT Environment from Supply Chain Cybersecurity Risks
Skybox Research Lab September 30th, 2020
Typically, cybersecurity risks within the supply chain have eluded security teams. Although many haven’t exactly been turning a blind eye to risks derived from third-party environments, too much confidence has been placed in the security of the networks that sit along the chain – without having full visibility into each third-party network, it’s impossible for organizations to know anything about the threats that may be lurking around the corner. As more firms lean on outsourcing to supplement the growing skills gap and help secure their distributed workforce, it’s more critical than ever for security leaders to understand supply chain risk and have the capabilities to mitigate it.
The Sophistication of Supply Chain-Derived Cybersecurity Attacks is Increasing
Attacks on the supply chain have been increasing in recent years, with threat actors deploying increasingly sophisticated commodity malware and heavily-engineered malicious tools to infiltrate their targets. One such example is Operation Skeleton Key, a segment-wide push that took place over 2018-2019 to exfiltrate proprietary information from the Taiwanese semiconductor industry. The attacks on several semiconductor vendors led to threat actors successfully compromising a substantial number of influential companies, their subsidiaries, and associates. There are other notable efforts from threat actors, not least Operation ShadowHammer which led to one of ASUS’ BIOS update utilities being coopted to install a backdoor on 660 hardcoded addresses.
These attacks can be characterized by just how organized and industrialized the threat actors behind them have become. The brains behind Operation Skeleton Key, Operation ShadowHammer and others are fully aware that the supply chain is littered with blind spots. And they’re willing and able to leverage this.
Mitigating supply chain risk is more complex than you may think
The fact that the supply chain, usually by design, has a very long tail means that it should be difficult for organizations to inherently trust the vendors that exist within it. Attackers don’t care how strong the business relationship is between two companies – all they’re looking for is access. It’s important to note that this access isn’t always used to carry out sophisticated, targeted attacks. More often than not, it’s the end-users who are most vulnerable to supply chain attacks simply because they’re at the receiving end of every link on the chain. These end-users may not be considered to be as ‘high value’ as the Taiwanese semiconductor industry, for example, but they still fall victim to successful attacks.
A 2018 attack against a popular PDF editor program is a good example of a successful attack on the end-user. Attackers were able to inject the software with a coin miner at the source by a third-party library, which was itself an unwitting victim being used as a pivot into the distribution stream of the PDF software. This attack speaks to the need for supply chain companies to consider their role as consumers, as well as producers, within the supply chain.
Ultimately, the design and the intention of attacks on the supply chain is irrelevant: if they’re able to gain access to one point in the chain, they will eventually work their way down the chain to gain as much profit and cause as much damage as they possibly can. This highlights that the strength of the relationship that exists between two organizations shouldn’t cloud security decisions. No matter how big or well known the vendor is (threat actors are known to use generic hosting services like Google Cloud Platform and Azure to obscure their activity), it’s impossible to know anything about the threats that may be lurking around the corner without having full visibility into the third-party estate.
Three steps to reducing supply chain risk
While mitigating supply chain risk is difficult, it’s far from impossible. There are steps that organizations can take to improve the security of, and reduce the threats derived from, third-party environments. Here are three of the most critical steps for security teams to take:
- Security teams need to prioritize the execution of defense-in-depth methodologies. They need to treat every point along the supply chain with suspicion to prevent malware from sneaking its way in. Tackling this problem starts with an understanding of what organizations can actually control. While they cannot be expected to be aware of the fortifications and gaps in trust along the supply chain that lead up to the devices in their control, they can be kept aware of the fact that those devices may be running, sending, and receiving all manner of unintended material. And they should know that these third-party vendors form part of their attack surface.
- Security teams need to enact policies for app authorization and verification that can be enacted to minimize the chances of its being installed. Such policies can be coupled with advanced detection methods to catch malicious apps, but whose behavior or traffic exhibits suspicious patterns.
- They also need to put in the work to ensure that any new vendor environment is properly configured. To avoid improper configuration, businesses need to enforce strict multi-factor authentication and be stringent with the authorization of managed policies. They need to know where all ingress and egress points are, who has access to them, and have the ability to proactively respond to any potential attack vectors like misconfigurations.
Supply chain attacks are often so successful because threat actors plan for their exploits to take place outside the scope of dangerous software or hardware. These are attacks that are designed to go unnoticed until it’s too late. To tackle these threats head-on, organizations need to gain full visibility of every asset and vulnerability that enters their wider environment – and create powerful access controls that will stop attackers in their tracks.