All businesses operate on the principle that a certain level of trust is necessary between the business itself and the IT components that comprise its supporting infrastructure. These components include hardware and software, as well as the vendors who provide services to the infrastructure. Securing a business supply chain is a big challenge, not only from a technical standpoint, but also in terms of internal politics and relations with the vendors who provide the components and services.
Supply Chain Attacks in the Wild
Supply chain attacks are not new, and there are plenty of historical examples. In 2017, CCleaner, a popular utility written and distributed by Avast, was breached. The infection exposed the data of five (5) million users a week, and it was not the first time Avast’s software was hacked. Another example from 2017 is the NotPetya attack, which crippled Ukraine’s supply chain and impacted global shipping. The worm was distributed through an update to the popular accounting software MEDoc, and other companies that used MEDoc were also infected. In 2014, Edward Snowden made public that the National Security Agency (NSA) was implanting hardware on Dell and Cisco devices. This is just a small list of the most publicized examples.
Many other supply chain attacks have originated via malicious code added to libraries that are then consumed by other applications. Supply chain attacks are also found in malicious, fake apps in app stores for mobile platforms. And many other breaches go unnoticed amidst the continual stream of new attacks we seem to face.
No Such Thing as Zero Risk
The biggest issue with supply chain attacks is that a business cannot completely prevent a supply chain attack, regardless of steps it might take in validation. A more layered security approach will mitigate risk, but there is no way to eliminate the risk of a supply chain attack unless one builds their own hardware, codes their own software, and services it all, too. Even some of the global superpowers with their giant budgets and resources cannot achieve zero risk. Therefore, management must view supply chain attacks as a risk that can only be partially mitigated.
To tackle this issue, a business must take a validation approach with supply chain providers and implement security measures that are adequate for the company’s risk tolerance. Ensuring that a provider follows industry best practices and prioritizing security as an integral part of the business process can help safeguard the company’s long-term success.
When it comes to hiring a vendor and purchasing hardware and services, a business should ask for information about the vendor’s internal processes for securing their environments. For example, it’s important to ask what third-party audits the vendor has passed. In a previous job, I had to fill out questionnaires on similar matters and work with our IT team on those issues. That company provided services to the Department of Defense (DOD), and we were required to provide such evidence. Of course, imposing requirements like this on suppliers reduces the pool of available suppliers, as most either don’t secure their environment and processes as they should, or they simply don’t want to share that information with a third party, out of fear that it will be used against them competitively.
Suppliers need to assure companies that they are providing protection from external attacks and following secure internal processes for the development and servicing of a product. I remember a case where a security product company got sensitive information from their customers who opened support tickets. One of the customer support technicians they hired from a third-party provider was arrested for being part of a hacking scheme. Because of examples like this, it’s imperative to examine your hiring practices. A totally compliant supply chain, where every step meets secure acquisition and development requirements, is impossible. But partial compliance does raise the bar.
Monitoring Your Own
Suppliers are not the only aspect of a business that needs to be secured. An individual corporation needs to secure its own assets properly and monitor the behavior within its environment. There are several frameworks with a lot in common in terms of how to securely operate IT infrastructure, such as the NIST Cybersecurity Framework and the Cybersecurity Capability Maturity Model (C2M2) from the Department of Energy (DOE). Many vendors also publish best practices on how to harden systems.
Even with all of this information freely available, the problem is managing buy-in. Once there is an understanding of which risks will not be tolerated, management has to go through the process of making it known across the organization. Management needs to establish strategies to mitigate risk as well as develop proper metrics to assess the mitigation. In the military, this is called ‘Commander’s Intent’—all the subordinates understand and know the importance of what is being done and why.
The controls for defending against a supply chain attack are the same as those for denying access to, and detecting and containing, any other attacker in the infrastructure. The tactics, techniques, and procedures to employ once attackers gain access are the same as when an attacker gains access via other means. The biggest change is that we can no longer simply whitelist behavior from components just because the components come from the vendor. A trusted product could become infected due to a supply chain attack after an update. Vetted products should not be trusted blindly in spite of every other signal. This means that segmentation of the network, control of traffic between the segments, and monitoring for anomalies become more important in a network where a low-trust approach is taken.
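As an added illustration of the low-trust monitoring described above (example code, not from the article): an allowlisted vendor updater is still checked against a baseline of expected destinations and a segmentation policy, so behavior that changes after an update is flagged even though the component itself remains trusted. The process name, addresses, segments and log format are all constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed inputs (not from the article): a per-component network baseline
# and a segmentation policy. "vendorupdate.exe" is a hypothetical vendor updater.
BASELINE: Dict[str, Set[str]] = {"vendorupdate.exe": {"updates.vendor.example:443"}}
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
SERVERS = ipaddress.ip_network("10.20.0.0/16")

# Constructed egress log lines: the updater behaves normally on 4.1, then after
# the 4.2 update contacts an unknown host and reaches into the server segment.
LOGS = """\
2023-05-01T10:00:01Z src=10.10.3.4 proc=vendorupdate.exe ver=4.1 dst=updates.vendor.example:443
2023-05-02T09:12:00Z src=10.10.3.4 proc=vendorupdate.exe ver=4.2 dst=updates.vendor.example:443
2023-05-02T09:12:30Z src=10.10.3.4 proc=vendorupdate.exe ver=4.2 dst=203.0.113.77:8443
2023-05-02T09:13:00Z src=10.10.3.4 proc=vendorupdate.exe ver=4.2 dst=10.20.5.9:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) ver=(?P<ver>\S+) dst=(?P<dst>\S+)$"
)


def _segment_crossing(src: str, dst_host: str) -> bool:
    """True when a workstation talks directly into the server segment."""
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst_host)
    except ValueError:
        return False  # destination is a hostname, not an internal IP
    return s in WORKSTATIONS and d in SERVERS


def find_anomalies(log_text: str, baseline: Dict[str, Set[str]]) -> List[str]:
    """Flag allowlisted components whose behavior deviates from their baseline.

    The component stays on the allowlist; what is judged is whether its traffic
    still matches what was observed before the update."""
    alerts: List[str] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] not in baseline:
            continue
        dst = m["dst"]
        host = dst.rsplit(":", 1)[0]
        if _segment_crossing(m["src"], host):
            alerts.append(f"{m['ts']} {m['proc']} {m['ver']}: workstation->server segment {dst}")
        elif dst not in baseline[m["proc"]]:
            alerts.append(f"{m['ts']} {m['proc']} {m['ver']}: destination {dst} not in baseline")
    return alerts
```

In practice the baseline would be learned from the pre-update traffic of each component rather than hand-written, and a hit on the server segment would also be a segmentation policy violation worth blocking, not only alerting.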
Supply chain attacks have existed for a long time, both inside and outside of the IT realm, and they will continue to happen. As complexity grows, and the speed of change and adoption becomes faster and faster, this type of attack will be even more common. The recent attacks from nation states are what have made IT infrastructure a priority for most CIOs/CSOs. The fear of an IT attack is not just about the abuse of a supply chain for access, but that attackers will use this vector to cripple the supply chains that provide basic necessities for citizens’ day-to-day lives. These occurrences are becoming more prevalent with the rise of better-equipped and more organized ransomware groups. Hopefully we start to learn from past events and become better at managing IT infrastructure risk.