Supply chain attacks are at the forefront of cybersecurity, from the notorious SolarWinds SUNBURST supply chain attack to the ransomware attack on Kaseya, which disrupted over 1,500 businesses and forced 800 grocery stores across Sweden to shut down for more than a week.
Cybercriminals’ growing success in locating vulnerabilities and launching sophisticated attacks requires infosec professionals to continually assess their supply chain. It’s critical to dig out blind spots that could harbour cybercriminals waiting to launch a fatal attack. But where to start digging?
Know your suppliers
Knowing your suppliers is key when it comes to understanding and assessing the supply chain, isolating blind spots and protecting against looming threats. To protect the IT ecosystem, infosec needs to know, for each supplier, whether the relationship is synchronous or asynchronous in how data is exchanged, and whether the supplier is a technology provider or a service provider, because each combination carries a different exposure.
Synchronous suppliers are often preferred within supply chains, providing a vibrant and connected ecosystem where information can be collected, analysed and utilised in real time. While this provides accurate visibility, it can also be highly dangerous, because real-time integration means the supplier's systems connect directly to core applications within your network. For instance, financial services organisations run extranets and demilitarised zones where they exchange valuable data with third-party partners. If those zones are also connected to other critical systems, a compromise at the partner becomes a path into them.
Synchronous supply chain zones need to be segmented so that only the parts of the network the partner genuinely needs are reachable, with no route from the zone to critical systems it has no business touching. This drastically reduces the risk, closing what would otherwise be a wide-open door for cybercriminals.
Asynchronous suppliers, where information is exchanged via email or collaboration tools in a shared but isolated zone, expose less of the wider network but still pose risks. Exposure is limited because internal IT systems aren't directly connected; these zones are, however, a prime vector for phishing emails and malware carried in documents.
Risk also differs between technology partners and service providers. Companies spend hours ensuring they pick the right technology partner, and security should be a key consideration. If a technology partner doesn’t have security processes in place to match the rest of the supply chain, it quickly becomes the weakest link and thus the most attractive option for bad actors. Similarly, it’s important that service providers within the supply chain are regularly updated to resolve lurking vulnerabilities and maintain a strong security posture.
Strive for equilibrium in the supplier structure
It’s important to agree on similar systems and standards, especially when it comes to data exchange and core infrastructure. Every organisation has its own proprietary way of operating and it’s vital there’s a common standard across suppliers to minimise friction.
A bigger area of concern is the different levels of risk assessment that will sit across the supply chain. Agreement on a minimum viable security posture is critical. Even more pressing is making sure suppliers actually implement it. Often, customers will have extranets and will prioritise the operations side to ensure information can be shared. In turn, this makes security a second priority, one that isn't addressed until an audit demands it.
All sides of the business need to align on both when and how to implement security measures. Partners should frequently test and audit shared IT infrastructure to uncover any potential vulnerabilities or leaks. Infosec professionals cannot implicitly trust partners – they need eyes on their extended supply chain as often as possible.
Previous supply chain attacks serve as a stark reminder that vendors and suppliers should check their IT systems often, never assuming that certain controls are in place.
The bare minimum for security won’t cut it
It doesn't stop with agreeing standards and putting contracts in place. Significant resources need to be allocated toward maintaining the security of the supply chain. Be sure to review each agreement with a fine-tooth comb: often the reviews undertaken are not rigorous enough to be effective, which can have major repercussions down the line. The threat is dynamic and security teams need to be outpacing cybercriminals. CISOs should rank suppliers on how critical they are to the business and what risk they could pose if compromised.
If there’s limited visibility into a key supplier’s infrastructure, security professionals need to plan for worst-case scenarios such as supply chain leaks or backdoors. This practice is common for internal risks but less so for external suppliers. Understanding both types of risks is essential to counteract the continued threat.
Alongside understanding supply chain environments, from how critical they are to what measures they need to implement, businesses need to detect lateral movement within their network. Without this, organisations are blind against cybercriminals silently moving around their infrastructure.
Having network detection and response tools in place to track and record all network activity can prove vital to containing or eliminating a supply chain attack. A full picture of movement within the network, including traffic crossing from partner-facing zones into core systems and internal hosts fanning out over administrative protocols, enables quick action to uncover attacks, understand the current extent of damage and remediate rapidly so the attacker cannot progress further.
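The two checks discussed above, segmentation of partner-facing zones and detection of lateral movement, can be expressed as rules over network flow records. The following is an added example, not code from the article or from ExtraHop: a small analyser that flags extranet-to-core connections (a segmentation violation) and internal hosts opening SMB/RDP/WinRM sessions to an unusual number of distinct peers (a lateral-movement fan-out pattern). The zone map, the flow-record format, the port list, the threshold and the sample flows are all constructed assumptions for illustration.

```python
"""Flow-record analyser for two supply-chain detections (illustrative example).

Assumptions (not from the article): a partner extranet/DMZ in 10.50.0.0/24, core
systems in 10.10.0.0/16, flow records as 'src dst dport proto' text lines, and a
fan-out threshold of 3 distinct peers over admin protocols.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

EXTRANET = [ipaddress.ip_network("10.50.0.0/24")]   # assumed partner-facing zone
CORE = [ipaddress.ip_network("10.10.0.0/16")]       # assumed core systems
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]     # assumed private range
ADMIN_PORTS = {445, 3389, 5985, 5986}               # SMB, RDP, WinRM (http/https)
FANOUT_THRESHOLD = 3                                 # assumed; tune per environment


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def parse_flows(text: str):
    """Parse 'src dst dport proto' lines; '#' starts a comment, blank lines skipped."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def segmentation_violations(flows):
    """Any flow from the extranet zone into core subnets violates the segmentation policy."""
    hits = {(f.src, f.dst, f.dport) for f in flows
            if in_any(f.src, EXTRANET) and in_any(f.dst, CORE)}
    return sorted(hits)


def lateral_movement_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Internal sources reaching >= threshold distinct internal peers over admin ports.

    Repeated sessions to the same peer count once; the signal is breadth, not volume.
    """
    peers = defaultdict(set)
    for f in flows:
        if (f.proto == "tcp" and f.dport in ADMIN_PORTS
                and in_any(f.src, INTERNAL) and in_any(f.dst, INTERNAL)
                and f.src != f.dst):
            peers[f.src].add(f.dst)
    return sorted((src, len(p)) for src, p in peers.items() if len(p) >= threshold)


def analyse(text: str):
    flows = parse_flows(text)
    return {
        "segmentation_violations": segmentation_violations(flows),
        "lateral_fanout": lateral_movement_fanout(flows),
    }


# Constructed sample telemetry, not real captured traffic.
SAMPLE_FLOWS = """
# src          dst          dport proto
10.50.0.12     10.10.20.5   443   tcp   # extranet host reaching a core app: violation
10.50.0.12     10.50.0.40   443   tcp   # extranet to extranet: permitted
10.10.20.5     10.10.20.7   445   tcp   # core host fanning out over SMB/RDP...
10.10.20.5     10.10.20.8   445   tcp
10.10.20.5     10.10.20.9   3389  tcp
10.10.20.5     10.10.20.9   3389  tcp   # same peer again: counted once
10.10.30.1     10.10.20.7   445   tcp   # one peer only: below threshold
"""

if __name__ == "__main__":
    for name, findings in analyse(SAMPLE_FLOWS).items():
        print(name, findings)
```

Run against real flow or NDR exports, the interesting part is the chain the two rules reveal together: the extranet host that reaches a core server, followed by that same server beginning to fan out over SMB and RDP, is exactly the progression from a compromised partner connection to lateral movement that the article warns about.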
The velocity of supply chain attacks has significantly escalated over the past 12 months and security teams can’t afford to be left behind by the dynamic and advanced threats against the supply chain. It’s important infosec professionals assess and eliminate their blind spots to reduce security risks to a minimum.
By Mike Campfield, VP, GM of International and Global Security Programs, Extrahop