Supply chain attack insights
- Traditional cyberattacks are a one-to-one relationship between adversary and target. With the supply chain, it becomes a force multiplier because a single attack can be the access point to multiple targets.
- Validation is becoming an important point. Especially with off-the-shelf software, most companies assumed the provider did their due diligence. Secondary validation now needs to be happening.
- Protecting organizations from supply chain attacks needs to be more of a shared responsibility, where all the stakeholders in the chain work well together.
The SolarWinds attack, which impacted everyone from Fortune 500 companies to government agencies, may have been the most high-profile example of a supply chain cyberattack, but SolarWinds is far from the only recent victim. Hackers are eager to go after supply chain networks because they know that a single third-party vendor with subpar cybersecurity can be the path to accessing hundreds of companies, including major ones. These types of attacks are especially insidious in the software industry because most companies don’t know which components go into making their commercial software packages.
John Deskurakis, chief product security officer at Carrier, and Tony Turner, vice president of Fortress Labs with Fortress Information Security, discussed how to protect against supply chain attacks and offered viewpoints from two very different perspectives — manufacturing and security — in this partial transcript from the May 6, 2022, RCEP PDH webcast (archived for one year), “How to Protect Against Supply Chain Attacks.”
In this discussion, they tackle some major questions: why supply chain attacks are so appealing to threat actors, why ransomware and supply chain compromise are a toxic mix, which strategies can protect your business from supply chain attacks, and how software bills of materials (SBOMs) can help with risk management. This has been edited for clarity.
A target-rich environment
John Deskurakis: Let’s talk about the appeal to threat actors. [Tony], in your opinion, what is the appeal or what are the appeals to threat actors in terms of the supply chain? Why are we finding that they’re constantly going after the supply chain and targeting it more and more frequently as of late?
Tony Turner: It’s such a target-rich environment in that traditional attacks are a one-to-one relationship between adversary and target. With the supply chain, it becomes a force multiplier. For instance, service providers [and] product security related issues. Many of us use the same products [and] same services. A managed service provider (MSP) is a great example of a prime target. When you looked at the Kaseya attack from last year, there were so many organizations, especially small [and] medium-sized organizations, that were using MSPs to manage their infrastructure. With a single attack, the adversary has now compromised thousands or tens of thousands or even hundreds of thousands. A lot of times, it’s not even one layer down. It may be one, two, three, four, five layers down, and it expands exponentially from a single attack [to a] massive amount of coverage across organizations.
Deskurakis: When you say a force multiplier from the manufacturer perspective, I also like to think about the idea that there are target-rich outcomes for the attacker. In other words, I do a lot less work if I’m an attacker, and the outcomes are going to be exponentially better for me. That is, if I’m attacking the supply chain of a manufacturer and letting them do the course of their normal business, [they] push out their wares to the market. I only need to be successful landing it in one spot in that supply chain, and then it’s going to inevitably end up in many places, and my outcomes are going to be greater. This is a common toolset used in manufacturing that impacted a lot of folks.
When we think about what happened with Log4j, we’re talking about a ubiquitous software library that is everywhere. It’s an open-source element that is delivered in all kinds of software. It’s a very simple thing that arguably most software packages don’t even need, but it’s there. Because there’s a vulnerability that gets nested and embedded within it, a manufacturer such as my company may unintentionally deliver that to a number of customers. That could further get proliferated again and again if [it’s] being redelivered through their chains.
Risk management and supply chain attacks
Turner: [This] is [an] interesting change of the dynamic. Supply chain attacks tend to be more of a pull versus a push. [In] the traditional, conventional attacks, the adversary is trying to overcome perimeter defenses or whatever security controls the organization has put up. That’s more of what I refer to as a push. The adversary is pushing their malicious attacks. If they can target a watering hole or software that you’re using inside your organization, organizations are almost compromising themselves. The adversary really doesn’t have to work very hard.
They stage the attacks in the right places, and organizations are using those every day. There’s [an] implicit trust where a few people are validating their trust in the software and services they use — they do some sort of third-party risk assessment when they first engage in doing business with that supplier. There’s an implicit trust in their supplier, and their supplier has an upstream relationship with that supplier, but it all just flows downhill. Typically, there’s very little validation that takes place, which makes these attacks extremely successful.
Deskurakis: Validation [is] an important point, I think. This is my perspective coming from the manufacturer angle of it: traditionally, years ago, a lot of manufacturers were just focusing on the widget I’m building. Is the widget I’m building high quality? Is it meeting the standards of industry? Is my customer going to be happy with my widget that I’m manufacturing and shipping? There’s a path of least resistance in terms of the attacker’s viewpoint when it comes to those manufactured pieces, the parts of the supply chain that are going out, because traditionally many manufacturers weren’t focused as much on the things they are consuming to build their widget.
If there are commercial off-the-shelf elements or open-source elements getting baked into that, the traditional viewpoint was, “We’ll assume the provider did their due diligence.” There was no secondary validation happening traditionally. I think in some parts of the world, [it’s] still not happening the right way. What are your thoughts on it from your perspective in the industry?
Turner: Traditionally, even when we have had organizations with what we have thought of as a mature third-party risk program, it has been much more focused on the kind of traditional risk management side of the equation as opposed to the technical rigor and any connectivity with the technical controls that we really need to have in place. We need to have both sides of this. We [need] to have a secure foundation [and] good risk management practices at the core of all of this.
A lot of times, I see organizations put all their eggs in one basket on the third-party risk side of the house, or the procurement controls that are all bound up with contracting. [There’s] not a good conversation taking place with the security architecture folks and security operations folks. Half the time, they don’t even know that the procurement has happened until after it has already occurred. Then, they wind up having to figure out, “I would have had some good questions and provisions I would have to put in this contract, but it’s too late now. Cat’s out of the bag, and now I just have a mess that I have to deal with,” and security teams have to scramble to address those risks.
Deskurakis: I think things have evolved to the point where, operationally in the supply chain, things were getting built [and] pushed through the chain in a manner where I’m responsible for this [and] you’re responsible for that. It’s starting to evolve, unfortunately, due to a lot of hard lessons learned in industry. For example, [the] Colonial Pipeline, where it needs to be more of a shared responsibility, where all the stakeholders in that chain need to be working well together.