As I’ve written before, sophisticated adversaries are finding vulnerabilities wherever they can, and often that means looking to an organization’s supply chain for weaknesses in defenses. They’ll use an organization’s partner or supplier as a ‘stepping stone’ to gain access to their ultimate target.
Several supply chain attacks have made headlines in recent months, including:
• The CCleaner malware campaign that began with a compromise of a build server to infiltrate more than two million machines
• The NotPetya campaign launched through a compromised software update delivered via MeDoc (Ukrainian accounting software)
• Operation Cloud Hopper that used IT managed service providers (MSPs) as a point of access to target organizations across a wide range of industries around the world.
By analyzing these attacks and others that were reported in 2016 and 2017, we can identify three notable trends.
1. The most common motives are data and intellectual property (IP) theft. Cases such as the theft of IP from technology companies in the CCleaner malware campaign, the theft of medication procurement information in the ePrica pharmaceutical software breach and the targeting of Israeli companies in the OilRig campaign (believed to have been conducted by Iranian threat actors, though unconfirmed) indicate that threat actors are likely using supply chain attacks for competitive, political and geostrategic intelligence reasons. The fact that such attacks often involved the delivery of backdoor trojan malware that allowed for data harvesting, exfiltration or privilege escalation on victim systems reinforces this finding. Actors were able to maintain a presence on target networks, gather valuable user credentials and exfiltrate data to attacker-controlled servers.
2. Supply chain attacks are typically targeted. In contrast to mass, indiscriminate campaigns, supply chain attacks tend to be highly focused operations with predetermined targets of interest. This trend likely reflects the motives of these campaigns, which were largely conducted for intelligence gathering or cyber espionage purposes. However, the NotPetya campaign shows that in a handful of cases, where the motives were financial gain or disruption rather than espionage, the attacks were wider reaching.
3. Technology suppliers are the most popular targets for initial compromise. As demonstrated by the use of CCleaner, MeDoc and MSPs, most of the supply chain attacks over the last two years involved the compromise of a technology or software supplier. Adversaries realize that such suppliers are attractive initial targets: they either have privileged access to customer networks, or they deliver regular software updates to customers, which means that compromised software versions (containing malware) will be whitelisted or overlooked by customer security teams and systems.
With these trends in mind, there are several mitigation measures and best practices that you can adopt to improve your organization’s security posture and reduce the risk of supply chain infections.
1. Understand, manage and monitor the digital risk your suppliers present. Many suppliers don’t have adequate security maturity levels so you need to be proactive. The SANS Institute recommends a range of measures that include: due diligence and external auditing of potential suppliers; defining a supplier management policy that classifies vendors and identifies appropriate controls based on access granted to sensitive data; and integrating suppliers with your assessment and audit practices to outline both internal best practices and those required from vendors and partners. Each of these measures should be reviewed regularly throughout the year.
2. Use technology to limit suppliers’ unnecessary access to company systems. Suppliers are often given much broader access to company networks than internal users are offered. Instead, organizations should apply privilege management measures. For example, separation of duties ensures no single individual can perform all privileged actions for a system, and least privilege grants users only the minimum level of access needed to perform their jobs. In addition, network isolation and segmentation can keep supply chain traffic separate from other internal traffic and prevent attacks, like NotPetya and Cloud Hopper, from moving laterally across the network to reach their intended target.
3. Prepare for unintended targeting. The NotPetya attack showed that not all supply chain attacks are targeted. Implementing foundational security principles can mitigate risk from bad actors that prey on the weaknesses that result from the interconnectivity of systems and the ubiquity of applications. Best practices include backing up critical data and systems on a regular basis and implementing a ‘defense in depth’ strategy that includes: host-based firewalls and IP whitelisting; network segmentation and restricting workstation-to-workstation communication; patching, monitoring for known security vulnerabilities, and disabling unneeded legacy features; and access control.
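One way to turn the segmentation and IP-whitelisting controls above into something you can check is to audit connection records against the policy. The block below is an added example, not code from the original post: it flags workstation-to-workstation traffic on lateral-movement ports and supplier (MSP) connections that leave their whitelisted subnet. All addresses, the supplier name and the port list are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed, assumed address plan (not from the post): one workstation range and
# one supplier/MSP range together with the only subnet that supplier may reach.
WORKSTATION_NET = ipaddress.ip_network("10.10.0.0/16")
SUPPLIER_NETS = {"msp-support": ipaddress.ip_network("203.0.113.0/24")}
SUPPLIER_ALLOWED_DST = {"msp-support": ipaddress.ip_network("10.20.5.0/24")}
# Ports used for workstation-to-workstation spread that segmentation should block
# (SMB, NetBIOS, RDP, WinRM); the set is an assumption for this example.
LATERAL_PORTS = {139, 445, 3389, 5985}

def parse(line: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, int]:
    """Parse a constructed flow record of the form '<ts> <src> -> <dst>:<port>'."""
    _, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def check_flow(src, dst, port) -> str:
    """Return a finding label, or '' when the flow complies with the policy."""
    if src in WORKSTATION_NET and dst in WORKSTATION_NET and port in LATERAL_PORTS:
        return "workstation-to-workstation"
    for name, net in SUPPLIER_NETS.items():
        if src in net and dst not in SUPPLIER_ALLOWED_DST[name]:
            return f"supplier {name} outside whitelist"
    return ""

def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the policy over flow records and return (record, finding) pairs."""
    findings = []
    for line in lines:
        src, dst, port = parse(line)
        label = check_flow(src, dst, port)
        if label:
            findings.append((line, label))
    return findings

# Constructed sample flow records so the block runs stand-alone.
SAMPLE_FLOWS = [
    "2017-06-27T10:00:01Z 10.10.3.4 -> 10.20.5.10:443",    # workstation to server: fine
    "2017-06-27T10:00:02Z 10.10.3.4 -> 10.10.7.9:445",     # SMB between two workstations
    "2017-06-27T10:00:03Z 203.0.113.8 -> 10.20.5.10:22",   # MSP to its whitelisted subnet
    "2017-06-27T10:00:04Z 203.0.113.8 -> 10.30.1.1:3389",  # MSP reaching outside whitelist
]

if __name__ == "__main__":
    for record, finding in audit(SAMPLE_FLOWS):
        print(f"{finding}: {record}")
```

In practice the records would come from firewall or flow logs and the policy from the supplier management classification described above; the checks stay the same.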
Activity over the last two years shows that no industry is safe from what has become a steady stream of supply chain attacks. But by analyzing the motives of these bad actors and the tactics, techniques and procedures they use, there’s a lot we can learn to mitigate our digital risk.