Connect with us

Hi, what are you looking for?


Risk Management

Shields Up: How to Tackle Supply Chain Risk Hazards

Organizations Need to Monitor and Manage IT Security Risks Downstream in the Supply Chain

Organizations Need to Monitor and Manage IT Security Risks Downstream in the Supply Chain

On December 13th, FireEye disclosed a global supply chain attack allegedly carried out by a nation-state actor. According to the firm’s threat research, the cyber adversary added a backdoor to commonly used SolarWinds Orion IT management software, apparently by infiltrating the vendor’s software development pipeline. Subsequently, any customer that installed the trojanized software update was exposed to the malware which connects to an attacker-controlled command-and-control server. Once installed, the backdoor enables the threat actor to download additional malware, move laterally within the victim’s environment, exfiltrate data, and conceal tools for remote access in the future. In addition, the nation-state actor behind the attack is believed to be using the intrusions as a beachhead for attacking an organization’s business partners as well. While this is not the first supply chain attack to make headlines, its sophistication and blast radius is forcing organizations to consider how they can minimize their exposure to these types of threats in the future.

While SolarWinds might not be a household brand, its IT management software is being used by more than 300,000 customers around the globe, making this cyber-attack one of the biggest in recent history. According to initial forensic analysis, nearly 18,000 companies may have been caught up in the initial wave of the attack and it’s unknown whether the SolarWinds software was the only access vector used in the campaign. Additional National Security Agency (NSA) cybersecurity advisories about the exploitation of vulnerabilities in VMware Workspace ONE as well as the Abuse of Authentication Mechanisms seem to indicate that other access vectors might have been in play. 

While the list of victims remains incomplete; the organizations affected to date include FireEye (which broke the news about the attack), Microsoft, the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Health’s National Institutes of Health (NIH), the Cybersecurity and Infrastructure Agency (CISA), the Department of Homeland Security (DHS), and the US Department of State.

Common Supply Chain Risk Hazard

Based on the media hype, it might appear that a supply chain attack that leverages a backdoor, is a newly emerging attack tactic. However, cyber adversaries have long focused on exploiting third-party related control failures. Data breaches at Adobe, Target, Home Depot, and Neiman Marcus are only a few examples, in which hackers have mounted targeted attacks against an organization’s supply chain. 

One of the most damaging and memorable supply chain attacks to date remains the RSA SecureID token breach. Using stolen data about the company’s SecurID authentication system, criminals were able to compromise RSA customers including Lockheed Martin that relied on SecureID tokens to protect their most sensitive data and networks.

Advertisement. Scroll to continue reading.

As companies improved their defenses against direct network attacks, hackers shifted their focus to the weakest link by exploiting the supply chain to gain backdoor access to IT systems. As a result, organizations need to monitor and manage IT security risks downstream in the supply chain.

Lessons Learned

The SolarWinds data breach is a stark reminder that systems and process failures by third parties can have catastrophic reputational and operational consequences for an organization. As a result, it is no longer sufficient to simply implement procedures for managing vendors and the risk they may expose to the organization. Instead, organizations need to also safeguard against third-party related control failures. So, how can this be achieved?

• Advanced Supplier Risk Management – Based on the uptick in cyber-attacks on the supply chain, some companies are mandating that suppliers use independent verification services to test software applications prior to procurement and deployment. Test results are required for any new release, product enhancement, or upgrade – imposing continuous diagnostics to minimize risk. This is a departure from the traditional approach of conducting penetration tests using internal security operations teams to assess potential vulnerabilities months or even years after deploying the technology. 

• Secure the Software Development Pipeline – To limit their exposure to supplier risk, organizations need to realize that their attack surface is no longer limited to traditional components such as servers, databases, and network devices. It now also includes microservices, Cloud, and DevOps environments. Therefore, it’s vital to secure administrative access to the tools and applications that DevOps teams use, enable elastic application configuration via secrets, as well as authenticate applications and services with high confidence. Organizations should mandate that their software suppliers certify and extend security controls into these new environments.

Regardless of how the initial compromise occurred, detecting an attack — which often coincides with authentication abuse — can help in identifying and containing the damage. The following security controls should be considered to break the threat actors cyber-attack chain:

• Harden Your Environment – There are many options available to harden an organization’s environment. At minimum, businesses should configure their cloud environments to reject authorization requests with tokens that exhibit characteristics which deviate from accepted practices. When it comes to on-premises environments, follow the National Security Agency guidelines by deploying a Federal Information Processing Standards (FIPS)-validated Hardware Security Module (HSM) to store on-premises token signing certificate private keys. An HSM makes it very difficult for threat actors who have compromised a system to steal the private keys and use them outside the network.

• Step Up Multi-Factor AuthenticationMulti-factor authentication (MFA) remains the most reliable option for augmenting an organization’s existing access controls. Based on studies conducted by Microsoft, an account is more than 99.9% less likely to be compromised if using MFA. Replacing and/or supplementing username and password authentication with MFA significantly raises the bar and costs for carrying out cyber-attacks. 

• Enforce Least Privilege – For superusers and IT admins, least privilege access based on just enough, just-in-time privileged access management (JIT PAM) is a best practice. The concept of least privilege, whereby IT admins are only provided the needed level of access to perform a certain task for the amount of time necessary to perform it, is an antidote for many security threats. This should be paired with implementing access request and approval workflows that govern privilege elevation to capture who approved access and the context associated with the request. 

It’s unlikely we’ve seen the last major data breach that exploits supply chain vulnerabilities. To protect themselves, organizations should not continue to manage their supply chain risks the same way they have in the past. 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.