Cybercriminals are surprisingly lazy. Hackers are continuously cultivating their methods to achieve maximum impact with minimal effort. The adoption of a Ransomware-as-a-Service model is one example of such an achievement.
But perhaps the apical point of cyberattack efficiency was achieved with the invention of the supply chain attack.
Supply chain attacks have been growing in prevalence, to the point of crippling critical U.S. infrastructures. To significantly dampen this trend, President Joe Biden has signed an ambitious Executive Order calling for a complete reformation of supply chain cybersecurity standards throughout government entities, and the private sector.
To learn how to secure your supply chain from these attacks, and improve compliance with this new Cybersecurity Executive Order, read on.
What is a Supply Chain Attack?
A supply chain attack is a type of cyberattack where an organization is breached though vulnerabilities in its supply chain. These vulnerabilities are usually linked to vendors with poor security postures.
Vendors require access to private data to integrate with their users, so if a vendor is breached, its users could also be compromised from this shared pool of data,
Because vendors have a vast user network, a single comprised vendor often results in multiple businesses suffering a data breach.
This is what makes supply chain attacks so efficient - instead of laboriously breaching each target individually, multiple targets can be comprised from just a single vendor.
How to Prevent Supply Chain Attacks
The SolarWinds Orion data breach not only demonstrated the devastating potential of supply chain attacks, but it also exposed concerning vulnerabilities in conventional defense methods that make such attacks possible.
Follow these 11 strategies to have the highest chances of preventing supply chain attacks.
1. Implement Honeytokens
Honeytokens act like tripwires that alert organizations of suspicious activity in their network.
They are fake resources posing as sensitive data. Attackers think these decoy resources are valuable assets and when they interact with them, a signal is activated, alerting the targeted organization of an attack attempt.
This gives organizations advanced warnings of data breach attempts while also revealing the details of each breaching method.
Armed with this intelligence, organizations can isolate the specific resources being targeted and deploy the most effective incident response efforts for each cyberattack method.
If a cyber attacker isn't operating behind a firewall, honeytokens could even reveal the location and identity of the attacker.
To be most effective at preventing supply chain attacks, honeytoken should be implemented by vendors.
2. Secure Privileged Access Management
The first thing cyberattackers do after breaching a defense is move laterally throughout the ecosystem in search of privileged accounts.
This is because privileged accounts are the only accounts that can access sensitive resources. When a privileged account is found, sensitive data access is attempted.
This predictable attack sequence is known as the Privileged Pathway - it's the common attack trajectory followed by most cybercriminals. Even nation-state followed this cyber attack pathway when they breached multiple U.S federal government agencies.
By disrupting an attacker's progression along this pathway, breach attempts, and therefore supply chain attacks, could be prevented.
An effective Privileged Access Management (PAM) framework will disrupt this common attack trajectory, but to further mitigate the chances of a supply chain attack, the PAM itself needs to be protected.
A PAM should be protected by both external and internal defenses.
External PAM defenses
External defenses are proactive strategies of preventing threats from being injected into an ecosystem. A PAM framework can be defended by two proactive threat detection methodologies
Staff are the primary gateways to malicious code injections because they're usually tricked into permitting cybercriminals access into an ecosystem.
The most common form of trickery is scam emails (or phishing attacks). These emails seem like they're sent from trustworthy colleagues but upon interacting with them, malicious codes are activated and internal login details are stolen.
These login details could grant threat actors access to an ecosystem, initiating the hunt for higher privileged accounts.
To prevent such incidents, all staff need to be educated about common cyberattack methods so that they can identify and report breach attempts, rather than falling victim to them.
Each of the following common attack methods links to a post that can be used for cybercrime awareness training:
- Phishing attacks
- Social Engineering Attacks
- DDoS attacks
- Ransomware attacks
- Malware attacks
- Clickjacking attacks
Detect vendor data leaks
Data leaks are unintentional disclosures of sensitive data. If these leaks remain unremediated, they could be exploited by cybercriminals and used to launch supply chain attacks.
Many vendors are unaware of their own data leaks and leave them exposed. By implemented a third-party data leak detection solution, vendor data leaks can be detected and remediated before they have a chance to develop into supply chain attacks.
Internal PAM defenses
If a breach attempt happens to slip past external defenses, sensitive data could still be protected if internal defenses are strong enough.
Here are two internal PAM defense strategies:
Implement an Identity Access Management (IAM)
With an IAM, multiple access privileged accounts can be managed from a single interface. This will ensure all privileged accesses are accounted for, preventing exposure risks from dormant accounts.
Encrypt all internal data
Internal data should be encrypted with the Advanced Encryption Standard (AES) algorithm. This will make it difficult for criminals to establish the backdoor required to exfiltrate data during a supply chain attack.
The AES encryption method used by the United States Government.
3. Implement a Zero Trust Architecture (ZTA)
A Zero Trust Architecture assumes all network activity is malicious by default. Only after each connection request passes a strict list of policies is it permitted to access intellectual property.
At a high level, a ZTA is powered by a Policy Engine (PE), a Policy Administrator (PA), and a Policy Enforcement Point (PEP).
The Policy Engine decides whether network traffic should be permitted by following the rules set by the Trust Algorithm. The Policy Administrator communicates the Policy Engine's decision (pass or fail) to the Policy Enforcement Point.
The Policy Enforcement Point is the final gatekeeper that either blocks or permits network requests based on the Policy Engine's decision.
The ZTA framework can be adapted to suit any ecosystem setup requirements. This solution can even secure remote endpoints - a commonly targeted attack vector since the global adoption of a remote working model.
4. Assume you will suffer a data breach
An assume breach mindset naturally leads to the implementation of a Zero Trust Architecture.
As the name suggests, with an Assume Breach mentality, an organization assumes that a data breach will happen, as opposed to hoping it won't happen.
This subtle shift in mindset encourages the deployment of active cyber defense strategies across all vulnerable attack vectors in an organization.
The three attack surfaces at the highest risk of compromise are - people, processes, and technologies.
Protecting people from compromise
The best method of preventing people from being used as gateways to cyberattacks is through cybercrime awareness training (see Point 2 above).
Protecting processes from compromise
All Internal processes can be controlled, and therefore, protected by instituting Information Security Policies (ISP). ISPs set the boundaries of all approved internal processes.
To further protect processes and enforce ISPs, all sensitive resource access should be restricted to a specific number of trustworthy staff. This can be instituted via the Principle of Least Privilege (PLOP).
The number of Privileged access accounts should be kept a minimum, to mitigate the chances of compromise.
Protecting technology from compromise
For the best results, multiple layers of defenses should be established around internal technologies. The more layers that are implemented, the fewer chances of a threat digging deep enough to penetrate critical infrastructures.
Here's a list of suggested technology defenses that should be implemented in parallel for maximum effect:
- Antivirus software - Be sure to keep your antivirus software updated so that it's aware of the latest threats.
- Multifactor authentication - Though it may sometimes be a nuisance, according to Microsoft, multi-factor authentication could block up to 99.9% of automated cybercrime. It could also identify unauthorized access attempts.
- Implement attack surface monitoring solutions - Internal technologies are not the only solutions that require protection. External vendor technologies are even more important to protect because they are the first targets in a supply chain attack. VendorRisk by UpGuard identifies all security vulnerabilities in vendor technologies that could be exploited in a supply chain attack.
5. Identify all potential insider threats
An insider threat isn't always motivated by malicious intents. In most cases, they are unaware of the risks associated with their actions.
Cyberthreat awareness training (see point 2) will filter out such innocent end-users.
Hostile insider threats are difficult to identify. They're also significantly more dangerous because they can provide threat actors with the specific access they require to facilitate a software supply chain attack.
Regular employee feedback surveys and an open and supportive work culture will address concerns before they cultivate hostile insider threats.
6. Identify and protect vulnerable resources
Identify the specific resources that are most likely to be targeted by cybercriminals. This answer isn't always intuitive. Honeytokens could help uncover the resources most coveted by criminals.
Speak to your vendors about the benefits of honeytokens and encourage their implementation. This will uncover all of the attack surfaces in your supply chain at risk of being breached.
7. Minimize access to sensitive data
First, all the sensitive data access points need to be identified. This will help you note all of the employees and vendors that are currently accessing your sensitive resources.
The higher the number of privileged access roles, the larger the privileged access attack surface, so such accounts need to be kept to a minimum.
Vendor access should be especially scrutinized given their risk of being the first targets in a supply chain attack.
Map out all of the vendors currently accessing your sensitive data and their respective access levels.
Questionnaires will help flesh out how each vendor processes and protects your sensitive data.
Once all third-party access data is acquired, the culling process can begin. Service providers should only have access to the minimal amount of sensitive data they require to offer their services.
8. Implement strict shadow IT rules
Shadow IT refers to all IT devices that are not approved by an organization's security team.
The recent global adoption of a remote-working model has resulted in many employees incorporating their own private IT devices while establishing their home office environments.
IT security departments should enforce the registration of all IT devices alongside strict guidelines about what can and cannot be connected.
All permitted devices (especially IoT devices) should be monitored to identity DDoS attacks being launched from the supply chain.
9. Send regular third-party risk assessments
The sad reality is that your vendors are unlikely to ever take cybersecurity as seriously as you do. As a result, it's up to you to ensure your supply chain is well defended.
Third-party risk assessments help disclose each vendor's security posture and any concerning vulnerabilities that need remediating.
Ideally, third-party risk management assessments should be used in harmony with a vendor security rating system, so that all cyber risk assessment responses can be verified.
10. Monitor vendor network for vulnerabilities
The third-party landscape is complex and capricious. As a result, vulnerabilities that are likely to be exploited in a supply chain attack are easily overlooked.
A third-party attack surface monitoring solution will instantly surface all hidden vulnerabilities exposing an organization to supply chain attacks.
11. Identify all vendor data leaks
Organizations have a 27.7% chance of suffering a data breach, and almost 60% of these breaches are linked to third-parties.
So by focusing on mitigating third-party breaches that lead to supply chain attacks, overall data breach incidents will be reduced.
Third-party data breaches can be significantly reduced if all vendor data leaks are remediated before they're discovered by cybercriminals.
Data leaks make it much easier for threat actors to launch supply chain attacks because they could relinquish sensitive intelligence about the state of a target ecosystem.
Data leaks, however, are often falses positive, and filtering out these superfluous leaks requires the dedication of multiple security teams.
Data leak managed services, such as CyberResearch, allow organizations to entrust all data leak monitoring and remediation efforts to a team of expert security analysts.
This flexible support network also makes scaling supply chain security efforts faster, and therefore, more efficient than ever before.
UpGuard Helps Organizations Prevent Supply Chain Attacks
UpGuard empowers organizations to take complete ownership of their third-party security by continuously monitoring for vulnerabilities and data leaks that could be exported in a supply chain attack.
UpGuard also supports compliance across a myriad of security frameworks, including the new supply chain requirements set by Biden's Cybersecurity Executive Order.
CLICK HERE for a FREE 7 day trial of UpGuard today!