Supply chain attacks are on the rise, yet few businesses are equipped to face this threat. This could be due to a growing despondency towards cybersecurity in light of the SolarWinds attack.
If nation-state hackers were sophisticated enough to compromise heavily defended government agencies and critical infrastructure operators, how could any organization hope to prevent a supply chain attack?
The answer is a change of mindset - don't assume a supply chain attack might occur, assume it will occur.
What is the Assume Breach Mentality?
An assume breach mentality is a pessimistic approach to cybersecurity: it treats cyber attacks as something that will happen, or may already be happening, rather than something that might happen.
This simple shift in mindset moves defense strategies from a passive to an active footing. By assuming data breaches will occur, or are presently occurring, organizations harden their defenses and continuously monitor their network for vulnerabilities and signs of compromise.
Assume breach differs from a Zero Trust Architecture in that it is less a framework than a mindset. The transition to an assume breach mentality results in the reinforcement of loose defenses, which can in turn lead to the implementation of a Zero Trust Architecture.
Can an Assume Breach Mentality Prevent Supply Chain Attacks?
No cybersecurity tactic is guaranteed to prevent supply chain attacks; however, an assume breach mentality can significantly minimize their impact.
This is because assume breach-minded organizations continuously scan their ecosystem for anomalies that could be connected to a cyberattack, so threats are detected and remediated much sooner, reducing the impact of a breach.
The faster a threat is detected, the faster it can be isolated, and the less impact it will have on critical resources.
The SolarWinds supply chain attack was especially disastrous because the intrusion went undetected inside the SolarWinds ecosystem for roughly 15 months.
How to Implement Assume Breach
An assume breach mentality should be implemented with a layered approach, systematically sharpening the detection capabilities of every organizational element until the entire ecosystem is one big threat detection machine.
An organization's attack surface can be represented by three primary elements:
- People
- Processes
- Technology
By focusing on each of these elements separately, the implementation of an assume breach model is contextualized to create a multidimensional threat detection system.
Assume breach focus: People
Applying an assume breach mindset to this element alone significantly reduces the overall chances of a data breach occurring.
The individuals that make up an organization fall into the following categories:
- Leadership team
- Third-party vendors
An assume breach mindset should be instilled through education. All individuals need to recognize the signs of a cyberattack attempt so that it can be avoided and reported.
The following list outlines some of the most common cyberattacks against employees. Each method is linked to a blog post that can be used to educate staff about how each attack method works.
- Phishing attacks
- Social Engineering Attacks
- DDoS attacks
- Ransomware attacks
- Malware attacks
- Clickjacking attacks
Initial cyberattack attempts tend to arrive via email, often from senders posing as legitimate employees.
As a minimal measure, any unexpected email that asks staff to open an attachment, click a link, or change payment or login details should be confirmed with the apparent sender before acting on it, even when it appears to come from internal staff.
This verification step is easier to streamline when the organization uses a dedicated communication platform such as Slack, because the check can be made out of band rather than by replying to the suspicious email itself.
Third-party vendors are harder to reform because they operate their own systems and depend on their own third-party software. A better alternative is to implement a third-party attack surface monitoring solution that detects potential threats in vendor software, an essential tool when you assume your vendors will suffer a supply chain attack.
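The display-name spoofing described above (an external address presented under an employee's name, a look-alike domain, or a Reply-To that diverts answers elsewhere) can be flagged mechanically before a message reaches a mailbox. The following is an added illustration, not code from the original article or from UpGuard; the staff directory, internal domain, and sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory and internal domain (assumption: the organization
# already maintains a directory of this shape; names and addresses are made up).
INTERNAL_DOMAIN = "example.com"
STAFF = {
    "Alice Chen": "alice.chen@example.com",
    "Bob Ortiz": "bob.ortiz@example.com",
}


def normalize_name(name: str) -> str:
    """Lower-case and strip punctuation/spacing so 'alice  chen' still matches 'Alice Chen'."""
    return re.sub(r"[^a-z]", "", name.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def impersonation_findings(raw_message: str) -> list:
    """Return the reasons an inbound message looks like someone posing as staff.

    An empty list means none of these checks fired; it does not prove the mail is safe.
    """
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)

    # 1. Display name matches a known employee but the address is not that employee's.
    by_name = {normalize_name(n): a.lower() for n, a in STAFF.items()}
    key = normalize_name(display_name)
    if key in by_name and address.lower() != by_name[key]:
        findings.append(f"display name '{display_name}' belongs to staff but From is {address}")

    # 2. Sender domain is a near-miss of the internal domain (typosquat or digit swap).
    if from_domain and from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} looks like {INTERNAL_DOMAIN}")

    # 3. Reply-To sends answers to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")

    return findings


# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Alice Chen <a.chen@gmail.com>\n"
    "Reply-To: a.chen@gmail.com\n"
    "Subject: Urgent wire transfer\n\nPlease process the attached invoice today."
)
LOOKALIKE = (
    "From: Bob Ortiz <bob.ortiz@examp1e.com>\n"
    "Subject: Updated VPN client\n\nInstall the new client from the link below."
)
LEGIT = (
    "From: Alice Chen <alice.chen@example.com>\n"
    "Subject: Lunch\n\nSee you at noon."
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, "->", impersonation_findings(raw) or "no findings")
```

A gateway rule of this kind only narrows what reaches staff; the out-of-band confirmation described above remains the control for anything the rule does not catch.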
Maintain a log of user activity
To measure suspicious internal events against a baseline of normal behavior, the activity of all users should be logged.
This log should record the specific resources being accessed, the geolocations they are accessed from, and the role and responsibilities of each employee requesting access.
Evaluating user activity uncovers who is accessing your sensitive data. That access should be restricted to the minimum number of authorized users.
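The three fields the paragraph above calls for (resource, geolocation, role) are enough to compare new access events against a per-user baseline and against a role-based access policy. The following is an added example, not part of the original article or any UpGuard product; the JSON log format, the role-to-resource policy, and the sample log lines are all constructed for the illustration.

```python
import json
from collections import defaultdict

# Constructed role-to-resource policy (assumption: this is how the organization
# expresses least privilege; role and resource names are made up for the example).
ROLE_PERMISSIONS = {
    "engineer": {"source-repo", "ci-logs"},
    "finance": {"payroll-db", "invoices"},
    "it_manager": {"source-repo", "ci-logs", "payroll-db", "invoices", "software-install"},
}
SENSITIVE = {"payroll-db", "invoices"}


def parse_event(line: str) -> dict:
    """Each log line is one JSON object with user, role, resource, country, ts (assumed format)."""
    return json.loads(line)


def build_baseline(events) -> dict:
    """Per user, the set of countries and resources seen during a reference period believed clean."""
    baseline = defaultdict(lambda: {"countries": set(), "resources": set()})
    for e in events:
        baseline[e["user"]]["countries"].add(e["country"])
        baseline[e["user"]]["resources"].add(e["resource"])
    return dict(baseline)


def evaluate(event: dict, baseline: dict) -> list:
    """Return the reasons one access event deviates from policy or from the user's own baseline."""
    findings = []
    allowed = ROLE_PERMISSIONS.get(event["role"], set())
    if event["resource"] not in allowed:
        findings.append(f"role {event['role']} is not permitted to access {event['resource']}")
    seen = baseline.get(event["user"])
    if seen is None:
        findings.append(f"no baseline for user {event['user']}")
        return findings
    if event["country"] not in seen["countries"]:
        findings.append(f"access from {event['country']}, previously only {sorted(seen['countries'])}")
    if event["resource"] in SENSITIVE and event["resource"] not in seen["resources"]:
        findings.append(f"first-time access to sensitive resource {event['resource']}")
    return findings


def triage(baseline_lines, new_lines) -> list:
    """Build the baseline from reference lines, then return (event, findings) for each new line that deviates."""
    baseline = build_baseline(parse_event(line) for line in baseline_lines)
    flagged = []
    for line in new_lines:
        event = parse_event(line)
        findings = evaluate(event, baseline)
        if findings:
            flagged.append((event, findings))
    return flagged


# Constructed sample log lines (not real telemetry).
BASELINE_LOG = [
    '{"ts": "2021-06-01T09:00:00Z", "user": "alice", "role": "engineer", "resource": "source-repo", "country": "US"}',
    '{"ts": "2021-06-01T09:05:00Z", "user": "alice", "role": "engineer", "resource": "ci-logs", "country": "US"}',
    '{"ts": "2021-06-01T10:00:00Z", "user": "bob", "role": "finance", "resource": "payroll-db", "country": "US"}',
]
NEW_LOG = [
    '{"ts": "2021-06-02T03:00:00Z", "user": "alice", "role": "engineer", "resource": "source-repo", "country": "DE"}',
    '{"ts": "2021-06-02T03:10:00Z", "user": "alice", "role": "engineer", "resource": "payroll-db", "country": "US"}',
    '{"ts": "2021-06-02T09:00:00Z", "user": "bob", "role": "finance", "resource": "payroll-db", "country": "US"}',
    '{"ts": "2021-06-02T09:30:00Z", "user": "eve", "role": "finance", "resource": "invoices", "country": "US"}',
]

if __name__ == "__main__":
    for event, findings in triage(BASELINE_LOG, NEW_LOG):
        print(event["user"], event["resource"], "->", "; ".join(findings))
```

The baseline is only as trustworthy as the period it was built from; under an assume breach mindset the reference window should be reviewed for compromise before it is used, and a user with no baseline at all (a new account or a newly onboarded vendor identity) is treated as a finding rather than silently accepted.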
Assume breach focus: Processes
Create process policies
Education equips employees with an assume breach toolkit; processes enforce the application of that mindset. Information Security Policies (ISPs) outline the security rules and procedures an organization must adhere to. A primary goal of the ISP is to control the distribution of data.
By restricting access to sensitive data, the chances of that resource being compromised in a cyberattack are reduced.
The creation of assume breach policies may naturally lead to the implementation of a Zero Trust Architecture.
Restrict access to sensitive data
The Principle of Least Privilege (POLP) is a very effective framework for restricting access to sensitive data. POLP limits what each user can do to the minimum set of privileges their role actually requires.
For example, by default an organization may prevent employees from installing software on their devices and permit only the IT manager to perform this function.
A privileged access policy assumes most accounts cannot be trusted and restricts them with hard limits. This may seem to contradict the earlier recommendation: teach staff to avoid cyberattacks, but don't trust them to do so.
However, it is this multi-layered approach, education combined with technical restriction, that makes the assume breach mentality so effective against supply chain attacks.
Create an Incident Response Plan
An organization that has fully embraced an assume breach mentality is always prepared to rapidly remediate data breaches.
That preparation is documented in an Incident Response Plan (IRP). An IRP instills calm during a high-stress breach incident and tells staff how to isolate and remediate an attack most efficiently.
Assume breach focus: Technology
Technological solutions should support two categories of function: keeping threats out of the ecosystem and remediating threats that are already inside it.
Keeping threats out of an ecosystem
Cyber threats should be detected before they have had the opportunity for injection.
Antivirus software is a basic requirement for threat detection, but it is certainly not perfect.
Sophisticated threat actors are capable of evading antivirus detection, so this technology should never be the only layer of cybersecurity defense.
An assume breach mindset should also be applied to security solutions themselves: assume each one will fail, and implement multiple independent layers so that a single failure does not leave the organization exposed.
Keep antivirus software updated
It's important to keep installing antivirus software updates so that new malware variants can be detected.
In addition to an antivirus solution, all of the attack surfaces within an organization should be protected by a network security system.
Implement network security
Network security systems are comprised of multiple solutions such as email security, firewalls, data encryption, and access protection.
Multifactor authentication is a highly potent and under-utilized security control. According to Microsoft, multifactor authentication blocks over 99.9% of automated account compromise attacks.
Implement third-party attack vector monitoring solutions
Because supply chain attackers compromise a third party and then reach its customers through a backdoor in the vendor's product, a solution should be implemented to monitor the attack surface of the vendor network.
VendorRisk by UpGuard identifies vulnerabilities in the vendor network that could be exploited in supply chain attacks. When threats are detected, preemptive remediation efforts, such as risk assessments, can be deployed and tracked from the platform to secure defenses before a breach is even attempted.
With an assumed breach mindset, all vendors are expected to fall victim to a supply chain attack, so they cannot be trusted to strengthen their security posture independently. VendorRisk empowers organizations to take complete ownership of their third-party attack surface security.
Discover and remediate data leaks
The best method of preventing threat injection is to identify and remediate events that could otherwise progress into data breaches.
To effectively prevent threats from entering an ecosystem, organizations should switch from a purely defensive mindset to a discovery mindset. This is the natural response if the assumption is that a data breach is always imminent.
It is not possible to identify and intercept every potential threat actor, but it is possible to identify and remediate the specific events, such as exposed credentials or misconfigured storage, that could lead to a data breach.
By identifying and remediating data leaks throughout the vendor network before they develop into data breaches, the risk of supply chain attacks is significantly reduced.
CyberResearch by UpGuard offers a managed data leak detection service to help organizations with sizeable vendor networks efficiently scale their data leak security.
Remediating Threats Within an Ecosystem
When a threat penetrates all of the above defenses, it needs to be isolated and remediated as quickly as possible. A clearly laid out Incident Response Plan will facilitate this, and a Zero Trust Architecture will help keep malicious code isolated.
Remediation management solutions help stakeholders assess the effectiveness of their Incident Response Plan, and cybersecurity ratings evaluate the effectiveness and speed of all remediation efforts.
UpGuard Helps Organizations Prevent Supply Chain Attacks
Because UpGuard also offers managed data leak detection and Third-Party Risk Management services, organizations can scale their security efforts faster than ever before.
UpGuard also supports compliance across a myriad of security frameworks, including the new supply chain requirements set by Biden's Cybersecurity Executive Order.