The Supply Chain – What’s to lose?

Let’s start simple, what is supply chain risk, and does it even apply to you?

Supply chain risks are those risks associated with the use of third parties who provide a product or service to your organization. This is similar to Vendor Risk Management (VRM) as vendors are a key aspect of an organizations supply chain (e.g., Cisco may be a vendor but still act as part of the supply chain through providing firewalls). And to answer the question: yes it applies, no matter how big or small the organization.

It is quite alarming how far these threat actors, such as Nobelium (responsible for SolarWinds) are willing to go to gain access to sensitive information; even going as far as to wipe their digital footprints prior to initiating the compromise.

But can you blame them?

I would argue no. For the simple fact that the end far outweighs the means. Why focus in on one organization, when an attack can affect hundreds, or even thousands? This is the new mentality of many threat actors, especially Advanced-Persistent Threats (APT’s) such as Russia’s APT28 “Fancy Bear”, or China’s “Iron Huskey”. To really bring this into perspective, here are a few incidents that are more recent (2019+):

1. Barium hack of ASUS Live automatic software updates which introduced backdoors through a malicious update. The certificates used to sign the infected updates were valid as the updaters were hosted on official ASUS update servers. – Affected roughly 57,00+ Kaspersky-identified users, with expectations towards 1 million.
2. SolarWinds Orion malicious code injection into Orion Software prior to push to customers for update. Identified by FireEye in 2020 and full extent of breached information is still unknown; however access was achieved into portions of Dept. of Justice, Pentagon, and other Government Agency information systems. – Affected at least 18,000 customers, with estimates ballparking much more as additional insight is released.
3. Microsoft identified Nobelium Threats from July to October 2021. Microsoft has seen a significant increase in the number of Supply-Chain attacks (similar to SolarWinds) and have notified over 140 resellers and technology service providers. – Currently at least 14 organizations are believed to have been compromised as per Microsoft’s latest Nobelium blog (Oct 24, 2021).

If you haven’t picked up on it yet, these attacks are not carried out by the run of the mill script kiddie, or one-off hacker. They are carried out by well-funded, organized nation states, and cyber crime syndicates. As we can infer, one of the main goals is to go unnoticed as long as possible, which takes time and mounds of effort. Many Nation states even go as far as to put groups or teams together for the sole purpose of carrying out these attacks, which leaves us with time being of the essence; like we say, its not if, its when.

For additional information on Nation State attack vectors, please visit CISA by clicking here.

With APTs and Nation State supply chain attacks on the rise, how do you combat this at the organizational level?

There are quite a few ways an organization can prepare against these type of attacks. However, it requires a holistic approach and an understanding of where you are, where you are going, and who is helping to get you there (suppliers and vendors). Below I have identified some major points to address when considering your organizations cyber security posture:

• Know Your Supply Chain – Although you may have contractual agreements (MSA, SLA, etc.) in place with your vendors and suppliers, how far do those contracts allow you to go? Are your suppliers/vendors just providing you self-attestations of security control implementations, or do they provide you access to their compliance audits? Do you have a right to audit their security and information protection practices within your contract? Building a relationship with your supplier and truly doing the due diligence in ensuring security practices are up to snuff is key in knowing where YOUR shortcomings are. Remember, your only protected equal to the smallest hole in your defenses.
• Trust but Verify – Similarly to the points above, you cannot rely solely on reports/attestations on compliance. You must take everything with a grain of salt. It is key to inspect everything before it goes into your information system; whether it’s third party developed code, a simple SaaS application being purchased, or leveraging existing code, it should all be checked, and then checked again. At a minimum, if the code or tooling was tested by another trusted party, copies of the reports should be reviewed by SME’s and developers who specialize in that area.
• Vendor Risk Management Program (VRM) Establishment – This is all too commonly overlooked yet plays a direct role in the breaches we see today, such as those named previously in this blog. It is one thing to pull information and begin to understand your vendor, but what about when you have 500+ suppliers and vendors? As you grow as an organization it is imperative to have a flexible VRM program that can grow with you to allow you to stay on top of vendor/supplier risks. Such things as vendor/supplier questionnaires, categorizations based on questionnaire results, then a tiered auditing system based on risk level categorizations is always a great start. Remember, the key point here is to have a formal methodology for not only learning and understanding vendors and suppliers, but accurately managing them and their posed risks.
• Communication – This is by far one of the biggest areas where the industry struggles. Thankfully, with groups like CISA, our media platforms, and other outlets, it has become a bit easier to communicate breaches and instances of malicious activity. However, we all know, nobody wants to be the bearer of bad news, and realistically companies deal with threats weekly. So what do we do? Well, we work with our vendors, suppliers, and partner companies and we share threat and malicious activity intel; and stay current with groups like CISA and their threat feeds. The more people that know the tricks being used, the less successful the attacks become. For instance, during the SolarWinds hack, the CEO came out and gave a statement fully open about findings and cooperation with the industry. That is what the industry needs, and it starts with your organization. Once we have a clear, concise understanding of the problem, then we as an industry can pivot to address it.

About Emagine IT

Emagine IT, inc. (EIT) is an information technology services and consulting company based in the Washington, DC metropolitan area. EIT provides IT modernization, cybersecurity, and full lifecycle IT services to the public and private sectors. For more information, please visit their website at www.eit2.com.

Contact
Jared Snyder
CISSP, CCSFP Sr. Consultant, Commercial Services & Federal Cyber Security Services
jared.snyder@eit2.com · (614) 633-9130