Network visibility fuels supply chain resilience

As supply chain attacks have more wide-reaching and devastating impacts around the world, it is vital that organisations understand everything that’s happening on their network

In an increasingly technology-driven and interconnected world, businesses and society are as much digitally dependent as they are digitally enabled. Earlier this year, US president Joe Biden was inaugurated in the midst of the SolarWinds incident, which breached federal departments and thousands of businesses, while his first months in office saw even more dire revelations via attacks on tens of thousands of organisations that use Microsoft’s Exchange email server.

These incidents are just the latest in a string of software supply chain attacks that together have pulled back the curtain to reveal a large and growing landscape of exposed organisations, including household name brands and numerous powerful government agencies.

But the impact is felt even wider than that. The recent infiltration of Kaseya, a software firm that provides outsourced IT services, was a real-life scenario illustrating just how interconnected the world has become. The company acted as a vector allowing ransomware to spread not just to its own customers but to their downstream customers as well. It meant that, in an instant, grocery stores and commuter trains in Sweden stopped working, more than 100 schools in New Zealand were impacted and two city governments in the state of Maryland in the US had to shut their networks.

As a core business process, it’s crucial that information supply chains are also treated as a core business risk. Yet while high-profile supply chain attacks have ensured widespread awareness of the growing risks around information delivery and business leaders understand the lack of resilience in supply chains must be addressed, the question of how to achieve it remains elusive to many. This is especially the case given the types of risk they face are constantly evolving.

“Businesses need greater visibility into their networks to gain confidence that their own trusted vendors are not putting them in a compromising position,” says Andrew Sellers, chief technology officer at risk analytics company QOMPLX. “The key is to know what is operating within your environment. And you must be able to monitor and validate fundamental controls and protocols, including identity. In other words, ‘zero trust, but verify’.

“Why is that so important? In most sophisticated offensive cyber operations, the attackers look to disappear within the compromised environment by obtaining administrator-level credentials and access. Exploiting Active Directory and cloud identity providers is a mainstay because it allows them to fade into the background noise of credentialed, authenticated network activity. If they control authentication, they can bypass authorisation. Then, from there, they can do whatever they want: adding or modifying users, as well as accessing or changing data, services and configurations.”

To build real resilience into their supply chains, organisations of all kinds should treat information supply chain risk as a core element of their overall annual strategic planning and resource it accordingly with both budget and empowered technical leadership. Without that, no single vendor, technology or other remedy can function as a silver bullet solution.

More specifically, those that adopt a modern, layered approach to building a mature security strategy tend to be more successful, which means not just building taller walls with fancier endpoint tools but also better ID cards that provide visibility across the entire network. With a multi-pronged and mature set of tools, the goal is to make large cyber events into small ones, even in the event of a penetration by an adversary. True resilience, when embedded across supply chain operations, enables normal operations to resume as quickly and effectively as possible.

Rapid detection and response limits the damage bad actors can cause and increases their costs, while decreasing the cost for victims. QOMPLX’s team has operated and supported some of the largest Active Directory implementations in the world. Its technologies help verify that users and services are who they say they are by spotting a range of Kerberos attacks for on-premises systems, while also protecting cloud environments or complex federated environments. Deep visibility into privilege and authentication events, which may indicate an emerging attack, impedes adversaries post-exploitation. But before anything else, it’s vital to get the basics right.

“Enable multi-factor authentication by default on your organisation’s devices and ensure employees are using a password manager,” says Sellers. “The initial access for the ransomware gang that breached Colonial Pipeline, for example, came from a reused password exposed in an unrelated breach. Second, make sure your organisation backs up your data and practices rehearsing from backups, which is much easier said than done. If you don’t practice, you’re unlikely to perform well when the pressure is on during a compromise and the clock is ticking.

“And lastly, every organisation needs to have a comprehensive view of all of their IT systems, with consistent periodic asset management. This is where QOMPLX’s unique technologies can help organisations by quickly mapping out which assets and accounts could be inadvertently putting them at risk, as well as identifying suspicious authentication activity in near real-time.”

Hostile actors will continue to adapt their techniques in their attempts to exploit supply chains. Modern organisations and governments already operate with an increasing interdependence on common software applications, operating platforms and security architectures, and adversaries will always respond by sharing and commoditising relevant attack vectors so that their operations can impact an ever-larger number of victims with even less effort than previously.

A leaked playbook from the ransomware gang Conti demonstrated that members of the group rapidly deploy new exploits, such as ‘Print Nightmare’, almost immediately after they are made publicly available. This trend will continue, mostly unabated, until defenders ensure that the organisations they support are implementing fixes to major vulnerabilities as soon as possible.

“Supply chains of any kind, in any domain, can generally increase their resilience with greater transparency in attribution and operation,” says Sellers. “With software and information supply chains, much of the security community is promoting identity-centric solutions that reduce reliance on problematic trust assumptions.

“Even so, consumers will rightfully demand greater transparency into the controls of their suppliers. As automated reporting and verification improves, the emerging vendor risk-rating processes will evolve to look less like a credit rating and more like a home inspection. You need to know exactly what’s happening on your network.”

To find out more about how to protect your organisation from cyber attacks, visit us at www.qomplx.com/cyber/

Promoted by Qomplx