Paul Mocarski, vice president and chief information security officer, Sammons Financial Group
About a year ago, the general public gave little thought to the term “supply chain”. Today it’s all we hear. IT professionals have long overseen and managed supply chain logistics; in many cases this is the first step in enterprise-wide risk management and vulnerability assessment. For IT, protecting the supply chain often boils down to secure coding and vulnerability testing.
However, not all vulnerabilities are introduced by a coding or testing error. Some are intentionally introduced into software or firmware by malicious actors. The Kaseya ransomware event last July demonstrated how a sophisticated criminal attack on a single central target can compromise a large number of organizations at once.
Thinking about bad actors
Cyber criminals exploited Kaseya’s Virtual System Administrator (VSA) software to push ransomware to the organizations it managed. Kaseya is a global vendor of IT management software, and VSA is its platform for managing customer networks, servers and workstations. Managed service providers use this platform to manage their own infrastructure and that of their customers. By compromising one product, the criminals had the potential to deliver ransomware into the environments of thousands of downstream customers. Supply chain attacks like this can bypass all of an organization’s protective controls, because the malicious payload arrives through a channel that is already trusted and authorized.
Attacks on supply chains are not new. When I was working as a sysadmin in 1995, my employer received over 100 new floppy disks sealed in boxes of 10. All of these disks were infected with a boot sector virus. Luckily, Norton Antivirus caught the virus and we avoided a serious, potentially devastating incident. More recently, the US government has raised concerns about computer hardware from Chinese suppliers.
In 2020, SolarWinds’ Orion software was compromised: attackers inserted malicious code into legitimate Orion updates. The primary targets were U.S. government agencies, including the Department of Treasury, Department of Homeland Security, Department of Commerce, Department of State, and Department of Energy. Considering that more than 18,000 customers had installed the malicious update, the potential for collateral damage from one of these attacks is easy to see.
Whether compromised software or hardware is involved, what makes these attacks so dangerous is that they come from “trustworthy sources”. If a trusted source like Microsoft were to be breached, IT and cybersecurity professionals would have little power to prevent malicious code from being introduced into their environments.
While supply chain attacks are difficult for organizations to prevent, there are proven ways to minimize the impact.
Incident response
A documented and tested incident response plan is essential. All organizations—from healthcare to financial services—must have a response plan in place. The plan must be detailed and actionable to guide how to respond to these types of incidents. If you don’t already have an incident response plan, start now.
Software and hardware inventory
Software and hardware inventories are basic IT and security controls that become essential during a response. These inventories help triage a potential event and determine its scope and impact. For example, a good inventory could have quickly determined whether Orion was installed at all, which version was present, and which specific systems might be affected.
Network traffic monitoring
Network traffic monitoring and intrusion detection/prevention capabilities can identify the outbound beaconing or command-and-control connections that compromised software and systems use to reach their operators. Network segmentation and limiting internal servers’ direct access to the Internet help minimize the impact of a supply chain attack and other malicious activity.
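The two network controls above can be checked against ordinary firewall or proxy logs. The following is an added example, not code from the original article or from any vendor: it parses constructed connection-log lines, flags outbound flows whose connection intervals are nearly constant (the signature of a beaconing implant), and flags any host in an assumed server VLAN that talks to the Internet directly. The log format, the 10.20.7.0/24 server subnet, the internal address ranges and the thresholds are all assumptions for illustration.

```python
"""
Added example (not from the original article): detect periodic outbound
beaconing and server-to-Internet traffic in firewall/proxy logs.
Log format, hosts, subnets and thresholds are assumptions for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed internal address space and server VLAN; adjust for your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.20.7.0/24")]

# Constructed sample log (not real traffic), one connection per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>".
# 10.20.5.17 -> 203.0.113.10 connects roughly every 60 s: a beacon.
# 10.20.7.4 is a server that should never reach the Internet.
SAMPLE_LOG = """\
2021-07-02T10:00:00 10.20.5.17 203.0.113.10 443 612
2021-07-02T10:00:02 10.20.5.17 198.51.100.8 443 15200
2021-07-02T10:01:00 10.20.5.17 203.0.113.10 443 608
2021-07-02T10:02:01 10.20.5.17 203.0.113.10 443 615
2021-07-02T10:03:00 10.20.5.17 203.0.113.10 443 610
2021-07-02T10:03:59 10.20.5.17 203.0.113.10 443 611
2021-07-02T10:05:00 10.20.5.17 203.0.113.10 443 609
2021-07-02T10:00:10 10.20.7.4 10.20.9.9 1433 9000
2021-07-02T10:00:41 10.20.5.17 198.51.100.8 443 7100
2021-07-02T10:04:12 10.20.5.17 198.51.100.8 443 22000
2021-07-02T10:00:30 10.20.7.4 192.0.2.77 443 900
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, bytes) tuples.
    Blank or malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        records.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(port), int(nbytes)))
    return records


def is_internal(ip):
    # Explicit membership test; Python's is_private would also treat the
    # RFC 5737 documentation ranges used in the sample as non-global.
    return any(ip in net for net in INTERNAL_NETS)


def find_beacons(records, min_connections=5, max_jitter=0.1):
    """Return {(src, dst, port): period_seconds} for internal->external flows
    whose inter-connection intervals are nearly constant, i.e. whose
    coefficient of variation (stdev / mean) is at or below max_jitter."""
    flows = defaultdict(list)
    for ts, src, dst, port, _ in records:
        if is_internal(src) and not is_internal(dst):
            flows[(str(src), str(dst), port)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to call a rhythm
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.stdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons


def find_segmentation_violations(records):
    """Internal servers should not reach the Internet directly; return the
    sorted set of (src, dst, port) that break that rule."""
    hits = set()
    for _, src, dst, port, _ in records:
        if any(src in net for net in SERVER_NETS) and not is_internal(dst):
            hits.add((str(src), str(dst), port))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for flow, period in find_beacons(recs).items():
        print("possible beacon", flow, "every", period, "s")
    for hit in find_segmentation_violations(recs):
        print("server reached Internet directly", hit)
```

Real implants add random sleep jitter to defeat exactly this test, so in practice the threshold is tuned per environment and combined with other signals (rare destinations, constant payload sizes, off-hours timing); the segmentation check, by contrast, is a hard policy violation and is worth alerting on unconditionally.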
Vulnerability management as a guide for responding to these types of incidents
Organizations with mature vulnerability management programs can create response playbooks that align with their zero-day response and mitigation playbooks. Responding to malicious software introduced through a supply chain attack follows similar steps:
• Determine the scope of the concern, which good inventories make possible.
• Apply patches or fixes, or isolate the affected systems.
• Create playbooks and a process for receiving updates or signatures for security tools, including vulnerability scanners, antivirus and endpoint detection tools, and network security tools.
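The scoping step above, and the inventory point made earlier, come down to one question: which hosts run an affected version of the compromised product, and which hosts we cannot yet answer that for. The following is an added example, not code from the original article or from any vendor: it reads a constructed inventory, matches recorded versions against an assumed advisory’s affected ranges, separates hosts whose version is unrecorded (they must be checked by hand, not assumed clean), and groups the affected hosts by network segment so isolation can be applied per segment. The product name "ExampleMonitor", the version numbers and the segments are placeholders, not SolarWinds’ real affected builds.

```python
"""
Added example (not from the original article): scope a supply chain
incident from a software inventory. Product, versions and hosts are
constructed placeholders, not real advisory data.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed inventory export; "mon-dr" has no recorded version on purpose.
INVENTORY_CSV = """\
hostname,segment,product,version
mon01,servers,ExampleMonitor,2020.2.1
mon02,servers,ExampleMonitor,2020.2.4
wks-117,workstations,ExampleMonitor Agent,2020.2.1
db03,servers,PostgreSQL,13.2
mon-dr,dr-site,ExampleMonitor,
"""

# Assumed advisory: inclusive (lowest, highest) affected version ranges per product.
AFFECTED = {"ExampleMonitor": [("2019.4.5", "2019.4.9"), ("2020.2.0", "2020.2.2")]}


def version_key(version):
    """Turn '2020.2.1' (or '2020.2 HF1') into a tuple of ints so ranges compare
    numerically rather than as strings ('2020.2.10' > '2020.2.9')."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))


def in_affected_range(version, ranges):
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in ranges)


def scope_incident(inventory, affected=AFFECTED):
    """Return (affected_hosts, unverified_hosts).

    affected_hosts   run a version inside an affected range.
    unverified_hosts have the product but no recorded version; treat them
                     as affected until someone checks the box itself.
    Products not named in the advisory are ignored, including look-alike
    names such as 'ExampleMonitor Agent', which would need its own entry."""
    affected_hosts, unverified = [], []
    for row in inventory:
        ranges = affected.get(row["product"])
        if ranges is None:
            continue
        if not row["version"].strip():
            unverified.append(row["hostname"])
        elif in_affected_range(row["version"], ranges):
            affected_hosts.append(row["hostname"])
    return affected_hosts, unverified


def isolation_plan(inventory, hosts):
    """Group hosts by segment, the unit at which firewall isolation is applied."""
    segment_of = {row["hostname"]: row["segment"] for row in inventory}
    plan = defaultdict(list)
    for host in hosts:
        plan[segment_of[host]].append(host)
    return dict(plan)


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY_CSV)
    hit, unknown = scope_incident(inv)
    print("affected:", hit, "needs manual check:", unknown)
    print("isolate by segment:", isolation_plan(inv, hit + unknown))
```

The unverified bucket is the part most teams skip: an inventory that is 95% populated still leaves the remaining 5% as the hosts you cannot clear, and a playbook should say explicitly that they are isolated or inspected, not silently dropped from the list.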
Early detection, along with a well thought out and tested response plan, helps minimize the overall impact of a security incident.
Study your playbook, then practice, practice, practice
A documented and tested disaster recovery plan has never been more important. The Kaseya incident demonstrates the real possibility of ransomware bypassing every protective control in place. Businesses must assume they are not immune and act as if a breach is a matter of “when”, not “if”.
To be prepared, assume a realistic worst-case scenario. Also, regularly and systematically review and update your disaster recovery plans. Running simulations can help key team members understand their role and help organizations move through the process faster when time is of the essence.
Failing to plan is planning to fail
Benjamin Franklin knew his stuff when he observed that failing to plan is planning to fail. Planning your incident response is no different from any other project you take on. Think of it as project management, just without a defined implementation date. Each plan you adopt requires initiating the project, planning the milestones, executing the list of activities, monitoring and controlling, and finally completing the project. The difference is that incident response planning is never complete. As you review it and evaluate new technology, employee expertise, and best practices, it needs to be updated.
Over time, expect supply chain attacks to increase in frequency and impact. Commit now to assessing your processes, procedures and technology to identify gaps and opportunities for improvement. The threat landscape is – and will remain – dynamic. Supply chain attacks have proven effective and are becoming more sophisticated, especially against the unprepared. Count on cybercriminals to change and improve their tactics based on their successes and failures. You should do that too.