Lessons Learned from Recent Supply Chain Attacks: How Can We Better Prepare for the Future?
Supply chain attacks have surged in recent years, exposing even the most secure organizations to unexpected risks. A supply chain attack occurs when hackers compromise an organization by infiltrating a third-party partner that provides essential software or services. This type of attack exploits the trust between businesses and their suppliers, enabling attackers to distribute malicious code through seemingly legitimate updates or services.
The impact can be considerable, as several organizations could be affected by the same supplier being breached.
Some attacks, such as the XZ Utils backdoor discovered in Linux distributions, highlighted that even open-source software could be weaponized. In this case, a contributor injected a backdoor into a widely used compression tool, exposing systems to remote code execution. This attack echoed incidents such as SolarWinds, emphasizing the need to secure the entire supply chain, from trusted suppliers to open-source tools.
To address these growing threats, organizations must adopt a proactive approach to secure their supply chains. Here are the key lessons learned and steps for future preparation.
1. Identify the Threats
Effective defense starts with a deep understanding of the risks within your supply chain. This begins with identifying critical assets, mapping suppliers, and assessing their security practices.
Where are the Crown Jewels?
The first step is to identify the business-critical assets most at risk and the providers that may impact them. This will guide security efforts and resource allocation.
Based on that first assessment, define a baseline of protection that suppliers must comply with, pertaining to the organization's assets and information. This must, of course, match the products or services contracted to the provider.
What are the security risks linked with the Supply Chain?
Ensure the security level of your suppliers, not only direct ones but also their partners. A vulnerability in a second level - or even third level - supplier can expose your organization to significant risks. Regular evaluations will help in understanding where the weaknesses are.
2. Implement Control
Once the risks are understood, it is essential to establish control over your supply chain by setting clear security expectations and ensuring compliance.
It is important to develop and communicate the minimum security standards that suppliers are expected to adhere to. These standards can then be applied and enforced through contractual agreements. Collaborating with suppliers also helps raise awareness of supply chain security risks.
Clear protocols for handling security incidents should be established. It is crucial that both stakeholders - the organization and its suppliers - are prepared to collaborate quickly in the event of a security breach, with predefined steps to contain and resolve the incident.
3. Detection implementation: Critical Role of Use Cases in Supply Chain Attack
In the context of a Cyber Security Operations Center (CSOC), use cases are critical for guiding the detection and response processes. A use case defines specific scenarios or conditions under which events should trigger alerts, allowing CSOC teams to focus on relevant threats.
By creating targeted use cases based on an organization's unique environment, such as industry-specific risks or common attack vectors, security teams can minimize risk in the event of a breached supplier.
For example, in a supply chain scenario, use cases could monitor for unauthorized lateral movement, data exfiltration, or access attempts to information not pertaining to the supplier.
Monitoring potential lateral movement can be done by tracking unusual network traffic patterns between systems that don't usually communicate. This enables the CSOC to identify when an attacker is moving across the network in search of more valuable assets, often after compromising a supplier system. For example, after a planned ERP update, if the system hosting the solution in question starts logging into dozens of assets over the network, it could be linked with a potential issue with the update, possibly indicating a supply chain attack.
Similarly, monitoring for data exfiltration can detect the transfer of sensitive information outside the organization. Use cases that track abnormal data transfers, such as sending large volumes of data to external domains or unexpected use of file transfer protocols, can trigger alerts before significant damage is done.
A final option to implement may be the detection of abnormal behaviour, for example, monitoring for failed and successful access across the whole environment. Should a supplier's account suddenly start interacting with far more devices than usual, this could indicate a compromised account or unauthorized activity.
Regularly developing and refining use cases helps align detection strategies with evolving threat landscapes, ensuring that the CSOC remains proactive in identifying new forms of attacks and minimizing potential impact on the organization.
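The three use cases above (post-update fan-out from an application server, large transfers to external addresses, and a supplier account touching far more devices than usual) can be expressed as simple baseline-versus-observed checks. The following is an added example, not code from the original article: it parses constructed key=value authentication and network events, compares each source against a constructed daily baseline, and returns the alerts a CSOC analyst would triage. Host names, account names, thresholds and the log format are all assumptions made for the example.

```python
"""Three supply-chain detection use cases over constructed key=value logs.

Added example: hosts, accounts, baselines and thresholds are constructed,
not taken from any real environment.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed baselines: distinct peers a host / a supplier account normally
# touches per day. Hosts without a baseline default to 1 (conservative).
BASELINE_HOST_PEERS = {"erp-01": 3, "hr-app": 2, "vendor-jump": 3}
BASELINE_ACCOUNT_DEVICES = {"svc_vendor_erp": 2}
SUPPLIER_ACCOUNTS = {"svc_vendor_erp"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
EXFIL_BYTES_THRESHOLD = 50_000_000                   # 50 MB/day to external IPs
FANOUT_FACTOR = 3                                    # alert above 3x baseline

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Parse '<timestamp> <kind> k=v k=v ...' into a dict; None if malformed."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "kind": parts[1]}
    event.update(KV_RE.findall(parts[2]))
    return event


def load_events(text):
    return [ev for ev in (parse(l) for l in text.splitlines()) if ev]


def detect_lateral_movement(events):
    """Use case 1: a host authenticating to far more peers than its baseline."""
    peers = defaultdict(set)
    for ev in events:
        if ev["kind"] == "auth":
            peers[ev["src"]].add(ev["dst"])
    return [(host, len(dsts), BASELINE_HOST_PEERS.get(host, 1))
            for host, dsts in peers.items()
            if len(dsts) > BASELINE_HOST_PEERS.get(host, 1) * FANOUT_FACTOR]


def detect_exfiltration(events):
    """Use case 2: bytes sent to non-internal addresses exceed a daily threshold."""
    out_bytes = defaultdict(int)
    for ev in events:
        if ev["kind"] != "net":
            continue
        try:
            dst = ipaddress.ip_address(ev["dst"])
        except ValueError:
            continue  # unresolved hostnames are skipped in this example
        if dst not in INTERNAL_NET:
            out_bytes[ev["src"]] += int(ev.get("bytes", 0))
    return [(src, b) for src, b in out_bytes.items() if b > EXFIL_BYTES_THRESHOLD]


def detect_account_fanout(events):
    """Use case 3: a supplier account touching more devices than its baseline.

    Failed and successful attempts both count: probing shows up as failures.
    """
    devices = defaultdict(set)
    for ev in events:
        if ev["kind"] == "auth" and ev.get("user") in SUPPLIER_ACCOUNTS:
            devices[ev["user"]].add(ev["dst"])
    return [(user, len(devs), BASELINE_ACCOUNT_DEVICES.get(user, 1))
            for user, devs in devices.items()
            if len(devs) > BASELINE_ACCOUNT_DEVICES.get(user, 1) * FANOUT_FACTOR]


# Constructed one-day log: ERP server fanning out to 12 file servers after a
# planned update, a supplier account probing 7 devices, one external 120 MB push.
SAMPLE_LOG = "\n".join(
    [f"2024-05-10T02:{i:02d}:00Z auth src=erp-01 dst=fs-{i:02d} user=svc_erp result=success"
     for i in range(1, 13)]
    + ["2024-05-10T02:20:00Z auth src=hr-app dst=db-01 user=svc_hr result=success",
       "2024-05-10T02:21:00Z auth src=hr-app dst=db-02 user=svc_hr result=success"]
    + [f"2024-05-10T03:{i:02d}:00Z auth src=vendor-jump dst=srv-{i:02d} "
       f"user=svc_vendor_erp result={'success' if i % 2 else 'failure'}"
       for i in range(1, 8)]
    + ["2024-05-10T03:30:00Z net src=erp-01 dst=203.0.113.5 bytes=120000000 proto=sftp",
       "2024-05-10T03:31:00Z net src=hr-app dst=10.0.5.5 bytes=80000000 proto=smb",
       "malformed line"]
)


def run_all(text=SAMPLE_LOG):
    events = load_events(text)
    return {"lateral_movement": detect_lateral_movement(events),
            "exfiltration": detect_exfiltration(events),
            "account_fanout": detect_account_fanout(events)}


if __name__ == "__main__":
    for use_case, hits in run_all().items():
        print(use_case, hits)
```

Each detector fires on a different constructed situation: the ERP server's 12 peers against a baseline of 3, the 120 MB push to 203.0.113.5, and the supplier account's 7 devices against a baseline of 2. In a real CSOC the baselines would be learned per host and per account over a quiet period and the thresholds tuned to the environment; the point of the example is that all three use cases reduce to comparing observed behaviour against a known-good baseline.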
4. A best practice: Least privilege principle
One of the key practices for reducing risk is to implement the principle of least privilege, particularly for accounts and access rights that are rarely used. Ensure that suppliers have only the access necessary to perform their functions and nothing more.
Alongside the initial setup, regularly reviewing and adjusting these permissions will help to prevent unauthorized access or potential breaches.
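The periodic review described above can be automated as a comparison between what each supplier account has been granted and what its contracted role actually requires, plus a check for accounts that have gone unused. The following is an added example, not the article's or any product's code: the roles, entitlements, account names and the 90-day staleness window are constructed assumptions.

```python
"""Least-privilege review of supplier accounts.

Added example with constructed data: roles, entitlements and accounts are
assumptions, not taken from any real organization.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)   # assumed review policy for unused access

# What each supplier role is contractually entitled to (constructed).
ROLE_ENTITLEMENTS = {
    "erp-maintenance": {"erp:read", "erp:deploy"},
    "hvac-monitoring": {"bms:read"},
}


@dataclass
class SupplierAccount:
    name: str
    role: str
    granted: set
    last_used: Optional[date]   # None means the account has never been used


def review(accounts, today):
    """Return (account, finding, detail) tuples for excess or stale access."""
    findings = []
    for acct in accounts:
        allowed = ROLE_ENTITLEMENTS.get(acct.role, set())  # unknown role: nothing allowed
        excess = sorted(acct.granted - allowed)
        if excess:
            findings.append((acct.name, "excess_privilege", excess))
        if acct.last_used is None or today - acct.last_used > STALE_AFTER:
            findings.append((acct.name, "stale_account", acct.last_used))
    return findings


def minimal_grant(acct):
    """The permission set the account should keep after the review."""
    return acct.granted & ROLE_ENTITLEMENTS.get(acct.role, set())


# Constructed accounts: one over-privileged, one unused, one with an unknown role.
SAMPLE_ACCOUNTS = [
    SupplierAccount("svc_vendor_erp", "erp-maintenance",
                    {"erp:read", "erp:deploy", "domain:admin"}, date(2024, 5, 5)),
    SupplierAccount("svc_hvac", "hvac-monitoring", {"bms:read"}, date(2023, 10, 1)),
    SupplierAccount("svc_old_vendor", "legacy", {"fileshare:write"}, None),
]


if __name__ == "__main__":
    for finding in review(SAMPLE_ACCOUNTS, date(2024, 5, 10)):
        print(finding)
```

Run against the constructed accounts on 2024-05-10, the review flags the domain admin right the ERP supplier never needed, the HVAC account that has not been used for over seven months, and the legacy account whose role no longer maps to any contract. An unknown role deliberately resolves to an empty entitlement set, so anything it still holds is reported as excess rather than silently accepted.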
5. Verify compliance
Setting the baseline is not sufficient to ensure a safe supply chain; a mandatory step is to regularly check that suppliers comply with the predefined security requirements.
To identify potential vulnerabilities, an organization can schedule regular audits, assessments, and penetration tests. The assessment and evaluation of the results is key in ensuring that security measures are respected throughout the supply chain.
6. Continuous Improvement
The security landscape is constantly evolving. It is therefore critical to promote continuous improvement and build trust-based relationships with suppliers. One potential implementation step could be to encourage suppliers to stay informed of emerging threats and the latest technologies. The organization can support this by sharing industry information to help providers better understand security issues.
A strong and collaborative relationship is the foundation of a secure supply chain. Collaboration creates trust between the organization and its suppliers through open communication, ensuring that both parties remain aligned on security goals.
Conclusion
Supply chain attacks, as part of the general threat landscape, are evolving. They are becoming more sophisticated and harder to detect. However, by learning from recent incidents and adopting proactive strategies, organizations can minimize the risks and better protect themselves in the future.
The traditional cybersecurity perimeter is no longer enough; the focus must now shift to securing the entire supply chain. This is the only way to avoid the abuse of the trust relationship between an organization and its suppliers.
In summary, enhancing the security of the supply chain requires constant vigilance and proactive collaboration. Only a collective, integrated approach will enable organizations to face the growing complexity of threats.
Additionally, organizations must not forget the importance of custom-defined use cases within their infrastructure. Use cases guide the detection and response efforts, focusing attention on the most critical risks to the supply chain. By developing use cases that reflect an organization's specific environment, CSOC teams can minimize the risk in the event of a breached supplier.
Sources
Supply chain security guidance - NCSC.GOV.UK
Defending Against Software Supply Chain Attacks (cisa.gov)
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-004.pdf
https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
Author
Abdulsamet Akkus