How to minimize the risks and dangers of supply chain attacks

The Solarwinds attack — news of which emerged in December — is one of the most significant security breaches in recent years. With thousands of businesses and government agencies believed to be impacted, it demonstrates the degree of risk that can be posed by supply chain attacks.

Supply chain attacks aren’t particularly new. The Target data breach of 2013 was one of the first to really grab headlines; in 2018 British Airways suffered a data breach through a similar method, with payment details of millions of customers stolen by cyber criminals.

Given the nature of the technology ecosystem, supply chain attacks will become more and more common. ArsTechnica noted 18 months ago that supply chain attacks were growing, with attacks on open source software posing particular challenges — at the start of 2021we’re in an even more precarious situation than we were then. Moreover, the Solarwinds attack also underlines that this is far from an open source problem . Enterprise software is also vulnerable.

However, the growth in supply chain attacks requires us all to be more proactive in tackling them. Attacks might be inevitable., but their damage and impact isn’t.

How do supply chain attacks work?

Before we look at some of the things that can be done to minimize the risk and impact of supply chain attacks, it’s worth taking a moment to look at how they actually work.

Once you properly understand how they can happen, you’ll be in a far better position to evaluate and manage risks.

Essentially, supply chain attacks work by attacking a piece of third party software as a way of getting to a target. By attacking software that is part of an organization’s supply chain, attackers are able to attack with greater stealth, as it can be harder for internal security teams to pick up breaches. Similarly, cyber criminals also use supply chain attacks to increase the potential scope of their attack. As noted earlier, the Solarwinds attack compromised the systems of just about all of Solarwinds customers. In a sense, attacking Solarwinds was like poisoning the water supply.

The Solarwinds supply chain attack

To illustrate how a supply chain attack happens, here’s how the Solarwinds attack is believed to have occurred.

In late 2019 attackers affiliated with Russian intelligence managed to gain a foothold into Solarwinds. They did this by modifying software updates to Orion, a Solarwinds product that helps users to monitor their infrastructure. This was done in such a way that it allowed them to evade detection — this meant that over the next few months they were able to build what is essentially a botnet army (more formally it’s called a command and control infrastructure).

This formed the foundation for a malware attack across thousands of Orion users. This attack opened up a backdoor to a huge number of users’ systems. Again, it wasn’t detected because the communication between the malware and the attackers’ servers was made to look inconspicuous, disguised as a normal part of the Solarwinds product.

Once this was in place, the attackers could perform more detailed exploits systems. In some cases, they were then able to access confidential files and emails.

As you can see, this was a sophisticated and highly planned attack that targeted Solarwinds precisely because it allowed the attackers to find a way into their targets’ systems and infrastructure.

What can be done to minimize the risks?

When faced with an adversary with the patience and technical knowledge demonstrated in the Solarwinds, it can feel like there’s no possible way to defend yourself. Indeed, one of the first lessons of the Solarwinds attacks is that we should treat supply chain threats as inevitable.

However, there are a number of practical things that can be done to give yourself a more robust security posture.

Audit the risks within your supply chain

The first step requires you to simply recognise and document any potential risks and vulnerabilities. This is something that should, of course, be done in purchasing and procurement, but it also needs to be a continuous activity — IT and engineering leadership should remain cognizant to ongoing risks.

It sounds unbelievable, but in cultures where speed and agility are everything, it’s easy to simply lose sight of your infrastructure and assets. Making sure your clear about your dependencies and supply chain — whether their open source or enterprise — is essential.

Build a close relationship with vendors — but don’t be locked in

It’s one thing to audit your supply chain. But ensuring that you have a close relationship with vendors — understanding their challenges, and what they’re trying to do — ensures that you can respond to any potential security issues quickly and proactively.

Relatedly, it’s important that contracts account for security problems and clarify liability. This can sometimes be a tough conversation to have, but good vendors will recognise that transparency and trust is in everyone’s best interests.

Data ownership needs to be defined

Supply chain attacks more often than not are built with one thing in mind: getting at your data. This means that one of the best ways to mitigate the risks of such attacks is to ensure that you have a data strategy that is well-defined with clear lines of ownership.

Of course, this is essential for more than just security reasons, but an organization that does not treat data as something to be nurtured and protected is immediately opening itself up to exploitation.

Tighten up access management and shadow IT policies and processes

Related to data ownership, it’s essential that organizations do not simply approach things as if they are only questions of management and leadership. A messy data strategy can prove fatal, but a data strategy that does not account for the realities of human action — and error — are doomed to failure.

Pay close attention to how employees and others access resources, and make sure you’re well aware of the phenomenon of shadow IT. Particularly with so many people working at home, ensure that you have processes and policies in place that ensure the anarchy of personal device use isn’t going to give a malicious actor entry to your systems and data.

Your incident response plan needs to be second to none

Just as you need to have a well-defined strategy when it comes to data, you also need a well defined incident response plan. What parts of your system will you shut down or kill? How will access rules and permissions change? How can you retrieve data? What do you need to do to perform a successful post mortem?

All of these questions need to be part of a checklist that you have already answered. If you’re waiting for an attack to happen to answer them, you’re too late.

Constant testing and vigilance through DevSecOps

Robust strategies and planning is one thing, but organizations will be even better prepared if they embed security testing within the development lifecycle. Systems and infrastructure should always be stress tested, with any potential issues documented and shared so there is full transparency.

One of the best ways of achieving this is by implementing something called DevSecOps. This is where security considerations and tests are built into the development process.

Like a number of the other points, the benefits of such an approach go far beyond mitigating the risks posed by supply chain attacks. For example, DevSecOps can ensure greater performance and software reliability, allowing engineers to ship quickly without sacrificing quality. That’s good news for the organization, good for engineers, and, most importantly, good for the users you’re trying to serve.

Conclusion: Be proactive, not fearful when it comes to security risks

Stories like the Solarwinds hack can create a climate of fear and caution. Although there are benefits to being cautious, it’s certainly not as effective as being proactive and deliberate in your security efforts. Indeed, caution won’t stop attacks from happening — they’ll only make it harder for you to respond quickly.

So, if you haven’t got one already, make sure 2021 is the year that you adopt a more proactive approach to your security posture. Supply chain attacks will continue, so give yourself the best chance of managing the risks successfully.