Authored by: Teck Wee Lim, Regional Director, ASEAN at CyberArk
Businesses have learned how to be cyber-resilient since the pandemic hit. Those that have successfully and securely introduced innovative offerings and business models have strengthened customer trust and been able to grow with confidence. However, given low detection rates and slow recovery times across the industry, it is important to find out what the leading organisations are doing differently to achieve cyber resilience.
When protecting against supply chain infiltration, businesses have been implementing more risk-mitigation strategies across their ecosystem, and more businesses are becoming flexible and adaptable to changing market conditions. Accenture's State of Cybersecurity Report 2020 found that 40 percent of security breaches are now indirect, as threat actors target weak links in the supply chain or business ecosystem.
Recent supply chain attacks such as the SolarWinds Orion attack have catapulted supply chain security vulnerabilities into the spotlight – particularly those involving the third-party software applications and hardware components that comprise much of today's enterprise IT environments.
The attack, which has potentially impacted more than 18,000 organisations to date, stems from a compromise of third-party network management vendor SolarWinds' Orion software. A sophisticated threat actor reportedly distributed malicious source code within an Orion software update – leveraging the very means by which organisations protect themselves against potential threats. This allowed the attacker to gain a foothold in victim organisations, steal and abuse legitimate identities and credentials, escalate privileges, move laterally and vertically to access valuable assets – and then maintain persistent access using the Golden Security Assertion Markup Language (SAML) technique, never seen before in the wild.
The Evolution of Supply Chain Attacks
While the SolarWinds compromise is unprecedented in many ways, supply chain attacks are far from new. Attackers have long targeted third-party vendors across both digital and physical supply chains – from software and technology providers, to attorneys and consultants, to manufacturing and logistics companies – as backdoors into the networks of their enterprise or government business partners. Attackers also prefer to target larger organisations such as Microsoft.
Gartner predicts that more than 50 percent of enterprises will have implemented endpoint detection and response (EDR) solutions that supplement prevention with detect and response capabilities by the end of 2023. In recent months, the world has seen a surge in supply chain attacks targeting healthcare companies involved in COVID-19 vaccine development and delivery. Today, the SolarWinds supply chain attack shows us just how precisely targeted threat actors have become.
A Realistic Zero Trust Approach that Won’t Hamstring Supply Chain Operations
Working with numerous third-party vendors is an inevitable part of doing business, but it also creates security blind spots that can become dangerous. To protect themselves, many companies and government agencies are embracing Zero Trust models – in which they trust nothing and verify everything.
The Singapore government has encouraged businesses to adopt a "zero-trust" posture in order to protect networks against cybersecurity attacks. To support businesses, the Singapore Computer Emergency Response Team has launched an advisory that describes common causes of attacks against cloud services and provides recommended measures for organisations to strengthen their cloud configurations.
However, as vendor ecosystems grow in complexity, a hard and fast “trust nothing” strategy down the supply chain can quickly inhibit business operations and slow innovation. A successful security strategy must be both realistic and sustainable.
Here are four takeaways for organisations to significantly reduce the impact of a potential supply chain attack.
1. Protect Privileged Access. With dramatic cloud migrations underway, and the adoption of transformative digital technologies, privileged accounts and credentials represent one of the largest attack surfaces for organisations today. Identifying and managing privileged access is paramount to disrupting the attack chain – regardless of whether the attacker infiltrated the environment via the supply chain or by other means – and maximising risk mitigation.
2. Embrace a Defence-In-Depth Approach. There is no silver bullet for cybersecurity, and no one vendor or tool can completely prevent an attack. An "assume breach" mindset calls for multiple layers of security, such as endpoint detection and response, next-gen antivirus, strong privileged access management and application and OS patching. However, cybersecurity is a journey, and it doesn’t have to happen all at once. A good starting point is to adopt a risk-based approach, investing first in the security controls that reduce the greatest amount of risk.
3. Consistently Enforce Least Privilege Everywhere. While breaches are inevitable, organisations can take steps to limit the blast radius of an attack by eliminating unnecessary privileges and permissions based on the principle of least privilege. Widespread adoption of public cloud services and SaaS applications has accelerated the need for least privilege controls in cloud environments. In fact, a recent ESG survey ranked overly permissive privileges as the most common attack vector against cloud applications. Strong least privilege enforcement can help prevent all identities, whether on-premises or in the cloud, from reaching sensitive targets.
4. Monitor for Privileged Credential Theft. As the SolarWinds attack shows, sophisticated attackers go to great lengths to hide their activity and avoid detection, and it can be extremely difficult to spot a supply chain infiltration. By monitoring privileged sessions, organisations can more easily spot suspicious behaviour and patterns indicative of credential theft and better understand what critical assets are being targeted – enabling faster, more decisive response to protect the organisation.
The supply chain represents a critical attack vector; however, by leading with an "assume breach" mindset and securing access to sensitive data and systems, organisations can make it significantly more difficult for attackers to accomplish their end goals.
The vast majority of all cyber attacks involve the compromise of identity and the manipulation of privileged access. Businesses that have been affected by the SolarWinds Orion attack, or are simply focusing on strengthening their security posture, should understand the risks involved and ensure that their protocols are aligned.
As traditional network security barriers dissolve, the "assume breach" mindset has never been more critical. By assuming that any identity – whether human or machine – may have been compromised, organisations can turn their attention to identifying, isolating and stopping threats before they gain privileged access and execute lateral movement, and before more harm is caused.