A year or so ago, the general public thought little about the term “supply chain.” Today, it is all we hear about. Information Technology professionals have long monitored and managed supply chain logistics; in many cases it is the first step in enterprise risk management and vulnerability assessment. For IT, safeguarding the supply chain often comes down to secure coding and testing for vulnerabilities.
However, not all vulnerabilities are introduced through a failure in coding or testing. Some are deliberately introduced into software or firmware by malicious actors. The Kaseya ransomware event this past July demonstrated the danger of a sophisticated criminal attack on a central target in order to compromise a large number of organizations.
Reflecting on Bad Actors
Cybercriminals exploited vulnerabilities in Kaseya’s Virtual System Administrator (VSA) software and used it to push ransomware to the organizations it managed. VSA is a platform used to manage customer networks, servers, and workstations; managed service providers use it to administer both their own infrastructure and that of their customers. By compromising one product, the criminals had the potential to deliver ransomware into the environments of thousands of organizations downstream of Kaseya. Supply chain attacks like this arrive through a trusted management channel and can bypass all of an organization’s protective controls.
Supply chain attacks are not new. When I was working as a systems administrator in 1995, my employer received over 100 new floppy disks, sealed in boxes of ten. All of these disks were infected with a boot sector virus. Fortunately, Norton Antivirus caught the virus and we avoided a significant, potentially devastating, incident. More recently, the U.S. government identified concerns with computer hardware coming from Chinese suppliers.
In 2020, attackers compromised the SolarWinds build process and inserted a backdoor into signed updates of its Orion software. The main targets of the SolarWinds breach were U.S. government agencies, including the Departments of Treasury, Homeland Security, Commerce, State, and Energy. Considering that more than 18,000 customers installed the malicious update, it is easy to see the potential for collateral damage in one of these attacks.
Whether it is compromised software or hardware, what makes these attacks so dangerous is that they come from “trusted sources.” If a trusted source such as Microsoft were breached, IT and cybersecurity professionals would have little recourse for preventing the introduction of malicious code into their environments.
While supply chain attacks are difficult for companies to prevent, there are proven ways to minimize impact.
A documented and tested incident response plan is essential. All organizations – from health care to financial services – must have a response plan in place. The plan must be detailed and actionable in order to serve as a playbook on how to respond to these types of incidents. If you do not have an incident response plan in place, start now.
Software and Hardware Inventories
Software and hardware inventories are foundational IT and security controls that are essential during response. These inventories help to triage a potential event and determine its scope and impact. As an example, a good inventory could have quickly identified whether or not Orion was installed, which version, and which specific systems may be impacted.
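The scoping step described above, as an added example that is not part of the original article: given inventory records, a product name and an affected version range, return the hosts in scope and a per-team count for the responders. The hosts, owning teams and the affected range are constructed for illustration (in a real response the range comes from the vendor advisory); the one thing the example adds beyond the paragraph is that versions must be compared numerically, and that records whose version string cannot be parsed are surfaced for manual review rather than silently dropped.

```python
"""Scope a supply chain incident from a software inventory.

Added example, not from the original article. The inventory records,
host names, owning teams and the affected version range are constructed
for illustration; in a real response, take the affected range from the
vendor's advisory.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class InventoryRecord:
    hostname: str
    product: str
    version: str
    owner: str  # team that is paged when the host is in scope


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    InventoryRecord("nms01.corp.example", "Orion Platform", "2020.2.1", "netops"),
    InventoryRecord("nms02.corp.example", "Orion Platform", "2019.4", "netops"),
    InventoryRecord("nms03.corp.example", "Orion Platform", "2020.2.10", "netops"),
    InventoryRecord("fs01.corp.example", "Backup Exec", "21.0", "storage"),
    InventoryRecord("nms04.corp.example", "Orion Platform", "2020.2 HF1", "netops"),
    InventoryRecord("dc01.corp.example", "Orion Platform", "2018.4", "wintel"),
]


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """'2020.2.10' -> (2020, 2, 10); None if any component is not numeric.

    Tuples of ints compare the way version numbers should. A plain string
    comparison ranks '2020.2.10' below '2020.2.9', which is exactly the
    kind of mistake that mis-scopes an incident.
    """
    try:
        return tuple(int(part) for part in v.strip().split("."))
    except ValueError:
        return None


def find_affected(
    inventory: Iterable[InventoryRecord], product: str, low: str, high: str
) -> Tuple[List[InventoryRecord], List[InventoryRecord]]:
    """Split `inventory` into hosts running `product` with low <= version <= high
    and hosts running `product` whose version string could not be parsed.

    The second list exists so that odd version strings (hotfix suffixes,
    hand-typed entries) get a human look instead of silent exclusion.
    """
    lo, hi = parse_version(low), parse_version(high)
    if lo is None or hi is None:
        raise ValueError("affected range must be numeric dotted versions")
    affected: List[InventoryRecord] = []
    unparsed: List[InventoryRecord] = []
    for rec in inventory:
        if rec.product.casefold() != product.casefold():
            continue
        ver = parse_version(rec.version)
        if ver is None:
            unparsed.append(rec)
        elif lo <= ver <= hi:
            affected.append(rec)
    return affected, unparsed


def scope_summary(records: Iterable[InventoryRecord]) -> Dict[str, int]:
    """Hosts in scope per owning team: the first number responders ask for."""
    return dict(Counter(r.owner for r in records))


if __name__ == "__main__":
    # Hypothetical affected range, not taken from any advisory.
    hits, review = find_affected(SAMPLE_INVENTORY, "Orion Platform", "2019.4", "2020.2.1")
    for rec in hits:
        print("IN SCOPE ", rec.hostname, rec.version, rec.owner)
    for rec in review:
        print("REVIEW   ", rec.hostname, repr(rec.version), rec.owner)
    print("per team:", scope_summary(hits))
```

The same function works for a hardware inventory if the record carries a firmware version in place of a software version; the comparison and the "could not parse" path do not change.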
Network Traffic Monitoring
Network traffic monitoring and intrusion detection/prevention capabilities can identify the outbound beaconing or command-and-control connections that compromised software makes once it is active. Network segmentation and restricting direct Internet egress from internal servers will help minimize the impact of a supply chain attack, along with other malicious activity.
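Both points in the paragraph above, as an added example that is not from the original article: beaconing detection run over a handful of connection-log lines, and an egress check that flags hosts in a server subnet talking straight to the Internet. The log format, the addresses (RFC 1918 and documentation ranges), the server subnet and the thresholds are all constructed or assumed for illustration. The beacon test is the classic one: group outbound connections by (source, destination), take the gaps between them, and flag pairs whose coefficient of variation (standard deviation divided by mean) is small, which is what a fixed-interval check-in with a little jitter looks like and what interactive browsing does not.

```python
"""Flag periodic outbound connections (beaconing) and server egress that
violates segmentation policy, from connection-log lines.

Added example, not from the original article. The log format, addresses,
server subnet and thresholds are constructed/assumed for illustration.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log in a hypothetical "timestamp src -> dst:port" format.
# 10.1.5.20 checks in with 203.0.113.7 roughly every 60 s (the beacon);
# 10.1.20.15 talks to 198.51.100.9 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2021-07-02T14:00:00Z 10.1.5.20 -> 203.0.113.7:443 bytes=512
2021-07-02T14:00:05Z 10.1.20.15 -> 198.51.100.9:443 bytes=9031
2021-07-02T14:00:07Z 10.1.20.15 -> 198.51.100.9:443 bytes=120
2021-07-02T14:00:30Z 10.1.5.20 -> 10.1.5.40:1433 bytes=4096
2021-07-02T14:01:01Z 10.1.5.20 -> 203.0.113.7:443 bytes=520
2021-07-02T14:01:59Z 10.1.5.20 -> 203.0.113.7:443 bytes=498
2021-07-02T14:02:40Z 10.1.20.15 -> 198.51.100.9:443 bytes=77012
2021-07-02T14:03:02Z 10.1.5.20 -> 203.0.113.7:443 bytes=515
2021-07-02T14:04:00Z 10.1.5.20 -> 203.0.113.7:443 bytes=509
2021-07-02T14:04:58Z 10.1.5.20 -> 203.0.113.7:443 bytes=511
2021-07-02T14:09:15Z 10.1.20.15 -> 198.51.100.9:443 bytes=3300
2021-07-02T14:09:16Z 10.1.20.15 -> 198.51.100.9:443 bytes=45
2021-07-02T14:20:00Z 10.1.20.15 -> 198.51.100.9:443 bytes=210
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)")

# RFC 1918 space counts as internal; anything else is treated as the Internet.
# (Deliberately explicit rather than ipaddress.is_private, which also covers
# the documentation ranges used in the sample log.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical policy: hosts in these subnets must not reach the Internet directly.
SERVER_NETS = [ipaddress.ip_network("10.1.5.0/24")]

Conn = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Conn]:
    """Parse the hypothetical log format into (timestamp, src, dst, port) tuples."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unmatched lines are skipped here; real code would count them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        conns.append((ts, m["src"], m["dst"], int(m["port"])))
    return conns


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def beacon_candidates(conns: List[Conn], min_conns: int = 5, max_cv: float = 0.15) -> Dict[Tuple[str, str], dict]:
    """Return outbound (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    cv = pstdev(gaps) / mean(gaps). Thresholds are assumptions for this example;
    tune them against your own traffic before trusting them.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, _port in conns:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    results: Dict[Tuple[str, str], dict] = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all connections in the same second: not a timed beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results[pair] = {"count": len(times), "mean_interval": round(mean, 1), "cv": round(cv, 3)}
    return results


def egress_violations(conns: List[Conn], server_nets=SERVER_NETS) -> List[Tuple[str, str]]:
    """(src, dst) pairs where a host in a server subnet reaches the Internet directly."""
    found = set()
    for _ts, src, dst, _port in conns:
        s = ipaddress.ip_address(src)
        if any(s in net for net in server_nets) and not is_internal(dst):
            found.add((src, dst))
    return sorted(found)


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for pair, stats in beacon_candidates(conns).items():
        print("possible beacon:", pair, stats)
    for src, dst in egress_violations(conns):
        print("server egress to Internet:", src, "->", dst)
```

On the sample data the server-to-database connection is ignored by both checks (internal destination), the workstation's browsing has a coefficient of variation above 1 and is not flagged, and the same server that beacons is also the one breaking the egress policy, which is the point: a segment that cannot reach the Internet directly cannot check in with a command-and-control server either.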
Companies that have mature vulnerability management programs can build response playbooks that align with their zero-day response and mitigation playbooks. Responding to malicious software introduced by a supply chain attack follows similar steps:
- Determining the scope of the concern, which is enabled through good inventories;
- Applying patches or fixes, or isolating impacted systems;
- Establishing playbooks and a process to receive updates or signatures for security tools, including vulnerability scanners, anti-virus and endpoint detection tools, and network security tools.
Early detection, along with a well-thought-out and tested response plan, will help to minimize the overall impact of a security incident.
Study Your Playbook, Then Practice, Practice, Practice
A documented and tested disaster recovery plan has never been more important. The Kaseya breach demonstrates the real possibility of ransomware bypassing all protective controls that are in place. Companies need to assume they are not immune and operate as though a breach is a matter of “when” not “if.”
To be prepared, assume a realistic worst-case scenario. Also, regularly and systematically review and update your disaster recovery plans. Running simulations can help key team members understand their role and help organizations move more quickly through the process when time is of the essence.
Failing to Plan is Planning to Fail.
Benjamin Franklin knew his stuff when he defined the importance of establishing a plan and response strategy. Planning your incident response is not unlike any other project you take on. Consider it project management – just without a defined implementation date. Every plan you take on requires initiating the project, planning the milestones, executing the punch list of activities, monitoring and controlling, and ultimately closing the project. The difference is that incident response planning is never complete. As you review it and assess new technology, staff expertise, and best practices, it will need to be updated.
Along the way, expect supply chain attacks to increase in frequency and impact. Commit now to evaluating your processes, procedures, and technologies in order to identify gaps and opportunities to improve. The threat landscape is – and will continue to be – dynamic. Supply chain attacks have proven to be effective and will become more sophisticated, especially against the unprepared. Count on cybercriminals modifying and improving their tactics based on their successes and failures. You should do the same.