Addressing Supply-Chain Attacks
Supply-chain attacks have increased sharply over the past decade, and that trend continued in 2020 and early 2021. They have obvious appeal to attackers and will keep happening. Organizations need a broader perspective and should assume that any piece of software or any device could be compromised. A compromised supply chain gives an attacker initial access to your network; what they can do next depends on whether your organization has additional controls in place to detect and prevent lateral movement to other systems and accounts. So you can, and should, defend against supply-chain attacks just as you defend against any other attack: identify and implement reasonable controls to prevent, detect, and limit what an attacker can do in your network.
Vendor Management Is Not Enough
Good vendor management will help companies avoid suppliers that fall below a baseline and comply with regulations that mandate vendor oversight. Vendors involved in recent attacks serve major multinational corporations around the globe and have already been subjected to sophisticated vendor assessments—none of which detected the issues that led to these incidents. There’s no reason to think that “better” vendor management would have prevented these incidents.
Start with Effective Risk Assessment
The starting point for strong controls against supply-chain attacks (or any other attack) is to answer three key questions:
Who is likely to target the organization?
What gaps exist in controls that may detect, prevent, or limit an attack?
Which of these threat/gap combinations is most likely to lead to a significant incident if not addressed?
That last question is the most important because it allows an organization to focus its limited resources on the most important areas. It is also hard to do without truly understanding how attacks occur and the real costs associated with those attacks.
Understanding and Using Zero-Trust Principles
As they are assessing and implementing new controls, maturing organizations should also look to implement zero-trust principles. Zero-trust is not new, but recent attacks and shifts in technology usage show the futility of defending a network with only a perimeter wall.
Zero-trust simply means you can’t implicitly trust anything or anyone. That Exchange server might be fine, or it might carry vulnerabilities known only to an advanced threat actor. That might be Pat from accounting, or it might be an attacker using Pat’s credentials to download the company’s customer database before launching ransomware. Zero-trust principles continuously evaluate whether an activity makes sense given its context: who is asking, from which device and in what state of health, from where, at what time, and for how much data compared with what is normal for that identity. This mindset helps protect against external attackers, supply-chain compromises, and insiders who may use their privileged access to harm the organization or steal data. Tools that support endpoint detection and response, identity and access management, and privileged account management are part of this approach, as are tools that aggregate and analyze telemetry to identify unexpected or anomalous behavior.
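As an added illustration of that contextual evaluation (example code written for this page, not code from the article or from any product), the following Python scores a data-access request against a constructed baseline of what is normal for a user: known devices, usual countries, working hours, and typical data volume. The user "Pat", the resource name customer_db, the corporate network range, the point weights, the decision thresholds, and the three sample events are all assumptions made for the example; a real deployment would take the baseline and the event fields from the identity provider, the EDR agent, and application logs.

```python
"""Context-aware access decision in the zero-trust style.

Every request is scored against what the identity, endpoint and application
systems know about the caller; network location is just one weak signal.
Added example: weights, thresholds, the user, the resource and the sample
events are constructed for illustration, not taken from any product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Assumed corporate address space. Being "inside" removes only one point,
# because a supply-chain implant or a stolen laptop is inside too.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE_RESOURCES = {"customer_db"}


@dataclass(frozen=True)
class Baseline:
    """What the IAM and endpoint systems know about a user's normal behaviour."""
    user: str
    known_devices: frozenset
    known_countries: frozenset
    work_hours_utc: tuple      # (start_hour, end_hour), half-open interval
    typical_rows_per_day: int


@dataclass(frozen=True)
class AccessEvent:
    user: str
    device_id: str
    device_healthy: bool       # EDR/MDM attestation: sensor up, patched, disk encrypted
    src_ip: str
    country: str
    time: datetime
    resource: str
    rows_requested: int
    mfa_satisfied: bool


def score_event(ev: AccessEvent, base: Baseline):
    """Return (risk, reasons) for one request. Point weights are assumptions."""
    risk, reasons = 0, []

    def flag(points, why):
        nonlocal risk
        risk += points
        reasons.append(why)

    if ev.device_id not in base.known_devices:
        flag(3, f"unknown device {ev.device_id}")
    if not ev.device_healthy:
        flag(3, "device failed health attestation")
    if ev.country not in base.known_countries:
        flag(2, f"login from unusual country {ev.country}")
    if not any(ipaddress.ip_address(ev.src_ip) in net for net in CORP_NETS):
        flag(1, f"off-network source {ev.src_ip}")
    start, end = base.work_hours_utc
    if not start <= ev.time.hour < end:
        flag(1, f"outside work hours ({ev.time:%H:%M} UTC)")
    if ev.rows_requested > 10 * base.typical_rows_per_day:
        flag(4, f"bulk request of {ev.rows_requested} rows vs ~{base.typical_rows_per_day}/day")
    if ev.resource in SENSITIVE_RESOURCES and not ev.mfa_satisfied:
        flag(2, f"sensitive resource {ev.resource} without MFA")
    return risk, reasons


def decide(ev: AccessEvent, base: Baseline):
    """Map the risk score to an enforcement action: allow, step-up (re-auth with MFA), or deny.
    Thresholds are assumptions for the example."""
    risk, reasons = score_event(ev, base)
    if risk >= 6:
        return "deny", risk, reasons
    if risk >= 3:
        return "step-up", risk, reasons
    return "allow", risk, reasons


# Constructed baseline for the hypothetical user "pat" (accounting, US, 9-6 Eastern).
PAT = Baseline("pat", frozenset({"LT-PAT-01"}), frozenset({"US"}), (13, 22), 200)

# Constructed sample events; IPs are from documentation ranges.
NORMAL = AccessEvent("pat", "LT-PAT-01", True, "10.20.30.40", "US",
                     datetime(2021, 3, 15, 15, 0, tzinfo=timezone.utc),
                     "customer_db", 150, True)
HOME_DEVICE = AccessEvent("pat", "LT-PAT-HOME", True, "198.51.100.7", "US",
                          datetime(2021, 3, 15, 14, 0, tzinfo=timezone.utc),
                          "customer_db", 50, True)
STOLEN_CREDS = AccessEvent("pat", "WS-7F3A", False, "203.0.113.50", "NL",
                           datetime(2021, 3, 16, 3, 12, tzinfo=timezone.utc),
                           "customer_db", 2_400_000, False)

if __name__ == "__main__":
    for ev in (NORMAL, HOME_DEVICE, STOLEN_CREDS):
        action, risk, why = decide(ev, PAT)
        print(f"{action:8} risk={risk:2}  {'; '.join(why) or 'no anomalies'}")
```

The point of the layout is that no single signal decides: Pat's real login from an unfamiliar home laptop is merely pushed to re-authentication, while the stolen-credential session accumulates points from the unknown, unhealthy device, the foreign source, the hour, and above all the request for the whole customer table, and is denied outright. The bulk-volume check is what catches the scenario in the text even when every other signal looks normal.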
No Easy Solutions
Knowing the solution doesn’t mean these things are easily done. Practical obstacles—including limited resources and skill shortages—will limit how fast organizations can move. Cloud computing has helped somewhat, with zero-trust options available on major cloud platforms, but they still require skilled personnel to implement the solutions properly. Then there are architectural challenges. Most of today’s networks developed organically over years or decades. Rapid turnover in technology jobs means those who built critical networks or applications may have left long ago. Significant architectural changes don’t happen overnight—and when they do, that can lead to other problems.
These are long-term solutions that will take time to implement. But organizations should still develop plans and take deliberate actions to implement them. This will require investment and top-level support. While they are doing this, government action can help. Legislation should encourage organizations to investigate, document, and share information about incidents without fear that those results will be unreasonably used against the organization. This will improve information sharing, which will in turn improve assessments and collective defense. And federal legislation should provide a limited liability shield to organizations engaged in interstate commerce that have taken reasonable steps to implement security measures. This will incentivize organizations to take action while ensuring that those falling clearly below the bar may be held accountable.