How to Respond to a Supply Chain Attack

In late December, software company SolarWinds became aware of a supply chain attack on one of its software systems. The attackers added malware to signed versions of the supplier’s software, which was then used to infiltrate 18,000 private government and private organizations. The malware became active once deployed in the target environment. 

Peter Firstbrook, Gartner VP Analyst, and Jeremy D'Hoinne, Gartner VP Analyst, say that although these types of attacks are a reality, organizations are often unprepared to respond to cybersecurity attacks. We spoke with the analysts to discuss the nature of supply chain attacks and how security and risk teams can prepare for them.

Learn more: Supply Chain Planning — Your Strategic Guide to What, Why and How

What is a supply chain attack?

A supply chain attack is when goods, services or technology supplied by a vendor to a customer have been breached and compromised, which introduces a risk to the customer base. The risk to an organization will vary.

Read more: 6 Ways to Defend Against a Ransomware Attack

There are various examples of supply chain attacks, such as using a compromised email account from a supplier for social engineering or to increase the probability of a malware infection by sending it from a supplier’s email address. More elaborate attacks can compromise a supplier’s network and use its privileged access to infiltrate the target network. The most sophisticated attacks, including the SolarWinds attack, involve modifying trusted software tools. 

How do you detect this type of attack and the extent of the damage? 

It’s a short question with a very long answer. The biggest challenge is that supply chain attacks are utilized by advanced adversaries, often using new techniques and tools that are difficult to detect. In addition, anomaly detection is an imprecise art and can trigger too many alerts for security teams to address. Scaling the security operation team to respond to alerts and thus reduce detection time remains a challenge.

Supply chain attacks expand the scope further. In addition to what’s under the direct control of the organizations, security teams must:

• Inventory and monitor the third-party tools the organization uses, and learn about vulnerabilities and disclosed breaches
• Monitor remote access granted to suppliers, restrict it and strengthen it with additional layers such as multifactor authentication. 
• Monitor third-party providers that have access to corporate resources. 

Supply chain attacks might leverage multiple attack techniques. Specialized anomaly detection technologies, including endpoint detection and response (EDR), network detection and response (NDR) and user behavior analytics (UBA) can complement the broader scope covered by security analytics on centralized log management/SIEM tools. 

Read more: Gartner Top 10 Security Projects for 2020-2021

The primary target of advanced adversaries is authenticated access, which enables them to blend into normal activities. This means identity infrastructure hygiene, multifactor authentication and continuous monitoring are key defenses. Additionally, network segmentation can limit the damage of undetected attacks by making it harder to get to higher-value corporate resources.  

How should organizations respond to a supply chain attack?

Incident response playbooks for supply chain attacks are similar to any incident response, but with different time horizons to consider. The first step is the incident response workflow. This includes tracking down the extent of the compromise with a forensic analysis and restoring normal operations. For this, access to the relevant information is critical.

In the absence of internal investigation resources, or when anticipating a critical breach, organizations should engage incident response services.

Longer term, acknowledging that anyone can be breached and that there is no inside vs outside of the network (i.e., zero trust), security teams should adapt their security and risk management roadmaps to better reflect supply chain attack exposure.  

“Emerging breach and attack simulation tools can be used to continuously explore inside the network attack scenarios”

Organizations that have determined that they are not impacted by a high-profile supply chain attack should take the opportunity to test “what if” scenarios by assuming they were impacted, what mitigations or security defenses would have provided effective containment and what would not. This type of analysis may change thinking about security priorities and procedures. 

Keep in mind that this particular attack was discovered by an alert security operator wondering why an employee wanted a second phone registered for multifactor authentication. This would imply that the attacker was aiming to leverage identity, and specifically MFA as an attack vector. As such successful security organizations must scrutinize identity onboarding procedures, which includes the registration of new devices for MFA usage security procedures. 

Emerging breach and attack simulation tools can be used to continuously explore inside the network attack scenarios and implications, as well as test security defenses.  

What specific concerns have security professionals been raising since the attack?  

We received a broad set of inquiries mixing traditional post-breach questions, typically aimed at understanding the scope and direct consequences of a specific attack along with an additional set of questions related to the impact of using the compromised supplier’s product, and how to adapt to this situation. 

This seems like a good time for organizations to review security and risk plans. Where should they focus? 

It is important to avoid ad hoc responses that might be too specific and not the most preferable move to improve security overall. A broad review helps put recent events in a broader, more balanced context. The review should not be limited to preventative controls, but should also include anomaly detection and incident response. Frameworks such as Breach and Attack (BAS) can help formalize the initial review and tools, and also aid in the automation of the assessment.