Cybersecurity is hard - even once you have a grasp on the concepts and tools available, there are numerous issues that plague security teams worldwide. From users bringing unauthorized devices on the network to a lack of personnel to manage the never-ending list of logs and alerts, there is so much to track that it is no surprise we find ourselves constantly watching organizations get breached. The newest trend of cyber attacks, the difficult-to-detect supply chain attack, shows us that even if we effectively locked down our own organization it wouldn’t be good enough.
Even if your organization’s cybersecurity posture is very strong, what about those in your supply chain? An organization’s supply chain consists of any vendors that have products or services that are used within the organization. Either out of necessity or efficiency most organizations have a supply chain that offloads a burden so the organization can focus on their goals. Supply chain attacks (otherwise known as a third-party attack or a value-chain attack) attempt to gain access through third parties by first breaching their systems, then using your trust with the third party to access yours. This style of attack is both difficult to detect and highly devastating since there is a legitimate trusted source opening up the organization to vulnerability. Unfortunately, this means that its not good enough to be highly secure, you also need to worry about everyone you interact with.
Trojan vs Supply Chain Attack
To gain a better understanding of why supply chain attacks can be so devastating we can look at another widely used tactic, the Trojan horse (or simply a Trojan), and compare it to the Solarwinds hack as an example. There are numerous methods for a hacker to gain unauthorized access to networks and devices, such as using a Trojan. In the case of a Trojan, the hacker disguises malware in a legitimate way. This can be in the form of software that a user may want to install, or an attachment that the user downloads. A good antivirus program can catch malicious software that comes in the form of a Trojan and flag it for removal. Ultimately, because the software (generally) comes from an unverifiable source most security systems will know to pay special attention to it, especially when it exhibits suspicious behavior. Unfortunately, suspicious behavior is a much blurrier line when applications are from a verifiable legitimate source.
The reason a supply chain attack is so dangerous is because legitimate software is modified for malicious intent, and because the developers are verified there is a lesser chance that anti-virus programs will give it as much scrutiny. In the case of the Solarwinds hack, the attackers were able to breach Solarwinds and modify code related to the IT resource management system, Orion. Since Orion was already installed legitimately in so many organizations, it was not suspicious when an update was pushed from Solarwinds that unfortunately contained the malicious code. Once the systems were ‘patched’ with the new malicious code, the hackers were able to gain access to the networks at will.
How to Protect Yourself?
How do you prevent an attack that is delivered through legitimate software? Instead of choosing to never use third-party products or services, there are measures you can take to mitigate the risk of an attack, and reduce the negative effects of a breach if it takes place. Instead of aiming for perfect security, the goal should be to add as many layers to make it increasingly difficult to successfully perform the intended goal from a breach.
One method is to implement the Zero Trust architecture across your organization. We will post a more in-depth article detailing Zero Trust, but at an overview level its all about adding in additional authentication across an organization instead of always trusting that previously authenticated devices and users are who they say they are. Its best to remove the idea of a secured perimeter, and instead consider that an attacker may have already breached your network. Ensure that each device on the network gets reauthenticated over time. We at Phalanx also believe that Zero Trust should be taken down to the file level so that if a device is breached, the attack isn’t able to offload all the data on the device. Zero Trust data security protects against insider threats as well as outsider hacks since it takes away the assumption that just because someone has access to the data that they’re authorized to see that data. If a system is breached, then encryption for data at rest allows for an extra layer of provable security. Ultimately, this further reduces the negative impact from the breach, and is a proven way to enhance security without adding an additional burden to existing security personnel.
Another method is to create a trusted network of vendors. If a vendor’s software is going to be a critical part of your infrastructure, then you should determine if their security practices are up to the same standards that you would keep for your organization. If there are any certifications, such as having vendors that are Cybersecurity Maturity Model Certification (CMMC) or NIST SP 800-171 qualified, then you can have a standardized way to evaluate the potential organizations you’re opening yourself up to. This has the added benefit of keeping cybersecurity on the forefront of everyone’s minds. The nature of a supply chain attack targets inherent trust between organizations, so we should use that relationship to our benefit by adding our security to the conversation. The more organizations that are security conscious, the more difficult it will be to conduct attacks.
Phalanx can help if you need to add automatic encryption for your data-at-rest to implement Zero Trust at the more granular file level to enhance your endpoint security. Or, if your organization is looking to get CMMC qualified our data security platform enables you to easily check off 33 different controls, which will fast track you towards certification. With cyberattacks becoming more sophisticated every day, we need to not only reduce the chance of an attack, but reduce the effects of an attack with encryption.