Testifying before the a U.S. Senate committee in February, Kevin Mandia, president of U.S.-based cyber security firm FireEye, related how his firm had deconstructed the now-notorious SolarWinds supply chain attack that claimed some 18,000 victims, including a number of U.S. government departments.
The attackers, Mandia explained, had breached FireEye’s network through a code implant in its network management software, SolarWinds Orion. The hack was so well concealed that it took a team of 100 security analysts weeks of sifting through millions of lines of code to uncover the proverbial needle in the haystack.
Code implants of this type are a hallmark of supply chain attacks, which breach their targets by compromising a third party. Such attacks are highly complex and have been rare in comparison with widely publicized ransomware and denial of service (DOS) attacks.
What stunned the security community in this case were the attackers’ phenomenal resources and their willingness to play the long game. “The evolution of this sort of attack vector has been long in the making,” says Kevin Magee, Microsoft Canada’s chief security officer. “I think we’ve just been seeing it move to the next level over the last 12 to 18 months or so.”
Because SolarWinds is a popular tool that IT professionals use to monitor and manage entire networks, it was an ideal entry point to thousands of organizations, including the US Department of Treasury, Microsoft, and Cisco.
“You don’t deploy SolarWinds at the edge of your network,” says Charles Cooper, former cybersecurity consultant and owner-operator of Muskoka Hydrovac. “It’s deployed in the most trusted core of your network. So if it’s compromised, it now has visibility to everything else on the network.”
While the SolarWinds attack was among the most sophisticated in history, the method that originally alerted FireEye to an attack was not rocket science. In a routine check, an employee was asked if a phone just registered in his name was in fact his. When the answer was negative, the company knew there was an intruder.
Basic procedures such as these are often the key to network security, according to experts. “The movies have made it out that cybersecurity is all about the brilliant hacker,” says Magee, “but it’s often just the basic hygiene and doing the basics that can provide you with the greatest protection.”
A key lesson from the attack is that technologies such as two-factor authentication or intrusion detection can be circumvented. “There’s no technology where you can say ‘technology XYZ will protect you against a supply chain attack,’” says Yogesh Shivhare, senior analyst, security and infrastructure for technology research firm IDC Canada. “It’s a combination of risk management best practices and cybersecurity choices that you make in your own environment.”
Many of these choices can have a direct impact on the business. “Governance is the issue to a great extent,” says Magee. “Often IT is not the right place to make the decisions. It’s really coming from the business – what are the most important and critical factors that we need to protect?”
Key decisions typically revolve around the three elements of the “CIA” triad, which is based on the acronym for confidentiality, or the restriction of access to qualified individuals; integrity, or the provenance of data; and availability, or the ease of accessing the data. The challenge is that there need to be trade-offs –
a popular rule of thumb is that you can have two, but not all three.
This makes for some tough choices for supply chain operators who depend on the free flow of data for efficient operations, yet will pay a high price if confidentiality or integrity are breached. Tighter authentication, for example, ensures high confidentiality by shutting out intruders, but also reduces availability by making it more difficult for authorized users to access data. Encryption renders data useless to an attacker, but also slows the flow of data significantly.
The risk of connectedness
In connected supply chains, the probability of being attacked, and the potential consequences, are amplified. “With global supply chains really integrated in complex ways, it becomes very difficult to understand the complexity in managing that availability, integrity, and confidentiality balance,” says Magee.
A company with customers in defence or aerospace, for example, could be vulnerable. “In a supply chain, if your organization is attacked you might not be the target,” says Magee. “Maybe its someone down the line of the supply chain that you supply parts to.”
Cost also figures into the trade-off equation. Cybersecurity tools are expensive to purchase and deploy, and internal processes can be costly to maintain. A company might, for example, have a policy whereby one individual downloads and installs a software update, and another who signs off on its integrity. This might help keep infected software off the network, but consumes time and resources.
Recently, many companies have found that the traditional compliance-based approach to security, which relies on assessments at particular points in time, is not sufficient. “Because supply chains flow, we need to start rethinking how we approach this,” says Magee. “So how can you secure the lifecycle of supply chain rather than the traditional ways of compliance, which are point-in-time checks?”
The need for a more thorough approach is leading many to consider a cybersecurity model called Zero Trust, which prescribes frequent checks and verifications based on the assumption that no user can be automatically trusted. These measures make it difficult for intruders to move laterally within a network even after they have gained access.
“Zero Trust basically states that any device or person requesting access to any resource is treated as an external connection and is run through a conditional access approach,” says Magee. “This not only works for remote workers connecting, but can also work for devices connecting into the organization, such as IoT devices.”
Keeping networks safe is not just about detection, it’s important to note, but response as well – protocols for notifying stakeholders, marshalling IT resources, and minimizing damage need to be firmly established and documented. “If you can detect threats faster but it takes you ages to respond to them, then there’s no point – the damage is already done,” says Shivhare. “Most of these attacks just take a few hours to do the damage.”
Reliance on partnerships
Perhaps the most important lesson from SolarWinds is that technology vendors are essentially supply chain partners, and have to be assessed with strategic requirements in mind. Companies, therefore, need to approach vendors with a clear set of security guidelines that apply both to the technology they acquire and their internal processes.
“I think it’s better that we first talk about what end users can do to protect themselves against IT supply chain attacks,” says Shivhare. “And then we can map out how vendors can demonstrate all those things that end users need them to do to help them protect against supply chain attack.”
The conversation, therefore, has to begin with risk assessment. Given the current threats, which risks are allowable and which are not? This can lead to some tough questions for vendors. Does a software vendor ‘harden’ its platform against hackers by submitting it to third-party penetration testing on a regular basis? Does it share data from these tests? What communication timetable does the company commit to when problems or breaches are discovered? The pursuit of questions such as these is time consuming, but may be essential.
Even when vendors have committed to exacting standards, many companies exercise extreme caution when it comes to installing software. Often, for example, a new release of a software package will be run under observation in a test environment before it goes live on the company network.
Data security guidelines should apply to supply chain partners as well as tech vendors. If exchanging files with a supplier, for example, it’s legitimate to ask how the supplier is keeping its own data from being compromised. Conversely, companies involved in supply chains need to be prepared to answer similar questions from suppliers and customers.
One common mistake is asking the tough questions only at the initiation of a relationship, and then letting the issue drop. What’s needed is a documented process for reviewing security related issues on a recurring basis.
All this can be daunting for smaller companies with limited resources. In such cases, establishing a partnership with a management service provider may be a viable option.
“A lot of companies think they should do everything in-house,” says Andrew Walsh, solution developer for Toronto-based managed service provider Quartet Service. “But there are many ways in which we’ve augmented the internal IT function. We have economies of scale and infrastructure that they just don’t have, and there are things that we can do better.”
A key advantage here is response capabilities, which would otherwise require significant time and effort to develop and maintain, and might otherwise be subject to neglect. “Our role is to ensure that the communication channels are there, that there’s an alerting process, and that we have a defined cyber incident response process,” says Walsh.
While cybersecurity involves new territory for many decision makers, relationship management is a well-established discipline, particularly for companies already in complex supply chains. “It’s just common sense,” says Cooper. “Know who you’re dealing with, have a policy and process, and then have the discipline and stick to it. You don’t need someone with an advanced degree to solve these issues.”