Guest post originally published on Magalix’s blog by Bhakti Pai Vaidya
The December 2020 “supply chain attack” against SolarWinds® is considered a landmark event in cybersecurity circles. This attack, resulting from security gaps in SolarWinds’ Orion software, allowed hackers to compromise the systems of hundreds of companies worldwide.
Earlier, in 2017, hackers perpetrated the “NotPetya” supply chain attack. By planting a “backdoor” in widely-used accounting software, they were able to infect the systems of hundreds of companies and steal their data. Over the years, hackers have launched supply chain attacks by attacking PDF editor applications, third-party data aggregators, and even HVAC service vendors (the infamous Target attack of 2014).
To protect themselves from such attacks, organizations must look past the traditional, risky “trust but verify” approach of network security. Instead, they must adopt a more robust and reliable “never trust, always verify” security approach. And this is what Zero Trust is all about.
The Risk of Supply Chain Attacks
Over the past few decades, global supply chains have become increasingly interconnected and complex. Today’s organizations depend on other third parties to streamline operations, save costs, and achieve economies of scale. These benefits notwithstanding, these third parties also leave organizations vulnerable to supply chain attacks.
Many such attacks, such as SolarWinds, stem from compromised software or hardware. By adding malicious code to a vendor’s trusted software, threat actors can simultaneously attack all of the vendor’s client organizations. The risk of such attacks also increases due to data leaks at the vendor’s end, their use of Internet-connected devices, and their reliance on the cloud to store data.
To prevent such attacks, organizations should take supply chain security more seriously. They must also assume that no user or third party can be trusted, and adopt Zero Trust security.
What is Zero Trust?
Traditional IT security has rarely considered “insiders”, including third-party vendors, as potential cyber threats. Between 2018 and 2020, the number of insider incidents increased by 47%, showing that this thinking is not only erroneous but also dangerous. It’s critical to acknowledge that insider threats exist and to take steps to mitigate them. Here’s where Zero Trust comes in.
Zero Trust means that organizations should not automatically trust anything or anyone trying to access their network, systems, applications or data. This principle of never trust, always verify is one of the cornerstones of Zero Trust. It suggests that every user and device should be treated as a potential threat, and their identity and access level should always be verified before they’re allowed access.
How Zero Trust Works
Zero Trust relies on a few key principles to boost enterprise network security. One, it assumes that a threat can come from anywhere, both inside and outside. In addition, Zero Trust leverages the “Principle of Least Privilege” (PoLP), where every user or device is only given the bare minimum access permissions needed to perform its intended function. By controlling the access level and type, PoLP reduces the cyber attack surface and prevents supply chain attacks.
Zero Trust also strengthens enterprise security through micro-segmentation. This method of creating smaller segments around IT assets also helps reduce the attack surface. It also supports the implementation of granular policy controls to protect the organization from breaches and restrict the lateral movement of attackers.
How Zero Trust Can Prevent Supply Chain Attacks
A report by the European Union Agency for Cybersecurity (ENISA) predicts that there will be four times more software supply chain attacks in 2021 compared to 2020. This is why ENISA suggests that organizations must implement “new protective methods that incorporate suppliers”. Zero Trust is one such effective method. It can prevent supply chain attacks in 4 key ways:
1- Securing The Provider
Software supply chain attacks take advantage of third-party providers with poor security practices. If the provider implements Zero Trust, the probability that an attacker might gain access to their network or move laterally through it – which is what happened with the SolarWinds attack – is greatly reduced.
Ideally, providers should implement robust Zero Trust by combining multiple tools and technologies, such as multi-factor authentication (MFA), identity and access management (IAM), identity protection, endpoint security, data encryption, and email security. Customer organizations should further strengthen their own networks with micro-segmentation, least privilege controls, and endpoint security.
2- Limiting Vendor Permissions
By implementing Zero Trust and limiting third-party users’ access to their network, organizations can minimize cybersecurity risk and prevent supply chain attacks. For this, they must apply advanced security controls such as MFA and credential vaulting. Credential vaulting allows vendors to log in to customer systems while protecting credentials, maintaining internal network security, and preventing inadvertent or malicious customer network intrusions from the vendor’s end.
It’s also important to implement Vendor Least Privileged Access Management (VPAM) technology. VPAM gives vendors the granular least privilege that Zero Trust embodies, and ensures that they can access only the applications they need to function.
3- Monitoring External Software
Software supply chain attacks usually target the vendor software’s source code, update mechanisms, or build processes. The SolarWinds Orion attack is one such example. In some cases, attackers take advantage of zero-day vulnerabilities, i.e. vulnerabilities that the software vendor knows about, but has not yet developed a patch to fix the flaws. This is what happened with the supply chain attack on the Accellion File Transfer Appliance (FTA). In February 2021, nearly 100 organizations worldwide experienced data breaches due to 4 zero-day vulnerabilities in Accellion’s FTA. Ironically, such third-party software is commonly overlooked as a potential source of third-party risk. This is a dangerous mistake, as the victims of both attacks realized later.
Before onboarding any software vendor, organizations must conduct a thorough assessment of the vendor’s security processes during the software development lifecycle. It’s vital to implement strong controls to prevent threat actors from introducing malicious code into this software.
Every organization that uses third-party software assets must continuously monitor and control its access. They should implement MFA, granular controls, and Zero Trust policies that specify the criteria for authorized users, and which software resources they can access. All these actions can limit the impact of compromise via external software.
4- Preventing Lateral Movement
In supply chain attacks, the initial attack vector is rarely the attacker’s final objective. Almost always, attackers are looking to gain access to other parts of the victim organization’s network by moving laterally across it. Sometimes, their goal is to corrupt targeted systems or steal data. The Target and SolarWinds attacks are both examples of supply chain attacks aimed at facilitating lateral movement across the victim’s network. Implementing Zero Trust can prevent attackers from moving laterally through the network and causing more damage.
Zero Trust considers trust as a vulnerability or weakness. To eliminate this weakness, it focuses on continually identifying and authenticating every user, identity and device before granting them access. It also cloaks the organization’s network to limit its visibility and prevent threat actors from moving laterally across it. With Zero Trust, organizations can also protect their networks from remote service session hijacks, limit the ability of threat actors to access resources, and prevent them from installing malware.
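To show how the controls from points 2 through 4 combine into a single “never trust, always verify” decision, here is an added example of a minimal policy decision point; it is not code from the original post or from Magalix. It is deny-by-default, requires MFA and a managed device, scopes each vendor account to the applications it has been granted (the VPAM-style least privilege described above), and uses a micro-segmentation map to refuse flows that would amount to lateral movement. All vendor names, application names and segment names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

@dataclass(frozen=True)
class AccessRequest:
    principal: str          # who is asking (constructed names below)
    principal_type: str     # "employee" or "vendor"
    mfa_verified: bool      # identity was verified with MFA for this session
    device_managed: bool    # device identity is known and in a managed state
    source_segment: str     # micro-segment the request originates from
    target_app: str         # application being accessed
    target_segment: str     # micro-segment that hosts the application

# Constructed least-privilege grants: each vendor may reach only the apps it needs.
VENDOR_GRANTS: Dict[str, Set[str]] = {
    "hvac-vendor": {"building-mgmt"},
    "monitoring-vendor": {"monitoring-console"},
}

# Constructed micro-segmentation map: which segments may initiate flows to which.
ALLOWED_FLOWS: Dict[str, Set[str]] = {
    "vendor-dmz": {"vendor-dmz", "ot-net"},
    "corp": {"corp", "apps"},
    "apps": {"apps"},
}

def decide(req: AccessRequest,
           vendor_grants: Dict[str, Set[str]] = VENDOR_GRANTS,
           flows: Dict[str, Set[str]] = ALLOWED_FLOWS) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    if not req.mfa_verified:
        return False, "mfa-required"
    if not req.device_managed:
        return False, "unmanaged-device"
    # Segment check first: a flow the segmentation policy forbids is lateral movement,
    # regardless of who is asking.
    if req.target_segment not in flows.get(req.source_segment, set()):
        return False, "lateral-movement-blocked"
    if req.principal_type == "vendor":
        if req.target_app not in vendor_grants.get(req.principal, set()):
            return False, "outside-vendor-grant"
    elif req.principal_type != "employee":
        return False, "unknown-principal-type"
    return True, "allowed"

def denial_summary(requests: Iterable[AccessRequest]) -> Counter:
    """Count denial reasons, the signal a monitoring team would watch for a vendor
    account that keeps probing beyond its grant."""
    return Counter(reason for ok, reason in map(decide, requests) if not ok)
```

A real deployment would take the grant and segmentation tables from the IAM and network policy systems rather than from inline dictionaries, and would log every decision, not only denials.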
In addition to Zero Trust, Security-as-Code is a reliable way to secure cloud supply chains. With Magalix Security-as-Code, organizations can strengthen their cloud infrastructure with customizable policies, clear governance, and contextual visibility. They can codify cloud security, enforce it at every step, and continuously monitor their security posture to stay ahead of supply chain attackers.