What we need to learn from SolarWinds supply chain attack

December 2020 unveiled a major breach that was affecting big corporates as well as Government agencies. SolarWinds disclosed a security advisory outlining a recent malicious activity impacting SolarWinds Orion Platform resulting from a supply chain compromise. FireEye has published a report detailing the widespread campaign by a “highly evasive” actor gaining access to numerous public and private organizations around the world.

A hacker group known as, APT29(Cozy bear/Russian SVR), breached the treasury and commerce departments along with other U.S government agencies that are believed to have started in March 2020 by distributing trojonized updates to the software users. The attackers managed to modify an Orion platform plug-in that is distributed as part of the Orion platform update. The malware was deployed as an update from SolarWinds own servers and was digitally signed by a valid digital certificate bearing their name issued by Symantec. SolarWinds reported that up to 18,000 of its customers downloaded the software update that contained the malicious code.  Major firms like FireEye, Cisco, Microsoft, VMware, and US government agencies like the Department of Commerce, Treasury, National Institute of health, The Pentagon, Department of State, among others. have been affected by this breach.

With this high-profile breach, supply chain attacks have drawn more attention than earlier. An organization cannot work in silos and they depend on many third parties for subscribing services or assets. Cyber attackers target this supply chain where they exploit a less-secure element to gain access to a secured high-value target. Global supply chains are adopting digitized management systems and some of them may be prone to cyber-attacks. Hence to mitigate the risk of supply chain attacks, organizations need to maintain thorough diligence all through the process.

Let us discuss some best practices here.

1. Review third party products

Any organization planning to purchase a third-party product will need to evaluate the product, understand the reviews from current users -inbuilt security features as well the security certifications obtained by the product. With any new features in the roadmap, the product should also have a schedule for upcoming security reviews. Any vulnerability in the new features can contribute to a breach. After the installation of third-party products, threat hunting activities need to be conducted to identify any vulnerabilities and fix them early on.

2. Evaluate third parties for security standards

While procurement departments get involved in the purchase of software or services, and the Cyber Security team needs to be active throughout the process for a thorough evaluation of all the third parties involved. Self-Assessments, Audits, and Cyber Insurance must be made mandatory and a pre-requisite to be considered for contracts. Cyber practices of the third parties need to be given weightage similar to those of the technical and commercial proposals that they have submitted.

3. Restrict the use of unapproved free software

Employees often install unapproved free software for file-sharing, shortcut keys etcetera to easily do their day-to-day activities. The IT team must restrict employees from such downloads and even using USB or CDs to install the software. Periodic awareness training for employees would also be helpful.

4. Periodic review of vendor behavior within the network

Once a vendor is contracted and given access to the network for executing a project, their behavior needs to be monitored on a periodic basis to spot anomalies if any. Individual Confidentiality Declarations for all the external personnel may be imposed. If they are allowed to bring their own device for work, then that needs to comply with the organization’s security standards. It can only be allowed once the IT team reviews the devices and approves them. Review of their access to sensitive data during the contract period and revoke of access after the contract termination need to be ensured.

5. Secure all devices

The asset register must have all the asset details along with their endpoint security as well as the renewal date. The device of an employee during a sabbatical might not be properly updated and once the person is back to work this can create a weak link to cause an attack. IoT devices if in use needs to be secured as they are known for being vulnerable to attacks. There should be strict adherence to changing default passwords after installation of any new devices and periodic change of password must be enforced. Precautions need to be taken for cloud-connected devices as well.

Conclusion

As we are aware, Cybersecurity is not a one-time exercise. As threats and vulnerabilities evolve, technology needs to be updated and patched. Hence it is important to establish a process for continuous monitoring within an organization and also to enforce third parties to conduct and report on regular checks of their own systems too. This will help to keep supply chain attacks at a bay to a great extent.

Talk to our cybersecurity experts to learn more on how to better safeguard your critical assets against security threats or how to develop a strong security strategy?