The SolarWinds supply chain hack has really thrown organizations and businesses of all sorts for a loop! The scale, complexity, duration and effectiveness of the attack was awesome, and it is not over yet. On top of that, other supply chain attacks may even now be underway with all of us none the wiser. The problem lies in protecting ourselves from such attacks in the future. This, however, is a thorny problem.
Supply chain applications are designed for things like easy interoperability, connectivity and ease of use, just like the original code for what became the Internet was designed; functionality and user friendliness are the primary considerations in such applications. With these kinds of functions build into the chain, security problems are inevitable. People in the industry have known this for some time and have forwarded warnings about the vulnerabilities in the supply chain. NIST began to develop their cyber supply chain risk management (C-SCRM) program in 2008. They released a draft of NISTIR 8276: Key Practices in Cyber Supply Chain Risk Management in February of 2020.
This risk management paradigm was developed with input from across a number of organizations and disciplines, and was open for comment from early February to early March last year. This effort (in draft) produced eight practices that include:
- Integrate C-SCRM across the organization.
- Establish a formal program.
- Know and manage your critical suppliers.
- Understand your supply chain.
- Closely collaborate with your key suppliers.
- Include key suppliers in your resilience and improvement activities.
- Assess and monitor throughout supplier relationship.
- Plan for a full life cycle.
This seems like sound advice for the risk management part of the problem, although it will have to be tested in implementation. But what can you do now to help prepare yourself for supply chain attacks? One thing you can do is deconstruct a supply chain attack, see how it works and plan controls and procedures for thwarting the attack. In military terms, this would be called disrupting the kill chain.
There are several versions of cyber kill chain phases out there, but they all have much in common. The basic steps in a supply chain attack could include:
- Reconnaissance – Mapping your organization from personnel and business functions to examining your network, the protocols you use and the security measures you have in place.
- Intrusion – Leveraging flaws found during reconnaissance, using social engineering techniques or employing zero-days to gain access to the network.
- Exploitation – Exploiting vulnerabilities you found during the reconnaissance phase to implant malware or perform other tasks.
- Lateral Movement – Exploiting weaknesses in administrator password practices or system onboarding configuration practices to move to different systems across the network.
- Privilege Escalation – exploiting weaknesses in privileged access control, configuration control, etc. to elevate your privileges on the system.
- Finding the Gold – Accessing various systems to locate valuable information.
- Exfiltration of Data – Copying and removing all that juicy data from the system.
Of these steps in the kill chain, a couple stand out to me as the easiest for most organizations to control: lateral movement across the network and privilege escalation. For years we at MSI have been harping on the dangers of taking shortcuts when administering systems on the network. Attackers are often able to move laterally across a network because a group of systems all use a common administrative password. As big a pain as it can be, each system on a network should have a unique administrative password just like each user on the network should have unique access credentials.
Another problem that allows lateral movement is system administrators using the same password for simple network access and for administrative access. If an attacker can compromise a user system and crack the password hashes, there is a good chance that they can identify and use one of these passwords to gain admin-level access on the network’
Finally, privileged access to the system is the key attackers need to fully compromise the system and exfiltrate data. There cannot be too many precautions you can take when it comes to allocating and monitoring privileged access to the system! You should employ heuristics to identify odd behavior or odd time of system access for privileged users. Addition of a new privileged user to the system should generate alerts. All privileged access and use of the system should be logged and monitored. If you are really serious about protecting your system, you may want to implement dual controls for certain privileged user functions. These are just a few of the controls that could be implemented. My advice is to do a risk assessment, determine where your vulnerabilities may lie and design and implement controls that disrupt the cyber kill chain in a way that work for you.