Imagine if everyone with a smart lock on their front door had to assume it had been compromised and thieves could sneak in for several months. How would you begin to figure out what’s missing? What if they copied your keys or your hard drives?
This is the position thousands of organizations affected by the SolarWinds supply chain attack are in right now. They’re frantically hunting for signs of compromise or setting fire to their infrastructure to be (mostly) certain the stealthy threat actor is purged from their network.
The Third Shoe Dropped
From a security perspective, this attack feels like the inevitable ending to a terrible year. In the early months of 2020, we worried about ransomware attacks that threatened the availability of data and infrastructure as they disrupted governments, schools and hospitals. Next, we worried about confidentiality as attackers threatened to leak sensitive information unless they received millions in cryptocurrency. Now, we worry about code and data integrity. By tampering with widely distributed source code, attackers inserted a backdoor into almost 18,000 organizations.
Confidentiality, integrity and availability are the commonly accepted pillars of security, comprising what’s known by security pros as the “CIA triad.” It just wouldn’t be 2020 if we didn’t get dinged on all three — and we certainly saved the worst for last.
A software company must protect the integrity of its source code (and its distribution) like an airplane manufacturer guards its engine schematics, like your doctor protects your medical records, like your bank tracks your balance. Otherwise, planes fall out of the sky. Wrong organs get removed. Everyone’s a Powerball winner, and attackers get to do whatever they want. If we can’t trust those we do business with (our supply chain), we lose the foundation of our economy.
Now that cryptocurrency allows attackers to get paid anonymously across borders, cybercriminals have unprecedented motivation to learn and adopt new, profitable techniques. Attacks that were exclusive to governments just a couple of years ago are now commonplace. Most of the world’s most powerful hacking tools have been leaked. The same groups behind ransomware and malware like Maze, Emotet and Ryuk are surely going to copy the SolarWinds playbook, and these groups were wildly successful this year even without it.
One lesson we need to embed deep in our psyche is that no one is immune from cyberattacks. With enough time and motivation — even against the best defenses we can imagine — attackers can usually get what they’re after. Most often they’re after data — whether it’s to threaten its availability, confidentiality or integrity.
After nearly a year of accelerated digital transformation, we are more dependent on data and software, and more interdependent for its security, than ever. Many organizations may be tempted to take swift action.
Keep Supply Chain Risk In Context
Reacting swiftly is important; reacting correctly is just as critical. It will be easy for organizations to overprioritize supply chain attacks while overlooking more urgent exposures. For example, even though it might seem like a good idea for a minute, blocking security updates out of fear that they might introduce more malicious backdoors would do more harm than good. One look at the long list of security holes plugged every “Patch Tuesday” will tell you how vital software updates are.
One recent article suggests that “you are strongly encouraged to review the source code, if available, of any program you plan to run on your network.” While this may be possible for some organizations, it’s unrealistic for most. Even if the source code were available — which it usually isn’t — you’d be adding a crushing burden to your processes. It’d be like asking everyone who drove a new car off the lot to hire a mechanic to inspect their brakes when they got home, just in case there was a bad actor on the manufacturing line — a huge drain on time and money, and there aren’t enough mechanics.
What You Can Do
Make sure your response actually reduces risk (turning off security updates and patches won’t). Your supply chain is a part of your risk surface area, so it makes sense to choose reputable, responsive suppliers that adhere to security standards and best practices.
For most businesses, data is what’s most at risk — through the supply chain or any other vector. Data is rarely controlled as well as other assets, however. Organizations struggle to protect it against threat actors that are more common and far less sophisticated.
We see that far too many employees have access to data, and it is rarely monitored for abuse. This is incongruous with current security principles like least privilege and zero trust, where the idea is that no person, application or system should be able to do more than they need. Poor monitoring makes investigating incidents like these very difficult. One of the first questions we hear is, “Did they take any data?”
If you’ve identified and prioritized your important data and made sure nothing and no one has more access than they need, your risk surface area is much more manageable. To reduce risk further, you have to monitor how data is used to ensure those with access haven’t been compromised.
CISA called out the importance of behavioral modeling in its alert about this APT:
“Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyberthreat intelligence database.”
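As an added illustration of the check CISA describes (example code written for this page, not from the article or from CISA), the following Python scores access events against each account's and department's historical "normal duties". The account names, departments and resource names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample access log, one tuple per event: (account, department, resource).
# HISTORY stands in for the accounts' established "normal duties".
HISTORY = [
    ("alice", "HR", "hr_payroll_share"),
    ("alice", "HR", "hr_benefits_db"),
    ("bob", "HR", "hr_payroll_share"),
    ("carol", "SECOPS", "threat_intel_db"),
    ("carol", "SECOPS", "siem_console"),
    ("dave", "SECOPS", "threat_intel_db"),
]

def build_baselines(events):
    """Return (per-account, per-department) maps of the resources seen in history."""
    by_user, by_dept = defaultdict(set), defaultdict(set)
    for user, dept, resource in events:
        by_user[user].add(resource)
        by_dept[dept].add(resource)
    return by_user, by_dept

def flag_anomalies(events, by_user, by_dept):
    """Score each event by how far it sits from the actor's normal duties.

    Authentication has already succeeded (the token is valid), so the only
    signal is the gap between what this account usually does and what it did:
      - resource already in the account's own history      -> not reported
      - new for the account but routine for its department -> "low"
      - outside anything the department touches            -> "high"
    """
    findings = []
    for user, dept, resource in events:
        if resource in by_user.get(user, set()):
            continue
        severity = "low" if resource in by_dept.get(dept, set()) else "high"
        findings.append((user, resource, severity))
    return findings

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "HR", "hr_benefits_db"),    # routine for alice
    ("bob", "HR", "hr_benefits_db"),      # new for bob, routine for HR
    ("erin", "SECOPS", "siem_console"),   # account with no history, routine for SECOPS
    ("alice", "HR", "threat_intel_db"),   # the CISA example: HR account reading CTI data
]

if __name__ == "__main__":
    for user, resource, severity in flag_anomalies(NEW_EVENTS, *build_baselines(HISTORY)):
        print(f"[{severity}] {user} accessed {resource}")
```

In practice the baseline would be built from months of access logs rather than six lines, and the "high" findings are the ones an investigator answering "Did they take any data?" would look at first.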
With the amount of data that businesses create and share each day, they can’t analyze data for criticality, achieve least privilege or zero trust, or detect unusual behavior without sophisticated automation. Security staff is already stretched thin. Manual cleanup projects and endless investigations are unsustainable. Threat actors grow more skilled, motivated and patient. Most businesses are outgunned when it comes to defending against last year’s attackers — to ignore new ones would be so 2020.
The post 'What Every CEO Needs to Know About Supply Chain Cyberattacks', written by Yaki Faitelson, CEO of Varonis, was first published on Forbes.com.