Over the past few years, one type of cyber-attack has caused a lot of headaches for cybersecurity professionals: the supply chain attack. A supply chain attack occurs when a particular element of a company’s infrastructure supply chain, such as a third-party vendor, is targeted instead of the company’s network itself. A well-known example is the Solarwinds attack, in which the Solarwinds Orion platform, a tool used to manage IT infrastructure, pushed a software update to its users that included malicious code.
When the attack was detected in December 2020, Solarwinds Orion was in use at 425 of the Fortune 500 companies as well as at federal agencies such as the National Security Agency (NSA). More recently, identity and access management software firm Okta was the focus of a supply chain attack that is said to have impacted at least 366 of its customers (2.5% of its customer base).
On March 22nd, 2022, the hacking group Lapsus$ published screenshots online alleging that it had compromised Okta’s internal systems. Okta, like Solarwinds, sits at the core of the IT infrastructure of not just one company but hundreds or even thousands. Compromising such software providers therefore gives attackers access to multiple targets at once.
Here are six steps an IT security team can take to protect against supply chain attacks:
Multi-Factor Authentication – A cornerstone of a supply chain attack is exploiting escalated privilege. By enabling multi-factor authentication, a company can help protect against this type of exploit: even if user credentials and passwords are compromised, the attacker would still need a secondary authentication factor from the user in order to take over the account. Examples of multi-factor authentication include hardware security keys such as the YubiKey and the biometric fingerprint authentication offered by most smartphone manufacturers today.
Better Identity Access Management – Identity Access Management (IAM) was insufficient at the majority of the companies targeted in the Solarwinds attack. The attacker went to great lengths to avoid detection, such as issuing access tokens with a limited lifespan. IAM rules that monitor for access-token anomalies could have caught this activity earlier.
Web Portal for Vendors – To compartmentalise, companies should consider whether vendors need full network access or can operate from a web portal. A supply chain attack can propagate because the networks of many major companies have plugins into the same IT vendor infrastructure.
Collect Data Ahead of Time – A challenge faced by investigators of the Solarwinds incident was that some of the targeted networks had longer log retention periods than others. When this data is not retained, root cause analysis becomes much harder to perform.
Sensitive System Devices – For sensitive systems and servers, dedicated secure devices should be used specifically and only for the administration of those sensitive systems.
Invest in Penetration Testing and Threat Intelligence – The Okta and Solarwinds incidents highlighted that even top companies and government departments are unprepared to identify novel threats. Penetration testing can help build preparedness, and as a by-product it can also surface anomalous activity or gaps in the company’s cyber armour.
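As an added illustration of the access-token anomaly monitoring mentioned under Better Identity Access Management (example code written for this page, not from the original post or from any vendor product), the script below runs two simple rules over a constructed sample of token-issuance events: it flags tokens whose lifetime is far below the norm for their client application, and subjects that receive a burst of tokens within a short window. The field layout, the thresholds and the names svc-admin and orion-console are assumptions; real identity-provider logs would need a small adapter to this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample of token-issuance events (not real IdP log data).
# Fields: issued_at (ISO 8601), subject, client_app, token lifetime in seconds.
SAMPLE_EVENTS = [
    ("2020-12-01T08:00:00", "alice",     "orion-console", 3600),
    ("2020-12-01T08:05:00", "bob",       "orion-console", 3600),
    ("2020-12-01T08:10:00", "carol",     "orion-console", 3500),
    ("2020-12-01T08:40:00", "alice",     "orion-console", 3600),
    ("2020-12-01T09:00:00", "svc-admin", "orion-console", 120),   # unusually short-lived
    ("2020-12-01T09:01:30", "svc-admin", "orion-console", 90),    # and issued in a burst
    ("2020-12-01T09:02:45", "svc-admin", "orion-console", 110),
]

SHORT_LIFETIME_RATIO = 0.1           # assumed: flag tokens living < 10% of the app's median
BURST_COUNT = 3                      # assumed: flag BURST_COUNT or more tokens to one subject ...
BURST_WINDOW = timedelta(minutes=5)  # ... issued inside this window

def short_lifetime_findings(events):
    """Flag tokens far shorter-lived than the median for their client app (median resists a few outliers)."""
    by_app = defaultdict(list)
    for _, _, app, life in events:
        by_app[app].append(life)
    baseline = {app: median(lives) for app, lives in by_app.items()}
    return [(ts, subj, "short-lived token: %ds vs app median %ds" % (life, baseline[app]))
            for ts, subj, app, life in events
            if life < SHORT_LIFETIME_RATIO * baseline[app]]

def burst_findings(events):
    """Flag a subject that receives BURST_COUNT or more tokens inside BURST_WINDOW."""
    per_subject = defaultdict(list)
    for ts, subj, _, _ in events:
        per_subject[subj].append(datetime.fromisoformat(ts))
    findings = []
    for subj, times in per_subject.items():
        times.sort()  # sliding window over issuance times, oldest first
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                findings.append((times[i].isoformat(), subj,
                                 "%d tokens issued within %s" % (BURST_COUNT, BURST_WINDOW)))
                break  # one finding per subject is enough
    return findings

def analyse(events):
    """Run both rules; each finding is (timestamp, subject, reason)."""
    return short_lifetime_findings(events) + burst_findings(events)
```

Run on the sample, `analyse(SAMPLE_EVENTS)` reports the three short-lived svc-admin tokens and one burst for svc-admin, while the ordinary hour-long tokens for alice, bob and carol produce nothing.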
To learn more about cybersecurity, why not sign up for our Cybersecurity Fundamentals Diploma, starting on 27th April.
Robbie Noone
Cybersecurity Investigations Specialist, Tech Industry