Trustwave Blog

The Supply Chain is Only as Strong as its Weakest Link: How You Can Better Defend Against Third-Party Cyberattacks

Written by Dan Kaplan | Sep 19, 2018

A particularly unfair aspect of a maturing cybersecurity program is that even as your business makes strides to fortify its perimeter and deter resourceful attackers, a slip-up by one of your partners or suppliers could cost you all your gains.

Indeed, reports of growing numbers of breaches related to supply chain attacks have made the threat a top one for businesses, of which seven out of 10 admitted they don't hold their vendors to the same security accountability as they do themselves.

How does the saying go again? You are defined by the company you keep - and how well you keep it.

Or better yet: Though you may be wise, foolish friends will eventually destroy you.

Your adversaries are increasingly shifting their attention to the vendors and manufacturers on which you rely, with the understanding that they act as a brittle way station to the ultimate target: your corporate network (and potentially others that also work with that supplier or partner).

While few companies dismiss the risk posed by supply chain attacks, most operate with a certain level of trust when it comes to their third-party relationships - after all, everyone is on the same team - and they aren't sure they'll be able to improve their resilience in this area going forward. That's likely due to businesses like yours lacking the requisite experience, skills and technologies to handle the supply chain threat all on your own.

The supply chain covers a lot of ground and has been further transformed by cloud and Internet of Things (IoT) technologies. Stealing personal information that can be monetized is one motivation for attackers to target it. An expanding list of incidents has affected the retail industry, attributable to cyberthieves stealing login credentials from vendors (usually through phishing emails) that are then used to access the customer's point-of-sale systems. In other cases, your foes are going after those third-party companies with whom you share sensitive data, such as law firms, to plunder that information.

Miscreants may also look to the hardware supply chain as an optimal pathway toward intellectual property and proprietary data pilferage. For example, the health care vertical - which was recently the subject of targeted attacks designed for corporate espionage - must be wary of potentially life-saving medical instruments and other connected devices being tampered with during the manufacturing process.

But it is the poisoning of the software supply chain that may be the sneakiest and most deceitful. Attackers may infiltrate development servers or update mechanisms - as was the case with two recent high-profile strains of tainted code, malware hiding in CCleaner and the ransomware NotPetya - where they do their damage before anything is ever passed off to the public.

The vendors stand little chance of flagging this subversion, as the malicious code is inserted during the development process and takes advantage of lax security. And once it is passed to the end user, they have little hope of defending against the seemingly legitimate software because, although tainted, it has already been digitally signed and approved by the vendor, meaning it avoids detection by controls like application whitelisting. In other words, a business is trying to do the right thing - update its software or apply anti-virus protection - and it becomes an unsuspecting victim.
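The following is an added illustration, not code from the Trustwave post, of the point above: a vendor signature proves only that the vendor's pipeline signed the artifact, so code tainted before signing passes a signature-based allowlist, while a comparison against an independently rebuilt artifact (a reproducible build) does catch it. HMAC-SHA256 stands in for the vendor's code-signing key, and the artifacts, key and rebuild hash are constructed sample values.

```python
"""Why a valid vendor signature does not catch code tainted before signing.
HMAC-SHA256 is a stand-in for the vendor's code-signing key; every value
below is constructed for the illustration."""
import hashlib
import hmac

# Constructed stand-in for the signing key that lives inside the vendor's build pipeline.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

CLEAN_BUILD = b"installer v1.0: setup routine"
# The attacker altered the build server, so the pipeline signs this tainted
# output exactly as it would sign a clean one.
TAINTED_BUILD = b"installer v1.0: setup routine + unexpected extra code"


def vendor_sign(artifact: bytes) -> bytes:
    """Vendor build pipeline: signs whatever artifact it is handed."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, signature: bytes) -> bool:
    """Allowlisting-style check: was this artifact signed with the vendor key?"""
    return hmac.compare_digest(vendor_sign(artifact), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_update(artifact: bytes, signature: bytes, independent_rebuild_hash: str) -> dict:
    """Defender's check: require the vendor signature AND a match against the
    hash of an independent rebuild from the published source."""
    sig_ok = signature_valid(artifact, signature)
    rebuild_ok = hmac.compare_digest(sha256_hex(artifact), independent_rebuild_hash)
    return {"signature_ok": sig_ok, "matches_rebuild": rebuild_ok, "accept": sig_ok and rebuild_ok}


# Modelled: an independent party rebuilds the published (clean) source and
# records the resulting hash out of band.
INDEPENDENT_REBUILD_HASH = sha256_hex(CLEAN_BUILD)

if __name__ == "__main__":
    for label, build in (("clean", CLEAN_BUILD), ("tainted", TAINTED_BUILD)):
        print(label, check_update(build, vendor_sign(build), INDEPENDENT_REBUILD_HASH))
```

The tainted build reports signature_ok True but matches_rebuild False, which is the gap the signature check alone leaves open.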

You can see now why reducing supply chain risk has all of a sudden become a massive priority, one that has been further enabled by new mandates like the EU's General Data Protection Regulation and New York state's Department of Financial Services Cybersecurity Regulation building third-party security into their bylaws.

The good news is you don't have to be at the mercy of your partners, suppliers and contractors. Here are five steps you should take to help keep your vendor relationship trustworthy and fruitful.

1) Assess Vendor Risk

An integrated supply chain brings many advantages, including reduced costs, improved service and other hidden efficiencies. But you need to know what risks you are accepting when you engage in a third-party relationship, including the data you share with them and the security of your arrangement. Ask questions. It never hurts to go on site to vet your vendor in person. Then, help them address any vulnerabilities and gaps that were identified. If you're a smaller customer, however, you may find it hard to pull off that close an inspection and may have to take the vendor at their word. The good news is that some IT manufacturers on which companies are particularly dependent, like Microsoft, are transparent with their security and risk assessment documentation.

2) Establish an Agreement

The best way to assure your partners and suppliers take security seriously is by getting their promise in writing via a service-level agreement as part of your vendor contract. The SLA should define the security controls they must take (vulnerability scanning, pen testing, authentication, data handling, etc.), how you measure their adherence, and consequences they face if the provisions are not met (including what happens if the contract is terminated). How granular and strict you get with your policy requirements depends on your appetite for risk.

3) Audit and Test

Reviewing vendor code can help you learn about the robustness of a particular piece of software that a third party may be developing for your (and others') use. One thing we've learned from scanning thousands of applications is that almost all web apps have weaknesses, ranging from mostly harmless to potentially devastating, and all can and should be addressed.

4) Do the Basics Well

You may have the best intentions in requesting that your vendors become accountable for their security, but don't count on it being a 100 percent proposition. Continue to maintain your own defense posture to cover the areas where compromised vendors can hurt you: That means patching, following the principle of least privilege, segmenting your networks, securing remote access, implementing two-factor authentication and educating employees.

5) Monitor, Detect and Respond to Threats (Keying in on Your Endpoints)

Intruders have gotten very good at hiding their activities, so you need to counter that skill with greater visibility into what's happening on your network. Specifically, you need to zero in on your endpoints, which are the first place cybercriminals will set up camp if they breach your borders by way of a compromised third party. Shifting from a prevention-only mindset to one that embraces detection and response is more critical than ever. But monitoring for threat activity isn't easy. Most organizations lack the resources and intelligence to keep up with advanced threats on their own. If your business is less mature in this area, consider partnering with a managed security services provider to help amplify your capabilities, from event analysis/correlation and real-time visibility to threat hunting and disruption of attacker advances.

***

Remember, you have a right to choose your vendors. Be open to collaboration with them when you are discussing security and risk mitigation, but remain steadfast that the protection of your data is of top importance. If a third party does not agree with the criteria you set out to be met or with your vetting process, move on. It's hard enough to defend your own network - never mind engaging in a tug-of-war over somebody else's.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.