A supply chain attack is when cybercriminals breach your network by compromising an outside vendor or partner. Often, these attacks exploit a weak link in your trusted ecosystem of third-party software, hardware, and integrations. A hacker will, for example, use a compromised vendor service account (one that uses the same username and password across many different client systems) to infiltrate every client network in which that account holds privileged access on the vendor's behalf.
Several high-profile incidents like the SolarWinds attack and the Microsoft Exchange exploit illustrated how even the largest and most respected firms can introduce risk to your supply chain. In this post, we’ll use these examples to highlight the security challenges posed by supply chain attacks before providing supply chain security risk management best practices and solutions to protect your enterprise.
Supply chain security risk management challenges
→ SolarWinds attack uses trusted infrastructure monitoring software to compromise customer systems
In early 2020, an advanced persistent threat, a highly sophisticated group of hackers allegedly acting on behalf of a foreign state, infiltrated a SolarWinds update server. The hackers injected malicious code into new builds of SolarWinds’ Orion platform, which thousands of customers use to monitor their critical IT infrastructure. These infected updates were unknowingly pushed out to over 18,000 customers, creating 18,000 backdoors for hackers to exploit.
Once the compromised software was installed on target networks—including U.S. government agencies like the Department of Homeland Security and tech giants like Microsoft—attackers used these backdoors to steal identities and tokens to impersonate real users. Then, they were able to sidestep multi-factor authentication and spread laterally within affected networks, causing untold damage in their wake.
The full fallout and consequences of the SolarWinds attack are still unfolding more than two years later. This supply chain attack was devastating because the compromised software was the very tool customers used to monitor their network infrastructure. That means hackers had privileged access to the most sensitive, vulnerable, and critical systems on affected networks. In addition, the advanced persistent threat used sophisticated techniques to bypass MFA and impersonate authorized users, making it extraordinarily difficult to track and prevent their movements.
The SolarWinds attack proved a few critical things about supply chain security:
- The infected software contaminated customer systems without being caught, meaning intrusion prevention and anti-malware software weren’t advanced enough to detect the malicious code.
- The hackers were sophisticated enough to bypass MFA and other advanced authentication technologies, showing that these measures alone aren’t sufficient to prevent accounts from being compromised.
- The hackers were able to use those compromised accounts to freely move around on breached networks, illustrating the need for internal defenses and trust verification.
→ Microsoft Exchange attack exploits vulnerabilities on legacy on-premises systems
In early 2021, hackers used multiple zero-day exploits to attack the on-premises version of Microsoft Exchange. They compromised servers at over 30,000 organizations in the United States, accessing email accounts and installing web shell malware. They used this malware to remotely access server functions and jump to other connected systems. In addition, hackers could use compromised email accounts as conduits to infect other organizations. They would look for a high-value contact in a compromised account’s contact list (for example, an executive at a major financial firm) and then send phishing messages and infected attachments to that target, extending their reach even further.
One of the reasons this attack was so successful is that hackers targeted on-premises Exchange implementations on legacy systems. Many organizations that still use legacy Exchange servers are less technically savvy than those that jumped to the cloud. They may not have a large team of specialist admins and security engineers monitoring servers and applying regular updates to legacy systems. That made it easier for hackers to exploit unpatched vulnerabilities, and gave them more time to execute their endgame (infecting higher-value targets at connected organizations) before being detected.
So, what lessons have we learned from these two incidents, and how can we apply them to supply chain security risk management?
Supply chain security risk management best practices
These high-profile events illustrated a few key challenges:
- Many signature-based intrusion detection and security monitoring solutions aren’t sophisticated enough to detect zero-day exploits and novel malware.
- Cybercriminals can outsmart MFA and other advanced authentication methods, so they must be layered with other security controls.
- Organizations must not neglect internal defenses (including trust re-verification and network segmentation) because they’re crucial for preventing the spread of infections and compromised accounts.
- Organizations must have a plan for adequately monitoring, patching, and controlling legacy systems on their enterprise network.
Zero trust security
Zero trust security is a supply chain security risk management best practice due to its guiding principle of “never trust, always verify.” Zero trust creates a multi-layered defense of highly specific security policies and controls that focus on preventing breaches and limiting their damage once they’ve already occurred.
Next-generation firewalls (or NGFWs) use advanced machine learning and artificial intelligence technology to monitor network traffic for threats. Rather than relying on a signature database of known threats (which can’t account for zero-day exploits and novel malware), they use deep learning and other AI technology to analyze traffic with greater accuracy. NGFWs also enable network microsegmentation and may even include UEBA.
Microsegmentation is the zero trust practice of grouping systems and resources into small logical network segments. Microsegmentation allows you to create highly specific micro-perimeters of security policies and controls around each network segment. This ensures that all network resources are accounted for and adequately protected, and also allows you to reverify an account’s trust as they move from microsegment to microsegment.
User and Entity Behavior Analytics (or UEBA) technology monitors the behavior of entities (accounts, devices, applications, etc.) on your network. It uses machine learning to establish baselines of normal behavior, allowing it to analyze entity activity contextually in real time. If an account or device behaves suspiciously, UEBA can block access, alert security, and/or force that entity to re-establish trust before letting it access another microsegment.
Even if the malicious code injected into the SolarWinds Orion updates made it past your NGFW’s initial defenses, zero trust security tools and practices would limit the attacker’s movement inside your enterprise network. Microsegmentation, aided by technology such as UEBA, would force a compromised account to re-establish trust before accessing additional resources while alerting security personnel to a potential breach.
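To make the baseline-then-deviate logic of the UEBA and microsegmentation paragraphs above concrete, here is an added example (not code from the original post or from any vendor product) that learns which microsegments and hours each account normally uses from a constructed access log, then flags later events: an account crossing into a segment it has never used triggers re-verification, while a known segment at an unusual hour only raises an alert. The account name svc_orion, the segment names and the log format are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access events (not real logs). Days 1-2 are the learning window; on
# day 3 the hypothetical service account svc_orion reaches segments it never used, at 02:xx.
EVENTS = """\
2023-03-01T09:12:44Z user=svc_orion src=10.1.2.10 segment=monitoring
2023-03-01T10:30:11Z user=alice src=10.2.5.7 segment=workstations
2023-03-02T09:11:58Z user=svc_orion src=10.1.2.10 segment=monitoring
2023-03-03T02:41:09Z user=svc_orion src=10.1.2.10 segment=domain-controllers
2023-03-03T02:43:51Z user=svc_orion src=10.1.2.10 segment=finance-db
2023-03-03T09:15:20Z user=svc_orion src=10.1.2.10 segment=monitoring
2023-03-03T16:05:00Z user=alice src=10.2.5.7 segment=workstations
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=\S+ segment=(?P<segment>\S+)$")

def parse(text):
    """Turn each log line into a dict holding a datetime, the account and the segment."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events

def build_baseline(events, learn_until):
    """Per-account baseline: segments normally reached and hours normally active."""
    base = defaultdict(lambda: {"segments": set(), "hours": set()})
    for e in (e for e in events if e["ts"] < learn_until):
        base[e["user"]]["segments"].add(e["segment"])
        base[e["user"]]["hours"].add(e["ts"].hour)
    return base

def evaluate(events, baseline, learn_until):
    """Score post-baseline events; return (user, segment, decision) for each deviation."""
    findings = []
    for e in (e for e in events if e["ts"] >= learn_until):
        b = baseline.get(e["user"], {"segments": set(), "hours": set()})
        if e["segment"] not in b["segments"]:
            # crossing into a microsegment the account never used: force re-verification
            findings.append((e["user"], e["segment"], "reverify+alert"))
        elif e["ts"].hour not in b["hours"]:
            findings.append((e["user"], e["segment"], "alert"))  # known segment, odd hour
    return findings

def detect(text=EVENTS, learn_until=datetime(2023, 3, 3)):
    events = parse(text)
    return evaluate(events, build_baseline(events, learn_until), learn_until)
```

A real UEBA product would learn richer features (peer groups, volumes, source hosts) over a longer window, but the decision structure is the same: unseen segment means re-verify, mere time anomaly means alert and watch.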
Legacy modernization sounds scary and expensive, but it’s a critical process for securing on-premises and hybrid network environments. Obviously, the best-case scenario would be to replace your existing out-of-date hardware with newer systems or to migrate all your legacy services to the cloud, but that’s not realistic for many organizations. A more cost-effective way to modernize legacy systems is centralized infrastructure management, monitoring, and orchestration.
An infrastructure management platform that can hook into all your legacy, on-premises, data center, and cloud systems will help you ensure your entire architecture is always patched and secure. Your engineers won’t have to jump from box to box or switch between on-premises and cloud monitoring systems, increasing the efficiency with which they can maintain and control every piece of your infrastructure. Legacy modernization with unified infrastructure orchestration would have enabled engineers to patch on-premises Exchange vulnerabilities and detect the signs of a breach much faster.
Zero trust security and legacy modernization would have reduced the impact of these supply chain attacks and are critical for preventing similar events from occurring in the future. ZPE Systems can help you implement supply chain security risk management best practices through our Nodegrid family of secure infrastructure management solutions.
All Nodegrid hardware and software is protected by the Zero Trust Security Framework Foundation, with features like secure boot, geofencing, and up-to-date OS kernels and encryption modules. Nodegrid is vendor-neutral and supports integrations with your choice of NGFW and security software. Plus, Nodegrid supports legacy pinouts, so you can connect your on-premises infrastructure to the Nodegrid Manager or ZPE Cloud network orchestration solutions.
Learn how Nodegrid supports supply chain security risk management best practices.
Call 1-844-4ZPE-SYS or contact us to view a demo.