Why enterprises aren't properly addressing supply chain threats [Q&A]
Supply chain threats like the recent SolarWinds attack are becoming more of a concern as businesses are more reliant on smoothly functioning links with suppliers and customers.
A successful attack can have a devastating effect on an organization and its reputation, but by their very nature these are not easy threats to deal with.
We spoke to Gregory Cardiet, security engineering director, EMEA at cybersecurity company Vectra to find out more about what enterprises are missing when detecting and responding to these threats.
BN: Why are supply chain attacks such a problem?
GC: There are multiple types of attack. The ones that involve software vendors can provide directory information and track the environment without them knowing, because of the specific partnership.
Take the recent attacks: there's a piece of software that's been added into the SolarWinds software so that when it starts, it tries to reach out to a third-party website that is owned by a hacker group. Once the software reaches out to that kind of structure it scans and starts taking control and uploading some additional pieces of malware, and it will try multiple times. This is difficult for most organizations, which will provide software updates and packages maybe once a week or once a month. Once the hackers can get access, they can access companies as an insider.
BN: Is the current drive towards digital transformation initiatives leaving companies more open to this kind of attack?
GC: There were cases of this type of attack five, six, 10 years ago; it's not something new. What is a new indicator is how complex and sophisticated the attack is. We normally expect to have an acceleration of this type of attack because there is financial motivation behind them. If you think about it, though, you need to get into one of the major software vendors and bypass every single protection measure, every single detection measure, every single security process; being able to manage the complexity, time and energy that is required is extremely hard. But we are going to see an increase of that, because I expect state-sponsored groups to use these techniques in the future to get broad access to many, many organizations.
So the push to digital transformation is one potential vector of acceleration. But the complexity and sophistication of these attacks makes it very unlikely that we see them being broadly used by criminals trying to get some cryptocurrency. In many supply chain attacks there is no financial motive. The target is to get access to critical resources and gain intellectual property. It's going to be more targeted attacks that you're likely going to see the most.
BN: So these are more likely to be nation state-type attacks?
GC: The time and energy needed, bypassing these components at each stage, means it has to be very, very highly skilled people that have a lot of time and are not waiting for a return on investment.
Also these groups tend to give away some false clues, so they'll write some stuff in Chinese, some stuff in Russian, to make it look as if it's coming from somewhere else. They will write some poor English just to make you believe they're not native speakers. So it's very hard to know the attribution of the attack. When you're investing three to six months of engineering time you expect some sort of return on investment as an attacker. But in this case it's probably to get some sort of competitive advantage rather than money.
BN: Are attacks made easier by the COVID effect and the shift to remote working?
GC: I think it was about six years ago that Gartner predicted people will shift to zero trust networks, where you cannot rely on or truly trust any sort of endpoint anymore. You have to refocus your energy and effort into finding stuff by looking into what the user does, what the identity is, what is being done with the checkout, and what he's interested in.
We see, both on premises and in the cloud, some critical accounts being stolen and use of the Microsoft Azure configurations. We see a very clear shift; COVID is a catalyst for this transformation, and it's happened already. I think, if I have one takeaway, outside of these very sophisticated attacks we have a very different group of hackers that try to target these assets and the identity of users. This kind of leverage of cloud-based services like Azure Active Directory to get access to critical data will be happening more this year, no matter what you do. I expect to see the reuse of techniques by all sorts of groups.
BN: What sort of things can businesses be doing to ensure that they are as protected as they can be against this type of attack?
GC: What's needed is a very tight control of what software is doing inside the organization, so that the attacker won't be able to get into critical areas. But there is a shift that needs to happen at the vendor level too; the user needs to be asking the vendor: what is the policy, how do you scan code, and how do you ensure there is separation? That's the first thing.
The second thing: whenever you get hit, because eventually that will happen, right -- just to give you a perspective in terms of numbers, in 2020 more than 40 percent of companies had accounts stolen -- you really have to think about what happened during the attack. It's about the cloud identity and how you detect many activities in the cloud.
The big problem is that there is a lack of protection capabilities in terms of the Azure AD application. This is really one of the things that companies need to research: how do they secure their cloud plan? Not only providing protection like two-factor authentication and so on, but also detection when something goes wrong. How would you know? I think this is really a massive gap today. It's too new for most people to know that there is a threat, and until they experience it, it's not going to be addressed.
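The closing answer separates preventive controls (two-factor authentication) from detection, and asks "how would you know?" when an identity is abused in the cloud. As an added illustration that is not part of the interview or of any Vectra product, the following Python runs two simple rules over sign-in records shaped like Azure AD sign-in log entries: a successful sign-in from an IP that has just failed against several distinct accounts (a password spray that finally landed), and a successful sign-in without MFA from an IP the user has never used with MFA before. The records, field names, thresholds and window are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, reduced to the fields the rules need.
# Field names are an assumption for this example, not the Azure AD schema.
SIGNINS = [
    {"ts": "2021-02-01T08:00:00", "user": "alice@example.com", "ip": "203.0.113.5", "ok": True, "mfa": True},
    {"ts": "2021-02-01T08:01:00", "user": "bob@example.com", "ip": "203.0.113.5", "ok": True, "mfa": True},
    # one IP cycling through many accounts with failures, then a success
    {"ts": "2021-02-01T09:00:00", "user": "alice@example.com", "ip": "198.51.100.9", "ok": False, "mfa": False},
    {"ts": "2021-02-01T09:00:05", "user": "bob@example.com", "ip": "198.51.100.9", "ok": False, "mfa": False},
    {"ts": "2021-02-01T09:00:10", "user": "carol@example.com", "ip": "198.51.100.9", "ok": False, "mfa": False},
    {"ts": "2021-02-01T09:00:15", "user": "dave@example.com", "ip": "198.51.100.9", "ok": False, "mfa": False},
    {"ts": "2021-02-01T09:00:20", "user": "erin@example.com", "ip": "198.51.100.9", "ok": True, "mfa": False},
    # a normal MFA-backed sign-in from an IP the user has used before
    {"ts": "2021-02-01T10:00:00", "user": "alice@example.com", "ip": "203.0.113.5", "ok": True, "mfa": True},
]

# Example thresholds (assumptions): a spray is N distinct accounts failing
# from one IP inside the window before a success from that same IP.
SPRAY_DISTINCT_USERS = 4
SPRAY_WINDOW = timedelta(minutes=10)


def parse_ts(rec):
    return datetime.fromisoformat(rec["ts"])


def detect(signins):
    """Return a list of (rule, user, ip) alerts for the given records."""
    alerts = []
    failures = defaultdict(list)     # ip -> [(timestamp, user), ...]
    known_ips = defaultdict(set)     # user -> IPs with a prior MFA-backed success
    for rec in sorted(signins, key=parse_ts):
        ts = parse_ts(rec)
        if not rec["ok"]:
            failures[rec["ip"]].append((ts, rec["user"]))
            continue
        # Rule 1: success from an IP that just failed against many accounts.
        recent_users = {u for t, u in failures[rec["ip"]] if ts - t <= SPRAY_WINDOW}
        if len(recent_users) >= SPRAY_DISTINCT_USERS:
            alerts.append(("spray_success", rec["user"], rec["ip"]))
        # Rule 2: success without MFA from an IP this user never MFA'd from.
        if not rec["mfa"] and rec["ip"] not in known_ips[rec["user"]]:
            alerts.append(("no_mfa_new_ip", rec["user"], rec["ip"]))
        if rec["mfa"]:
            known_ips[rec["user"]].add(rec["ip"])
    return alerts


if __name__ == "__main__":
    for rule, user, ip in detect(SIGNINS):
        print(f"{rule}: {user} from {ip}")
```

Both rules fire on the same event here (erin's success from 198.51.100.9), which is the point: MFA enforcement would have blocked the first rule's case, but only logging and a detector answer the "how would you know?" question when MFA is absent, misconfigured, or bypassed.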