The SolarWinds Sunburst incident revealed that only taking care of your own organization is not enough. Threat actors will exploit any door open to them—including third-party supply chain attacks.
Third-party software vulnerabilities were initial threat vectors in 1 in every 6 malicious breaches, according to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2020. This figure is not just made up of attacks from open source, less secure software solutions. As in the case of Solarwinds, even the most mature or trusted vendor could be the source of an adversary’s wide-ranging attack.
The Ponemon Institute Cyber Risk Report from 2018 found that third-party supply chain risk was the second biggest concern for IT professionals. Security operators have no visibility into the operations of these suppliers, forcing them to respond to incidents that they have little control over.
Attackers realize they can improve their efficiency by moving their activities upstream. By infecting a single component they can compromise hundreds of organizations downstream. A 2020 report by Sonatype found that ‘next-gen’ supply chain attacks increased by 430%.
Addressing third-party supply chain cyber risk
– Assume you are already compromised and prove otherwise. Operationalizing this concept requires continuously assessing the entire network for evidence of compromise. Putting your network metadata to work is the best way to obtain this crucial visibility. Even if you have the best defenses, the adversary could still find a way in—such as through third-party software.
– Conduct a cybersecurity evaluation of your vendors. As part of your existing risk management strategy and vendor due-diligence, verify that your chosen vendors engage in sound cybersecurity practices. As a best practice, require your vendors to measure compromise in real time.
– Maintain a vendor base that adds value. Assess your stack of tools regularly and cull tools that do not add value. Each third-party vendor could represent an unnecessary risk.
– Keep software up to date. Diligently apply the most recent patches—especially for security software. There are numerous cases where large breaches were traced back to out-of-date software.
Supply Chain Attack Remediation in Action
In January 2020, a Lumu customer in the mining sector detected numerous contacts related to the Solarwinds Sunburst attack in the Lumu Portal. Thanks to Lumu’s Continuous Compromise Assessment, they were alerted to the incident in real time. The provided Compromise Context allowed them to monitor the attack’s frequency and distribution across their network at a glance. Related Resources pointed them to external guides and reporting on the incident for their cybersecurity operators to get up to speed.
Their SOC also saw the TTPs relevant to the incident in the automated MITRE ATT&CK Matrix right in the Lumu Portal. Therefore they could understand the mechanisms used by the attackers at each stage of their attack. Their operators easily found the source of the incident and closed the door to the attackers.
They pinpointed the affected machines (not pictured) and removed all remaining traces of the compromise, ensuring that the incident was dealt with before any harm was done.
This incident happened when news about SolarWinds and the Sunburst supply chain attack was already more than a month ‘old’. It highlights that it is not enough to hunt for the most talked-about threats or test the vulnerability of the moment. The key was that they were continuously assessing their network for evidence of all types of compromise.
If you would like to experience a taste of Continuous Compromise Assessment, we invite you to open a Lumu Free account. Lumu Insights goes further with remote agents, spam collection, and much more, providing the most comprehensive compromise visibility available today.