Supply Chain Risk: After the SolarWinds Incident

Supply chain risk in cybersecurity keeps increasing with threat actors exploiting third-party vulnerabilities. Here's how you can stop them.

The SolarWinds Sunburst incident revealed that only taking care of your own organization is not enough. Threat actors will exploit any door open to them—including third-party supply chain attacks.

Third-party software vulnerabilities were the initial threat vector in 1 in every 6 malicious breaches, according to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2020. This figure is not just made up of attacks through open source or less secure software solutions. As in the case of SolarWinds, even the most mature or trusted vendor can be the source of an adversary’s wide-ranging attack.

The Ponemon Institute Cyber Risk Report from 2018 found that third-party supply chain risk was the second biggest concern for IT professionals. Security operators have no visibility into the operations of these suppliers, forcing them to respond to incidents that they have little control over.

Attackers realize they can improve their efficiency by moving their activities upstream. By infecting a single component they can compromise hundreds of organizations downstream. A 2020 report by Sonatype found that ‘next-gen’ supply chain attacks increased by 430%.

Addressing third-party supply chain cyber risk

Assume you are already compromised and prove otherwise. Operationalizing this concept requires continuously assessing the entire network for evidence of compromise. Putting your network metadata to work is the best way to obtain this crucial visibility. Even if you have the best defenses, the adversary could still find a way in—such as through third-party software.

Conduct a cybersecurity evaluation of your vendors. As part of your existing risk management strategy and vendor due-diligence, verify that your chosen vendors engage in sound cybersecurity practices. As a best practice, require your vendors to measure compromise in real time.

Maintain a vendor base that adds value. Assess your stack of tools regularly and cull tools that do not add value. Each third-party vendor could represent an unnecessary risk.

Keep software up to date. Diligently apply the most recent patches, especially for security software. There are numerous cases where large breaches were traced back to out-of-date software.
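The first recommendation above, continuously assessing network metadata for evidence of compromise, is easy to state and less obvious to operationalize. The following is an added example (not Lumu’s code and not part of the original post) of the core of such a check: it parses a constructed DNS query log, matches each queried name against a list of known-bad domains on label boundaries (so a look-alike such as `notbad.example` does not match `bad.example`), and summarizes frequency per host and per indicator together with the first time each indicator was seen. The log lines and the indicator domains are constructed placeholders, not real indicators of compromise; in practice the indicator set would come from vendor or community threat intelligence.

```python
"""Continuous compromise assessment over DNS metadata (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder indicators; they stand in for a real IoC feed.
KNOWN_BAD_DOMAINS = {
    "malicious-update.example",
    "c2.placeholder-threat.example",
}

# Constructed DNS query log: "<timestamp> <client_ip> <query_name>".
# Includes mixed case, a trailing dot, a look-alike name and a malformed line.
SAMPLE_DNS_LOG = """\
2021-01-12T08:00:01Z 10.0.1.15 updates.vendor.example
2021-01-12T08:00:07Z 10.0.1.15 api.malicious-update.example
2021-01-12T08:01:10Z 10.0.1.22 MALICIOUS-UPDATE.EXAMPLE.
2021-01-12T08:02:30Z 10.0.1.15 api.malicious-update.example
2021-01-12T08:03:00Z 10.0.2.40 c2.placeholder-threat.example
2021-01-12T08:03:05Z 10.0.2.40 notmalicious-update.example
this line is garbage and must be skipped
2021-01-12T08:04:00Z 10.0.1.22 www.vendor.example
"""


@dataclass
class DnsRecord:
    timestamp: str
    client_ip: str
    qname: str


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def parse_dns_log(text: str) -> list[DnsRecord]:
    """Parse log lines; malformed lines are skipped, not fatal."""
    records: list[DnsRecord] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append(DnsRecord(ts, client, normalize_domain(qname)))
    return records


def matching_indicator(qname: str, indicators: set[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Matching walks label boundaries, so 'notbad.example' never matches
    'bad.example' the way a naive endswith() check would.
    """
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


@dataclass
class Assessment:
    total_records: int = 0
    hits: list[tuple[DnsRecord, str]] = field(default_factory=list)
    by_host: Counter = field(default_factory=Counter)        # distribution
    by_indicator: Counter = field(default_factory=Counter)   # frequency
    first_seen: dict[str, str] = field(default_factory=dict)


def assess(log_text: str, indicators: set[str]) -> Assessment:
    """Run every record against the indicator set and aggregate the evidence."""
    result = Assessment()
    for rec in parse_dns_log(log_text):
        result.total_records += 1
        hit = matching_indicator(rec.qname, indicators)
        if hit is None:
            continue
        result.hits.append((rec, hit))
        result.by_host[rec.client_ip] += 1
        result.by_indicator[hit] += 1
        # Log is in time order, so the first hit per indicator is first seen.
        result.first_seen.setdefault(hit, rec.timestamp)
    return result


if __name__ == "__main__":
    a = assess(SAMPLE_DNS_LOG, KNOWN_BAD_DOMAINS)
    print(f"{a.total_records} records, {len(a.hits)} contacts with known-bad domains")
    for ind, n in a.by_indicator.most_common():
        print(f"  {ind}: {n} contact(s), first seen {a.first_seen[ind]}")
    for host, n in a.by_host.most_common():
        print(f"  host {host}: {n} contact(s)")
```

Running it on the constructed log reports four contacts across three hosts and two indicators; the look-alike domain and the malformed line produce nothing. The per-host and per-indicator counters are the "frequency and distribution" view that lets an operator decide which machines to isolate first, and `first_seen` gives the starting point for the timeline an incident responder needs.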

Supply Chain Attack Remediation in Action

In January 2020, a Lumu customer in the mining sector detected numerous contacts related to the SolarWinds Sunburst attack in the Lumu Portal. Thanks to Lumu’s Continuous Compromise Assessment, they were alerted to the incident in real time. The provided Compromise Context allowed them to monitor the attack’s frequency and distribution across their network at a glance. Related Resources pointed them to external guides and reporting on the incident so their cybersecurity operators could get up to speed.

Screenshot of the Lumu Portal showing compromise context for a detected supply chain attack

Their SOC also saw the TTPs relevant to the incident in the automated MITRE ATT&CK Matrix right in the Lumu Portal, which let them understand the mechanisms used by the attackers at each stage of the attack. Their operators quickly found the source of the incident and closed the door to the attackers.

Screenshot of the Lumu Portal showing the automated MITRE ATT&CK Matrix for a detected supply chain attack

They pinpointed the affected machines (not pictured) and removed all remaining traces of the compromise, ensuring that the incident was dealt with before any harm was done.

This incident happened when news about SolarWinds and the Sunburst supply chain attack was already more than a month ‘old’. It highlights that it is not enough to hunt for the most talked-about threats or test the vulnerability of the moment. The key was that they were continuously assessing their network for evidence of all types of compromise.

If you would like to experience a taste of Continuous Compromise Assessment, we invite you to open a Lumu Free account. Lumu Insights goes further with remote agents, spam collection, and much more, providing the most comprehensive compromise visibility available today.
