Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers' security posture before establishing a partnership. In this first piece of a two-part feature on ransomware, ZDNet discusses the need for continuous review of all touchpoints across their supply chain, especially those involving critical systems and data.
Enterprises typically would give their third-party suppliers "the keys to their castle" after carrying out the usual checks on the vendor's track history and systems, according to Steve Turner, a New York-based Forrester analyst who focuses on security and risk.
They believed they had done their due diligence before establishing a relationship with the supplier, Turner said, but they failed to understand that they should be conducting reviews on a regular basis, especially with their critical systems suppliers.
"Anyone who has the keys to the castle, we should know them in and out and have ongoing reviews," he said in a video interview with ZDNet. "These are folks that are helping you generate revenue and, operationally, should be held accountable [to be] on the same level as your internal security posture."
Third-party suppliers should have the ability to deal with irregular activities in their systems and the appropriate security architecture in place to prevent any downstream effects, he added.
Capgemini's Southeast Asia head of cybersecurity Hamza Siddique noted that technical controls and policies established by third-party or supply chain partners did not always match up to their clients' capabilities.
This created another attack surface or easy target on the client's network and could lead to risks related to operations, compliance, and brand reputation, Siddique said in an email interview.
To better mitigate such risks, he said Capgemini recommends a third-party risk management strategy that pulls best practices from NIST and ISO standards. It encompasses, amongst others, the need to perform regular audits, plan for third-party incident response, and implement restricted and limited access mechanisms.
The consulting firm's service portfolio includes helping its clients build a strategy around detection and analysis as well as containment and recovery.
Turner urged the need for regular reassessments of third-party systems or, if this could not be carried out, for organisations to have in place tools and processes to safeguard themselves against any downstream attacks.
"There needs to be inherent security controls so if something goes off baseline, these can react to ensure [any potential breach] doesn't spread. A zero trust architecture delivers on that," he said. "Suppliers have an inherent trust relationship [with enterprises] and this needs to stop."
Steve Ledzian, FireEye Mandiant's CTO and Asia-Pacific vice president, acknowledged that it was challenging to prevent supply chain attacks because these looked to abuse an existing level of trust between organisations and their third-party vendors. However, he said there still were opportunities to detect and mitigate such threats since hackers would need to carry out other activities before launching a full attack.
For instance, after successfully breaching a network via a third-party vendor, they would need to map out the targeted organisation's network, identify the systems that held critical data, and figure out the privilege credentials they needed to steal to gain access, before they could move laterally within the network.
"Once the hacker is in your network, and you're in detection mode, you have the opportunity to identify and stop them before they are able to breach your data," Ledzian said in a video interview, stressing the importance of tools and services that enabled enterprises to quickly detect and respond to potential threats.
Their defence strategy against ransomware attacks also should look beyond simply purchasing products and into how systems were configured and architected. The main objective here was to bolster the organisation's resilience and ability to contain such attacks, he added.
Acronis' CISO Kevin Reed also noted that the majority of attacks today still were neither highly sophisticated nor zero-day attacks. Attackers typically needed time and effort after identifying a vulnerability to develop an exploit for it and to make it work successfully.
Reed said in a video interview that hackers usually would take several days to develop a workable exploit and this task was increasingly more difficult with modern software architectures.
"So it takes time to weaponise a vulnerability," he said, adding that even highly skilled hackers would take 72 hours to do so. This meant organisations should act quickly to plug any vulnerabilities or deploy patches before exploits were available.
He advocated the need for organisations to assess their suppliers' security posture, validating and cross-verifying that these third-party vendors had the right processes and systems in place.
This might be more challenging for small and midsize businesses (SMBs) that did not have the resources or expertise to do so, he noted. Reed added that these companies typically depended on their managed service providers to fulfil the responsibility.
Here, he underscored the need for managed service providers to step up, especially in the wake of the Kaseya attack.
Increased partnership between hackers a worrying trend
Ransomware attacks, though, may be primed to get more sophisticated and deployed more quickly in future, as they are no longer developed by a single hacker.
According to Ledzian, cyberattacks increasingly are broken down into different parts and delivered by different threat actors specialised in each piece of the attack. One might be tasked to build the malware, while other affiliates focused on reconnaissance and breaching a network and developing the exploit.
"When you have specialised skillsets, then each component is more competent," he cautioned.
Sherif El-Nabawi, CrowdStrike's Asia-Pacific Japan vice president of engineering, also highlighted the rise in teamwork amongst cybercriminals and emergence of ransomware-as-a-service.
Describing this as an alarming trend, El-Nabawi noted that five or six separate groups specialised in all aspects of a ransomware chain could band together, so a single group no longer needed to develop everything on its own.
Such partnerships could entice more threat actor groups to come into play and fuel the entire industry, he said.
Ledzian added that ransomware attacks also had evolved to become multi-faceted exploitation, with cybercriminals realising data theft would have a more severe impact on businesses than a service disruption.
Having data backups would no longer be sufficient in such instances, as attackers gained greater leverage over businesses concerned about threats to make public confidential data, he said.
According to CYFIRMA CEO and Chairman Kumar Ritesh, cybercriminals were moving their target towards young companies and large startups with access to large volumes of personal data, such as developers of "super apps" and mobile apps.
He further pointed to increasing focus on OT (operational technology) systems, such as oil and gas and automotive, as well as process manufacturing industries.
In particular, Ritesh told ZDNet that there was growing interest in autonomous and connected vehicles, which dashboards enabled users to access their smart home and Internet of Things (IoT) systems. Some of these systems, he noted, lacked basic security features with communication links between car and home systems left unsecured, and at risk of being exploited.
Cybercriminals also were shifting focus towards individuals and high-level influencers, such as employees working in their organisation's product research team or who had privileged credentials that gave them access to critical data and systems, he said.
With remote work now the norm amidst the global pandemic, he added that such risks were exacerbated as personal devices that were not adequately secured could be easily breached to give hackers access to a company's network and its intellectual property.