The far-reaching SolarWinds Orion attack has catapulted supply chain security vulnerabilities into the spotlight – particularly those involving the third-party software applications and hardware components that comprise much of today’s enterprise IT environments.
The attack, which has potentially impacted more than 18,000 organizations to date, stems from a compromise of third-party network management vendor SolarWinds’ Orion software. A sophisticated threat actor reportedly distributed malicious source code within an Orion software update – leveraging the very means by which organizations protect themselves against potential threats. This allowed the attacker to gain a foothold in victim organizations, steal and abuse legitimate identities and credentials, escalate privileges, move laterally and vertically to access valuable assets – and then maintain persistent access using the Golden SAML technique, never before seen in the wild.
The Evolution of Supply Chain Attacks
While the SolarWinds compromise is unprecedented in many ways, supply chain attacks are far from new. Attackers have long targeted third-party vendors across both digital and physical supply chains – from software and technology providers, to attorneys and consultants, to manufacturing and logistics companies – as backdoors to the networks of their enterprise or government business partners.
According to Bloomberg, the Cybersecurity and Infrastructure Security Agency (CISA) reported in 2019 that federal agencies faced about 180 different threats from the digital supply chain alone. And in recent months, the world has seen a surge in supply chain attacks targeting healthcare companies involved in COVID-19 vaccine development and delivery. Today, the SolarWinds supply chain attack shows us just how precisely targeted threat actors have become.
A Realistic Zero Trust Approach that Won’t Hamstring Supply Chain Operations
Working with numerous third-party vendors is an inevitable part of doing business, but it also creates security blind spots that can become dangerous. To protect themselves, many companies and government agencies are embracing Zero Trust models – in which they trust nothing and verify everything. But as vendor ecosystems grow in size and complexity, a hard and fast “trust nothing” strategy down the supply chain can quickly inhibit business operations and slow innovation. A successful security strategy must be both realistic and sustainable.
Shay Nahari, Head of CyberArk Red Team Services, outlines steps organizations can take to significantly reduce the impact of a potential supply chain attack in this Dark Reading article. Here are four takeaways based on his piece:
1. Protect Privileged Access. With dramatic cloud migrations underway, and the adoption of transformative digital technologies, privileged accounts and credentials represent one of the largest attack surfaces for organizations today. Identifying and managing privileged access is paramount to disrupting the attack chain – regardless of whether the attacker infiltrated the environment via the supply chain or by other means – and maximizing risk mitigation.
2. Embrace a Defense-In-Depth Approach. There is no silver bullet for cybersecurity, and no one vendor or tool can completely prevent an attack. An assume breach mindset calls for multiple layers of security, such as endpoint detection and response, next-gen antivirus, strong privileged access management and application and OS patching. But remember, cybersecurity is a journey, and it doesn’t have to happen all at once. A good starting point is to adopt a risk-based approach, investing first in the security controls that reduce the greatest amount of risk.
3. Consistently Enforce Least Privilege Everywhere. While breaches are inevitable, organizations can take steps to limit the blast radius of an attack by eliminating unnecessary privileges and permissions based on the principle of least privilege. Widespread adoption of public cloud services and SaaS applications has accelerated the need for least privilege controls in cloud environments. In fact, a recent ESG survey ranked overly permissive privileges as the most common attack vector against cloud applications. Strong least privilege enforcement can help prevent all identities, whether on-premises or in the cloud, from reaching sensitive targets.
4. Monitor for Privileged Credential Theft. As the SolarWinds attack shows, sophisticated attackers go to great lengths to hide their activity and avoid detection, and it can be extremely difficult to spot a supply chain infiltration. By monitoring privileged sessions, organizations can more easily spot suspicious behavior and patterns indicative of credential theft and better understand what critical assets are being targeted – enabling faster, more decisive response to protect the organization.
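One concrete form of the monitoring described in point 4, added here as an illustration and not code from the original post or from CyberArk: a forged Golden SAML assertion is signed with a stolen IdP signing key and never passes through the IdP, so a service-provider sign-in that has no matching IdP issuance event (or that reuses an assertion past its lifetime) is a signal worth alerting on. The log line formats, field names, users and timestamps below are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the original post). Assumed formats:
#   IdP token-issuance log: "<ts> idp_issued assertion=<id> user=<upn> ttl=<minutes>"
#   Service-provider log:   "<ts> sp_signin  assertion=<id> user=<upn>"
IDP_LOG = """\
2020-12-14T09:00:01Z idp_issued assertion=a1 user=alice@corp.example ttl=60
2020-12-14T09:05:22Z idp_issued assertion=a2 user=bob@corp.example ttl=60
"""
SP_LOG = """\
2020-12-14T09:00:03Z sp_signin assertion=a1 user=alice@corp.example
2020-12-14T09:05:25Z sp_signin assertion=a2 user=bob@corp.example
2020-12-14T11:42:10Z sp_signin assertion=z9 user=svc-backup@corp.example
2020-12-14T13:10:00Z sp_signin assertion=a1 user=alice@corp.example
"""

LINE = re.compile(r"(\S+) (\w+) assertion=(\S+) user=(\S+)(?: ttl=(\d+))?")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts, kind, aid, user, ttl = m.groups()
            yield {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                   "kind": kind, "assertion": aid, "user": user,
                   "ttl": int(ttl) if ttl else None}

def find_suspicious_assertions(idp_log, sp_log):
    """Return (assertion_id, user, reason) for SP sign-ins the IdP cannot vouch for."""
    issued = {e["assertion"]: e for e in parse(idp_log)}
    findings = []
    for s in parse(sp_log):
        iss = issued.get(s["assertion"])
        if iss is None:
            # Assertion accepted by the SP but never issued by the IdP: Golden SAML pattern
            findings.append((s["assertion"], s["user"], "no IdP issuance event"))
        elif iss["user"] != s["user"]:
            findings.append((s["assertion"], s["user"], "user mismatch"))
        elif s["ts"] > iss["ts"] + timedelta(minutes=iss["ttl"]):
            findings.append((s["assertion"], s["user"], "used after expiry"))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_assertions(IDP_LOG, SP_LOG):
        print("ALERT", *finding)
```

In practice the two feeds come from the federation server's token-issuance audit and the cloud application's sign-in log, and the correlation key is the assertion ID carried in both.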
The supply chain represents a critical attack vector; however, by leading with an “assume breach” mindset and securing access to sensitive data and systems, organizations can make it significantly more difficult for attackers to accomplish their end goals.
If you have been affected by the SolarWinds Orion attack, or if you’re currently focused on strengthening your organization’s security posture, learn how our free Privileged Access Management (PAM) Rapid Risk Assessment and Remediation Offer can help you minimize exposure to this breach, while laying the foundation for longer-term, proactive strategies to help prevent supply chain infiltration and privileged credential compromise to protect your organization today and into the future.