Researchers investigating a supply chain attack disclosed by 3CX in March found it had an unusual and alarming origin: another company's supply chain attack. With the root of the "Inception" attack further removed than expected, the 3CX scenario has rattled information security professionals, given the implications of just how far out of their control the security of their software may be — and the realization that doing everything right may, in some cases, not be enough in a world with so many interdependencies. An attack like this at scale might resemble a spreading virus, propagating from one point of origin and spreading from one connected community to the next. It's troubling to think just how deeply buried bad actors may lurk in your environment.

How It Came to This

The accelerating rate of digitization in recent years and an expanding threat landscape have outpaced the rate of talent development. The 2022 "Cybersecurity Workforce Study," released by (ISC)² in January, noted a "worldwide gap of 3.4 million cybersecurity workers." In another recent survey, more than four in five companies reported having fewer than five in-house security analysts, or not enough to run their security operations center (SOC). As a result, organizations have increasingly looked to external vendors to provide essential services. 

The 3CX attack is just the latest to shine a light on how vulnerabilities can arise in an enterprise's software supply chain. In a July 2022 survey by the Neustar International Security Council, nearly three-quarters (73%) of information security professionals believed they or their customers were somewhat or significantly exposed, due to increased integration with third-party providers.

New Rules for Managing Risk

Enterprises can implement a host of measures to reduce risk in their supply chain ecosystem.

To start, standardized information gathering (SIG) questionnaires may be posed to potential new partners to understand the security controls they have in place. Third-party evaluation services may also be engaged to provide additional perspective during due diligence. 

Suppliers that win a contract must be held accountable for meeting clearly defined security standards, with regular audits required at least annually. This can help enterprises determine whether suppliers are fulfilling their obligations and maintaining the necessary controls to reflect current best practices. 

Importantly, organizations must always maintain a complete picture of their partner ecosystem. Engaging in more rigorous preventive measures and contractually obligating partners to hold themselves to security standards equal to or greater than what you apply to your business are important steps to help ensure partner relationships don't become vectors for risk.

While these can be highly effective risk reduction measures, they will not eliminate risk altogether. Organizations must also have a strong strategy in place for visibility, detection, and mitigation around compromised systems, including those provided by supply chain partners. There is one thing that all compromised systems have in common: Whether to deliver information or to download additional malicious content, compromised machines will periodically beacon out to their masters for further instruction. Layered endpoint, network, and protective DNS security solutions can be used to proactively monitor for beaconing, block it, and provide notifications to security operations.

Cooperation Is Required to Continue Making Progress

The burden of responsibility for reducing supply chain risk historically has been on the victim, with the onus on individual enterprises to prevent their own fate, rather than on the parties responsible for releasing insecure software in the first place. It is time for that paradigm to shift, and the Biden administration's recently announced National Cybersecurity Strategy, which aims to recalibrate this dynamic, is a significant step in the right direction.

The strategy is centered around five pillars, the third of which is to "shape market forces to drive security and resilience." It is here that the heavy burden of security is lifted from end users and shared with the vendors who introduce vulnerable software to the marketplace. Too often, the strategy notes, "software makers are able to leverage their market position to fully disclaim liability by contract."

This pillar reinforces progress already made in the industry, where development life-cycle practices are improving to include security at a much earlier stage in product development. Its intent is to compel investment and encourage vendors to follow secure-by-design principles and engage in pre-release testing. These practices will go a long way in ensuring the integrity of products flowing into the market. 

In today's hyperactive threat landscape, it is imperative that supply chain vendors work together with their enterprise clients to identify and address breaches. Vendors investing in sound design and committing to transparency will help their clients reduce their risk exposure and operate with confidence. Good cybersecurity hygiene is everyone's responsibility, so forging a new dynamic of shared accountability is not only a good idea, it's the right thing to do.