In December 2020, the threat of supply chain attacks started to seem real to a lot of people. That's when FireEye/Mandiant dropped its bombshell report about a major "global intrusion campaign" delivered through Trojan-implanted updates of SolarWinds' popular Orion software. About 18,000 SolarWinds customers downloaded the update, though the attackers then focused on a subset of high-value targets, including major corporations and federal government agencies.
The SolarWinds incident made a strong point about the far-reaching impact of attacks on the supply chain, particularly because the group behind the campaign hasn't stopped. Microsoft detailed in October 2021 that the Russia-based advanced persistent threat (APT) group, which Microsoft calls Nobelium, has branched out from the software supply chain to target IT service providers — including cloud service providers (CSPs) and managed service providers (MSPs) — exploiting privileged and administrative credentials to gain access to downstream customers.
Although Nobelium's activities display a high level of sophistication, its latest campaign isn't new. In 2016–2017, I was part of a team at PwC charged with incident response for two major campaigns. The first was a years-long campaign by a Chinese nation-state hacking group that targeted MSPs in order to gain access to major organizations worldwide, known as Operation Cloud Hopper. The second was the NotPetya global ransomware campaign, which was strikingly similar to SolarWinds in that the actors compromised the software update system of the Ukrainian MeDoc accounting software. The lessons from both are extremely valuable for organizations now defending themselves from Nobelium and the inevitable technology supply chain attacks that are to come.
I expect we'll see frequent reports about the activities of Nobelium and other threat actors that are living off the land across these supply chains. Nearly every organization should assume it is at risk, but there are ways of countering the APT's tactics. Here are several approaches that are essential for enterprises to continuously investigate their networks.
Engage in Continuous Risk Assessments of Third-Party Providers
You should conduct detailed third-party risk assessments that cover not just technical security controls but governance, risk, and compliance. Continuous monitoring, logging, and review of activities between your organization and third parties can be measured against a pre-established baseline of normal activity to help detect anomalies. Having the right checks and balances in place can help mitigate threats coming via providers.
Thoroughly Understand Attack Vectors Across the Supply Chain
Service providers have joined hardware and software as prime targets for attackers. A comprehensive approach to security must include an understanding of the threat landscape, as well as threat groups and their tactics, such as using compromised credentials to exploit unpatched software. A complete view of potential threats — including those to system architecture, access, and authentication controls — must be compared not only against the state of your critical systems but also the security postures of partners.
Look Both Inward and Outward
It's important to monitor internally as well as externally to protect against these threats. It's not unusual for someone with admin credentials to log in to a server and then log in to other servers from there. But that initial access often isn't tracked, which can allow an attacker to enter and proceed unnoticed. An organization can put protections around internal access. Also, most organizations don't know what their third-party partners have access to. Identity and access management (IAM) should include knowing what privileges third-party partners have and tracking their movements so that unusual behavior triggers an alarm.
Execute on the Principle of Least Privilege
Over-permissioning is a common problem throughout cloud infrastructures. When developers, for example, ask for permission to access server, it's easier for admins to just grant credentials for everything rather than sorting through each request and granting access for specific tasks. But getting visibility into and control over permissions is vital to security.
That also applies to service providers, whose activities should always be monitored. A provider accessing a server it's not contracted to handle, or one that begins removing a treasure trove of data, should raise a red flag. There are many examples of attackers using compromised credentials from a service provider to steal data or cause significant damage. As such, access for service providers should always be carefully controlled.
Don't Set and Forget an Incident Response Plan
A cybersecurity strategy must emphasize resiliency, so an incident response plan must cover factors ranging from data recovery, business response and communications to cyber-insurance processes and dealing with regulators. As the responses to Operation Cloud Hopper and NotPetya showed — and the White House's Executive Order on cybersecurity mandates — it's also essential to be prepared to share threat information as part of a unified response. Supply chain attacks like SolarWinds cut across organizational boundaries; the response has to involve multiple sectors.
Internally, it's also important to conduct incident response exercises that cover data recovery and reparation. You should also try and think about how to act in every possible situation. And don't forget about contingency plans in case something unexpected happens. What happens, for instance, if the data backups used for recovery are the target of an attack? Finally, don't rely solely on your detection tools to pick up known vulnerabilities for incident response.
Cybersecurity has never been easy, but in today's environment securing servers and internal systems is a relatively easy win. The hard part is third-party risk. Organizations need to conduct third-party assessments, enforce strict least-privilege policies and continuously monitor activity. And it's best to build that security posture from the ground up, starting with making sure you have the basics of cloud security covered. Because, if you're struggling with the basics, you're not going to get to the advanced levels of security.