Attackers today are getting increasingly creative with how they target organizations, often utilizing the supply chain as a point of ingress — exactly the kind of thing that keep security pros up at night. Rather than attack their targets directly, attackers today are perfectly happy to compromise one of their third-party providers and accomplish their end goal that way.
Whether it's a hardware provider further down the supply chain, a software provider that the organization outsourced some added features to, or a service provider, all can represent a potential point of entry. This dramatically changes the attack surface for the typical enterprise and, with recent highly publicized breaches such as ASUS and Docker, is negatively impacting once-inherent trust in the supply chain.
Recent attacks have even targeted patching processes and software updates, leveraging the very means by which organizations protect themselves against potential threats. It's no wonder that organizations are moving more toward a "zero trust" model. Any blind spot becomes a potentially vulnerable attack surface. Infiltrating the target organization by compromising something or someone further down the chain is often an attractive attack vector. And the logical reaction to this type of unknown is to trust nothing — but that mindset is not practical or sustainable.
So, how do we adopt a zero-trust strategy without completely stagnating our business and hamstringing innovation? By accepting the inevitable and prioritizing accordingly.
The truth is, if attackers want to get into your organization they probably can, whether it's through your supply chain or by other means. Although you should treat your supply chain with healthy skepticism, you can't refuse to trust anything outside your control. Instead, it's best to assume there's a breach and focus your time on mitigating the risk of irreparable damage.
After all, think about the typical attacker's priorities;
1. Gain access.
2. Move laterally and escalate privileges.
3. Maintain access (depending on the situation).
If we accept that we likely can't do much to stop attackers from achieving their first goal, we should instead focus on making step two as difficult as possible.
The most basic step to take is limiting the exposure of privileged credentials. Protecting privileged credentials from compromise significantly reduces the opportunities for attackers who may have infiltrated an environment (via the supply chain or other pathways) to accomplish their end goal — expanding access and escalating privileges. Malware getting installed on a workstation for example could theoretically result in an attacker gaining local administrator authority and gaining access to other machines, eventually uncovering server or domain administrator accounts.
Below are three simple steps organizations can take to protect themselves from this type of threat by embracing a realistic zero-trust security strategy that won't hamstring their business:
1. Layer your defenses. As a defender, one thing to avoid at all costs is putting all your eggs in one basket. Perimeter defenses still serve a purpose, but given all the potential points of ingress for attackers today, it would be the height of foolishness to rely too heavily on maintaining a perimeter that gets wider by the day. It's best to instead assume a breach and embrace multiple layers of security, establishing a true defense-in-depth strategy. A good starting point is to adopt a risk-based approach to security, investing the most in the security controls that reduce the largest amount of risk.
2. Consistently employ the principle of least privilege. One of the more obvious, but also more helpful, pieces of security advice is to limit any potential points of access for hackers to exploit. Account sprawl is real and carries significant risk for the enterprises. Organizations should be sure to limit the number of user accounts as much as possible. Otherwise, it's just a potential source of risk with no corresponding reward.
This is particularly true for privileged accounts. Privileged account takeover is the dream scenario for an attacker as it makes a full network takeover easier. However, it's much harder to move laterally and escalate privileges if there aren't as many privileged accounts to take over. An obvious best practice therefore is to only grant administrator accounts to those who actually need them and ensure that they are only used for administrative tasks rather than basic day-to-day work.
3. Increase monitoring for privileged credential theft. If an organization is victimized by a supply chain attack, the initial attack by definition took place in a security blind spot and thus the enterprise won't have detected it. However, by monitoring privileged sessions to detect patterns indicative of credential theft techniques, organizations can increase the chances that they'll identify if/when the attacker is actually trying to use the access they've attained. And if the organization can catch them when they're trying to escalate, then the threat that the supply chain represents is significantly reduced.
Increasingly, the supply chain and its active participants represent a security weakness that attackers are now adept at exploiting. However, there is significant opportunity to reduce the risk and limit the damage attackers can do. With some fairly simply security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations. For many organizations, this means being aware of where privilege-related risk exists, locking that access down and actively monitoring use of privileged accounts to alert on potential anomalies, and spurring action to remediate risk.