There have been more than 200 dedicated supply chain attacks over the past decade. Some of these campaigns have affected countless supplier networks and millions of customers – SolarWinds, Kaseya and the recent Log4j debacle come to mind.
But given how distributed work has become, especially since the beginning of the Covid-19 pandemic, what exactly isn’t part of the “supply chain” now? Likewise, what workplace doesn’t include aspects of “remote work”, even if it’s being done in a cubicle on the 30th floor of a skyscraper?
Dependence on cloud-hosted platforms, weaker authentication solutions, and public tools has become endemic, and there’s no turning back now. The dense ecosystem we find ourselves in – where everything is bleeding into everything else and companies rarely have more than one degree of separation from each other – will only become denser.
Certainly, the suppliers your business rely on most should rise above the others when it comes to considering the security of your organization. But if the supply chain is anything that potentially gives you an opportunity to hop to another target, just about everything – including you – is part of the supply chain. And to an attacker, all the weaknesses in that chain look like the same thing: opportunity.
The cost of being more productive
While attackers are motivated by opportunity, companies must deal with the blurring of the clear lines that used to be a foundation of cyber security for a related reason: productivity.
For instance, more and more organizations use GitHub for their code pipeline. This is true even when internal solutions like GitLab are available because GitHub is a more convenient way for developers to upload and manage code.
IT pros know it’s possible to lock down a public tool, but no one is going to argue it’s secure by default. In fact, the opposite is true. And software like GitHub presents a variety of openings for those who seek to do you and your business harm.
Attackers look at GitHub and may not see a server that will be their actual attack vector or even where they find a way to implant the backdoor. But it is a key intelligence source for hardcoded developer credentials, crucial information about the inner workings of a software package, and more. This view could give an advanced threat actor insights both into how to build an effective backdoor and where it could be inserted for easy, reliable access without being detected.
GitHub also gifts attackers with lists of developers that have access to a repository. This list doubles as a perfect set of targets to approach once a foothold in the corporate network has been achieved. Now, with one breached laptop containing one GitHub login, an entire code repository – and by extension its host organization – can be compromised.
Similarly, the explosion of formal or informal “bring your own device” policies, alongside developers logging into easily reachable services from their own devices, dramatically widens your company’s attack surface, as it removes the crucial segmentation that acts as a defense for internal services.
Think like an attacker and then like a C-level executive
With services like GitHub, AWS, and others forming a complex web of supply chain threats, it can be extremely difficult to convey these risks concisely to decision makers in your organization. That’s why communication is key when discussing a topic that’s constantly in the news like supply chain attacks. When you only have minutes to sell your security message, concise communication – a story that gets to the crux of the matter – is crucial.
Security professionals often love details about their job, even when their audience doesn’t. The challenge is to establish the context and need for investment in security while tying them to the company’s goals instead of scaremongering about the nightmares no one wants to imagine.
Focusing on the largest revenue-generating organizations and the biggest revenue-generating products will naturally draw the attention of those who sit on the C-level. That creates the opportunity to explore the threats that could land in those spheres and how to tackle them without sacrificing too much productivity.
What’s crucial to understand in the supply chain is the elements you control, where the bottlenecks are, and where you can introduce key mitigations to prevent a small flaw from spiraling into full domain compromise. It’s also crucial to educate executives about how vast and amorphous the supply chain can be, because attackers are well aware.
If your company uses Microsoft Teams, for instance, everyone in your organizational chart is likely to know it. However, they may not be aware that Microsoft, the host of that pervasive cloud service, is now part of your supply chain. Now any potential risk to one of the world’s largest software companies that does business in most countries around the world is a potential risk to you.
We’re all in this together, for better or worse
Thinking about the supply chain probably doesn’t feel like a spiritual pursuit. But contemplating security, especially information security, from an attacker’s perspective can create a feeling of oneness.
From the perspective of those who make their living attacking our businesses, you can see that every company we work with and every tool we use is a potential weak link in our security. Thus, individual organizations cannot make risk decisions without impacting every organization upstream and downstream from yours. However, the scope of these decisions can often create an impossibly large risk profile, so understanding your key suppliers and those that you supply is often your biggest step towards effective supply chain security.
This realization isn’t likely to reward anyone with inner peace. But recognizing that the rewards of productivity come with the risk of interdependence is a key step toward reducing attackers’ opportunities before they overwhelm us.