The SolarWinds supply chain attack rocked governments and businesses alike in late 2020. Help keep your organization safe with these three key steps.
I recently wrote an article for Dark Reading about the massive supply chain attack perpetrated via vulnerabilities in SolarWinds, Microsoft, and other leading vendors. In that piece, I discussed the impact this unprecedented hack will have on cybersecurity, including the shift toward a zero trust approach to information protection.
The most insidious element of the 2020 supply chain attack is that hackers weaponized trusted applications, such as SolarWinds Orion. Last year’s massive supply chain attack leveraged weaknesses within organizations’ cybersecurity controls—such as insecure developer environments and logins—to infiltrate and spy on government and corporate systems via trusted software updates.
In this post, we’ll dig a little deeper into approaches, such as regular vulnerability assessments, that organizations can take to protect against another supply chain attack (because there will undoubtedly be another one), and why these proactive cybersecurity steps matter for organizations.
Three Best Practices to Prevent a Supply Chain Attack
The key to stopping incidents and limiting damage is to build layers of security and a system of checks and balances.
No individual security approach can guarantee an organization’s security, and a true zero trust approach to cybersecurity can be difficult to put into practice. Zero trust requires that you think of every aspect of your information network differently – for example, requiring authentication between components that previously could communicate freely, or password-protecting files that were never locked down before. If zero trust policies are implemented too quickly, important business processes can break in unexpected ways – and then you are left scrambling. Fortunately, organizations can take several immediate steps to move the ball forward and prevent future supply chain attacks like the SolarWinds attack.
1. Ensure You Are Logging and Auditing Everything
If you aren’t already gathering logs, auditing Active Directory (AD) changes, and monitoring all this information via security information and event management (SIEM) technology, now is the time to start. Logs can be the proverbial canary in the coal mine for suspicious activity, and they’re also an important part of compliance; many cybersecurity frameworks require some degree of log collection and management.
By gathering and analyzing logs, organizations can catch risky activity early on. For example, a SIEM can identify if a user is making multiple changes to corporate systems or is downloading or exfiltrating lots of data. With alerts set up to flag anomalies, security teams can take a closer look, which could help detect an intruder or catch unsafe or potentially malicious behavior from an insider, like an employee or a partner.
Organizations should also set limits on who can make changes, and what level of changes they can make using a principle of least privilege access. For example, if someone attempts to change foundational permissions or settings, that request should be flagged to IT decision-makers who can decide to allow or disallow the change—and make sure the request is coming from a legitimate source.
Core Benefit: Your organization knows who your users are, what they’re doing in your systems, and sets limits on the changes they can make without oversight. You can spot possible suspicious or unsafe activity early, and logging and auditing are also important elements of staying in compliance with many cybersecurity frameworks.
2. Keep Tabs on Trusted Software
The SolarWinds hack spread far and wide because no one was looking for it—it was a betrayal from inside an ally’s camp, well within the boundaries of firewalls and other security measures. To protect against a supply chain attack like SolarWinds, organizations will need to monitor the activity of their trusted software, such as antivirus, corporate productivity software, and more.
One of the best tools for keeping tabs on data flow is a data loss prevention (DLP) solution. If your organization already has a DLP, take a look at how you’re using it. DLPs earn a troublesome reputation, because they can be expensive, take a lot of time to manage, and can send many false alerts. However, much of the time, DLPs are configured to cast too wide of a net, or they’re underutilized for the reasons mentioned above.
By focusing your DLP on a specific set of data—your most valuable and sensitive data—your organization can reduce the number of false alerts. The DLP becomes, in effect, an internal watchful eye to make sure trusted programs aren’t the source of data leakage or misuse.
Core Benefit: Your organization keeps a close eye on data at rest and in motion, even within trusted security tools and other software.
3. Conduct Vulnerability Assessments and Penetration Testing Every Quarter
Security is a moving target. Organizations are always trying to stay one step ahead of the bad guys with threat hunting, threat intelligence, and more. One of the best ways to protect your organization against threats is to fully understand (and fix) any vulnerabilities.
We encourage organizations to understand their evolving risks with two core tactics:
- Vulnerability assessments
- Penetration testing
Regular vulnerability scans and penetration tests can reveal weaknesses before a hacker finds them.
Vulnerability assessments are often conducted with the use of automated scanning software. This can be a valuable and efficient way to understand potential issues. However, vulnerability assessment software can send up false positives, and it’s not always clear what to actually do with the results in terms of prioritization. At A-LIGN we recommend taking the next step to provide depth to the vulnerability scan and identify if any vulnerabilities are exploitable and can result in unauthorized access to systems and data.
This next step, to validate your vulnerability scans, is penetration testing. These tests, whether automated or done by hand, explore the potential vulnerabilities identified in a scan, demonstrate the real risk, and provide an opportunity to fix the problem. Some of the areas organizations can delve into with penetration testing include:
- Network layers
- Mobile applications
- Web applications
- Wireless networks
- Remote social engineering
- Facility penetration
Of course, as I noted in my Dark Reading piece, penetration testing isn’t something to do once and then forget about. Threats evolve, and new vulnerabilities appear all the time. Reputable penetration testing firms are constantly adapting to new hacking techniques, and the SolarWinds supply chain attack is no exception. Any good firm will be adjusting their playbook based on key learnings from the attack.
Keeping up with security standards and reducing risk are a crucial element of remaining in compliance with numerous regulations and frameworks. That’s why penetration tests should ideally be conducted on a quarterly basis.
Core Benefit: Your organization understands its risk and can proactively fix any vulnerabilities before a hacker uses them to infiltrate your system.
Improving Your Supply Chain Security
Government organizations, private sector companies, and even security firms are still reeling from the 2020 SolarWinds supply chain attack. We’ll probably be uncovering the full extent of damage from it for a long time. I think it’s likely that, given the size and scope of the attack, new regulations, legislation, and frameworks will likely be developed in the coming years to prevent future attacks in a similar vein.
From AD audits to logging events in a SIEM, and from investing in DLPs to conducting regular vulnerability assessments, organizations can take immediate steps to become more secure and reduce their risks of falling victim to a similar supply chain attack.
Tighten Up Your Cybersecurity
Contact an A-LIGN Expert Today