The security of an enterprise depends not only on the organization itself, but also on the security of its IT supply chain and contractors. These represent potential weak points in the security of any organization.
Third-party contractors and suppliers have been used to compromise larger organizations. Target’s breach began with the compromise of a contractor that provided heating, ventilation, and air conditioning (HVAC) solutions. A 2011 hack on Lockheed Martin was blamed in part on information stolen in a breach of RSA that compromised SecurID tokens. HAVEX has been tied to attacks on Industrial Control Systems (ICS).
These reported cases are only the tip of the iceberg. Many supply chain vendors have insufficient personnel or resources to dedicate to security; they may have no good ways to determine if they have been the victims of a targeted attack.
Twists and Turns
The threat actors who target parts of the IT supply chain use various “twists and turns” as part of their Tactics, Techniques and Procedures (TTPs). These can include:
- Compromising source code
- If hackers can access and modify a vendor’s source code, they can easily insert a backdoor into it, giving them persistent access to any customer of that vendor. This can be done by compromising the servers holding the source code or the systems used for research and development, or by acquiring credentials for the source control services in use. The HAVEX malware family (known externally as Dragonfly/Energetic Bear) is known to have used Trojanized versions of ICS software.
- While such an attack would be of immense value to an attacker, multiple systems and accounts would need to be compromised. For example, credentials for source code control systems should be separate from other credentials (such as email). Alternatively, the servers themselves may be attacked (whether they are located on premises or in the cloud). This kind of access would require a fairly wide-ranging breach of the target organization.
- Compromising firmware
- If attackers are able to access and modify the binary code of systems provided by a vendor, they may choose to modify that code to add backdoors, which can then be pushed out via existing auto-update mechanisms. Customers receive this malicious code when the update is pushed out to their systems. The Equation Group is believed to have used malicious hard drive firmware in its attacks.
- The challenges of compromising firmware are similar to those of compromising source code, with one additional problem: technical information is needed to create firmware that will actually run on the target devices. This would have to be acquired from within the organization itself, or through analysis of publicly available hardware.
- Compromising websites and internal portals
- Attackers can also attempt to compromise the websites and internal portals a vendor uses to communicate with its customers. These can then be used in a watering hole attack against the vendor’s customers. HAVEX also used this tactic to target organizations using specialized ICS/SCADA equipment.
- For this attack to succeed, the attacker must gather some information about the normal browsing patterns of both the vendor and the customer. In addition, credentials for webmasters or server administrators must be obtained to actually compromise the web servers. This requires the attacker to be somewhat familiar with the vendor’s network, but it is not as difficult as the two preceding scenarios.
- Spear phishing from trusted vendor email accounts
- An attacker who controls vendor systems and credentials can easily send emails to clients that appear to be legitimate. High-level personnel can easily be victimized in this manner.
- Direct network access from trusted vendors
- A vendor’s access to its client’s network can also be abused. For example, if a vendor has VPN access to a client network, an attack on the vendor could compromise the credentials needed to access that VPN. Similarly, secure tunnels could be accessed with compromised credentials.
An attacker would enter the IT supply chain the same way they would enter any other organization. We earlier discussed how organizations become the victims of targeted attacks. Email is still a favored infection vector, with both malicious attachments and links to sites used to lure users. These messages are crafted to appear to come from other organizations (preferably ones relevant to the target).
Some might say that vendor security is not the responsibility of a network administrator, who already has enough to worry about with their own organization’s security. While this may be true, the security of vendors has a direct impact on an organization’s security. Here are some guidelines that can be used:
- Protect your own network
- Does your organization already have sufficient defenses against targeted attacks? Are sensors and an incident response team in place to mitigate any attacks? Are security solutions in place on both endpoints and gateways? Before an organization can even consider discussing security issues with vendors, it must be sure that its own house is in order.
- Coordinate security policies
- As much as possible, vendors and clients should have reasonably similar security policies. Inconsistent policies can create security weaknesses in one organization that can be used for lateral movement into the other.
- Code, binary, and firmware auditing
- Patching and updating procedures should be examined to ensure that proper auditing is performed before new software or hardware is introduced into an organization. Source code audits can find hidden backdoors, hardcoded credentials, and other potential vulnerabilities. Binary audits can check file hashes to ensure that only unmodified versions of software are installed.
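The two audit steps above (a binary audit that checks file hashes, and a source audit that looks for hardcoded credentials) can be put into a small pre-install gate. The following Python is an added example written for this article, not code from the original post or from Trend Micro. It assumes the vendor publishes a manifest of relative path to SHA-256 for each release and that the manifest is obtained through a channel separate from the download itself (for example, a signed release note); the bundle files, manifest values and source snippet are all constructed for the demo.

```python
"""Pre-install audit helpers (added illustration, not vendor code).

Verifies an update bundle against a {relative_path: sha256} manifest and
scans source text for hardcoded credentials. All file names, file
contents and hashes below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so a large firmware image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_bundle(bundle_dir, manifest):
    """Compare every file under bundle_dir with the manifest.

    Assumes the manifest came from a channel separate from the download,
    otherwise whoever replaced the binaries could replace the hashes too.
    Returns sorted lists: ok, modified, unexpected (on disk but not in the
    manifest) and missing (in the manifest but not on disk).
    """
    report = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    seen = set()
    for root, _, files in os.walk(bundle_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, bundle_dir).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                report["unexpected"].append(rel)
            elif sha256_of(full) == expected.lower():
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)
    report["missing"].extend(rel for rel in manifest if rel not in seen)
    for key in report:
        report[key].sort()
    return report


def bundle_passes(report):
    """Install only when nothing was changed, added or removed."""
    return not (report["modified"] or report["unexpected"] or report["missing"])


# Source-audit patterns: deliberately simple, meant for review triage.
SECRET_PATTERNS = [
    ("password assignment",
     re.compile(r'(?i)\b(pass(word|wd)?|pwd)\s*=\s*["\'][^"\']{4,}["\']')),
    ("api/secret key",
     re.compile(r'(?i)\b(api[_-]?key|secret[_-]?key|token)\s*=\s*["\'][^"\']{8,}["\']')),
    ("private key block",
     re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def scan_source(text):
    """Return (line_number, label) for each line that looks like an embedded secret."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((number, label))
                break
    return hits


def build_demo_bundle():
    """Write a constructed two-file bundle to a temp dir; return (dir, manifest)."""
    bundle_dir = tempfile.mkdtemp(prefix="bundle_")
    files = {  # constructed sample contents, not a real product
        "bin/agent": b"\x7fELF constructed agent binary v1.2\n",
        "conf/agent.conf": b"listen=127.0.0.1\nlog_level=info\n",
    }
    for rel, data in files.items():
        path = os.path.join(bundle_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}
    return bundle_dir, manifest


def demo():
    """Audit the clean bundle, then the same bundle after tampering.

    The tampering mirrors what a compromised update channel could deliver:
    an altered binary, an extra file the vendor never shipped, and a
    missing config. Returns (clean_report, tampered_report).
    """
    bundle_dir, manifest = build_demo_bundle()
    clean = audit_bundle(bundle_dir, manifest)
    with open(os.path.join(bundle_dir, "bin/agent"), "ab") as f:
        f.write(b"appended stub\n")
    with open(os.path.join(bundle_dir, "bin/helper.so"), "wb") as f:
        f.write(b"not in manifest\n")
    os.remove(os.path.join(bundle_dir, "conf/agent.conf"))
    return clean, audit_bundle(bundle_dir, manifest)


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean passes:", bundle_passes(clean_report), "tampered:", tampered_report)
    print(scan_source('user = "svc"\npassword = "hunter2x"\napi_key = "ABCDEFGH12345"\n'))
```

A hash manifest only proves the files are the ones the vendor listed; if the vendor's build system itself was compromised (the source code and firmware scenarios above), the hashes will match a backdoored release, which is why the source audit runs alongside rather than instead of the hash check.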
- Coordinate security teams
- Security resources of vendors and clients should work together to protect their overlapping networks. Sharing of threat intelligence and regular meetings can ensure that any potential threats are dealt with adequately and as quickly as possible.
We earlier discussed how companies need to focus on protecting what is most important to them – their core data – and to do so in a well-thought-out manner. An aspect of data protection that can be overlooked is how others access your data. If an organization fails to consider that, its data protection is only as good as the weakest link. A complete security and privacy risk assessment must consider the security of an organization’s third-party IT providers.
Aside from the above, vendors should take steps to protect their own systems. Products such as the InterScan™ Messaging Security software and virtual appliance, Hosted Email Security, and ScanMail™ for Microsoft Exchange™ are all built with technology designed to help detect threats that enter via email. Combined with Web reputation and advanced sandboxes that inspect attachments, these tools help detect various threats that attempt to enter an organization’s network. Solutions such as Deep Discovery can also be used as part of a custom defense strategy to help organizations discover and mitigate attacks.