Supply chain cybersecurity attacks have been in the news lately, but they’re nothing new. In fact, nation state adversaries have been targeting and abusing supply chain vulnerabilities for years.
These vulnerabilities are an easy “in,” giving attackers an open door to more lucrative targets. Managed service providers (MSPs) and managed security service providers (MSSPs) are particularly attractive targets because they hold the keys to many different customer organizations. Just look at what happened when hundreds of dental office customers were hit by ransomware after their shared MSP was compromised.
We’re All Targets
“I didn’t think we would be a target” are words spoken by compromised organizations all too often.
Yet the truth is we’re all targets. We’re all links in someone’s supply chain, and that makes us susceptible if we’re not protected.
It’s easy to imagine how one might be a backdoor into a military contractor if they supply them with services or tools, but would you consider your local nail salon to be a supply chain risk? Well, you should. In fact, an attack against a large company began by compromising a local salon and using their billing system to send malicious PDFs to executives at the company who used their services.
Where to Start
There’s tremendous opportunity for MSPs and MSSPs alike to improve supply chain security defenses – both internally and for the customers that they serve.
This might seem like a daunting task, but you can tackle it – often with immediate and measurable results – by focusing on three important areas:
1. Shared passwords
Service providers need to stop sharing passwords. It sounds like common sense, but it’s an ongoing problem.
As someone who has investigated credit card fraud, I’ve seen firsthand the risks of payment terminal providers using remote access software – like TeamViewer or VNC – with a single, shared password to manage thousands of customer accounts.
Earlier this week, law enforcement officials in Florida announced that an attacker used TeamViewer to successfully gain access to a password protected control panel and attempted to poison a critical infrastructure water supply. The attack was fortunately stopped, but could have been deadly.
This lack of security is no longer acceptable. Phishing one member of your support staff is enough, in many cases, to destroy your reputation and potentially your business in a single incident.
Just as in traditional IT departments, accounts that possess privilege should only be used when needed, and they should always require multi-factor authentication. All usage should also be logged and reviewed frequently.
2. Access rights
Should every technician be allowed access to every client? Perhaps, but probably not.
Often, groups of clients, especially key customers, have a dedicated support person or team. Just as we segment networks to provide audit points and to contain risk, privileges require bounds.
Logging is critical in recognizing unusual access – like off hours use or access to an account assigned to a different team, which can be signs of insider fraud or an external threat actor preparing to launch a ransomware attack.
3. Monitoring for compromise
Monitoring is often under-resourced compared with prevention. The problem is, we know that prevention isn’t always 100% achievable, yet when it comes to detecting the failure of our preventative controls, we are too reactive. Once an attack becomes obvious it is often too late. By the time a criminal pulls out the ransomware, they have already stolen critical data and, more often than not, have had access to your network for 30 days or more.
During investigations conducted by the Sophos Managed Threat Response team, two things stand out as early indicators of compromise. One is the use of credentials for remote access and administrative purposes during off hours; the other is the abuse of system administration tools in order to conduct surveillance and steal data from the network.
The use of legitimate accounts and your own tools is often referred to as Living Off the Land (LotL). Detecting this requires vigilance and skill. To a trained security operations center analyst, these things stand out clearly and can tip you off to thwart the attack before the bulk of the damage has been done. You either need to invest in training your staff to monitor these behaviors or engage with outside experts to monitor it on your behalf.
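As an added illustration (not code from this post or from Sophos), here is a small Python check for two of the early indicators described above: off-hours use of remote-access credentials, and a technician reaching a client outside their assigned group. The log format, team assignments and business-hours window are constructed assumptions.

```python
"""Flag off-hours remote access and cross-team client access in MSP logs.

Everything here is constructed for illustration: the log line format, the
technician-to-team and team-to-client assignments, and the business hours.
"""
import re
from datetime import datetime, time

# Constructed: which technician team is assigned to which client accounts.
TEAM_CLIENTS = {"team-east": {"client-a", "client-b"}, "team-west": {"client-c"}}
TECH_TEAM = {"alice": "team-east", "bob": "team-west"}

# Constructed business-hours window (MSP local time); anything else is off hours.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Constructed log format: "<ISO timestamp> user=<tech> client=<client> tool=<tool>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) client=(?P<client>\S+) tool=(?P<tool>\S+)$")

def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def is_off_hours(ts):
    """Weekend, or outside the business-hours window on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def is_cross_team(user, client):
    """True when the client is not assigned to the technician's team.
    An unknown technician has no assigned clients, so it is always flagged."""
    return client not in TEAM_CLIENTS.get(TECH_TEAM.get(user), set())

def find_indicators(lines):
    """Return (line_number, reason) pairs; unparseable lines are reported, not skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            findings.append((n, "unparseable"))
            continue
        if is_off_hours(ev["ts"]):
            findings.append((n, "off-hours"))
        if is_cross_team(ev["user"], ev["client"]):
            findings.append((n, "cross-team"))
    return findings

SAMPLE_LOG = [  # constructed; 2021-02-09 is a Tuesday, 2021-02-13 a Saturday
    "2021-02-09T10:15:00 user=alice client=client-a tool=teamviewer",
    "2021-02-09T02:40:00 user=alice client=client-a tool=teamviewer",
    "2021-02-09T14:05:00 user=bob client=client-b tool=vnc",
    "2021-02-13T11:00:00 user=bob client=client-c tool=psexec",
]

if __name__ == "__main__":
    for n, reason in find_indicators(SAMPLE_LOG):
        print(f"line {n}: {reason}: {SAMPLE_LOG[n - 1]}")
```

In practice the assignment tables would come from your ticketing or RMM system and the findings would feed a review queue rather than stdout.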
Prioritizing Supply Chain Security
Improving on these three important areas will significantly reduce cybersecurity risk, putting MSPs and MSSPs ahead of their competition when it comes to protecting customers.
Prioritizing supply chain security defenses can be a significant competitive advantage for service providers in acquiring new customers – and perhaps most importantly, retaining the ones they already serve.
These are simply starting points where we have identified common points of failure. Security is a journey, and securing the supply chain is just one piece of the bigger puzzle.