Recent supply chain attacks, from SolarWinds to 3CX and MOVEit, illustrate the impact that can occur when a single widely used software platform is compromised, enabling attackers to use this initial access as an entry point into any number of subsequent networks. Often the intention is to propagate malware or leverage sensitive data to extort victim organisations. In the case of the 2023 MOVEit breach, approximately ~2,356 organisations and 70 million people were impacted with effects reportedly felt months after the original 0-day discovery.
This is a hot topic right now and for good reason. Seismic supply chain attacks are shaping security frameworks and regulations at the highest level, where increased emphasis on C-suite accountability and ‘threat-led’ methodologies appear to be key concepts (i.e DORA regulations, ISO/IEC 27036, CMMC among others).
But what is the optimal approach? Will frameworks designed to secure the world’s leading financial institutions be useful for the typical organisation? Are today’s standard processes fit for purpose? In most scenarios, the lack of maturity in the often neglected area of supplier risk management creates room for debate, as the optimal approach will inevitably depend on each organisation’s unique operational requirements, supplier relationships and governance structures.
The current state of play
The reality is that the typical approach most organisations follow has not changed for almost twenty years.
Since ISO 27001 standardised IT risk management in 2005, and particularly since GDPR in 2018, the scale and complexity of security has grown immeasurably as ‘vendor security assessments’ require suppliers to complete ever more lengthy fill-in-the-blank compliance forms. However, as the volume of information has expanded, the depth of information has remained at the surface level – at least for most organisations.
That’s because certificates and accreditations are not the only way to assess supply chain partners. In industries with an elevated focus on supply chain security risks, such as finance, tech, manufacturing or energy, organisations are increasingly opting to view key partners as part of their overall ‘attack surface’ (i.e assets publicly exposed over the internet) in order to derive a more all-encompassing risk rating.
When a single questionnaire can take 2 weeks to complete, some may wonder whether this process alone is the optimal use of everyone’s time, especially when genuinely exploitable risks and vulnerabilities can be identified and remediated to make at-risk suppliers, and proxy the client, more secure.
Some may hope machine learning and AI will help streamline what can be a gruelling time sink for suppliers’ already stretched IT security teams (helpful links below). But irrespective of AI’s potential, the core process will remain, and even the most ardent Risk & Compliance Manager can admit that without actionable evidence or the ability to demonstrate or validate risks, organisations only achieve a cursory level of assessment in this manner.
The search for ‘actionable evidence’
Those who acknowledge the limitations of standard due diligence and intend to seek real world evidence of their supply chain security will encounter an array of risk management platforms on the market today.
‘Vendor risk management solutions’ typically offer a subscription service that provides a point in time snapshot of an organisation’s hypothetical exposure via a client dashboard and perfectly logical risk rating methodology.
Albeit a step in the right direction, the average organisation does not need a dashboard to view a supplier risk rating on a daily basis (unless you are an insurer assessing thousands of companies on the spot). That’s because it’s not about how quickly you can derive a near-instant risk rating for the greatest number of suppliers possible, it’s about depth, context, and the degree to which actionable insights can be identified and communicated to your partners to make them, and by proxy you, more secure.
To be specific, ‘actionable evidence’ could mean sensitive info unintentionally published by suppliers’ developers on GitHub, publicly accessible management services, outdated software, or misconfigured servers. These are all resolvable issues, but when left unaddressed, they present a foothold for would-be attackers and increase an organisation’s likelihood of being targeted.
As stretched security teams play catch up to emerging threats by default, few would disagree that greater collaboration on mutual exposures, vulnerabilities and threat intelligence (TI) is vital. The next question then becomes – how much collaboration is feasible and effective as a long term strategy?
Case study analysis
Let’s interrogate the basic details of some recent supply chain attacks to analyse whether or not a more all-encompassing supplier risk strategy could have aided secondary victims in protecting themselves.
MOVEit supply chain attack
2023
Primary victim:
MOVEit managed file transfer software
Secondary victims:
PWC, Deloitte, Ernst & Young, Aon and more (~2000 estimated victims)
Zero day exploited: Yes (CVE-2023-34362)
Systems targeted: File transfer software
Likely attacker motives:
Ransomware / cyber extortion
Danish power companies attack
2023
Primary victims:
Zyxel, 22 Danish-based power companies
Larger Entities Impacted:
SektorCERT, Danish CNI Authorities
Zero day exploited: Both known and unknown vulnerabilities
Systems targeted: Zyxel firewalls
Likely attacker motives
Operational disruption, cyber extortion, geopolitical
In Attack A, the reality is that previously unknown vulnerabilities (0-days) are unavoidable, which means the initial attack would not have been easy to prevent, even if one were to utilise the cumulative efforts of multiple big 4-backed security teams. However, how each organisation chooses to respond to 0-days is not set in stone. Here, collaborative supplier risk strategies could well have been instrumental in protecting secondary victims once the vulnerability was published, alongside well-informed threat intelligence (TI) capabilities.
In Attack B, individual power companies may have significantly benefited from a team of external offensive security consultants working to evaluate the exposure or exploitability of their shared attack surface (i.e by an umbrella organisation or governing body). Moreover, given the fact that both known and unknown vulnerabilities were exploited as part of the attack chain, it would almost certainly have increased the likelihood of successful prevention or mitigation for affected companies which may have moved to swiftly patch identified vulnerabilities.
Detailed insight into specific defensive measures taken pre- and post-attack understandably remain undisclosed, however, it is worth commending SektorCERT, the non-profit supported by Danish critical infrastructure companies, who published a detailed timeline and interpretation of events.
One could not argue that 0-days will be identified en masse if compliance and risk processes evolve to include a greater depth of evidence and actionable remediations. Nevertheless the opportunity to find previously unknown vulnerabilities is created, and the probability of identifying, communicating and remediating known vulnerabilities or misconfigurations is significantly improved.
The key point here is, whether you are a customer concerned about the compromise of key suppliers, an industry institution, governing body or a parent company overseeing subsidiaries, it is becoming increasingly important to understand how well prepared you are to prevent and mitigate supply chain attacks.
Pragmatic strategies
Those who opt to preemptively take ownership may wonder where to start. The ideal first step will be to blend that which is mandatory and that which is an efficient use of resources for you and your partners.
The '80:20 split'
Let’s take an organisation dedicating 100% of its time and resource to exclusively creating, sending, receiving and reviewing lengthy security questionnaires to assess supplier risk. By introducing an ~80:20% split between self-reported questionnaires and externally identified risk, resources can be repurposed to identify and communicate potentially exploitable security risks to key partners, thus building a more resilient attack surface while gaining a more accurate understanding of risk at a technical level.
Prioritise resources based on business-critical operations. For instance, start by assessing the SaaS you use for day-to-day operations or the file share platform you use to transfer highly sensitive data. If an external risk assessment of these providers indicates a far higher level of risk exposure than standard compliance checks, one could identify and advise remediation, or better still, build targeted defensive controls to limit further escalation within your internal network in the event that the supplier is leveraged as an attack vector.
Of course, 80:20 is rough ratio that should be tailored, while maintaining core requirements and context-specific questions. As some dismiss security compliance as mere bureaucratic due diligence, it is worth acknowledging that questionnaires do offer an indication of cyber maturity and, despite the need for evolution, they will remain an important part of the process (i.e ISO and GDPR compliance). However, minimising irrelevant questions and expanding the scope for actionable evidence is in everyone’s interest.
Finding the optimal balance is a different challenge for industry membership organisations, institutions, governing bodies or parent companies. In scenarios such as the Danish power companies attack, those tasked with the challenge of overseeing membership organisations or subsidiaries will likely benefit the most from continuous risk management strategies i.e (CASM) which may become increasingly useful in supply chain attack mitigation.
Aligning with industry leading standards
Naturally, seeking alignment with those emerging frameworks, standards and policies which increasingly mandate board-level accountability on supply chain risk is a wise step forward. Understanding which ones to follow can be tricky, as this may vary depending on your industry and jurisdiction.
For UK/EU based organisations, the following should be discussed and prioritised by senior leadership:
-DORA financial regulations
-Cyber Governance Code of Practice
-ISO/IEC 27036 – Information Security for Supplier Relationships
-ISO 31000 – Risk Management
-Cybersecurity Maturity Model Certification (CMMC)
The future of supplier risk management
As our reliance on cloud-based services grows, along with global supply chain complexity and increased geopolitical tensions, the threat of supply chain attacks looks unlikely to diminish any time soon.
At the highest level, the philosophy and approach to the relationship between customer and supplier needs to evolve from ‘you missed a spot’, to a friendly tap on the shoulder, a nudge toward risks which can be practically remediated on the spot, with evidence, but without judgement.
The uncomfortable truth that compromise is always possible, if not inevitable with enough effort, severely undermines the idea that an on-demand cyber risk scoring system alone can provide genuine utility, or that excessive judgement for a degree of misconfiguration or exposure should be the norm. We see on a near weekly basis now, well-established companies with ostensibly adequate compliance for key frameworks, standards, and policies being compromised in large scale supply chain attacks, where even the very overseers of global due diligence were recently reported to have been affected (PWC, Deloitte, E&Y and Aon in the MOVEit breach).
Not to ironically shame large corporations here; it’s simply worth acknowledging that, when even the most well-resourced and mature are falling victim, collaborative guidance on exposed assets or vulnerabilities should be freely given and unapologetically received.
Helpful links & references
We hope this article offers guidance for those seeking to improve supply chain risk strategies. The following additional links and references may also be helpful:
- Free advice on how to use AI to expedite questionnaires: https://www.xenonstack.com/blog/generative-ai-compliance
- Loopio RFP / questionnaire automation tooling: https://loopio.com/security-questionnaire-automation/
- How to prepare for new DORA financial regulations: https://www.jumpsec.com/guides/how-to-prepare-for-dora-digital-operational-resilience-act/
- The detailed and insightful overview of the Danish power companies attack: https://sektorcert.dk/wp-content/uploads/2023/11/SektorCERT-The-attack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf
Sean Moran
Sean is a researcher and writer with a keen interest in geopolitics and its impact on the cyber security industry.