Responding to Supply-Chain Risk—It's Not Just About Vendor Management

Alerts / April 14, 2021

Organizations around the globe began 2021 grappling with two significant supply-chain attacks. First, the SVR, Russia’s foreign intelligence service, planted malicious code in Orion, SolarWinds’ flagship network management suite. When 18,000 Orion customers updated their software, they also unwittingly installed the SVR’s malicious code, giving the Russian intelligence agency direct access to the customers’ networks.

The second attack came in March, when news broke that a threat actor labeled HAFNIUM was exploiting four previously unknown vulnerabilities in Microsoft Exchange, the ubiquitous email server platform. Information security teams scrambled to install Microsoft’s emergency fix and evaluate the damage. Within days, other threat actors began targeting unpatched systems for their own goals, including ransomware attacks.

With these incidents putting supply-chain risk in the spotlight, many organizations are now examining their process to assess vendors. Likewise, the Biden administration has promised new executive orders to address supply-chain risk that will impose new testing requirements and notice obligations on companies that supply software (and perhaps other products) to the federal government. But if “better vendor management” is the only lesson your organization takes from these attacks, it’s missing the bigger picture:

  • Supply-chain attacks have obvious appeal to threat actors and will keep happening—you should assume that all software and devices are vulnerable.
  • You must understand how attackers use supply chains to achieve their ultimate goals. A compromised supply chain gives an attacker initial access to your network—just like phishing attacks and other entry techniques. What they can do with that access is partly up to you and your defenses.
  • You must recognize the limitations of vendor management. Better vendor management will not mitigate many supply-chain risks.
  • You can—and should—defend against supply-chain attacks the same way you defend against any other type of attack: Identify and implement layered controls using a risk-based approach to prevent, detect, and limit what an attacker can do in your network.
  • Supply-chain attacks are a good reason to embrace a zero-trust mindset, which encourages network defenders to stop thinking of networks as walled enclaves where everything inside the wall is inherently good. Doing so will help you protect against supply-chain attacks, other external threats, and insider threats.
  • None of these solutions will be fast or easy as organizations look to improve and redesign networks built over decades. Meanwhile, we need smart government policy to incentivize and support organizations as part of a national strategy to secure cyber infrastructure.
Supply-chain attacks will continue—assume you’ve been compromised

Supply-chain attacks have obvious appeal—a single attack against a key product like Orion or Exchange gives an attacker initial access (and sometimes even privileged access) to thousands of potential targets. An attacker with specific goals (like a nation-state) can choose its prey strategically from an ocean of potential targets. Less discriminating actors (like ransomware attackers) are happy to take whatever they catch in their net. For that reason, the Orion and Exchange attacks are just two of many supply-chain attacks documented over the past decade, and more will come. You should assume that any device or software you acquire contains inadvertent or intentional vulnerabilities.

Supply-chain attacks are the way in—what threat actors do with that access is up to you

Supply-chain attacks are just one of the many ways attackers access networks. They give an attacker an initial access point to the network, whether through a server’s compromised code or a stolen credential from your managed service provider. In this way, they’re similar to a phishing attack that gives an attacker access to an end user’s workstation. What the attacker does with that initial access partly depends on your defenses.

It’s not just about vendor management

To defend against supply-chain attacks, you must first recognize that vendor management alone will not address the issue. SolarWinds and Microsoft serve major multinational corporations around the globe and have already been subjected ad nauseam to sophisticated vendor assessments—none of which detected the issues that led to these incidents. There’s no reason to think that “better” vendor management would have prevented either of these incidents. And most organizations are simply incapable of vetting the software and devices they receive thoroughly enough to identify unknown vulnerabilities or those that attackers design to remain hidden (as the Russian SVR did in the SolarWinds attack).

This isn’t to say that vendor management is not important. It is, for at least two reasons. First, good vendor management will help companies avoid suppliers that fall below a baseline, especially when dealing with those that are smaller and less mature. Second, it’s necessary to avoid civil and regulatory liability under common law and regulations that mandate “reasonable” or “appropriate” security (e.g., federal laws like the FTC Act, various U.S. state laws, and international regulations like the General Data Protection Regulation).

But you must also assume supply-chain attacks will continue despite your best efforts to manage your vendors and the products they provide. You must expect the software and devices you receive will contain vulnerabilities and back doors, and prepare your defenses to find and limit the attackers using them.

Defend against supply-chain attacks like you would any other attack

The good news is you can protect your assets from supply-chain attacks just as you would from any other external (or insider) threat. Recall that a supply-chain attack is simply another way for an attacker to gain initial access to your network. From there, the attacker must still move around the network, access devices, collect data, or run malicious code. With the right controls, you can prevent, detect, or at least limit the attacker’s activities.

But to implement these controls, you first must know what controls you have in place, what controls you’re missing, and how the missing controls expose you to attackers and other risk scenarios. That’s easier said than done, but boils down to three key questions:

  • Who is likely to target us? Recognize that not every attack is a targeted, nation-state attack. Some attacks may come from malicious insiders, and other attackers will opportunistically target any organization that exposes a vulnerable system on the internet, whether caused by a supply-chain attack or something else.
  • What gaps or vulnerabilities exist in our environment? Importantly, this is about not just what vulnerabilities (like those in the supply chain) might allow an attacker in, but also what controls are missing that will hinder your ability to detect, prevent, or limit an attack.
  • Which of these gaps is most likely to impact us (e.g., ransomware, data theft) if we don’t address it? This question is the most important because it allows you to focus your limited resources on the most important areas. It is also, unfortunately, the question missing from many assessments that claim to assess risk. Assessments often miss this final step because it requires deep knowledge of (1) how attackers operate, (2) the vulnerabilities that exist in an organization (whether or not created by the supply chain), and (3) how attackers will exploit those vulnerabilities to create operational, reputational, legal, and regulatory risk. Assessments that merely catalog gaps or rank aggregate maturity on an arbitrary scale miss the point and provide limited value.

With a good assessment in place, you must then constantly evaluate your controls in light of new developments. How has attacker behavior shifted? What new techniques are attackers using? What changes have you made to your environment that expose you to additional risk (e.g., shifting from on-premises servers to cloud environments)? Your organization’s maturity in privacy and information-security governance will determine how well this is done.

Understand and adopt a zero-trust model

But attackers have become too advanced and the problem too widespread for you to stop here. As your organization matures, you will need new tools and mindsets to combat the most aggressive attackers and the coming reality of connected devices and borderless networks. The zero-trust model fills this need. While the zero-trust model is not new, two circumstances have ignited current interest in it. One is the recent supply-chain incidents, in which each affected organization saw a compromised device sitting at the heart of its network. The other is the borderless nature of today’s networks, fueled by the pandemic and the massive shift to remote work it forced, and by the growth of the internet and other “connected” devices. You can no longer defend your network as a walled perimeter, assuming everything outside the wall is bad and everything inside it is good.

Looking past the hype, the zero-trust model simply means that you can’t implicitly trust any device, or trust that users are who they claim to be. Your Exchange server might be good, or it might have four vulnerabilities in it known only to a covert threat actor. Your SolarWinds server might be good, or it might have malicious code developed by the Russian SVR planted in it. That person logging in as Pat from accounting might be Pat, or it might be an attacker using Pat’s credentials who is about to download the company’s entire customer database before launching ransomware. You get the point.

Instead of assuming any activity on your network is good, the zero-trust model asks you to constantly evaluate whether the activity you’re seeing makes sense based on several factors, including: the identity of the user, what the user is doing, the time of day, the user’s past behavior, and other contextual factors. When Pat accesses multiple files for the first time at 2:13 a.m. and begins transferring 3GB of data to an unrecognized IP address, the controls in a zero-trust model recognize this is anomalous and react. Some activity may trigger outright blocks; others may trigger additional risk-based authentication. As an added benefit, the zero-trust mindset helps protect against not only external attackers and supply-chain issues, but also insider threats who may use their privileged access to harm the organization or steal data.

In February 2021, the National Security Agency released guidance on zero-trust architecture that provides additional examples and recommendations for implementing the zero-trust model at different maturity levels. Notably, certain forward-leaning regulators are now also asking about zero-trust models during examinations and inquiries.

No quick solutions

But knowing the solution doesn’t mean these things are easily done. To start, vendor management is a challenging paper chase where suppliers are crushed by a never-ending avalanche of spreadsheets and forms, and buyers have limited options to assess what they’re getting back. Then there’s the shortage of skilled individuals. On the assessment side, there’s a talent shortage of those with the background and experience to assess risk. On the implementation side, you can’t just throw NSA guidance at anyone and expect implementation will be done well. Small and midsize businesses are especially affected by this skills shortage; cloud computing has helped somewhat, with zero-trust options available on major cloud platforms, but they still require skilled personnel to implement properly. Finally, there are organizational challenges. Many of today’s networks developed organically over years or decades. Rapid turnover in technology jobs means those who built critical networks or applications may have left long ago. Significant architectural changes don’t happen overnight—and when they do, they can lead to other problems.

So these are long-term solutions that will take time to implement. But you should still develop plans and take deliberate actions toward implementing them. This will require investment and top-level support. While you are doing this, government action can help. Legislation should encourage organizations to investigate, document, and share information about incidents without fear that those results will be unreasonably used against the organization. This will improve information sharing, which will, in turn, improve assessments and collective defense. And federal legislation should provide a limited liability shield to organizations engaged in interstate commerce that have taken reasonable steps to implement security measures. This will incentivize organizations to take action while ensuring that those clearly falling below the bar may be held accountable.

Never waste a good crisis

The recent supply-chain attacks serve as a good reminder for your organization to consider how it is protecting its network from external and insider threats. A good vendor management program is an important initial step. But it would be a mistake to focus too heavily on supply-chain risks or believe this is only a vendor management issue. A more comprehensive approach is necessary to protect against the cyber threats that are here today and coming tomorrow.

Whether through supply-chain issues or other vulnerabilities, attackers will continue to penetrate networks despite your organization’s best efforts. Knowing this, you can more broadly protect your assets, operations, and reputation by (1) implementing a robust risk assessment process that truly assesses risk across the enterprise and (2) adopting a zero-trust mindset over time that adapts to current threats posed by supply chains, remote work, and connected devices. While these changes won’t be simple or fast, you can build these solutions into your long-term plans. Meanwhile, the government can support organizations with smart policy to promote information sharing and incentivize more rapid adoption of secure architectures.

Authorship Credit: Andreas T. Kaltsounis

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.