Kaseya Attack Is a Reminder of How Your Supply Chain Partner Can Undermine Your Cybersecurity

essidsolutions

Supply chain attacks continue with the ransomware attack against Kaseya. Between 1,000 and 1,500 Kaseya direct and indirect customers were exposed to the attack, and the total ransom requested was $70 million. Similarly, the cyberattack on SolarWinds and the cyber breaches caused by vulnerabilities in the Microsoft Exchange server are some of the other recent examples of how far-reaching the impact of a supply chain attack can be. 

I recently wrote that all organizations are responsible for protecting themselves from supply chain attacks, but what is required is due diligence and due care by upstream vendors.

The Kaseya Attack

Around July 2, REvil ransomware gang infected Kaseya’s virtual systems/server administrator (VSA), a product used by managed IT service providers and organizations to manage and roll out software updates to systems on computer networks. 

It is believed that REvil had exploited a VSA authentication bypass vulnerability to upload the malware. Threat actors used this compromise to push a fake and malicious automated software update to VSA installs. This was a zero-day attack.

Figure 1 shows how Kaseya resides at the top of a software supply chain. Because of this, Kaseya reported that about 50 of its direct customers were compromised as the REvil attack moved downstream. Around 40 of those customers were IT service providers using the Kaseya services. This condition allowed the attack to move further downstream to up to 1,500 organizations.

Figure 1: Kaseya Attack Downstream Infection


Supply Chain Attacks

The Kaseya attack is an excellent example of a supply chain attack. There is no evidence that REvil understood the downstream impact, but that does not matter. What matters is that this is a common consequence of infections in supply chain links.

In addition to ransomware disruptions, other supply chain security challenges include 

  • Theft of intellectual property or trade secrets
  • Business continuity events
  • Counterfeit components (hardware, software, firmware) inserted at one of the supply chain links
  • Other types of malware attacks

In the Kaseya attack, Kaseya responded quickly, so the impact was relatively small given the number of organizations affected. However, this is not always the case. Figure 2 shows how one or more insertions of malware can infect one or more implicit trust zones. Once this happens, significant damage to the organization is possible. In this example, a software developer used a software module that a threat actor had infected.

Figure 2: Trust Zone Infection

In a previous article and the video on Supply Chain Risk Management, I described the steps organizations should take to protect themselves from supply chain threats. The steps include ensuring that upstream links in the chain provide transparency into their security efforts so that supply chain risk can be managed properly. The article covers what to look for in upstream entities during supply chain risk assessments.


Mitigate Upstream Supply Chain Risk

When a service or product supplier conducts a risk assessment, it should use a security best practices framework that addresses supply chain security. Frameworks used for supply chain risk assessments include

These are both good frameworks, and there are others. Each link in a supply chain should provide a third-party certification or attestation of compliance with an accepted framework.

As of 2020, the Association of Certified Public Accountants (AICPA) created guidelines for supply chain audits, called the SOC for Supply Chain. The SOC (System and Organization Control) report is not a certification. It is an attestation by a third-party auditing firm that a service or product provider is implementing and managing security controls as expected.

In 2017 (updated in 2020), the AICPA released its guidelines for performing security attestations. The document provides guidance for auditing organizations that supply products and services.

SOC audits use a set of Trust Services Criteria (TSA) directly based on the COSO framework. The TSA includes auditing for full management support and engagement in an organization’s security efforts. 

The TSA guides the auditing of

  • Security: Are access to and protection of data and systems checked throughout their life cycles?
  • Availability: Does the audited entity take steps to ensure the continued operation of critical business functions?
  • Processing Integrity: Does system processing result in completeness, validity, accuracy, timeliness, and authorization?
  • Confidentiality: Is data adequately classified and protected according to those classifications?
  • Privacy: Is customer privacy protected?

The COSO framework defines security objectives; it does not detail how to achieve them. It is up to the audited entity to demonstrate satisfactory compliance with each TSA criterion. A SOC for Supply Chain audit should also test the effectiveness of an organization's security efforts, not only the existence of controls.

Regardless of how a customer organization assesses supplier risk, each recipient of technical products and services should have documented expectations about how their suppliers should protect what they distribute. One approach is to ensure a zero-trust environment exists at both the supplier locations and on-premises. Here are some guidelines for achieving this.

Finally, each node in the supply chain must demonstrate that it requires transparency and verification of security efforts by all direct upstream suppliers. Safe supply chain exchanges require that every link ensures that all of its supply chain links include reasonable and appropriate prevention, detection, and response controls.

If a supplier refuses to provide third-party security audit summaries, a customer organization should find another supplier. If a critical supplier refuses, customer organizations should have the ability to perform an audit or engage a third-party auditor. When this is not possible, the supplier network and its output should be considered hostile.


Final Thoughts

Every supplier must take steps to ensure safe operation, production, and distribution: both upstream and internally. However, no control set is perfect. All organizations in the supply chain should implement zero-trust production and service environments. They should also ensure transparency in their effectiveness. 

Securing the supply chain requires a concerted effort by all organizations. Suppliers must understand that there are adverse financial consequences for lack of due care and reasonable transparency into security efforts.

Do you think the supply chain is one of the weakest links in any organisation's cybersecurity efforts? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!