Ready for the next threat against digital supply chains?

by Bruce Snell

16 July 2021

Security building

Just as the US was rolling into a long 4th of July weekend, word of a compromise affecting Kaseya’s VSA product hit the wire.

This compromise allowed for the product’s update process to be injected with malicious code, giving attackers full access. What made this particularly dangerous is that VSA is a remote monitoring tool used by managed service providers (MSP) to manage networks and endpoints for their customers. The impact was initially thought to be small, around 50 or so companies.

However, it soon became apparent that because the VSA users were primarily MSPs, the impact had spread downstream to their customers, ultimately affecting around 1500 companies. The Swedish grocery store chain, Coop, was forced to close their 800 locations as the attack shut down the chain’s cash registers. With high profile attacks becoming something of the norm these days, we should look past the individual details of this attack and focus on the bigger issue: increasing attacks against the supply chain.

A man looking at his cash machine

We should look past the individual details of this attack and focus on the bigger issue: increasing attacks against the supply chain

The security arms race

We have seen a number of newsworthy security incidents this year involving ransomware as a service (RaaS) tools. REvil and DarkSide are some of the more publicly known gangs in the RaaS ‘industry’ that have been steadily growing over the past few years. Historically the attackers were more independent and loosely organized, making for a fairly tame game of cat and mouse with the makers of security tools.

With the rise of RaaS, it’s turning into more of an arms race with cybercrime gangs working together to develop new exploits to launch against their potential victims. It’s not enough to simply try to fight these developments by purchasing the latest and greatest security tool. Security must be a process, not a product. Tools should be utilized as part of a larger security infrastructure that considers active threat activity, adaptive policies and quick response. There’s no silver bullet in security, it’s a process that unfortunately many organizations can’t handle on their own. That’s why it’s important to find a solid security consulting partner to fill in the gaps you may be missing.

You are the weakest link, goodbye

Historically, few industries have operated completely on their own. From the farmer relying on the farrier to provide shoes for the horses who pull the plow, to the automotive industry relying on hundreds of OEM suppliers to provide the parts needed to keep cars rolling off the assembly line, the supply chain is an important part of keeping the economy moving forward.

Where in the past, the supply chain was made of interconnected physical components (shipping, logistics, etc.) the modern supply chain also includes the integration of back-end systems to streamline ordering, fulfillment and payment. While it may be difficult (unless you’re the crew from the Fast & Furious franchise) to hijack the physical supply chain, we’re seeing how modern cybercriminals are hijacking the digital supply chain with increasing efficiency and ease.

All it takes is for one weak link in the supply chain for a cybercriminal to get in and extort large sums of money with ransomware. So, in this increasingly interconnected world, how do you ensure your organization remains safe while still being flexible and agile?

Cars at the factory

Supply chains are an important part of keeping the economy moving forward

A security DNA test

Many organizations rely on MSPs to help manage their IT infrastructure. This has become something of a necessity as we see a continued skill shortage in the IT and information security fields. As an organization looking to outsource, it’s important to carefully examine the MSP you’re doing business with. Do they have a robust security program in place? Are they up to date on industry certifications? What tools will they be using to remotely manage your infrastructure and are those tools meticulously maintained and secured? In short, security must be baked into everything the MSP does. It must be part of the DNA of the organization. 

Are your applications secure?

On the other side of the fence, organizations that provide tools and services as part of the supply chain have a responsibility to provide secure applications when connecting to their customers’ infrastructure. As we saw with the Kaseya incident, one small vulnerability can lead to a massive impact down the line.

This is why DevSecOps (short for development, security and operations) is critical to modern business. Security can sometimes be forgotten during the development of applications. It can be a time-consuming part of the development lifecycle, which is why it’s important to integrate application security testing into the development lifecycle. Using tools like NTT Application Security can help integrate static and dynamic application security testing (SAST and DAST respectively) into the development lifecycle, reducing the amount of time required to test for vulnerabilities while still allowing for rapid application development.

Don’t be afraid to lock things down

I’ve noticed a reoccurring pattern during my time in the security field. Organizations bring in a new technology capable of blocking new and unknown attacks, but then put them in ‘alert only’ mode until an attack has taken place, only then enabling blocking for that specific attack.

This happened with network intrusion prevention systems (Network IPS), firewalls (first with traditional firewalls and then again with next generation firewalls) and endpoints. The primary reason for this is a fear of a false positive blocking legitimate business processes.

Business professional in a server room

Fear of a false positive blocking legitimate business processes could be exposing organizations

Over the past decade, the alert fidelity has dramatically increased across the board and many organizations are realizing the cost of not blocking a ransomware attack dramatically outweighs the cost of blocking a false positive. In many ransomware attacks, had the initial infected host been isolated by one of the many excellent endpoint detection and response (EDR) tools available on the market, the victim of the attack could have been spared the pain of network and system shutdowns and potentially millions in ransom.

I recommend organizations of any size to take a hard look at what the impact of a Kaseya like incident would cost them and weigh it against the cost of implementing strong security policies and actively blocking against attacks.

Ransomware is here to stay

If 2021 has shown us anything, it’s that ransomware isn’t going away. The RaaS ‘market’ is not slowing down. Unfortunately, it’s no longer a case of ‘will I be breached’ but one of ‘when and how much will it cost’. However, with the right plan and the right security partner to help you, there is a light at the tunnel

Bruce Snell

Bruce Snell

VP Security Strategy and Transformation, Security Division at NTT Ltd.