Steps to consider to better protect against supply chain and linked incidents.
In many ways, we live in the era of the ‘cybersecurity event’. Hackers have noted the impact that targeting a single link in a software supply chain, like a software vendor, can have and, as such, we’re seeing an uptick in attacks on third parties that claim thousands of organisations as secondary victims.
In 2023, the MOVEit attack, for example, is thought to have impacted over 2611 organisations and between 85 and 89 million individuals worldwide. This attack exploited a zero-day vulnerability that allowed hackers to inject SQL commands and access the databases of the managed file transfer software product’s customers.
If 2023 was marked by MOVEit, this year, so far, is surely marked by the Snowflake breach. Whilst the exact scope of impact that the Snowflake breach has had is currently unknown, high profile victims include Ticketmaster, Santander Bank and, most recently, AT&T.
Snowflake attributes the recent breach to a ‘credential stuffing’ attack, which involves using previously stolen login credentials to access user accounts. With the full scope of impact unknown, what can organisations do if they think they may be affected?
Securing the Supply Chain
Secondary breaches are a worry for all organisations that employ third parties, and essentially all organisations do employ third parties in this day and age. However, more than ever, organisations are relying on the security practices of the vendors they work with to keep them and their data safe.
Recent research found that many organisations rely on application security vendors to stay informed about new software vulnerabilities, owing to the increase in reported vulnerabilities and an inability to keep up with prioritising them. This is especially true of cloud vendors like Snowflake. Often, the security of these third parties goes unchecked and unmanaged by vendors.
One thing is clear: securing just your own immediate environment is insufficient protection in the interconnected cloud systems that many of our networks are now built on. A holistic approach to the entire security supply chain, as well as broader partner networks, is key. So, where should organisations start?
Implement MFA
The Snowflake incident underscores the critical need for multi-factor authentication (MFA) to help mitigate similar risks, especially on accounts that have access to vast amounts of sensitive customer information. MFA makes it harder for cybercriminals to gain instant access to an account using stolen credentials, as it requires a second step of authentication for access. A suspicious access alert should be enough to raise concerns among security teams, thus stopping an attacker from gaining access.
Ultimately, MFA makes it harder – and often less worthwhile – for cybercriminals to gain access to an account. Access to sensitive data should be protected by robust authenticators. While text messages or an authenticator app that generates a time-based one-time password (TOTP) are better than having no MFA configured at all, upgrading systems so that they rely on open standards like FIDO2 can help ensure that organisations are protected from known attacks.
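The difference between a TOTP code and a FIDO2 credential is visible in what the server actually checks. The following is an added example, not code from the article or from Synopsys: a toy relying party (the verifying side) in Python, with HMAC over a per-credential secret standing in for real WebAuthn signatures. The origins portal.example and portal-example.test, the user alice and all secrets are constructed values. The TOTP verifier has no notion of origin, so a valid six-digit code is accepted wherever the user was induced to type it; the FIDO2-style verifier rejects an assertion whose recorded origin is not its own, and rejects a replayed assertion because each challenge is single use.

```python
"""Added example (not the article's own code): a toy relying-party verifier
contrasting a TOTP code with a FIDO2-style origin-bound assertion.

Everything is a simplified model: the "authenticator" signs with HMAC over a
per-credential secret (standing in for a real WebAuthn key pair), and the
origins, user names and secrets are constructed sample values."""
import hashlib
import hmac
import json
import secrets
import struct
import time


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): a code is a function of the
    secret and the clock only; nothing ties it to the site it is typed into."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int) -> bool:
    return hmac.compare_digest(totp(secret, at), code)


def authenticator_sign(cred_secret: bytes, challenge: bytes, browser_origin: str):
    """The signed client data includes the origin the browser observed; the
    user cannot type a different one."""
    client_data = {"type": "webauthn.get", "challenge": challenge.hex(),
                   "origin": browser_origin}
    msg = json.dumps(client_data, sort_keys=True).encode()
    return client_data, hmac.new(cred_secret, msg, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}   # credential id -> (user, secret)
        self.challenges = {}    # user -> outstanding challenge

    def register(self, user: str, cred_secret: bytes) -> str:
        cred_id = secrets.token_hex(8)
        self.credentials[cred_id] = (user, cred_secret)
        return cred_id

    def new_challenge(self, user: str) -> bytes:
        self.challenges[user] = secrets.token_bytes(32)
        return self.challenges[user]

    def verify_assertion(self, cred_id: str, client_data: dict, signature: bytes) -> bool:
        """Accept only a fresh challenge, signed by a registered credential,
        whose recorded origin is this relying party's own origin."""
        if cred_id not in self.credentials:
            return False
        user, secret = self.credentials[cred_id]
        expected = self.challenges.pop(user, None)   # single use
        if expected is None or client_data.get("challenge") != expected.hex():
            return False
        if client_data.get("origin") != self.origin:
            return False
        msg = json.dumps(client_data, sort_keys=True).encode()
        return hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), signature)


def demo(now=None) -> dict:
    """Exercise both factors: a TOTP code, and assertions made on the real
    origin and on a look-alike origin (constructed host names)."""
    now = int(time.time()) if now is None else now
    totp_secret = b"constructed-totp-seed"
    rp = RelyingParty("https://portal.example")
    cred_secret = b"constructed-credential-secret"
    cred_id = rp.register("alice", cred_secret)

    cd, sig = authenticator_sign(cred_secret, rp.new_challenge("alice"), "https://portal.example")
    genuine = rp.verify_assertion(cred_id, cd, sig)

    cd2, sig2 = authenticator_sign(cred_secret, rp.new_challenge("alice"), "https://portal-example.test")
    lookalike = rp.verify_assertion(cred_id, cd2, sig2)

    return {
        "totp_valid_without_any_origin_check": verify_totp(totp_secret, totp(totp_secret, now), now),
        "fido_accepted_on_real_origin": genuine,
        "fido_accepted_from_lookalike_origin": lookalike,
        "fido_replay_of_used_assertion": rp.verify_assertion(cred_id, cd, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The origin check is the whole point: the relying party never compares the origin a user claims, only the one the browser wrote into the signed client data, which is why a credential registered for one origin cannot be exercised from another.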
Refresh Attitudes to Password Hygiene
With so many accounts to manage and passwords to remember, password best practices often slip. Credential stuffing attacks have the potential to impact several of a single individual’s accounts if they reuse the same password. This is especially worrying if that individual has access to accounts that hold admin rights and manage sensitive data.
Organisations should consider password complexity and management tools when it comes to creating and remembering strong passwords. Additionally, changing compromised passwords in light of a supply chain breach is a crucial first step to securing an account and mitigating risk.
However, changing passwords as a matter of policy often leads to fatigue, which leads to weak or reused passwords. Encourage users to set up a unique passphrase that’s sufficiently long and complex, then only force them to change the password when a compromise is known to have occurred.
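The advice in this section translates directly into policy checks. The following Python is an added example, not the article's or Synopsys' own code: it enforces a minimum passphrase length, rejects any password found in a compromised-password corpus (looked up by hash prefix, the same pattern range-query breach APIs use), and queues a rotation only for accounts named in a breach notice whose password has not been changed since. The breach corpus, the account records, the 15-character threshold and all function names are constructed assumptions for this example.

```python
"""Added example (not the article's own code): a password policy that follows
the advice above - long passphrases, rejection of passwords already seen in a
breach, and rotation only when a compromise is known. The breach corpus, the
accounts and the threshold are constructed; function names are hypothetical."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MIN_PASSPHRASE_LENGTH = 15   # assumed policy threshold for this example

# Constructed stand-in for a compromised-password corpus. It holds SHA-1
# digests (upper-case hex) rather than plaintexts, the form such corpora are
# commonly distributed in, so the plaintexts never sit next to the policy code.
_BREACHED_PLAINTEXTS = ["Password123", "Summer2024!", "correcthorsebatterystaple"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PLAINTEXTS}


def is_known_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """Look up by hash prefix first (the first 5 hex characters), then confirm
    the full digest, the same pattern a range-query breach API uses so that
    the full hash never has to leave the caller."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    candidates = {h for h in corpus if h.startswith(digest[:5])}
    return digest in candidates


def evaluate_new_password(password: str) -> List[str]:
    """Return the policy violations for a proposed password (empty = accepted)."""
    problems = []
    if len(password) < MIN_PASSPHRASE_LENGTH:
        problems.append(f"shorter than {MIN_PASSPHRASE_LENGTH} characters")
    if is_known_breached(password):
        problems.append("appears in a known breach corpus")
    return problems


@dataclass
class Account:
    user: str
    password_set_on: date
    compromised_on: Optional[date] = None   # filled in from a breach notice naming this account


def needs_rotation(acct: Account) -> bool:
    """Rotate on known compromise, not on calendar age: an account whose
    password was set after the compromise date has already been dealt with."""
    return acct.compromised_on is not None and acct.compromised_on >= acct.password_set_on


def rotation_queue(accounts: List[Account]) -> List[str]:
    return [a.user for a in accounts if needs_rotation(a)]


# Constructed sample accounts
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 1, 10)),                                  # old, no known compromise: leave it
    Account("bob", date(2024, 3, 2), compromised_on=date(2024, 6, 1)),    # named in a vendor breach notice
    Account("carol", date(2024, 6, 5), compromised_on=date(2024, 6, 1)),  # already changed after the notice
]

if __name__ == "__main__":
    for candidate in ["Summer2024!", "correcthorsebatterystaple", "lantern-river-quiet-forty-two"]:
        print(candidate, "->", evaluate_new_password(candidate) or "accepted")
    print("rotate now:", rotation_queue(SAMPLE_ACCOUNTS))
```

Note that a long passphrase is not enough on its own: the 25-character sample that is already in the corpus is still rejected, while alice's old-but-uncompromised password is left alone rather than forced through a calendar rotation.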
Privileged Access Management and Identity and Access Management
Another way that organisations can reduce the risk of impact when it comes to supply chain attacks is by evaluating the risk of privileged access. IT and security teams should audit who has and needs access to various databases and tools. This includes third party vendor access too. Ensure that all systems and users are adhering to the principle of least privilege.
In a similar vein, it is important that security teams thoroughly vet any third parties that they work with to mitigate any excess risk. Organisations must view the security of all vendors they work with as an extension of their own team and, in turn, an extension of their own attack surfaces.
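The audit described above can be expressed as a small program over an access inventory. The following Python is an added example, not code from the article or from Synopsys: it takes a list of grants (including third-party vendor accounts), identifies which hold privileged roles, which of those belong to third parties, and which grants are unused, expired or carry no recorded justification, then names the grants to revoke first. The role names, the 90-day unused threshold, the inventory rows and the function names are all constructed assumptions.

```python
"""Added example (not the article's own code): a least-privilege audit over an
access inventory, answering the questions the text raises: who holds privileged
access, which of those are third-party accounts, and which grants are unused,
expired or unjustified. Role names, thresholds and the inventory rows are
constructed for this example; function names are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN", "DB_OWNER"}   # assumed names
UNUSED_AFTER_DAYS = 90                                            # assumed threshold


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    resource: str
    is_third_party: bool
    last_used: Optional[date]      # None: never used
    expires: Optional[date]        # None: standing access
    justification: str = ""


def audit(grants: List[Grant], today: date) -> Dict[str, List[Grant]]:
    """Bucket grants by the review question they fail."""
    findings: Dict[str, List[Grant]] = {k: [] for k in
        ("privileged", "third_party_privileged", "no_justification", "unused", "expired")}
    cutoff = today - timedelta(days=UNUSED_AFTER_DAYS)
    for g in grants:
        if g.role in PRIVILEGED_ROLES:
            findings["privileged"].append(g)
            if g.is_third_party:
                findings["third_party_privileged"].append(g)
            if not g.justification:
                findings["no_justification"].append(g)
        if g.last_used is None or g.last_used < cutoff:
            findings["unused"].append(g)
        if g.expires is not None and g.expires < today:
            findings["expired"].append(g)
    return findings


def revocation_candidates(findings: Dict[str, List[Grant]]) -> Set[Tuple[str, str]]:
    """Expired grants, and privileged grants that are unused or unjustified,
    are the ones to remove first."""
    out = {(g.principal, g.role) for g in findings["expired"]}
    priv = set(findings["privileged"])
    for g in findings["unused"] + findings["no_justification"]:
        if g in priv:
            out.add((g.principal, g.role))
    return out


# Constructed inventory; 'today' is fixed so the result is reproducible.
TODAY = date(2024, 7, 1)
SAMPLE_GRANTS = [
    Grant("alice", "ACCOUNTADMIN", "prod_warehouse", False, date(2024, 6, 28), None, "platform owner"),
    Grant("bob", "ANALYST", "marketing_db", False, date(2024, 2, 1), None),
    Grant("vendor_svc", "DB_OWNER", "prod_warehouse", True, None, date(2024, 5, 31)),
    Grant("vendor_support", "READER", "support_db", True, date(2024, 6, 20), date(2024, 12, 31), "support contract"),
    Grant("dave", "SECURITYADMIN", "prod_warehouse", False, date(2024, 1, 15), None),
]

if __name__ == "__main__":
    f = audit(SAMPLE_GRANTS, TODAY)
    for key, rows in f.items():
        print(f"{key}: {[r.principal for r in rows]}")
    print("revoke first:", sorted(revocation_candidates(f)))
```

The vendor service account shows why third-party access needs the same review as internal accounts: it holds an owner role on the production warehouse, has never been used, its contract window has passed, and nobody recorded why it was granted.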
Monitor for Threats Continuously
So much of cybersecurity protection involves proactivity. It is also important that organisations do not passively wait and see if they are the next victim. When news of a breach is first flagged, it’s imperative for organisations to act on the information they’ve received, whether that’s immediately changing credentials, scanning for threats, or patching systems with critical updates.
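"Scanning for threats" after a breach notice includes looking for the credential stuffing pattern the article describes: one source trying previously stolen credentials across many accounts. The following Python is an added example, not code from the article or from Synopsys: it parses a handful of constructed login events, flags any source address that failed against many distinct user names within a short window, and reports whether that address then logged in successfully and whether an MFA step was cleared. The log format, the sample addresses (from documentation ranges), the thresholds and the function names are assumptions for this example.

```python
"""Added example (not the article's own code): detection logic for the
credential stuffing pattern described above, run over constructed sample
login events. The log format, thresholds and addresses are assumptions for
this example; function names are hypothetical.

Two signals are combined: one source address failing against many distinct
user names in a short window, followed by a success from that same address,
which matters most when no MFA step was cleared."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: "<utc time> <source ip> <user> <FAIL|SUCCESS> <mfa method>"
SAMPLE_EVENTS = """\
2024-06-01T10:00:01Z 203.0.113.7 alice FAIL none
2024-06-01T10:00:02Z 203.0.113.7 bob FAIL none
2024-06-01T10:00:02Z 203.0.113.7 carol FAIL none
2024-06-01T10:00:03Z 203.0.113.7 dave FAIL none
2024-06-01T10:00:03Z 203.0.113.7 erin FAIL none
2024-06-01T10:00:04Z 203.0.113.7 frank FAIL none
2024-06-01T10:00:05Z 203.0.113.7 grace SUCCESS none
2024-06-01T10:05:00Z 198.51.100.4 alice FAIL none
2024-06-01T10:05:30Z 198.51.100.4 alice SUCCESS totp
2024-06-01T11:00:00Z 192.0.2.9 heidi SUCCESS fido2
"""


def parse_events(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome, mfa = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "outcome": outcome, "mfa": mfa})
    return events


def detect_credential_stuffing(events: List[Dict], window: timedelta = timedelta(minutes=10),
                               min_distinct_users: int = 5) -> List[Dict]:
    """One finding per source address that failed against at least
    `min_distinct_users` distinct accounts within `window`. A single user
    failing repeatedly (a forgotten password) does not trip this rule."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["outcome"] == "FAIL"]
        for i, start in enumerate(fails):                       # sliding window over failures
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) < min_distinct_users:
                continue
            successes = [e for e in evs if e["outcome"] == "SUCCESS" and e["ts"] >= start["ts"]]
            findings.append({
                "ip": ip,
                "window_start": start["ts"].isoformat(),
                "distinct_users_failed": len(users),
                "successes": [(e["user"], e["mfa"]) for e in successes],
                "success_without_mfa": any(e["mfa"] == "none" for e in successes),
            })
            break
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(parse_events(SAMPLE_EVENTS)):
        print(f)
```

The second address in the sample, which fails once and then succeeds for the same user with a TOTP step, is deliberately left unflagged: keying on distinct user names rather than raw failure counts keeps the rule from firing on ordinary typos, and the "success_without_mfa" field is what turns a noisy finding into one that warrants immediately changing credentials.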
Trusting Third Parties, Securely
It’s important that organisations do not shy away from using third party data storage providers in the wake of cybersecurity events such as the Snowflake breach. Rolling your own data storage comes with its own risks too.
Instead, organisations should proactively implement tools that mitigate excess risk posed by third party organisations. By implementing strong authentication mechanisms, like MFA, considering enhanced access requirements, and thoroughly vetting any third-party vendors and partners, organisations can significantly reduce their vulnerability to this and similar attacks.
Written by
John Tapp
Associate Principal Security Consultant at the Synopsys Software Integrity Group