Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach reinforces the fragility of not only the software supply chain, but the entire third-party vendor ecosystem. As more information comes to the surface about the true depth and breadth of the breach, it is glaringly clear that this extensive ecosystem of vendors is the gateway for attackers to move laterally from network to network.
Over the last few years, many organisations have improved cyber defences and have succeeded in making themselves increasingly harder targets for adversaries. However, even for these well-defended organisations, the greatest defence weaknesses now lie with their suppliers and partners who are less well protected but with whom they are highly interconnected or upon whom they rely for technology. Among too many partner organisations, cybersecurity is an afterthought at best, despite well-documented threats, making engaging with these organisations a high-risk activity that introduces unpredictable and, therefore, unmanageable cyber risk.
Improving visibility to defend against broader attack techniques
Gaining visibility into supply chain risk is undeniably complex. Business partners normally have limited insight into each other’s network defenses, and minimal ability to understand and mitigate the security risks inherent in these relationships. Industry-standard practices to date involve point-in-time questionnaires and audits that are useful, but which offer limited context about the ongoing state of cybersecurity within partner networks.
Obtaining this context is crucial. However, to circumvent the hardening of their primary targets, hackers attempt to exploit the weaker partner and leverage the trust relationship to “swim upstream” into the better defended, more desirable, target. While we saw a particularly effective approach to exploit the software update process in the SolarWinds hack, it is important to understand that there are a variety of approaches actors can take to infiltrate supply chain operations. An adequate defense needs to protect not only against the specific techniques used in SolarWinds, but should also guard against the broader class of techniques where an organisation can be compromised via their relationship with a poorly defended partner.
Recent research undertaken by BlueVoyant with 1500 CIOs, CISOs and Chief Procurement Officers across six verticals and five countries showed the considerable extent of unmanaged risk in the software supply chain and third-party vendor ecosystems. Overall, the research revealed that globally four in five firms surveyed (80%) had suffered a cybersecurity breach caused by a third-party vendor and the average respondent’s organisation had been breached in this way 2.7 times.
It is nearly impossible to effectively manage third-party risk unless the state of your partners’ defences is clearly understood, both technically and operationally, and that you continually ensure that their cyberdefence posture is sufficient. It is critical that organisations have an in-depth understanding of the cyber risks associated with their supply chain relationships, mitigate those risks to the degree possible, and evaluate net risk versus the business value of the relationship. Put simply, if your organisation is connected to another organisation and you don’t have a clear view into the state of their cyber defence posture, you have accepted an unknown and unnecessary level of risk associated with that organisation.
Having a high level of trust in partners makes you vulnerable
Our research highlights that, on average, organisations are working across a network that encompasses 1409 vendors. Within this network, companies will have several groupings of suppliers and partners that are integral to the business in different ways. For example, groups of suppliers who have access to the IT systems and network, and others who hold confidential information, as well as mission-critical suppliers whose ongoing operation is essential to business continuity. Further, there will be those who have a high level of trust in their business relationship and unwisely allow that trust to be carried over into their network interconnectivity, without establishing an adequate understanding of each other’s defensive position.
While many organisations have added rigor to their cybersecurity operations, many well-resourced and capable organisations have not. SolarWinds is not an isolated instance of a highly successful, but poorly defended, organisation. Cybersecurity is too often not properly resourced and, in some cases, simply not a sufficient priority, even for organisations in the business of building software products. When partnering, organisations should verify before they trust and embed this into their cybersecurity protocol, repeating the verification process at regular intervals.
Our research uncovered that comprehensive reviewing of partner defences is rare. Only 23% of organisations are monitoring all suppliers, meaning 77% had limited visibility, and many only re-assessed their vendors’ cyber risk position annually or less frequently. This means that in the intervening period, organisations are effectively flying blind to risks that could emerge rapidly and unexpectedly in the prevailing cyber threat environment. Also concerning, 29% admitted that they had no way of knowing if an issue arose with a supplier.
Understanding the adversaries’ techniques
To make informed decisions about defensive capabilities, companies must first understand how advanced threat actors approach industrial-scale supply chain operation attacks.
Hacking is a for-profit, international, multi-billion-dollar business undertaken by professionals – generally organised crime and nation-state-funded actors. To be profitable, attackers must be able to assess many possible targets and make decisions about where to focus their resources for maximum impact; both in terms of value and volume. The most valuable intelligence is identifying those organisations that are important (as a potential target) and that have consistent weaknesses in their defences.
As a secondary consideration, attackers look to identify normally well-defended targets who possess unexpected point-in-time vulnerabilities. These lapses are often the window of opportunity a skilled hacker requires to initiate and sustain long-term illegal business operations.
Developing these industrial strength capabilities allows hackers to scale their operations. However, this is technically complex, expensive, and requires sufficient depth of knowledge of offensive operations to build automated vulnerability detection engines. Unfortunately, most advanced cyber actors have the resources and skills to accomplish this and have already done so.
Criminals use sophisticated tools to scan the Internet – and all Internet-facing systems – for vulnerabilities and general system information to collect intelligence that will help them identify vulnerable targets. The efficacy of their vulnerability scanning and network intelligence collection determines their profitability. Threat actors continue to improve their capabilities at an alarming rate.
Here are five key steps that organisations should employ to safeguard their supply chain:
1. Having the right contractual provisions in place from the outset
Historically, organisations have put contractual provisions in place that require the supplier to have good cybersecurity. The contractual provisions are important for enforcement purposes, but may or may not be fully complied with. The requirement of periodic questionnaires is useful, but they are a single point-in-time data collection effort, and the answers can be broadly correct without being comprehensively correct.
Onsite audit rights are again useful, but are limited in terms of the number that can practically be conducted and, again, represent a single point in time. Although these techniques are necessary and valuable, they’re simply no longer sufficient. Today, contracts should stipulate regular monitoring of the supplier’s security posture and should document the procedure for identifying and remediating emerging risks that could compromise security and/or business continuity.
2. Understanding the risks
Typically, organisations focus on partners with a higher dollar value, neglecting to consider that even small partners pose a material risk. Monitoring part of the supply chain, and not all of it, is a recipe for trouble, as it leaves unwatched vulnerabilities at various points across the supply chain. Therefore, organisations should expand assessment, monitoring and reporting programs to cover the long tail of vendors, regardless of their size, and not just critical suppliers. As outlined above, when a hacker looks at suppliers, their priority list differs from that of the target organisation. Where hackers look for easy vulnerabilities and trusted relationships so they can “hide in the forest,” companies tend to prioritise the importance of relationships to the business. Organisations also need to establish agreed-upon risk tolerance thresholds, applying different tolerances to different suppliers, determined by the access they have to data and systems and by their importance to overall operations.
3. Real-time monitoring
In the modern cyber context, auditing the supply chain only once a year makes as little sense as having a Managed Security Service (MSS) that works only once a year, or a company Security Operations Center (SOC) that operates only occasionally. Threat actors are looking for every possible point of entry 24/7. Therefore, organisations must take a proactive defensive posture of rigorous and continuous assessment and monitoring of the supply chain, notifying suppliers when they are insufficiently protected, so that critical vulnerabilities can be detected and remediated before an attack occurs.
4. Operationalise data for improved visibility and maximised value
To improve visibility of their supply chain, organisations should operationalise the data that they already collect, which will provide better and actionable insight to maximise the value of existing resources. This includes automating analysis of the most critical risks (the exceptions that need action versus the raw cyber risk data itself), prioritising and triaging these critical risks in the context of their impact on the organisation and reducing false positive alerts to remove the “noise,” which allows in-house teams to properly focus on analysing critical vulnerabilities.
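The triage logic described in steps 2 and 4 (per-supplier tolerance thresholds set by access rather than contract value, and automated reduction of raw findings to the exceptions that need action) can be sketched in a few dozen lines. The following is an added example, not BlueVoyant's or DVV Solutions' code; the vendor names, tier labels, weights, tolerances and scan findings are all constructed for illustration, and the "exposed RDP" and "expired certificate" issue labels are placeholders rather than output of any real scanner.

```python
"""Triage of third-party risk findings by supplier access tier.

Added example (not BlueVoyant or DVV Solutions code). Vendor names,
tiers, thresholds and findings below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed tier taxonomy: how much of our estate a supplier can reach.
# Weights scale raw severity into business impact.
TIER_WEIGHT = {"critical": 4, "network": 3, "data": 2, "standard": 1}

# Per-tier tolerance (assumption): a finding below this severity is logged,
# not escalated. A supplier with network access gets far less slack than a
# commodity vendor, which is the point of step 2.
TOLERANCE = {"critical": 4.0, "network": 5.0, "data": 6.0, "standard": 8.0}


@dataclass(frozen=True)
class Vendor:
    name: str
    tier: str  # one of the keys in TIER_WEIGHT


@dataclass(frozen=True)
class Finding:
    vendor: str
    issue: str        # stable identifier for the weakness (constructed labels)
    severity: float   # 0-10 scale, CVSS-like
    observed_at: str  # ISO date of the scan that reported it


# Constructed supplier inventory, including a small "long tail" vendor.
VENDORS = {v.name: v for v in [
    Vendor("payroll-saas", "data"),
    Vendor("msp-remote-admin", "network"),
    Vendor("office-supplies", "standard"),
]}

# Constructed raw feed: daily scans re-report the same issue, which is the
# "noise" step 4 wants removed before an analyst sees it.
RAW_FINDINGS = [
    Finding("msp-remote-admin", "rdp-exposed", 7.5, "2021-01-10"),
    Finding("msp-remote-admin", "rdp-exposed", 7.5, "2021-01-11"),
    Finding("msp-remote-admin", "tls-1.0-enabled", 4.2, "2021-01-11"),
    Finding("payroll-saas", "expired-cert", 6.5, "2021-01-11"),
    Finding("office-supplies", "expired-cert", 6.5, "2021-01-11"),
    Finding("office-supplies", "rdp-exposed", 7.5, "2021-01-11"),
]


def dedupe(findings):
    """Collapse repeated reports of the same vendor+issue, keeping the latest."""
    latest = {}
    for f in findings:
        key = (f.vendor, f.issue)
        if key not in latest or f.observed_at > latest[key].observed_at:
            latest[key] = f
    return list(latest.values())


def impact(finding, vendors):
    """Severity scaled by what the supplier can reach, not by contract value."""
    return finding.severity * TIER_WEIGHT[vendors[finding.vendor].tier]


def triage(findings, vendors, tolerance=TOLERANCE):
    """Return only findings that breach their vendor's tolerance, highest impact first."""
    exceptions = []
    for f in dedupe(findings):
        tier = vendors[f.vendor].tier
        if f.severity >= tolerance[tier]:
            exceptions.append((impact(f, vendors), f))
    # Deterministic order: impact descending, then vendor and issue for ties.
    exceptions.sort(key=lambda pair: (-pair[0], pair[1].vendor, pair[1].issue))
    return [f for _, f in exceptions]


if __name__ == "__main__":
    for f in triage(RAW_FINDINGS, VENDORS):
        print(f"{impact(f, VENDORS):5.1f}  {f.vendor:18} {f.issue}")
```

Run as written, the six raw findings collapse to five distinct issues and only two become exceptions: the managed service provider's exposed RDP (impact 22.5) and the payroll provider's expired certificate (13.0). The identical RDP finding at the stationery supplier is still recorded, because the long tail is monitored too, but it sits below that vendor's tolerance because the vendor has no network or data access. In a real programme the tiers would come from the contractual and data-access review in step 1, and the tolerances would be the agreed thresholds from step 2.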
5. Resources to remediate supply chain vulnerabilities
While it is a prerequisite for effective cyber defence to have the data on the cyber health and vulnerability status of your supply chain, that alone is not sufficient. Organisations must also have the personnel and expertise to curate findings for priority and accuracy, to follow up with vulnerable supply chain participants to ensure remediations are implemented, and to continuously monitor both the overall portfolio and individual suppliers. Typically this requires substantial internal staffing; alternatively, part or all of the function can be outsourced to DVV Solutions and BlueVoyant. We provide comprehensive supply chain cyber risk identification, prioritisation and remediation services.
The SolarWinds attack, along with a number of other well-publicised breaches, has been driven by nation-state-sponsored activity, foreshadowing near-term and ongoing criminal syndicate attacks. Cyber criminals already have the ransomware capabilities to wreak long-term havoc on an organisation’s network. Their next target is the supply chain, making end-to-end monitoring of your entire supply chain a critical strategic imperative.
You’re Only As Strong As Your Weakest Link
There’s never been a more vital time to ensure the resilience of your organisation and the supply chain you rely on. DVV Solutions are here to help with a range of managed services and solutions proven to improve your ability to assess, analyse and manage more supply chain and third-party cybersecurity domains.
For more information on enhancing your supply chain transparency:
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our Contact Form, or
Learn more about What We Do
This article was originally published by BlueVoyant and is shared with their kind permission.