By Marc Gaffan, CEO of IONIX
The digital supply chain is in the attackers crosshairs, and CISA is worried. In mid-June, they issued a Binding Operational Directive, “a compulsory order to the federal, executive branch, departments, and agencies to safeguard federal information and information systems.” CISA is especially concerned about devices that connect to the internet. The order covers routers, switches, firewalls, VPN, load balancers, and out-of-band server management interfaces. It also covers remote management tools, like SolarWinds.
The fragility of the digital supply chain came into focus in 2020 with the SolarWinds hack. Russian attackers compromised a software update impacting 18,000 organizations, including the US Departments of Health, Treasury, and State.
A threat actor set on penetrating your organization doesn’t care whether they’re attacking your internet-facing asset directly or exploiting a vulnerability from a third-party digital service that provides a toehold into your environment (e.g., a takeover of a dangling Azure blob called by an app referenced in a script on your website).
CISA’s directive recognizes that the increasingly interwoven nature of the digital supply chain demands a radically different approach to threat protection. It must identify the sprawling network of dependencies on the same level as an organization’s other assets – and separate signal from noise.
Perhaps proving CISA’s point, another cybersecurity story has dominated the month of June. Progress Software’s popular managed file transfer solution MOVEit has suffered three separate SQL injection vulnerabilities in less than a month.
Enterprises increasingly rely on third-party web services, vendors, and platforms to accelerate growth, scale operations, and increase efficiencies. What they are also doing is expanding their attack surface. A partner’s security problems quickly become yours in a connected digital supply chain. MOVEit is just the latest example of how one impacted organization can lead to problems for hundreds of others. In less than a month, the third SQL injection vulnerability shows how these services are frequently targeted and often fragile.
Attack Surface Discovery
Digital connections, like data, grow and change daily. These connections include IP addresses, cloud infrastructure, SaaS applications, and managed platforms (like MOVEit).
According to a recent ESG survey, manual processes for attack surface discovery can take over 80 hours to complete, making them impractical and inefficient in the face of the scale and dynamism of modern digital landscapes. Leveraging automation is the only way to get a handle on an organization’s attack surface.
The tasks that are automated run the gamut, from incredibly dynamic to mundane. Of course, AI and ML are a big part of it. Advanced AI algorithms and machine learning models can uncover all domains, subdomains, and IP addresses related to a network or system. Their reach extends to indexing the internet and public cloud platforms to identify and attribute all domains, IP blocks, and cloud infrastructure. They overlay continuous mapping across Web, Domain Name System (DNS), Cloud, Software-as-a-Service (SaaS), and On-Premises. They even help monitor domain registrars and global certificates.
Risk assessment
Automation is at the heart of assessment as well as discovery. Discovered assets are evaluated against specific categories, including Cloud, PKI, Web, DNS – automated at scale across the entire environment.
By evaluating assets and connections automatically, security teams can identify risky connection vulnerabilities – external risks due to being connected to 3rd party web services, external dependencies that impact security posture, and DNS chains.
Alert fatigue is a real problem. An assessment of risk has to provide context and focus on the most critical, impactful threats. Any vulnerabilities discovered within the supply chain must account for in calculating the risks they pose to the first-party assets that connect to them. Any attack surface solution should derive from these vulnerability assessments a prioritized risk score for the organization and each asset, with clear steps to remediate the vulnerabilities and eliminate the risks.
A risk assessment should dynamically prioritize threats based on the potential damage to the business. These factors include sensitive data access, business context, brand reputation, and dependencies’ operational impact.
Mitigation
As is always the case, a strategy for securing the attack surface requires a combination of technology and human processes. The technology will be used primarily for collecting and synthesizing information, while the processes will focus on enabling humans to be preemptive or remediate action.
No enterprise trusts its cybersecurity vendor to automate threat mitigation fully. What matters at this point in the process is having the context and clarity required to make decisions and act. You can’t ask or expect a SOC team to adopt your processes and procedures; you must integrate them into theirs. Intelligent workflows align remediation tasks with the way security operations work, so they spend less time routing tickets and more time resolving critical risks.
Conclusion
Cybersecurity teams are under intense pressure to get control over their digital supply chain. The challenge is enormous. Teams are being asked to identify and secure assets they have no control over. These assets belong to partners, and their partners. Before teams can develop and enforce policies and practices around their digital supply chain they need to find the right tools to support them.
