Supply chain attacks target the weakest spot in almost every enterprise's security program: third-party access.
The SolarWinds hack was a classic supply chain attack. The attackers compromised the vendor and shipped a trojanized update of its Orion product to downstream customers, then moved through each victim's extended enterprise of customers, suppliers, vendors and other third parties to gain unauthorized access to on-premises and cloud systems.
The hack was unprecedented in scale: it turned a widely deployed IT monitoring product into a malware delivery system and, through privilege escalation, forged access tokens and other changes that went undetected, provided unauthorized access to sensitive data for at least nine months.
Minimize supply chain cyberattacks
How can your organization protect itself from a data breach through affected third parties in your supply or value chain? Beyond basics such as enforcing least privilege for third-party users and forcing administrative password resets on first use (to avoid "username: admin, password: admin" scenarios), below are four effective ways your organization can mitigate access-related third-party risk.
1. Provide an identity to everything that connects to your enterprise: people, systems and things. Doing so establishes an inventory of all third-party entities and of the systems and data each is permitted to access, a fundamental component of third-party risk management. Then build controls that mitigate the risk of unauthorized or inappropriate access, using technologies such as role- or attribute-based access control, automated identity lifecycle management, policy-based authentication and authorization, and multi-factor authentication (MFA).
2. Use identity broker technology to verify credentials and enrich authentication requirements. According to the DHS's Cybersecurity and Infrastructure Security Agency (CISA), the SolarWinds Orion intrusion included forged SAML tokens that granted unauthorized access to enterprise resources without detection.
In the SolarWinds case the tokens were signed with a stolen token-signing key, so signature validation alone accepted them; what can give such a token away is its content. Advanced cloud identity brokers can reject forged tokens by analyzing and verifying the attributes in the token against local or remote data stores: user credentials, device reputation, impossible-travel scenarios and others. Based on the result, the request may be rejected, passed as is, or re-issued as an enriched token that invokes strong or multi-factor authentication for greater assurance.
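As an added illustration (example code written for this page, not any broker vendor's product or API), the following Python sketches the content checks such a broker can apply once the assertion's XML signature has verified. The assertion is represented as a dict of already-parsed attributes; the directory, the IdP's issuance log and the last-seen-location store are in-memory stand-ins filled with constructed sample data; the issuer, audience and user names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Hypothetical federation parties and tuning values (constructed for this example).
TRUSTED_ISSUER = "https://idp.example.com/saml"
EXPECTED_AUDIENCE = "https://app.example.com/sp"
MAX_PLAUSIBLE_SPEED_KMH = 900.0          # roughly airliner cruising speed
CLOCK_SKEW = timedelta(minutes=5)
CONTRACTOR = "contractor@vendor.example"
OPS_ADMIN = "ops-admin@vendor.example"
REJECT, PASS, STEP_UP = "reject", "pass", "step_up"


@dataclass
class BrokerStores:
    """In-memory stand-ins for the directory, the IdP issuance log and logon history."""
    users: dict            # subject -> {"enabled", "groups", "privileged"}
    idp_issued: set        # assertion IDs the IdP actually logged as issued
    last_seen: dict        # subject -> (datetime, lat, lon) of last accepted logon
    consumed: set = field(default_factory=set)   # assertion IDs already accepted


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate_assertion(assertion, stores, now):
    """Return (decision, reasons): hard failures reject, soft signals demand MFA step-up."""
    hard, soft = [], []
    subject = assertion["subject"]
    # Envelope: issuer, audience and validity window (with skew tolerance).
    if assertion["issuer"] != TRUSTED_ISSUER:
        hard.append("untrusted issuer")
    if EXPECTED_AUDIENCE not in assertion["audiences"]:
        hard.append("audience mismatch")
    if not (assertion["not_before"] - CLOCK_SKEW <= now < assertion["not_on_or_after"] + CLOCK_SKEW):
        hard.append("outside validity window")
    # Replay: an assertion ID is accepted at most once.
    if assertion["id"] in stores.consumed:
        hard.append("assertion replayed")
    # Issuance cross-check: a forged assertion carries a valid signature made with the
    # stolen signing key, but the IdP has no record of ever issuing that assertion ID.
    if assertion["id"] not in stores.idp_issued:
        hard.append("no IdP issuance record for assertion id")
    # Subject and attribute consistency against the local directory.
    user = stores.users.get(subject)
    if user is None or not user["enabled"]:
        hard.append("unknown or disabled subject")
    else:
        extra = set(assertion["groups"]) - user["groups"]
        if extra:
            hard.append("token claims groups not in directory: %s" % sorted(extra))
        if user["privileged"]:
            soft.append("privileged subject")
    # Impossible travel: distance from the last accepted logon versus elapsed time.
    prev = stores.last_seen.get(subject)
    if prev is not None:
        prev_time, plat, plon = prev
        hours = max((now - prev_time).total_seconds() / 3600.0, 1e-6)
        km = haversine_km(plat, plon, assertion["lat"], assertion["lon"])
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            soft.append("impossible travel: %.0f km in %.2f h" % (km, hours))
    if hard:
        return REJECT, hard
    stores.consumed.add(assertion["id"])          # consumed whether passed or stepped up
    if soft:
        return STEP_UP, soft                      # last_seen is updated only after MFA succeeds
    stores.last_seen[subject] = (now, assertion["lat"], assertion["lon"])
    return PASS, []


def make_stores():
    """Constructed sample data: two vendor accounts, three IdP-issued assertion IDs."""
    nine_am = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    return BrokerStores(
        users={CONTRACTOR: {"enabled": True, "groups": {"vpn-users", "billing-ro"}, "privileged": False},
               OPS_ADMIN: {"enabled": True, "groups": {"ops"}, "privileged": True}},
        idp_issued={"_a1", "_a2", "_a3"},
        last_seen={CONTRACTOR: (nine_am, 51.5, -0.12)},   # last logon from London
    )


def sample_assertion(aid, subject, groups, lat, lon, issued_at):
    """Constructed stand-in for a parsed SAML assertion (signature already verified)."""
    return {"id": aid, "issuer": TRUSTED_ISSUER, "audiences": [EXPECTED_AUDIENCE],
            "subject": subject, "groups": groups, "lat": lat, "lon": lon,
            "not_before": issued_at, "not_on_or_after": issued_at + timedelta(minutes=5)}


def run_scenarios():
    """Drive the broker through five constructed logons; returns scenario -> decision."""
    stores = make_stores()
    ten_am = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    later = ten_am + timedelta(minutes=30)
    genuine = sample_assertion("_a1", CONTRACTOR, ["billing-ro"], 51.5, -0.12, ten_am)
    forged = sample_assertion("_f9", CONTRACTOR, ["billing-ro", "domain-admins"], 51.5, -0.12, ten_am)
    travel = sample_assertion("_a2", CONTRACTOR, ["vpn-users"], 40.7, -74.0, later)   # New York
    admin = sample_assertion("_a3", OPS_ADMIN, ["ops"], 51.5, -0.12, ten_am)
    return {
        "genuine": evaluate_assertion(genuine, stores, ten_am)[0],
        "replay": evaluate_assertion(genuine, stores, ten_am)[0],
        "forged": evaluate_assertion(forged, stores, ten_am)[0],
        "impossible_travel": evaluate_assertion(travel, stores, later)[0],
        "privileged": evaluate_assertion(admin, stores, ten_am)[0],
    }
```

The issuance-log cross-check is the decisive one against a forged token: the signature is genuine because the signing key was stolen, but the IdP never recorded issuing that assertion ID. Replay, attribute drift and impossible travel are cheaper signals layered on top; the two soft signals produce a step-up rather than a rejection, matching the enriched-token path described above.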
3. Access governance for third-party identities. Access governance measures how well an organization creates and manages identities and their entitlements. Access certification is central to it: approvers, sponsors and other certifiers periodically verify and attest that each user holds only the access and permissions they should. That review can also surface a supply chain attack when a certifier finds an access assignment nobody approved.
For example, monthly or quarterly certification of high-risk applications can catch an entitlement that no sponsor granted, and in the SolarWinds timeframe that could have cut months off the attackers' access. Treating access certification as the primary way to uncover an attack would be an oversimplification: a forged token that exercises an existing, approved entitlement leaves nothing for a certifier to spot, and certification only catches what shows up as an access assignment (a new account, role or application permission). As one layer of an identity governance strategy, however, it is a low-risk, high-reward way to thwart bad actors.
4. Centrally manage all third-party access. Centrally managing third-party identities is not only possible but imperative. Most enterprises manage third-party users directly within individual line-of-business applications (silos), which puts them at significant risk: a third-party user often has access to multiple cloud and on-premises systems across the enterprise, but the people (or systems) that manage access for one line-of-business application usually have no visibility into the hundreds of other systems to which that user may also have access.
Unless a user's existing accounts and access rights are known before further access is provisioned, you cannot apply the access policies appropriate to the aggregate risk the user presents. This lack of visibility leads to high-risk scenarios, such as weak authentication for users who are "privileged" in aggregate even though no single application sees them that way, and no enterprise-wide view of each user's access rights.
Centrally managing and automating identity and access management for third-party users creates a wide and deep view of the risk each user presents, so the right policies can be applied and enforced day in and day out. With the right solution, third-party user lifecycles can also be automated, changing or revoking access in response to real-time events such as a contract ending. Your auditors will love you.
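As an added worked example (written for this page, not the product of any vendor named here), the following Python pulls per-silo access exports into one view per third-party identity, as points 1, 3 and 4 describe, scores the aggregate risk, derives the enforced policy from that aggregate rather than from any single application, and lists whose access certification is overdue. All systems, accounts, identities, dates and risk weights are constructed stand-ins.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed: what each silo reports about its own accounts, as (account, access level).
SILO_EXPORTS = {
    "erp":       [("jdoe", "read"), ("mpatel", "admin")],
    "cloud-iam": [("jane.doe", "write"), ("svc-backup", "admin")],
    "vpn":       [("jdoe", "read"), ("mpatel", "read"), ("old-contractor", "read")],
}
# Constructed: maps a silo-local account to one enterprise identity (the "identity for
# everything" inventory). Accounts missing here are invisible to central IAM.
ACCOUNT_MAP = {
    ("erp", "jdoe"): "jane.doe@vendor.example",
    ("cloud-iam", "jane.doe"): "jane.doe@vendor.example",
    ("vpn", "jdoe"): "jane.doe@vendor.example",
    ("erp", "mpatel"): "m.patel@partner.example",
    ("vpn", "mpatel"): "m.patel@partner.example",
    ("cloud-iam", "svc-backup"): "svc:backup@partner.example",
}
# Constructed: sponsor data from the third-party registry.
REGISTRY = {
    "jane.doe@vendor.example":    {"contract_end": date(2024, 12, 31), "last_certified": date(2024, 1, 10)},
    "m.patel@partner.example":    {"contract_end": date(2024, 3, 31),  "last_certified": date(2023, 9, 1)},
    "svc:backup@partner.example": {"contract_end": date(2025, 6, 30),  "last_certified": date(2024, 4, 1)},
}
LEVEL_WEIGHT = {"read": 1, "write": 2, "admin": 4}     # constructed risk weights
PRIVILEGED_THRESHOLD = 4                                # aggregate score at/above which a user is privileged
CERT_PERIOD = {True: timedelta(days=30), False: timedelta(days=90)}   # privileged -> monthly, else quarterly


def aggregate_access(exports, account_map):
    """Join silo exports to enterprise identities; returns (identity -> [(system, level)], orphans)."""
    by_identity, orphans = defaultdict(list), []
    for system, rows in exports.items():
        for account, level in rows:
            identity = account_map.get((system, account))
            if identity is None:
                orphans.append((system, account))      # nobody central owns this account
            else:
                by_identity[identity].append((system, level))
    return dict(by_identity), orphans


def risk_score(entitlements):
    """Sum of per-entitlement weights across every silo the identity touches."""
    return sum(LEVEL_WEIGHT[level] for _, level in entitlements)


def is_privileged(entitlements):
    """Privileged if any single admin right, or if modest rights spread over silos add up past the threshold."""
    return any(level == "admin" for _, level in entitlements) or risk_score(entitlements) >= PRIVILEGED_THRESHOLD


def access_policy(identity, entitlements, registry, today):
    """Pick the enforced policy from the aggregate view rather than from one silo's opinion."""
    rec = registry.get(identity)
    if rec is None or today > rec["contract_end"]:
        return "revoke"                              # lifecycle event: no sponsor record or contract ended
    if is_privileged(entitlements):
        return "phishing_resistant_mfa+session_recording"
    return "mfa"


def certifications_due(by_identity, registry, today):
    """Identities whose last certification is older than the period their risk tier requires."""
    due = []
    for identity, ents in by_identity.items():
        rec = registry.get(identity)
        if rec is not None and today - rec["last_certified"] >= CERT_PERIOD[is_privileged(ents)]:
            due.append(identity)
    return sorted(due)


def run_review(today=date(2024, 4, 15)):
    """One pass of the central review over the constructed data."""
    by_identity, orphans = aggregate_access(SILO_EXPORTS, ACCOUNT_MAP)
    return {
        "scores": {i: risk_score(e) for i, e in by_identity.items()},
        "policies": {i: access_policy(i, e, REGISTRY, today) for i, e in by_identity.items()},
        "orphans": orphans,
        "certifications_due": certifications_due(by_identity, REGISTRY, today),
    }
```

The point the sample data makes is the one in the text above: jane.doe holds only read and write rights in any single silo, yet her aggregate score crosses the privileged threshold, so the central policy demands stronger authentication than any one application would have asked for; m.patel's expired contract drives revocation across every silo at once; and the vpn account old-contractor, which no identity owns, is exactly the kind of account that stays invisible when access is managed application by application.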