Zero Trust is Key to Supply Chain Security

Originally published by CXO REvolutionaries.

Written by Jeff Lund, Global CISO - Global Information Security, Marsh McLennan.

When former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs spoke at Black Hat 2022, he highlighted two factors that regularly undermine organizations’ security and increase their exposure to breaches: a convoluted tech stack and an overabundance of implicit trust.

As someone who’s spearheaded my own zero trust transformation, I obviously agree that eliminating implicit trust makes for more secure operations. But what’s perhaps less apparent is how adopting zero trust, as a significant part of your security program, helps to protect organizations by streamlining their tech stacks.

A bloated lineup of third-party IT solutions poses a danger to organizations because it both expands their attack surface and increases the opportunity of becoming collateral damage via a compromised vendor somewhere further down the supply chain.

A 2021 Deloitte study on zero trust points out that, "As an enterprise more frequently relies on third-party vendors to host and manage data, infrastructure, and other services, the attack surface expands." The report cites findings that 59% of companies surveyed were compromised via a third party, and those incidents tended to cost 13% more than those involving a single party.

Supply chain attacks have emerged as an area of focus for groups ranging from hacker conferences to financial services to the U.S. federal government. Given this focus, it’s worth exploring how zero trust architecture, as part of a solid security program, can help mitigate the impacts of this threat by simplifying the IT stack and reducing the attack surface. But let’s first illustrate the very real threat of supply chain attacks to set the stage.

The state of the supply chain attacks

The compromises of the SolarWinds and Kaseya IT management platforms were in many ways emblematic of the damage that can be wrought by supply chain attacks. By capitalizing on the implicit trust granted to software updates pushed by friendly vendors, threat actors were able to bundle malicious payloads up with necessary updates that were readily installed by unsuspecting customers.

Lauren Proehl, responsible for our Global Cyber Defense program, identified several supply chain attacks of IT providers impacting many industries. A few of the most significantly impacted suppliers are highlighted below. The common thread, though, is that these attacks were carried out against IT vendors who passed the infection to thousands of their customers, potentially exposing the customers to further breaches, data loss, business loss, and financial impacts.

Attributed to APT29 (UNC2452 or Nobelium), the attackers inserted malicious code into the Orion network management system, which was used by numerous government agencies and multinational companies. Due to the addition of this malicious code, the SolarWinds Orion Platform created a backdoor that allowed hackers to access accounts and impersonate users of victim organizations. Multiple government agencies and commercial organizations were impacted, including FireEye. Overall, 18,000 customers were using vulnerable versions of Orion. The breach impacted 85% of businesses surveyed and on average impacted 11% of annual revenue. As a result, the actors were likely able to gain access to some of the most sensitive DOD and intelligence agencies in the U.S. government, along with hundreds of private companies, to conduct a prolonged reconnaissance operation.

The attackers behind the Kaseya compromise, REvil, were more motivated by profit than intelligence gathering. They included a ransomware payload in their attack presumably meant to generate revenue for the group. An estimated 1,500 customers were impacted, several negotiating individual ransoms to unlock their files.

Attackers were able to infect two legitimate PyPI packages with malware as part of a phishing campaign, researchers from SentinelOne and Checkmarx confirmed. Two packages with a combined total of about 700,000 PyPI package downloads were compromised in the attacks. 700K downloads of PyPI packages were impacted. PyPi has 622k monthly active users and is the official repository of software that can be used by the Python programming language. Many organizations use PyPi in addition to other open-source packages.

The supply chain threat is real.

These attacks certainly contributed to NIST’s decision to revise its guidance for protecting against them and prompted the U.S. Office of Management and Budget to release a directive focused on zero trust security. They helped to spark the realization that supply chain risks undermine security by:

• Enabling account takeover – Using the account of a trusted vendor as a beachhead from which to launch attacks like phishing campaigns and malware.
• Introducing fourth-party risk – Whereby your carefully evaluated third-party vendors are compromised via their not-so-carefully-evaluated third parties.
• Masking Trojanized software – As we saw in the case of the SolarWinds and PyPI attacks.

Removing implicit trust as a network feature goes a long way toward limiting the blast radius of supply chain attacks by preventing lateral movement and placing a strong emphasis on identity verification and access management. It also helps to reduce bloat in IT stacks, limiting the exposed attack surface. Zero-trust is a massive help in reducing possible impacts from supply chain attacks, but it must be paired with a mature security program.

Don’t ignore the security basics

• Limit data shared with suppliers. The more data you make available to a third-party vendor the more you are putting at risk. It’s a bit like gambling in Las Vegas; only risk what you are willing to lose.
• Enable the security controls documents by the supplier as best practices. You might recall the highly publicized Okta breach via its subprocessor, Sitel. Okta customers who employed the best practice configurations for their Okta tenant were not impacted, even if they were identified as part of the 366 potentially exposed customers.
• Enable DMARC/DKIM email security for all your mail domains. It’s not perfect but it helps with business email compromise and phishing email scenarios.
• Enable multi-factor authentication across your internal environment as well as everything externally exposed. Despite weaknesses like MFA fatigue, MFA remains one of the best controls you can implement to protect your data.
• Review software downloaded to your systems before installing. Yes, this slows down developers, but leverage automation and internal trusted repositories to create a positive DevOps experience.
• Periodically re-assess vendor controls. Security isn’t ever done, and the threat continuously evolves. Your vendors, just like you and your organization, are continuously updating their systems. Make sure their controls continue to be aligned to your threat posture.
• Patch your applications and systems. Identify vulnerabilities in your applications, application code, and the underlying systems and patch them aggressively!
• Monitor, monitor, monitor – monitor your threat intel feeds, retroactively check your environment for indicators of compromise of active threats, monitor for unusual administrator activity, and monitor external access originating from your systems.

Implement a zero trust network architecture

While traditional networks rely on castle-and-moat security – a fiercely guarded network with a “passthrough” gate in the form of a firewall – zero trust architecture absolves the need for this perimeter focus. This reduced reliance on firewalls limits the attack surface by removing security appliances discoverable from the open internet. It’s also one less vendor whose compromise may have unintended consequences for its customers.

VPNs are another, critical way in which subtracting one vendor adds to an organization’s overall cybersecurity. It seems that a week doesn’t go by in which a VPN isn’t exploited to illicitly gain access to a network. Rather than relying on a VPN to backhaul traffic through the corporate security stack before connecting it to the internet, zero trust architecture uses the internet as the network with a proxy in the middle to handle connecting users to resources. In essence, a VPN extends your network – and your attack surface along with it.

These are just a couple of examples. By implementing zero trust, organizations can eliminate handfuls more point products and their vendors that were previously required to safely route traffic through data centers. If security is the enemy of complexity as Krebs suggests, inbound and outbound traffic from the data center is where much of that complexity is created.

Instead, routing traffic through a cloud-based proxy like the Zscaler Zero Trust Exchange means many of these security controls can be moved to the cloud, simplifying infrastructure and reducing the number of vendors needed to secure traffic.

There’s a lot to be said about how the fundamental architecture of zero trust enhances security and reduces exposure to threats. But we should also acknowledge that, in an age where security vendors are prime targets for compromise, the simplicity of the zero trust model is a security feature in its own right.