Organizations Battle Ransomware Targeting Supply Chains 

Organizations are increasingly at risk of ransomware attacks through their extensive supply chains, a threat that is complicated by visibility challenges as the attack surface expands, according to a global Trend Micro survey of 2,958 IT decision makers.

While the vast majority (79%) of global IT leaders said they believed their partners and customers make their own organization a more attractive ransomware target, fewer than half (47%) of organizations share knowledge about ransomware attacks with their suppliers, and a quarter said they do not share potentially useful threat information with partners.

Among the organizations that experienced a ransomware attack in the past three years, more than two-thirds (67%) said the attackers reached out to customers and/or partners about the breach to force payment.

Supply Chains Are Everywhere

Bharat Mistry, technical director at Trend Micro, pointed out that all organizations have supply chains, no matter the size or vertical.

“They can be large and complex involving many suppliers doing many different things, and effectively securing them can be hard because vulnerabilities can be inherent, or introduced and exploited at any point,” he said.

In most cases, third-party suppliers have an inherent level of trust and a footprint/landing zone in an organization, especially if it is digital, as in software or SaaS. It is the abuse of this channel that elevates the risk of ransomware, he said.

Mistry explained that supply chain risk management usually comes in the form of a yearly audit, and that there is no mechanism to test or monitor whether suppliers are consistently upholding their obligations to comply with an organization's baseline cybersecurity posture.

Lack of Knowledge is Particularly Worrisome

From his perspective, the lack of threat knowledge sharing between organizations and their partners and suppliers is particularly worrying.

“Collaborative sharing of threats and rapid dissemination of information is vital to combat the risk of an attack through the supply chain. Third-party suppliers, at the end of the day, are an extension of the enterprise perimeter,” he said.

He added that the threat landscape continues to evolve at a relentless pace and keeping up is a challenge for any organization.

“Companies are only as secure as their weakest link; in the vast majority of cases, that weakest link is the supply chain,” Mistry said.

Tony Goulding, cybersecurity evangelist at Delinea, a provider of privileged access management (PAM) solutions, said IT security pros must be laser-focused on their own infrastructure to ensure that any incident, whether initiated through a supply chain partner or not, does not turn into a breach and provide a launch point to attack others in the chain.

“Organizations may also adjust their operations to focus on domestic partners versus foreign and to relocate infrastructure into domestic data centers and clouds,” he said. “Of course, a risk management strategy should help identify potential threats and risk tolerance enabling IT to assess gaps and prioritize security controls necessary to close them.”

To the extent an organization has a strong influence over the supply chain, it can drive greater visibility and security best practices in the partner organizations.

Mistry said the first step is to have a supplier governance program that ensures, at a minimum, the supplier meets the organization’s baseline security requirements. These could be independent pentesting reports that are carried out annually or could be industry certifications, such as ISO 27001.

“Secondly, organizations should mandate the same high security standards they apply internally, such as multifactor authentication and least-privileged access, network segmentation, comprehensive preventative controls and XDR for rapid detection and response,” he said.

Leveraging PAM to Decrease Risk

Goulding added that PAM solutions can drive down such risks by breaking the attack chain in multiple places.

“One place to target is end-user workstations,” he said. “These are frequently targeted to gain an initial foothold, using phishing and related techniques to take over the user’s account and own their workstation.”

Home network security and basic security hygiene are often lacking in work-from-home scenarios, giving threat actors an opportunity to compromise local administrator accounts and move laterally from the workstation into the server network.

“PAM can be used to lock those down, but there’s also a need to balance security with user productivity,” Goulding explained.

Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, said when it comes to preventing ransomware, it’s important to have visibility into an environment.

Endpoint detection and response (EDR) tools can achieve that, but they can also be expensive and out of reach for educational institutions with limited budgets, for instance. Warner advises small IT teams to use Sysmon (System Monitor), a free Microsoft Sysinternals utility that records process creation, network connections, process access and similar host activity to the Windows event log, to get visibility into their environments.

“IT leaders should also look for a threat detection and response platform that centralizes logs and makes it easy to respond to security threats,” he explained.

Securing environments against ransomware attacks requires broad visibility and risk mitigation efforts that are difficult for organizations to keep up with.

“It’s extremely important that organizations focus on detecting the first three steps of a ransomware attack: Discovery, gaining a foothold and escalating privileges,” Warner said. “Detection, in addition to being aware of what data you hold, will allow you to quickly respond to attacks and, in the worst-case scenario, be sure of post-exploitation handling of a ransomware event.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
