In early 2021, Sita, a supplier of IT systems for the airline industry, started informing airlines using its passenger service system that their frequent flyer programme data could have been exposed.
As it turned out, the passenger service system, which airlines use to send data of frequent flyers to other airlines in the same alliance so that they can accord benefits to their customers, was compromised by a highly sophisticated cyber attack.
Singapore Airlines was one of the affected airlines even though it did not use the Sita system. That’s because it provided the data of its frequent flyer members to a Star Alliance airline that was using the affected system, exposing information such as membership numbers, tier status, and in some cases, member names.
While airline alliances bring benefits such as network effects that enable airlines to fly their customers to more destinations, the interconnectivity between their systems also attracts cyber criminals looking to exploit the weakest links through supply chain attacks. These links can also take the form of popular third-party systems that many organisations use to run their IT operations.
One such system is the SolarWinds network management software, which had malware inserted into its software updates by threat actors in a supply chain attack that compromised large enterprises and government agencies.
Feixiang He, adversary intelligence research lead at Group-IB, a Singapore-based cyber security company, says there are some driving forces behind the rising popularity of supply chain attacks.
Firstly, the cyber defences of many high-value targets are in a much better shape than before. Direct attacks against target systems may take a lot of effort and yield little results. Hence, it is more effective for cyber criminals to move up the software supply chain to exploit weak links outside their target’s cyber defences.
He says the use of open-source software also poses a supply chain security risk, debunking the assumption that security is almost guaranteed in popular open-source projects.
“In an ideal community approach, weaknesses and malicious behaviours should be discovered by someone and fail the code review. In reality, most of such projects are maintained by volunteers who have various focuses that are not necessarily related to security. It is unreasonable to assume security by default,” he says.
“Furthermore, open-source projects are usually for general purpose uses. Some seemingly secure designs may become a vulnerability in a specific system architecture. Lastly, loosely managed open-source software library repositories also give the attackers extra options to covertly deploy malicious software.
“We’ve seen multiple cases where the attackers upload malware to a Python PIP package manager repository and infected software developers in large corporates,” he adds.
He says the shift towards cloud infrastructure and the “as-a-service” model also introduces uncertainties to ownership and accountability, making incident detection and response challenging.
Ultimately, any weaknesses in supplier systems automatically become weaknesses in the enterprise, says Joseph Failla, security lead at Accenture in Australia and New Zealand.
Citing Accenture’s research, Failla notes that while organisational cyber resilience is on the rise, many cyber security programmes only actively protect about 60% of the business ecosystem on average, while the remaining 40% of security breaches are largely indirect.
Adding to the challenge is the difficulty of gaining visibility into the partner supply chain. This could be due to legal constraints and other organisational barriers preventing suppliers from sharing information.
“Other times, their security capabilities aren’t up to scratch. This lack of visibility impedes organisations’ abilities to understand where to focus assessments and mitigation efforts,” Failla says.
Mitigating supply chain risks
Despite the challenges of fending off supply chain attacks, especially if a nation-state or state-linked threat actor is involved, becoming a sitting duck for such attacks is not an option.
Jonathan Tan, managing director for Asia at McAfee, advises organisations to maintain an aggressive and healthy cyber security posture to contain risks as much as possible in the event of a potential breach.
That means identifying the most critical data and applying the principle of least privilege. A sound approach, Tan adds, is to assume that the most critical assets are under attack, especially those that leverage third-party applications where elevated privileges are required for their effective operation.
Raen Lim, group vice-president of South Asia and Korea at Splunk, notes that the adage of auditing one’s suppliers is harder than it sounds “because your one ‘video conferencing vendor’ or ‘payment processing vendor’ is actually composed of maybe a half-dozen business systems, through external APIs and services”.
“You need visibility into every data component and flow. You also need to know how to respond quickest when a breach is discovered, both to shut it down and to determine which data may have been compromised,” she adds.
As such, Lim advocates for the zero-trust security model to minimise security risks as it is focused on users, assets and resources rather than a network perimeter. The model also demands organisations to rigorously authenticate users as they move towards a more distributed security environment.
Automating security operations, she adds, will also help organisations identify and respond to cyber attacks without human intervention, along with improving the effectiveness of security analysts through automation and analytics.
Sanjay Aurora, managing director of Asia-Pacific at Darktrace, agrees, noting that by augmenting human security teams with artificial intelligence technology, organisations can focus on understanding what’s ‘normal’ behaviour across their digital estate, and constantly enforce that normal when things go amiss.
“This technology can identify the subtle indicators of this malicious activity wherever it emerges, and thwart it before damage is done,” he adds.
Changing role of the CISO
The reliance on third-party providers has created new demands on cyber security defences, adding complexity to the responsibilities of the chief information security officer (CISO).
Now more than ever, CISOs need to be more directly engaged with the broader risk management function or even take on a risk management leadership role.
Recent high-profile supply chain security breaches have attracted the attention of CEOs and their boards. CISOs have found themselves needing to leverage both technology and leadership skills to effectively communicate the potential impact of supply chain attacks to the leadership team, and to drive executive buy-ins on solutions or mitigation efforts.
Accenture’s industry intelligence found that CISOs have significant concerns around how supply chain risks can be managed. These include effectively monitoring vulnerabilities; increasing internal early detection capabilities; whether scenario planning exercises are keeping pace with more sophisticated threats; and if teams are prepared to deal with new threats.
“The industry intelligence also proposed that CISOs need to strike a better balance between their technology and leadership competence,” Failla says. “CISOs are not only expected to demonstrate practical capabilities but be equally good at communicating in a non-technical manner.
“This form of communication will better resonate with the senior leadership team and the board, helping CISOs align cyber security with enterprise risk management practices while building trust internally.”
What the software industry can do
McAfee’s Tan says the most insidious aspect of the SolarWinds attack was the use of a backdoor and stealth tactics to monitor if malicious activity was being analysed, by looking for the presence of debuggers and network monitors and suppressing communications and alerts of other malicious behaviour in those scenarios.
The backdoor then enabled the attackers to take any number of secondary steps, which could involve stealing data, destroying data, holding critical systems for ransom, or any number of other malicious actions.
“The attackers may still be doing damage right…
Read More: The rise and rise of supply chain attacks