Supply Chain Breaches and OT/IoT Scenarios - Exabeam

Published
September 01, 2022

Today, with international sourcing, the mixture of proprietary and open-source code, and enormous variability in vendor practices, it is nearly impossible to perfectly secure the borders of the enterprise supply chain. The list of supply chain attacks is long and infamous, and it applies to hardware as much as software: peripherals, networking equipment, and IoT devices. The common thread in most supply chain and IoT attacks is the compromise of credentials and authentication, followed by abuse of the network privileges those credentials carry in order to proliferate and spread.

In a recent webinar, Christopher Beier, Senior Product Marketing Manager, discussed supply chain attacks and outlined steps toward mitigation.

The top four supply chain risks

A supply chain attack is a cyberattack with the goal of damaging an organization by going after the less-secure parts of the supply chain. Christopher explains, “The landscape is getting even more complicated when we think that nine out of 10 companies are leveraging open source software projects. Add to that the growing use of the Internet of Things (IoT) for cars and smart devices, appliances, door locks, thermostats, and all its growth in IoT in industries like healthcare and energy — you have a never-ending expansion of the attack surface. It’s essential that organizations review their cybersecurity requirements, gain visibility into their supply chain dependencies, and be prepared with modern tools and practices to help prevent future supply chain attacks.”

Here are the top four supply chain risks, according to Christopher:

  1. Third-party vendor risks – Third-party vendors may not take cybersecurity as seriously as your company does. Unfortunately, reliance on third-party and open-source software keeps growing, so the exposure grows with it.
  2. Digital risk – Digital risks are an increasing supply chain threat. “The more digital solutions you add to your ecosystem, the more potential gateways cyber criminals have,” Christopher says. “These exposures have caused several software vulnerabilities, zero-day attacks, and if you overlook what you’re putting into your environment, you’re subject to ransomware attacks or other security breaches, process disruptions, non-compliance with your regulatory standards.”
  3. Supplier fraud – Supplier fraud is when a cyber criminal impersonates a supplier or vendor to extract payment without providing the goods or service. This can be done through social engineering techniques, AI-generated voicemails, phishing, or deepfake video recordings.
  4. Data integrity – Data integrity in the supply chain is a key area of concern, and security measures should protect data both in transit and at rest across every integration. Christopher cautioned, “encryption practices are especially important between third-party integrations because the hackers already know, and they’re targeting your third-party vendors because they likely have access to that sensitive data.”

What is software supply chain security?

Software supply chain security is the practice of maintaining the security of the components, activities, and practices involved in creating and deploying software, including third-party and proprietary code, deployment methods and infrastructure, interfaces and protocols, developer practices, and development tools. “The SolarWinds attack began in 2020, and unofficially elevated software supply chain security to the top of a lot of people’s minds, both in government and private sector,” said Christopher. “Subsequent events like the Log4j vulnerability underscore that software supply chains are real.”

The five main IoT threats of 2022

A recent study, State Of Enterprise IoT Security In North America: Unmanaged And Unsecured, commissioned by Armis, states that 67% of enterprises have experienced an IoT security incident. These are the main IoT threats, as Christopher discussed in the webinar:

  1. Unencrypted data storage – IoT devices collect a huge amount of valuable data throughout the day, much of which is stored in the cloud. That data makes IoT devices a target for hackers and other cybercriminals, so it must be stored securely, and whenever data is transferred between devices it should travel over an encrypted connection. Unfortunately, many IoT devices still lack reliable firewalls and other basic security controls, which leaves this data exposed.
  2. Unsecured financial information – Some IoT devices have access to their users’ financial information. When a device can reach something like your credit card or banking details, it quickly becomes a target for hackers.
  3. Access to physical property – Another major risk is that IoT devices are often connected to physical property in some way: a compromised lock, camera, or controller is a physical-world problem, not just a data problem.
  4. Weak passwords and ID verification – A strong password is essential for protecting your devices. Unfortunately, many IoT devices are not password protected at all, and even where they are, many users keep defaults or choose options that are simple and easy to guess. This leaves IoT devices highly exposed to attackers.
  5. Botnets and malicious IoT devices – IoT allows electronic devices to connect and talk to each other, but not all of these devices are created with good intentions. Cybercriminals can take over existing IoT devices, enlist them in botnets, and use them as a foothold to infiltrate otherwise secure networks.

10 questions for determining your suppliers’ risk level

Christopher provided some of the key questions companies can use to determine how risky their suppliers’ cybersecurity practices are, based on NIST and MITRE research:

  1. How is configuration management performed? Quality assurance? 
  2. How is it tested for code quality or vulnerabilities? 
  3. What levels of malware protection and detection are performed? 
  4. What steps are taken to “tamper-proof” products? Are backdoors closed?  
  5. What physical security measures are in place? Documented? Audited? 
  6. What access controls, both cyber and physical are in place? How are they documented and audited? 
  7. How do they protect and store customer data? 
  8. How is the data encrypted? 
  9. How long is the data retained? 
  10. How is the data destroyed when the partnership is dissolved? 

How and why UEBA can help with supply chain security

Christopher advised that user and entity behavior analytics (UEBA) can help with supply chain attacks: “This is a technology that uses machine learning to understand how humans and machines normally behave so that you can identify and find high-risk activity.” The organizations with the best shot at detection, Federal agencies included, are those with behavior analysis built into their identity management, so that anomalous activity can be flagged, particularly “impossible logins” (the same account authenticating from two locations too far apart to have travelled between in the time elapsed). An organization that is not set up to detect that kind of anomaly will not detect the user-impersonation attacks that adversaries increasingly favor. Security should be automated as much as possible, because asking people to sort through individual indicators of compromise by hand is a very hard ask. Here are some of the problems UEBA can help solve:

Compromised credential detection

  • Identify abnormal account access, activity, device usage, application object access, etc.

Privileged user monitoring

  • Identify privileged users based on contextual data or behavior (e.g., performing admin activity or using privileged systems)
  • Identify risky anomalous activity, correlated across many data sources to reduce false positives
  • Can turbocharge PAM/PAS products 

Compromised system/host/device detection

  • Identify and classify devices (e.g. server, workstation, IoT devices, etc.)
  • Baseline normal behavior including communication ports, protocols, authentication, access, activity, etc.
  • Detect anomalous activity, and related users

Data exfiltration detection

  • Identifies unusual data access, outbound data transfers, USB activity, printer activity, file activity and more. 
  • Low false-positive rate, because UEBA has the context of users, their roles, and their normal activity
  • Can find data exfiltration early in its life cycle 
  • Turbo-charges DLP tools based on behavior and risk

Failed login attempts and account lockouts

  • Sorts lockouts by risk, allowing security teams to zero in on the most critical ones
  • Provides context around the lockout for quick triage
  • What happened before or after the lockout? 
  • Does this user do this a lot? 
  • Is the user behaving abnormally in other ways?

Service account misuse

  • Automatically identifying service accounts by understanding their behavior
  • Flagging abnormal behavior indicative of compromise or misuse
  • Providing a clear chain of events with surrounding incident context
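To make the “compromised credential” and “service account misuse” items above concrete, here is an added example (not Exabeam’s code or models) of the kind of baseline-and-score logic a UEBA engine applies. It replays a constructed set of authentication events, learns each account’s prior devices, login hours and locations, flags an impossible login (two successes too far apart for the time between them), a new device, and interactive use of an account whose behavior looks like a service account. The event schema, thresholds and weights are assumptions chosen for the example.

```python
"""UEBA-style scoring of authentication events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real telemetry): user, UTC timestamp, lat, lon, device.
EVENTS = [
    ("alice", "2022-09-01T09:02:00", 51.51, -0.13, "alice-laptop"),
    ("alice", "2022-09-01T09:40:00", 51.51, -0.13, "alice-laptop"),
    ("alice", "2022-09-02T08:55:00", 51.51, -0.13, "alice-laptop"),
    ("alice", "2022-09-03T09:10:00", 51.51, -0.13, "alice-laptop"),
    ("alice", "2022-09-03T09:45:00", 40.71, -74.01, "unknown-host"),     # London -> New York in 35 min
    ("svc-backup", "2022-09-01T02:00:00", 51.51, -0.13, "backup-01"),
    ("svc-backup", "2022-09-02T02:00:00", 51.51, -0.13, "backup-01"),
    ("svc-backup", "2022-09-03T02:00:00", 51.51, -0.13, "backup-01"),
    ("svc-backup", "2022-09-03T14:12:00", 51.51, -0.13, "alice-laptop"),  # service account used interactively
]

MAX_PLAUSIBLE_KMH = 900   # assumed ceiling for travel speed between two logins
LEARN_WINDOW = 3          # assumed: prior events needed before an account is scored
WEIGHTS = {"impossible_travel": 60, "new_device": 20, "unusual_hour": 10,
           "service_account_deviation": 30}   # assumed risk weights


def parse(ts):
    return datetime.fromisoformat(ts)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_service_account(history):
    """Behavioral heuristic: one device, one hour of day, logins ~24h apart.
    This is how an engine can label service accounts without a directory attribute."""
    if len(history) < 3:
        return False
    devices = {e[4] for e in history}
    hours = {parse(e[1]).hour for e in history}
    gaps = [(parse(b[1]) - parse(a[1])).total_seconds() / 3600
            for a, b in zip(history, history[1:])]
    return len(devices) == 1 and len(hours) == 1 and all(abs(g - 24) < 1 for g in gaps)


def score_event(event, history):
    """Score one event against the account's own prior history; returns (score, reasons)."""
    reasons = []
    if len(history) < LEARN_WINDOW:
        return 0, reasons            # still learning this account's baseline
    _user, ts, lat, lon, device = event
    prev = history[-1]
    hours = (parse(ts) - parse(prev[1])).total_seconds() / 3600
    dist = haversine_km(prev[2], prev[3], lat, lon)
    if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
        reasons.append("impossible_travel")
    if device not in {e[4] for e in history}:
        reasons.append("new_device")
    if parse(ts).hour not in {parse(e[1]).hour for e in history}:
        reasons.append("unusual_hour")
    if is_service_account(history) and reasons:
        reasons.append("service_account_deviation")
    return sum(WEIGHTS[r] for r in reasons), reasons


def run(events, threshold=50):
    """Replay events in time order; each account's earlier events form its baseline."""
    history = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e[1]):
        score, reasons = score_event(e, history[e[0]])
        if score >= threshold:
            alerts.append((e[0], e[1], score, reasons))
        history[e[0]].append(e)
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Two of the nine events produce alerts: alice’s fifth login (impossible travel plus a never-seen device) and the interactive use of svc-backup from a workstation at an hour the account has never logged in. The point is that neither event is suspicious on its own in a raw log; it is the comparison against the account’s own learned baseline that makes it stand out.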

Six tips for choosing a UEBA tool 

Lastly, Christopher provided the following tips for picking a UEBA tool: 

  1. Look for broad data source support, specifically support for the tools you use and those you plan to invest in. With this support, UEBA can make those tools better by offering better detection and a way to view all of their data together. 
  2. Normal behavior – This is crucial. There are many analytics companies out there that simply package up a boatload of correlation rules and call it analytics. This is replacing 1.0 tech with more 1.0 tech. To make sure that a UEBA product is actually learning and baselining, ask the vendor to show you the models and to show normal behavior. This functions as proof that it has really learned your users and machines. 
  3. Dynamic peer grouping – AD data is often incomplete or out of date. Dynamic peer grouping allows UEBA to compare users to their peers to find abnormality even without AD data. It does this by finding users whose normal baselines are similar and then dynamically grouping them together. This might be by application, tiger team, boss, you name it. Then the system can compare deviations in a baseline against these groups to find abnormality.
  4. Lateral movement tracking – Not all tools are built equally in terms of their ability to follow attacks. Ask your vendor what their capabilities are. See it in a demo or a proof of concept. Make sure you’re happy with this capability so you don’t miss parts of attacks later.
  5. Machine-built timelines – Ask your vendor to show you what their incident timelines look like. Would this be sufficient to understand what happened with an attack or would you need to go back to your SIEM to dig up raw logs? You want to be able to automate as much of the evidence gathering as possible to improve your team’s productivity.
  6. SOAR integration – If you have a SOAR tool, see if it integrates with your UEBA tool of choice. The story does not end at detection; you still need to respond to threats you discover. Having the ability to automatically respond to detected threats provides faster response times and further productivity gains.
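Tip 3 above, dynamic peer grouping, is worth seeing in code. The following added example (not Exabeam’s implementation) builds peer groups purely from behavioral baselines, with no Active Directory group data, by joining users whose application-usage profiles are cosine-similar, and then scores a new application access as more unusual when neither the user nor their behavioral peers have used that application. The baselines, the similarity threshold and the scores are constructed assumptions for the example.

```python
"""Dynamic peer grouping from behavioral baselines (added example, constructed data)."""
from math import sqrt

# Constructed 30-day baselines: user -> {application: number of sessions}.
# No directory/AD attributes are used; grouping comes only from behavior.
BASELINES = {
    "alice": {"jira": 40, "git": 55, "ci": 30},
    "bob":   {"jira": 35, "git": 60, "ci": 25},
    "carol": {"jira": 30, "git": 50, "ci": 35, "wiki": 5},
    "dave":  {"erp": 70, "crm": 40, "payroll": 10},
    "erin":  {"erp": 60, "crm": 50, "payroll": 12},
}


def cosine(a, b):
    """Cosine similarity between two sparse usage vectors (dicts)."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in keys)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def peer_groups(baselines, threshold=0.9):
    """Union-find over pairs whose baselines are similar above threshold.
    Groups are therefore transitive: if A~B and B~C, all three are peers."""
    parent = {u: u for u in baselines}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]   # path compression
            u = parent[u]
        return u

    users = list(baselines)
    for i, u in enumerate(users):
        for v in users[i + 1:]:
            if cosine(baselines[u], baselines[v]) >= threshold:
                parent[find(u)] = find(v)
    groups = {}
    for u in users:
        groups.setdefault(find(u), set()).add(u)
    return list(groups.values())


def peers_of(user, groups):
    for g in groups:
        if user in g:
            return g - {user}
    return set()


def score_access(user, app, baselines, groups):
    """Return (score, explanation) for `user` touching `app`.
    0 = in own baseline; 15 = new for the user but normal for peers;
    40 = new for the user and for every behavioral peer (assumed scores)."""
    if baselines[user].get(app, 0):
        return 0, "seen in own baseline"
    peers = peers_of(user, groups)
    used_by = sorted(p for p in peers if baselines[p].get(app, 0))
    if peers and used_by:
        return 15, f"new for {user} but used by peers {used_by}"
    return 40, f"new for {user} and for peers {sorted(peers)}"


if __name__ == "__main__":
    groups = peer_groups(BASELINES)
    print("peer groups:", [sorted(g) for g in groups])
    for user, app in [("alice", "wiki"), ("alice", "payroll"), ("bob", "git")]:
        print(user, app, score_access(user, app, BASELINES, groups))
```

With these baselines the engine discovers two groups, {alice, bob, carol} and {dave, erin}, without any org chart. alice opening the wiki scores low because carol, a behavioral peer, already uses it; alice opening payroll scores high because nobody in her peer group does. That second case is exactly the deviation-from-peers signal the tip describes, and it works even when the directory has no accurate team data.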

For more insights, watch the webinar, Supply Chain Breaches and other OT/IoT Scenarios, and read the transcript.

You’ll learn about:

  • What steps can CISOs and IT security teams take to mitigate risk from supply chain attacks
  • How SIEM and XDR solutions can detect attacks that have slipped past your perimeter defenses
  • How third-party credentials are being used, and how user and entity behavior analytics (UEBA) can help detect unauthorized access
