The very nature of the third-party relationships required in supply chain management presents the greatest weakness. Security leaders are tasked with being proactive, maintaining the highest level of visibility and control in their environments in order to balance security and functionality, as well as align with business objectives.
Security leaders and their teams must also continue to manage risk, which from an internal perspective means identifying and minimizing the impact of organizational risk. When a third party is introduced, organizations are placed in more of a reactive position, relying on attestations and details from the supplier regarding security posture, policies, etc. Visibility and control become drastically reduced.
In particular, ransomware has become a topic of discussion globally as cybersecurity leaders grapple with the magnitude and impact of cyber risk and the threat of downtime revenue disruption to their business. Successful attacks unfold in mere hours from Initial Access to data exfiltration and ransomware deployment, making the time to detect and time to contain critical factors in building an effective cybersecurity program.
Unless you’re prepared to defend against ransomware, these attacks result in your organization being locked out of critical systems and applications for days and weeks. In many cases, the resulting downtime can cost organizations upwards of $225,000 per day, which drives many CEOs to pay the ransom.
And these attacks are, unfortunately, not uncommon. Between the end of February and mid-July 2022, two affiliates of the Conti Ransomware Group - one of the longest-running and most lethal ransomware groups today – claimed that they had compromised 81 victim organizations. Fifty-nine percent of those victims are U.S.-based.
Mail-borne threats Emotet and Qakbot currently dominate the threat landscape for Manufacturing. These threats, which can lead to network-wide ransomware intrusions, arrive in email inboxes disguised as typical business communications with subjects like Invoice and Shipping. Qakbot has also been known to hijack and replay older email threads, sometimes from business partners, giving recipients the sense that the email is familiar and trustworthy.
Web-borne threats such as RedLine Stealer, SocGholish, and SolarMarker, are encountered when employees are browsing the web. These malwares depend on the user downloading and executing them. Their purpose is to steal data directly from the computer they are executed on, scraping browser history, passwords, cookies, and fingerprint telemetry from the user’s endpoint. This information can then be sold on the dark web and leveraged for further operations against the organization, often by utilizing the credentials to gain access.
At this point you may be asking “Is it realistic to think that we can develop a nationally secure and resilient supply chain against these and other ever-evolving threats?” As cyber criminals evolve and supply chain attacks continue to grow exponentially, these attacks offer threat actors increasingly stealthy, scalable, and privileged access to any organization’s on-premises, cloud, or hybrid environment. But while we may never be free of supply chain attacks, we can become more resilient, which will limit and eventually minimize the damage.
To make the case for new security investments, you need a clear understanding of the ROI you can deliver versus how operational downtime will impact your business revenue.
The solution: a multi-layered defense strategy along with a strong Incident Response (IR) plan in place is crucial to secure your organization against future attacks. Again, there is a need to focus on resilience, which by definition (according to NIST) is, “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
Let’s break down what that means in practice:
- Anticipate - be proactive, control the controllables, address the ‘known knowns’ along with the ‘known unknowns.’
- Withstand - continuously improve detection and response capabilities, and outsource where it makes sense. Have a ‘ready for anything’ mentality, account for the unknown, and minimize the impact to the business. Not all risk can be avoided.
- Recover - continuously develop, test, and improve the IR plan.
- Adapt - conduct post-mortem analyses to identify lessons learned and make appropriate people, process, and technology changes, updates and implementations.
- Evolve - security programs cannot remain static; they must continue to evolve, just as the threat landscape does. The reality is, today’s solutions may not solve tomorrow’s problems, so constantly challenging our way of thinking and evaluating whether we’re solving or prioritizing the right problems the right way can drastically improve an organization’s security posture.
Outsourcing security operations, although a bit of control is relinquished, can enhance an organization’s security posture and cyber resiliency. Financial resources used to ensure security operations, leveraging the talent of external experts rather than applied to the purchase of individual controls that need to be internally managed, has proven to show a strong return on investment.
Larry Gagnon is the SVP of Incident Response at eSentire.