A year ago, the SolarWinds attack brought software supply-chain attacks to the forefront of the news. Now, new incidents are emerging on a weekly basis. To make matters worse, businesses and government institutions are fending off attacks from both traditional cybercriminals and nation-states that have large budgets and many resources, making their campaigns difficult to stop.
Any organization can be a victim of a tech supply-chain attack, but managed service providers (MSPs) in particular offer large attack surfaces that make them high-value targets to cybercriminals. On average, one MSP can manage the IT operations for 100 companies, so the criminals only need to hack one MSP to get access to those 100 clients.
Research suggests that 53% of companies feel a false sense of security when it comes to supply chain attacks, making them an easy target. Many do not truly understand the nature of these threats, and consider the use of “known, trusted software” to be a form of protection. In the first half of 2021, 292 organizations were victims of such attacks, affecting an estimated 5.5 million individuals.
Acronis, the cyber protection company, recently hosted a panel discussion at the Microsoft Inspire conference in which four renowned cybersecurity experts explored the challenges of protecting Microsoft 365 environments. One topic focused on what lessons Microsoft users — including MSPs and small-to-medium-sized businesses (SMBs) — should learn from these advanced attacks.
“Supply-chain attacks exploit the trusted relationship a business has with its software provider,” said Candid Wüest, VP of Cyber Protection Research at Acronis. “If a cybercriminal invests enough time and money on a given target, any organization can be breached. Luckily, Microsoft uses a zero-trust approach, which has mitigated the damage caused by these breaches. While Microsoft admits that unauthorized individuals had read access to their code, no one had write access to change their code.”
Zero trust means that you never trust anything or anyone inside or outside the network by default. It relies on the principle of least privilege by only assigning the rights required for a user to do their job. The software verifies every access attempt.
“The first lesson to learn from these attacks is that every business should implement a zero-trust approach,” Wüest said. “For example, open-source libraries and tool sets that a business uses can be compromised. In addition, criminals can inject code into the Java scripts on your website. Should a business monitor its websites to ensure that these Java scripts are not being modified? The answer is yes, but many organizations do not do that.
“The second lesson,” he continued, “is to be sure you have visibility into the attack. Would you even notice if your data is being extracted? For many organizations, the answer is no.”
Keatron Evans, Principal Security Researcher, Instructor and Author of the InfoSec Institute, added: “Another important lesson is that every business should be sure that their IT staff is trained on how to properly respond and deal with a breach.”
Evans discussed a case where a large MSP suffered a supply-chain-type breach. Their code was compromised, affecting hundreds of their clients. In the aftermath of the breach, the MSP was advising its clients on incident response but, unfortunately, they were giving their clients the wrong instructions. Evans said: “This exacerbated an already bad situation. MSPs need to be sure they truly understand how to handle an incident.”
Many supply-chain attacks are targeting larger technology players, but the fallout from the attack can compromise both MSPs and SMBs. Many times, the targeted company has huge security budgets and advanced processes in place, but the attackers are extremely sophisticated.
“With many supply-chain attacks, the average MSP and SMB are spectators on the street in a superhero movie where Superman is battling a giant villain,” said Scott Bekker, Editorial Director of Redmond Channel Partner and Converge 360. “All the MSP/SMB can do is try to not get stepped on.”
To help ensure they do not get stepped on when a supply-chain attack happens, MSPs and SMBs must implement a zero-trust approach, put the right systems and processes in place so they have visibility into an attack, and train their IT staff on incident response strategies.
Copyright © 2022 IDG Communications, Inc.