From RSA to SolarWinds: Lessons Learned from a Decade of Supply Chain Breaches
Over the past decade, supply chain attacks have become one of the leading causes of breaches. Connections into a network bring exploitable vulnerabilities and an increased risk of security incidents. Dan Raywood examines why the supply chain remains such a challenging problem for organisations and offers some solutions.
Understanding The Challenge
The realities of supply chain attacks are clear to see: from the attack on RSA back in 2011, where the intention was to get into Lockheed Martin, to the incident ten years later, where threat actors exploited software or credentials from at least three companies – notably SolarWinds’ Orion software – to hit the US government.
What we know about supply chain attacks is probably a well-trodden path: attackers exploit a vulnerability in one entity to gain a route into another and often larger business to achieve a breach, dwell in an environment, or something nefarious.
A supply chain attack seems incredibly hard to prevent as it involves a chain of events, and a defender will need to take serious precautions to know who is connected to them and what incidents those connected parties have experienced.
Recognising The Risk
Recent research from BlackBerry found that 74% of attacks originated from members of the software supply chain that companies were unaware of or did not monitor before the breach.
How can you be sure that the entities connecting to your business are secure and adhere to the same level of compliance as your business? Richard Starnes, CISO of Six Degrees Group, says this is possible if you use a flow-down contract, which requires any company you’re working with to follow your lead and can roll down to other suppliers.
“You have a requirement for a client that outlines specifications that need to be met, and if they cannot meet these specifications, then I cannot use them,” Starnes says.
Strengthening the Weakest Link
Starnes says one of the main issues enabling supply chain attacks is the involvement of small and medium enterprises, as larger enterprises have become more difficult to enter, and dwell time is not what it used to be—Mandiant’s 2024 M-Trends report noted that median dwell time was down from 16 days to ten from 2022 to 2023.
Ian Thornton-Trump, Cyjax’s CISO, says lessons learned from supply chain attacks show that there needs to be a better understanding of the consequences of your customers’ and suppliers’ security failings. “What you can do is monitor them and their security posture and their security compliance requirements, and when they have a security breach, they notify you first,” he says.
“This is not about an adversarial relationship, as you’re not trying to catch them out, but it gives you an opportunity to make modifications rather than move into a defensive posture.”
This addresses the problem of learning about a supplier’s security incident through the media rather than being informed directly by the victim; direct notification gives you the chance to begin incident response and surveillance straight away.
Building a Trust-Based Ecosystem
The BlackBerry research found that 65% of companies inform their customers about incidents, with 51% concerned about the negative impact on corporate reputation.
Thornton-Trump says the only way to ‘trust but verify’ is if there is transparency on all sides, allowing you to make preparations in case a breach happens and you know how to respond.
Correct Steps
What are the correct steps to ensure you find all the gaps that an attacker could hit you through, including via professional—and potentially even compliant—businesses? Guidance from the UK’s National Cyber Security Centre on supply chain security recommends a series of principles, which include knowing who your suppliers are, building an understanding of what their security looks like, and forming a plan of action.
These recommendations also rely heavily upon your suppliers’ security arrangements. This can involve requiring “prospective suppliers to provide evidence of their approach to security and their ability to meet the minimum security requirements you have set at different stages of the contract competition” and explaining the rationale for these requirements to your suppliers so they understand what is required.
Leveraging Established Frameworks and Standards
Maintaining compliance with ISO 27001 can help ensure your suppliers are at the same level as you. It can enable you to vet your suppliers better and insist on their level of compliance without requiring a checklist or questionnaire.
Third-party service providers must implement appropriate security measures that are regularly monitored and reviewed when working with businesses using the ISO 27001 standard as a guardrail for supplier management. Sam Peters, CPO of ISMS.online, explains: “This enables organisations to identify, evaluate, and address security risks linked to external suppliers and allows companies to set pre-defined security criteria and conduct periodic assessments, ensuring ongoing compliance and security.”
ISO 27001 also requires businesses to maintain comprehensive records of all third-party interactions, including risk assessments, security requirements stipulated in contracts, and ongoing performance monitoring.
Ultimately, Peters argues, “ISO 27001 lays the foundations for rigorous partner and supplier vetting processes, robust partnership agreements, and a culture of continuous improvement, giving you a level of security regulation that should give you extra confidence.”
Third and Fourth Connections
Another consideration is the further flow-down to third- and fourth-party connections. Research released earlier this year from SecurityScorecard found that 97% of companies in the UK have a breached entity in their third-party ecosystem.
Starnes says many companies tier their suppliers and hold a description of each supplier that dictates the regulatory compliance they place on that entity.
“For a tier one supplier, you would use a questionnaire administered every year, while for a tier two, you would have a less in-depth questionnaire done every two years.
“For a tier three supplier, you have another questionnaire and a notification for when there is a material change or an incident, and that is how many of them are managed.”
Overcoming Resource Challenges
While managing supply chain security can be resource-intensive, the effort pays off in the long run. Despite the time commitment, organising and auditing your supply chain is essential for maintaining a secure network. Automating parts of this process and leveraging compliance standards can streamline efforts and reduce the burden on security teams.
A Path Forward
By adopting a ‘trust but verify’ approach and fostering transparency, businesses can strengthen their supply chains against potential threats. Continuous monitoring, clear communication, and adherence to compliance standards are crucial to creating a resilient and secure supply chain. While the challenge is significant, proactive and positive strategies, including adopting an ISMS, can make a substantial difference in safeguarding against supply chain attacks.