by Vincent Kobel, VP Cybersecurity at METACO
This article is an extract from a recent METACO white paper titled “Supply Chain Attacks Highlight the Fundamental Importance of Digital Asset Security“, which contains crowdsourced insights from cybersecurity experts Costin G. RAIU, Juan Andrés Guerrero-Saade, Eliza May Austin and Chris Kubecka.
Like data breaches, supply chain attacks carry a compound risk whose impact spreads exponentially across the tech ecosystem and beyond. As you read this, cybercriminals are correlating the data they harvest from their victims with information they already hold, preparing follow-on attacks that are harder to detect.
The more adversaries learn about their victims and the interconnected players in their environment, the better they can target any of them.
As a consequence, “the private sector’s aggregated risk from software supply chain compromises continues to grow.”
We are past the point where financial and reputational damage is the most serious consequence. The fallout of a major supply chain attack now also includes instability in the business world and in international politics, two domains that are inherently intertwined.
“What I’m afraid of is that – looking at the future – the erosion of trust caused by supply chain attacks and malicious updates has the potential to be even more damaging than the attacks themselves.” – Costin G. RAIU, Director of the Global Research and Analysis Team at Kaspersky
As digital assets come of age and shed their stigma to become a reliable category of financial assets, they are bound to become a magnet for malicious actors. The bigger the payoff at the end of a compromise attempt, the more determined and better resourced the attacker will be.
That is why supply chain security is crucial for fostering trust and cultivating the lasting credibility that digital assets deserve.
The risk of not prioritizing supply chain security
As a cybersecurity specialist, I know that supply chain attacks are inevitable but also that their impact can – and should – be thoroughly mitigated. It’s up to every organization to decide how much of its budget goes to cybersecurity and how much risk it’s willing to sustain as “the cost of doing business.”
In financial terms, the effects of a supply chain attack can be daunting. The SolarWinds compromise cost the company $3.5 million in December 2020 alone, with legal and investigative costs continuing for months, even years.
The TNT division of FedEx and Maersk each spent around $300 million to repair and rebuild their IT infrastructure after NotPetya, which was seeded through a malicious update to the M.E.Doc accounting software and also took a heavy financial toll on several other companies. Maersk had to reinstall “4,000 servers, 45,000 PCs, and 2500 applications over the course of ten days in late June and early July 2017”, an operation of almost unimaginable scale and complexity. And the Danish shipping company wasn’t even the main target of the attack – just collateral damage.
In another example, the 2015 BlackEnergy 3 compromise of the Ukrainian power grid “caused approximately 225,000 customers to lose power across various areas” of the country. Stuxnet, in turn, targeted Iran’s nuclear program with malware that was unusually focused, triggering its sabotage payload only on specific industrial control system configurations.
Supply chain attacks are dangerous not only because of their immediate impact but also because of their deep implications, which concern every company out there – a statement that carries not an ounce of exaggeration.
“Supply chain attacks have been a long-standing bogeyman in the security space, with a lot of the concern focused on the perception of hardware supply chain vulnerability due to a shift towards foreign manufacturing of important components.
The past six years have emphasized the greater indiscriminate impact of software supply chains – and just how vulnerable most organizations are when it comes to the integrity of the software they rely on.
Whether it’s trojanized legitimate applications, backdoored dependencies, or benign software being served malicious updates, attackers have turned legitimate software from well-meaning software suppliers into an entry point to customer networks.
At the end of the day, this phase of supply chain attacks emphasizes the importance of moving beyond reputational trust towards actively monitoring endpoints to determine software integrity over time.” – Juan Andrés Guerrero-Saade, Principal Threat Researcher at SentinelOne and Adjunct Professor of Strategic Studies at Johns Hopkins School of Advanced International Studies (SAIS)
Long-term implications of a supply chain attack
Besides fueling the underground economy with troves of data and intelligence about companies, governments, and individuals, supply chain attacks have numerous consequences that keep accumulating.
One of them is the long road to recovery an organization has to travel once it has been hit. From investigating weaknesses in software, hardware, and even business processes to patching vulnerabilities, restoring data from backups, and rebuilding entire IT systems, recovery takes colossal effort and resources.
“The long-term consequences organizations don’t factor in until disaster strikes include several elements.
First, can the organization patch or update technology associated with the supply chain issue? For example, older tech built on specific programming languages could potentially cost millions to upgrade the digital ecosystem of the organization.
Another factor is who is ultimately liable. Would it be the organization, which must pay fines such as those brought on by the EU GDPR and associated costs, or would it be the supply chain that caused the breach?
Another concern is answering the question: can the supplier be switched to another, more secure option without increasing costs substantially?” – Chris Kubecka, Distinguished Chair at the Middle East Institute Cyber Program, who established security after the Shamoon cyberwar attack against Saudi Aramco in 2012
The rise and mass uptake of digital assets incentivizes motivated attackers
Malicious actors are well versed in finding creative ways to exploit weaknesses in systems, whether in software or in human nature. While security specialists deal with a bombardment of issues, cybercriminals look for the one vulnerability that gives them a way in and a chance to undermine the defenders’ work.
In reality, there is no single right way to mitigate a supply chain attack and no perfect playbook to rely on.
Layered defense is the only viable strategy, along with strong cooperation between stakeholders in the organization, their technology partners and, where appropriate, law enforcement. Hardware and software security, business processes, and cybersecurity training for all employees are elements decision-makers need to orchestrate together.
This principle is even more important in digital asset management, where keeping the private key safe is fundamental. You could say it’s our most important job.
That is why, at METACO, we combine digital and physical countermeasures in tailored, scalable security setups.
Besides a multi-layered approach, segmenting the networks of individual components, applying trusted/confidential computing principles, and compartmentalizing workloads are essential elements of defense in depth. Each of them contains a compromise to the component where it started and reduces the impact of a cyberattack.
Another option is architecting a zero trust network, which assumes that networked devices (e.g. laptops, desktop computers, smartphones) are not trusted by default and forces them to authenticate on every access and prove their identity and integrity.
What adds to the challenge in digital asset management is that standardization and transparency are lacking in this space. Competition makes collaboration difficult at this stage, as most organizations are trying to carve their path in this relatively new field.
As responsible specialists, we should be keenly aware that attackers take advantage of this fragmentation. In digital asset security, where customers potentially have millions – if not billions – in crypto assets, cybercriminals have a strong incentive to hack their way into systems to steal the master key, no matter the cost. If they have to pay someone $1 million just to pretend they are an HVAC repairman, they will do so because the reward is worth it.
That is why, when you start adding digital assets to your financial inventory, you need to ensure you work with a technology partner that is keenly aware of supply chain risks and that is actively mitigating them.
“Think of a huge successful FTSE100 company, a national supermarket for example.
Do you think it would be easier to illegally enter their digital environment or to penetrate the defences of the 8-employee company that supplies yogurts to them?
One has a big budget, technical employees and defence tools in place (one would hope).
There are a number of risks associated with this simple scenario, from invoice fraud from a known trusted supplier to phishing, vishing or website injection…” – Eliza May Austin, CEO of th4ts3cur1ty.company and PocketSIEM
A reminder for owners of digital assets
One of the threats digital asset owners face is tied to how they access and manage this category of assets, particularly crypto.
Attacks targeting app stores are advancing in both volume and sophistication. Concretely, malicious actors use app distribution platforms to spread malware either by publishing apps that appear legitimate or by injecting compromised code into bona fide applications. This is why we advise against managing crypto assets with apps from these platforms.
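The practical counterpart to the two points above – Guerrero-Saade’s call to move from reputational trust to “actively monitoring endpoints to determine software integrity over time”, and the risk of compromised code being injected into otherwise legitimate applications – is to verify what is installed rather than trust where it came from. The following Python script is an added example written for this article, not METACO code or any vendor’s tooling. It builds a SHA-256 manifest of an install tree, re-verifies that tree later to surface added, removed or modified files, and pins an individual artifact to an expected hash. The directory layout, file contents and the simulated “trojanized update” in `demo()` are constructed for illustration only.

```python
"""Software integrity baseline and drift check (added example, not METACO code).

Builds a SHA-256 manifest of an install tree, re-verifies it later, and pins a
downloaded artifact to an expected hash. All sample files are constructed here.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: an attacker who can plant a symlink could otherwise make
    the manifest vouch for content that lives outside the install tree.
    """
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report drift between a trusted baseline and a freshly computed manifest."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def verify_artifact(path: Path, expected_sha256: str) -> bool:
    """Pin one artifact (an update package, a wallet binary) to a known-good hash.

    hmac.compare_digest avoids timing leaks; the hash must come from an
    out-of-band source, never from the same channel that delivered the file.
    """
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def demo() -> Dict[str, object]:
    """Constructed scenario: baseline a clean install, then apply a simulated
    malicious update that patches one binary and drops a new file.
    Returns the drift report plus two pinned-hash checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "wallet").write_bytes(b"legit wallet binary v1")
        (root / "lib.so").write_bytes(b"legit library")
        baseline = build_manifest(root)  # store this off-host, ideally signed

        # Simulated trojanized update: the vendor binary is backdoored and a
        # payload appears; the library is untouched.
        (root / "bin" / "wallet").write_bytes(b"legit wallet binary v1 + backdoor")
        (root / "payload.dll").write_bytes(b"dropper")

        report: Dict[str, object] = dict(diff_manifest(baseline, build_manifest(root)))
        # Out-of-band pinned value for lib.so (constructed for the example).
        pinned_lib = hashlib.sha256(b"legit library").hexdigest()
        report["lib_pinned_ok"] = verify_artifact(root / "lib.so", pinned_lib)
        report["wallet_pinned_ok"] = verify_artifact(root / "bin" / "wallet", baseline["bin/wallet"])
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind. First, the baseline is only as trustworthy as its storage: an attacker with write access to the host can rewrite the manifest alongside the files, so keep it off-host or sign it and verify the signature before comparing. Second, hash pinning detects tampering after the publisher released the artifact; it does not help when the publisher’s own build pipeline produced the backdoored version, as in the SolarWinds case discussed above, which is why integrity has to be monitored over time and in combination with the segmentation and least-privilege measures described earlier.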
It’s elements like these that have a compound effect on digital asset security. Given the breadth, depth, and dynamic of the sector, ensuring defense in depth, especially against supply chain attacks, is a highly demanding task for internal teams.
The option of working with a security provider with deep expertise around digital assets can turn out to be not just more cost-effective but also more dependable. We have seen first-hand how financial institutions and other large organizations have effectively harmonized their digital asset operations. Rather than trying to secure wallets and private keys themselves, they were able to build or improve their ability to secure, trade, issue and manage digital assets by choosing METACO. Besides expertise and technology, they also got the proficiency of our integration team.
Preventing supply chain attacks – a shared responsibility
To architect security improvements designed for the long term, we must start from the concept of shared responsibility. It is also crucial that we keep supply chain attacks at the top of the agenda in conversations between business and technology decision-makers. In our view, it all starts from a shared understanding of the risks involved, the potential consequences, and the inherent limits everyone operates within under the current technology paradigm.
We echo the call launched by The Atlantic Council to forge “new alliance models and operational collaboration.”
We also actively contribute to advancing talks about digital asset security through educational content, such as our glossary, the METACO talks, bytes, and insights. When working with our customers, we run workshops that help establish common grounds in terms of concepts we operate with in digital asset management and their implications. It is our goal to support them in making decisions for their organizations but also enable them to pass on clear, practical information to their peers and respective connections.
Looking at digital assets through the lens of an attacker can be eye-opening, so I hope you will take this opportunity to consider including the supply chain in your response and remediation plan for cyberattacks.