LAS VEGAS – Supply-chain attacks have nabbed headlines lately thanks to high-profile incidents like the Wipro news last April, where attackers were able to compromise the staffing agency’s network and pivot to their customers. That incident pointed out that supply-chain risk should be thought of in a much more holistic fashion than it usually is, with people at its heart, according to Eric Doerr, GM at the Microsoft Security Response Center.
Speaking at Black Hat 2019 on Thursday, Doerr pointed out that supply-chain risk comes from four main areas: Hardware, software, services and people. All are important, but it’s the latter, he maintained, that should be the top focus.
“People like to think about hardware as the main supply-chain threat, but really, you need to start with people – your contractors and partners,” he said. He added that people aren’t just introducing risk into corporate environments — they’re also the key to proactively driving it out.
Wipro: A Case Study
Though Edward Snowden made the risk from contractor threats infamous, most companies still don’t see the risk coming from people as their biggest issue, according to Doerr – even though they should.
This was highlighted in the Wipro incident, as it rapidly became clear as the story unfolded that an advanced threat actor had been able to access the networks of multiple companies through the trusted vendor relationships they had established with IT consulting giant.
“At Microsoft, we wondered if perhaps other staffing agencies were impacted,” Doerr said. “We think some of the Olympics stuff may have had a component of this as well. Anyone in incident response now you spend a lot of time chasing things down that turn out to be false alarms, but we had to explore it. We have thousands of Wipro employees working in various parts of Microsoft doing important things.”
While it turned out that Microsoft wasn’t impacted by this particular attack, Doerr noted that there were several lessons learned in its exploration process when it comes to locking down the “people” part of the supply chain.
“You’ve threat-modeled a policy and now you’re testing your threat model,” he said. “We saw it as a great opportunity to test our thought process and that model.”
For instance, the first thing Microsoft did was to look at its already compiled inventory of third-party contacts, and perform an audit to determine if any contractors or partners were working on sensitive projects or have access to sensitive systems. Then, it determined if the security policies and procedures about where those third-party people are embedded had been followed.
Other steps that Microsoft took were to look for malicious signs and block any suspicious behavior; force a credentials reset (even though it was unpopular with employees); and add monitoring to all partner interfaces. Reports of the attack also mentioned a specialized Mimikatz binary that the attackers used, so Microsoft also deployed a signature for that.
“What we took away from this is that you have to assume that humans, like routers and software, will get breached eventually – and you have to be in the position of being satisfied that the damage will be manageable,” Doerr said.
To get into that position, it’s important to inventory everyone and everything on one’s network, and then employ the principle of least privilege, he added: “Where do you want to implant a partner or vendor? What kind of access do they need or should they have? You have to answer these questions.”
Then, make sure that there are tools and systems in place that can ensure that they can’t deviate from policy; and, where possible, provide the devices that third parties will use to do their jobs.
“This is very hard, especially when dealing with vendors that work across companies,” Doerr acknowledged. “You have to determine if you can hand out laptops like candy – but also if you can you expect them to juggle three or four different laptops as they move from place to place.”
Software: The People Dimension
The other attack vectors in the supply chain also tie back to people in many ways, Doerr added. For instance, when news broke that the CCleaner APT was targeting networks via the TeamViewer remote viewing software, talking to people became key to incident response at Microsoft.
“TeamViewer is used for provisioning and troubleshooting of physical machines, and it’s one of the more scary things you might have in your environment,” Doerr said. “But it’s not always obvious why someone is using something.”
So, Microsoft did an audit of who was using TeamViewer, and then manually went and talked to the teams to find out what they were using it for.
“You have to go and explore these things, because you have to balance theoretical security with business disruption,” he said.
The investigation uncovered that some people were interacting with third-party hardware suppliers using TeamViewer, because that’s what the vendors were using to debug equipment. The fact that the risk was being introduced from external partners brought up an additional dimension of diplomacy: Having open and transparent conversations about vulnerabilities and susceptibility to attacks that don’t involve blame are key to proactively mitigating third-party risk.
“How far do you get to mandate policy and governance?” Doerr said. “Do I tell the supplier that they can’t use a piece of software? What about the supplier of the supplier? It’s critical to get past the usual adversarial model and forge a true partnership with suppliers where you talk about shared risk. Because in the end, we’re all in this together.”
In the end, Doerr said, when it comes to supply-chain risk, the human element should be central.
“Start with people, because for most companies this the biggest risk and the least well understood, but the easiest to mitigate with the tools you probably have on hand,” he said. “And, how we treat people above and below us in the supply chain really matters – again, we’re all in this together.”
Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.