In parts one and two of this series, we talked about enhancing visibility into your supply chain and implementing an effective third-party risk management program. In part three, we’ll explore how organizations can anticipate which types of supply chain compromises they may be especially vulnerable to.
You’ve put together a solid inventory of assets and products your organization relies on, it’s well maintained, and you’ve got a third-party risk management program (TPRM) that has illuminated both new and old vendor relationships. These efforts are extremely important, but even the most well-prepared organizations still suffer breaches. We’ve already stepped back from the technical details of the SolarWinds compromise in order to gain a more strategic perspective of supply chains. How can we take this further and improve an already good security posture?
Organizations as Systems
Organizations are complex systems whose whole is greater than the sum of their parts. The parts themselves are also in flux and likely aren’t being seen in their entirety. Our visibility into the parts may be limited to a snapshot in time. For example, an asset inventory may be accurate one day, but increasingly inaccurate after that until another inventory cycle is performed. Even with real-time data on asset inventories, we’d be ignoring the relationships between different parts of an organization.
We quickly reach a limit to how much we can understand about complex systems by only looking at the parts. TPRM is a crucial way of integrating an organization’s parts into a whole that can be managed for better security. If we’re to anticipate previously unknown attack vectors, we need other high-level ways of looking at organizations and supply chains so we can uncover different kinds of systemic issues, and perhaps see them as a threat actor would see them.
When Systems Fail
Why is it so important to see beyond the mere parts of a system when we’re anticipating dangers to an organization? Let’s take an example from the world of safety, where disasters are usually not the result of a threat actor. In the book Drift into Failure, Sydney Dekker explains how the space shuttle Columbia disaster investigation did not limit itself to prior investigation methods. We can liken these older investigation methods to incident response procedures: seek out and identify the root cause of a failure on a mechanical or technical level so that it can be detected and prevented in the future. Instead of merely going “down-and-in” to figure out the technical root cause of the Columbia explosion, Dekker writes that NASA went “up-and-out” to take a higher viewpoint. This led them to the insight that insufficient communication among departments helped lead to the Columbia disaster. Organizational culture contributed to failure, even if the “physical” root cause was mechanical failure, and this crucial insight would have been missed without taking a higher viewpoint.
In a supply chain, an organization becomes one of many components in an even larger system, and information about the other components will be limited. However, to gain a better understanding of risk, we can still examine and uncover the edges where suppliers come into contact with an organization. TPRM was made for this, but it can’t cover everything and won’t always see a risk for what it is. Let’s try a different approach to complement TPRM.
Uncovering Supply Chain Vulnerabilities
In his Blackhat 2019 talk on supply chain attacks, Eric Doerr of Microsoft offers four types of suppliers: hardware, software, services, and people. TPRM should already have covered vendor relationships for each. If your program hasn’t considered one or more of these categories, start with adding those. Members of your organization who regularly come into contact with particular categories should be consulted about what they rely on day-to-day. For example, software developers are likely to be using tools that create an implicit or unknown vendor relationship (aka “shadow IT”), and conversations between developers and risk management are likely rare.
Once you’re pretty confident that suppliers of hardware, software, services, and people are well accounted for, you need to be creative. Let’s get concrete again: Picture your organization’s physical headquarters and the comings and goings of goods, people, and services through and around that physical location – The everyday activities that are usually taken for granted. Do your best to imagine how any of these could be abused or exploited. This applies for the remote workforce as well, though the examples would differ. Here are some examples to get you started:
- Picture the front entrance. What suppliers would interact with this entrance and how?
- Job recruiters might not ever enter the building, but they supply job candidates that will usually be allowed on the premises for an interview.
- What is revealed about your organization during an interview?
- Are there points in time when a job candidate will be unaccompanied?
- If I was a threat actor, I’d use the interview to gain an understanding of internal technologies, and unaccompanied periods of time to place a rogue device on the premises.
- Are there lesser-known or unofficial entrances to the building?
- Delivery drivers likely cannot be covered under TPRM, but they are often highly trusted for being familiar and providing an essential service.
- Do delivery drivers have access to a loading dock or rear entrance?
- Are they subject to the same policies of accompanying visitors throughout the building or are they unofficially treated as exempt?
- If I was a threat actor, I’d pose as or blackmail a delivery driver to gain an understanding of the floor layout and/or place a malicious device within a non-descript brown box.
- What is near the building?
- Some of the team members regularly meet for lunch at a local coffee shop, an unofficial supplier of insecure wireless internet.
- If I was a threat actor…
- Delivery drivers likely cannot be covered under TPRM, but they are often highly trusted for being familiar and providing an essential service.
- Job recruiters might not ever enter the building, but they supply job candidates that will usually be allowed on the premises for an interview.
The approach outlined above combines threat modeling and agile-like user stories to help see your organization’s supply chain through the eyes of its unwanted “users”: threat actors. This is only one of many ways to approach risk evaluation in the complex system that is your organization, but hopefully one that will allow you to see supply chain vulnerabilities in a new light.