Secure the Virtual Supply ChainTrend Micro's Tom Kellermann on Emerging Cyberthreats
When it comes to breach prevention, many organizations are improving their own security posture, but neglecting that of their strategic partners.
See Also: The Global State of Online Digital Trust
It's a wide gap that far too few organizations even recognize, says Tom Kellermann, vice president of cybersecurity at Trend Micro.
"The criminal community is very much targeting managed service providers to conduct what's called 'island-hopping' from that service provider into your ecosystem," Kellermann says.
The onus, then, is on organizations to validate their partners' security measures, to ensure that attackers cannot sneak in through an unguarded back door.
"It's imperative that you review those service level agreements, and also then to make sure that you have the same level of security for your data as it's hosted by somebody else half of the time."
In a recent study by Trend Micro and ISACA, researchers found that of the major breaches investigated in 2012, 32 percent occurred as a result of a third-party breach. A year later, only 19 percent of those breached entities amended their service level agreements to include new security provisions, Kellermann says.
"We really need to pay attention to the systemic risk that exists now as we outsource much of our data to these managed service providers."
In an interview about virtual supply chain threats, Kellermann discusses:
- Supply chain gaps organizations frequently overlook;
- Top threats exploiting those gaps;
- Proactive security measures that should be employed.
Kellermann is responsible for analysis of emerging cybersecurity threats and relevant defensive technologies, strategic partnerships and government affairs. He served as a commissioner on The Commission on Cyber Security for the 44th Presidency and serves on the board of the National Cyber Security Alliance, The International Cyber Security Protection Alliance and the National Board of Information Security Examiners Panel for Penetration Testing. He is a Professor at American University's School of International Service and is a Certified Information Security Manager (CISM).
Virtual Supply Chain Risks
TOM FIELD: We hear a lot about supply chain risk, not so much about the virtual supply chain. Can you talk about it some and give us a sense of what organizations of all sizes are perhaps overlooking?
TOM KELLERMANN: In general, what organizations are not paying attention to is the fact that the criminal community, the hacker community and criminals of all sorts are very much targeting managed service providers to conduct what's called "island hopping" from that service provider into your ecosystem. The reason for that is the consolidation of data and the movement toward cloud computing. A mid-market firm needs to obviously outsource a lot of their IT processes, but in that regard it's imperative that you review those service level agreements and alter them to make sure that you have the same level of security for your data as it's hosted somewhere else half of the time.
In a recent study by ISACA and Trend Micro, it was noted that, of the major breaches that occurred last year, 32 percent of them were due to third-party systems being breached. What's ironic is a year later, only 19 percent of those organizations actually changed their service level agreements to add security of those agreements with that third-party that was the reason for the breach. We really need to pay attention to the systemic risk that exists now as we outsource much of our data into these managed service providers.
FIELD: Let's talk about some of these virtual supply chain risks and the specific threats. How do you see them manifesting in the marketplace?
KELLERMANN: If you understand the hackers' mindset - and there are many, many more of them now in today's world, and the FBI's number-one criminal priority is cyber now - less than one percent of these folks are actually successfully prosecuted. Where that's relevant is that they fully understand your dependency on these ephemeral relationships, these IT ecosystems that exist, and they're leveraging specific attacks in terms of trying to target either the websites or the mobile apps of these organizations to conduct what's called watering hole attacks, where in your website, or the website of your manage service provider, or your portal, where the mobile app that you've created is essentially turned rogue and it attacks people who visit it by pushing trojans or malware down the browsers of the visitors. This is becoming highly problematic because, back in the day, there used to be widespread phishing and targeted spear-phishing, which still occurs, but now they're actually leveraging your assets against your user base.
Strategic and Tactical Concerns
FIELD: In a prior conversation, you told me you had two specific concerns, two phenomena that you're seeing. One is strategic and one is tactical. Could you go into those details just a bit, please?
KELLERMANN: Strategically, the organized crime syndicates in the world obviously have absorbed hacking into their mantra and their business model. [Also] hackers themselves have many more highly capable and sophisticated weapons that they're using to bypass perimeter defenses. In essence, what they're starting to do is they're leveraging destructive payloads against targets for the purposes of either the primary intent or the clean-up mechanism once they're done essentially exfiltrating your secrets or your sensitive data.
What's going on now, since many more organizations are hacking back, and many organizations are shutting off command and control of hackers when they're inside systems, is they're beginning to punish with destructive payloads organizations that are doing a good job of incident response, which is troubling to say the least.
Tactically, there's a new type of attack called ice phishing that we're seeing leveraged in the wild. Here they're actually compromising your web server and then they're spear-phishing your user base with legitimate links to your website and to your web server, except that those leads are corrupted. It's not a re-direction technique to some other site that's polluted that can then attack their user base with exploits, but rather your own web server is used in conjunction with a targeted spear-phishing campaign wherein legitimate URLs from your own web server or from your managed service provider are being leveraged to attack your constituency. That's a very troubling trend. Ice phishing will become much more mainstream because it's a more elegant form of phishing.
FIELD: This really reinforces the point that we've made before, which is that you don't have to go to a "bad site" and you don't have to click on a "bad link" to be infected.
KELLERMANN: Correct. This really speaks to the over-colonization that's occurring. We just need to respect the fact that web server security and mobile application security are imperatives in today's environment. Essentially, the paradigm has to shift. As a mid-market firm, you may not have the staff or the resources to fully deploy effective security, and you outsource your IT. At the same time, you should choose that managed service provider, not just based on price points, but also based on what you think is a proactive strategy and a proactive procedural set that they have to manage these types of risks. [Don't] just focus on perimeter defenses, but actually take the next steps to create defense in depth.
FIELD: I like the word you use, "proactive," because it feeds into the next question I have. What proactive advice do you have for organizations so they can 1) assess their risks, and 2) especially be able to mitigate them?
KELLERMANN: Here's one specifically. I wouldn't ever outsource or use a managed service provider or a cloud provider unless they can verify to me that they've undergone my robust penetration test and remediated the attack facts that were identified in said tests. That's a first. Second, it's imperative in today's environment to actually utilize what's called file integrity monitoring. You need to validate the integrity of your files and white-list your applications because of the nature in which hackers actually pollute trusted files and trusted applications so that they can maintain a footprint within your system. Because of the advent and explosion of zero-days in the past year, I would say virtual patching is fundamental. It doesn't solve the patching conundrum, but it gives you time. It solves that exploit now. It deals with that capacity of that adversary in the here and now and it gives you more time to actually roll out your change control of your vulnerability management.
In addition, you have to use a DLP in today's environment. You have to ensure not just that you're using a DLP, but that your managed service provider is using a DLP, so that you can control what data is actually exfiltrating from your ecosystem. This really speaks to the fact that the paradigm that's necessitated here is less of creating a fortress around your data, but more in creating a prison. Make it more difficult for the adversary to steal your data and to walk out of your house with data. Make sure that the managed service provider also is on the same page with you.
Then, fundamentally, when you roll out your mobile program - because let's get real, everyone's doing the consumerization of IT, and you're allowing most of your staff to bring in their devices - take it a step further. Don't just deploy a MDM and think you're okay. Recognize and appreciate that many times hackers are attacking these mobile apps, conducting these attacks on those apps that you built or apps that you trust your users to use. There's a new phenomenon called mobile application reputation software. Can you validate and vet the sanctity and the righteousness of that app when it's on a device? Because when it goes rogue, you should be aware and you should be able to shut it down. When you can, pay attention to these tactics in order to roll out a layered security in today's environment. Trend Micro is really good and can help you with that.