Cyber incidents and business and supply chain interruption are the two top global risks businesses worldwide are facing in 2022, according to the Allianz Risk Barometer. However, we are seeing that organizations still lack cybersecurity preparation and culture. The dangerous logic that being compliant with regulations equals being secure is still prevalent, and it makes businesses easy targets for adversaries. In the modern-day cyber landscape, no organization can be completely insured against cyberattacks. Digitalization, expansion of attack surfaces, and the shift to remote working are driving cyberthreat concerns, especially for enterprises that rely on supply chains.
Supply chains are vulnerable, easy to disrupt, and highly attractive to cybercriminals. A typical supply chain’s attack surface is vast and expanding rapidly. It can include local and cloud networks, third-party vendors and suppliers, multiple software packages and their dependencies, application tools, customer interfaces, technology and physical assets, and multi-cloud infrastructures. Aside from being hard to safeguard, another important point that attracts adversaries and makes supply chains a prime target in 2022 is that gaining access to one link can compromise the entire chain. Threat actors then gain access to networks, customer personal information, company assets, and the company’s partners and vendors.
There is another key factor to consider when evaluating supply chain security and resilience. Growing dependence on multiple global vendors and expanding attack surfaces all play into the hands of threat actors looking to exploit companies’ vulnerabilities. We are seeing a huge spike in state-sponsored and industrial espionage and forced technology transfer. Many companies used not to take geopolitical cyber risks into consideration, as they did not think their organization or industry was likely to be targeted.
However, the new reality of globalization and digitalization brings together companies, customers, users, and vendors from across the world. Furthermore, the more high-tech a supply chain gets, the more it depends on multiple, and often poorly vetted, vendors and third-party software suppliers. This, as mentioned before, greatly expands the attack surface and increases vulnerabilities. Trust becomes implicit in favor of smoother operations, yet there are no proper vetting procedures for introducing new software, hardware, or updates. The SolarWinds supply chain attack was one of the most prominent examples of a third-party software compromise, affecting the company, its vendors, and its customers.
Russia’s war in Ukraine, continuing sanctions, tensions with China, and the consequent supply shortages exacerbate the situation, giving threat actors more motivation for espionage, ransomware, and disruption attacks.
These factors have created a perfect storm for cybercriminals, and it is no surprise that cybercrime is on the rise this year. Supply chains must adopt proactive security measures to counter these threats.
Does your organization have clear insight into viable threats and threat exposures, its vulnerabilities, a vetting process for incoming software and updates, a full picture of its network, and a remediation plan ready? Missing even one of these points can leave a company and its supply chain exposed to threat actors and lead to financial loss, operational downtime, and loss of data and intellectual property.
Standard threat modeling frameworks do not provide full coverage for supply chains: they lack scope, concentrating on certain areas or applications and not taking into account the full range of assets. Most frameworks are compliance-driven and exist to satisfy regulations. Threat actors, however, do not follow rules or abide by requirements. On the contrary, they are creative and always look for loopholes and weaknesses.
So, as important as it is to meet regulations, to give an organization and everyone within the supply chain the best fighting chance against cyberthreats, security teams and executives need to adopt an offensive approach. Risk-centric threat modeling, such as the PASTA methodology, is a proactive approach to cybersecurity. It provides a security blueprint for a supply chain that encompasses multiple security and IT disciplines, such as:
PASTA threat modeling gives the security framework the advantage not only of full supply chain scope but also of a threat actor’s perspective on a company and its vulnerabilities. PASTA considers what objectives guide cybercriminals to select a target supply chain (stealing data, persistence, IP theft, sabotage, extortion, etc.), how they define their intended attack surfaces, and how they exploit weak system components and architecture flaws.
It is a risk-based application threat modeling methodology that begins with a phase for understanding the key business and supply chain objectives the threat modeling process is meant to support, and completes with a risk mitigation phase. Threat modeling provides an opportunity to mitigate any business risk issues that have been identified and qualified as part of the process. PASTA’s seven stages provide a fundamental framework for iterative threat modeling.
So, what does the threat modeling process look like in practice? Let’s go over a brief example with one of the best-known supply chains in the US, the United States Postal Service (USPS).
USPS handles more mail than any other postal system in the world, and its retail network is larger than those of McDonald’s, Starbucks, and Walmart combined. With such a vast network, serving over 163 million people and employing over half a million, and with immense social significance, USPS is a prime target for cybercriminals.
The threat modeling process begins with assessing the organization and determining the threat landscape. The threats USPS faces include, but are not limited to, establishing persistence, exfiltrating PII, harvesting employee information, cryptojacking, extortion, and sabotage. Once we have established the viable risks, we can understand what motives may drive threat actors to attack the postal service:
Understanding the motives that guide cybercriminals gives us a clear view of which attack surfaces and vulnerabilities are viable and likely to be targeted. It is the foundation of a solid security framework based on a risk-centric threat model.
From these motives we catalog the corresponding attack surfaces of the US Postal Service: employees and contractors, endpoints, informeddelivery.usps.com, the Mail Sorters domain, controllers, AFCS systems, email, and the network.
Now that we have determined the scope of the company, its viable threats and threat motives, and the attack surfaces likely to be targeted, we can list the associated attack patterns:
This clear breakdown allows us to create an attack tree. Here’s a quick example:
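As an added, constructed illustration that is not the article’s own attack tree: a small attack-tree model in Python whose leaves are attack surfaces the article names, combined with AND/OR nodes toward the “exfiltrate PII” objective from the threat list, with a function that ranks which surface’s mitigation lowers the root likelihood the most. The leaf likelihoods are placeholder values, not assessed figures.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Node:
    """One attack-tree node: a LEAF carries a likelihood, AND/OR nodes combine children."""
    name: str
    op: str = "LEAF"          # "LEAF", "AND" or "OR"
    likelihood: float = 0.0   # used only when op == "LEAF"
    children: list = field(default_factory=list)

def likelihood(node: Node, suppressed: str = "") -> float:
    """Probability the node's goal is reached, treating child events as independent;
    the leaf named `suppressed` is treated as fully mitigated (likelihood 0)."""
    if node.op == "LEAF":
        return 0.0 if node.name == suppressed else node.likelihood
    probs = [likelihood(c, suppressed) for c in node.children]
    if node.op == "AND":      # every child step must succeed
        return math.prod(probs)
    if node.op == "OR":       # any one child step suffices
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown operator {node.op!r}")

def leaves(node: Node) -> list:
    if node.op == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]

def rank_mitigations(root: Node) -> list:
    """For each attack surface, how much fully mitigating it lowers the root likelihood."""
    base = likelihood(root)
    gains = [(leaf.name, base - likelihood(root, suppressed=leaf.name)) for leaf in leaves(root)]
    return sorted(gains, key=lambda pair: pair[1], reverse=True)

def build_example_tree() -> Node:
    """Constructed tree over attack surfaces the article names; leaf likelihoods are placeholders."""
    foothold = Node("gain a foothold", "OR", children=[
        Node("email", likelihood=0.30),
        Node("endpoints", likelihood=0.20),
        Node("employees and contractors", likelihood=0.25),
    ])
    reach = Node("reach customer data", "OR", children=[
        Node("network", likelihood=0.40),
        Node("informeddelivery.usps.com", likelihood=0.15),
    ])
    # Root objective taken from the article's threat list; both sub-goals are required (AND).
    return Node("exfiltrate customer PII", "AND", children=[foothold, reach])
```

Replacing the placeholder likelihoods with values from the organization’s own risk assessment makes the ranking point at the surface where mitigation effort lowers the modeled risk most.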
This condensed overview gives an idea of the threat modeling process for a supply chain. It covers the full scope of the attack surfaces and considers operational and business objectives as well as the cybercriminals’ objectives and the routes they are likely to choose. As we can see, the threat model for a supply chain is scalable: it provides not only a security framework for an organization but also a security blueprint that can evolve with the company, its network, and the cyberthreats it faces.