Threat Modeling Against Supply Chains

Cyber incidents and business and supply chain interruption are the two top global risks businesses worldwide are facing in 2022, according to the Allianz Risk Barometer. However, we are seeing that organizations still fall short in cybersecurity preparation and culture. This is why threat modeling against supply chains is a vital procedure for protecting data.

The dangerous logic that being compliant with regulations equals being secure is still prevalent, and it makes businesses easy targets for adversaries. In the modern cyber landscape, no organization can be completely insured against cyberattacks. Digitalization, the expansion of attack surfaces, and the shift to remote working are driving the cyber threat concern, especially for enterprises that rely on supply chains.

Supply chains are vulnerable, easy to disrupt, and highly attractive to cyber criminals. A typical supply chain’s attack surface is vast and expanding rapidly. It can include local and cloud networks, third-party vendors and suppliers, multiple software products and their dependencies, application tools, customer interfaces, technology and physical assets, and multi-cloud infrastructures. Aside from being hard to safeguard, supply chains attract adversaries and are a prime target in 2022 for another important reason: gaining access to one link can compromise the entire chain. Threat actors then get access to networks, customer personal information, company assets, partners, and vendors.

Geopolitical Cyber Supply Chain Issues

There is another key factor to consider when evaluating why threat modeling against supply chains works: a supply chain’s security and resilience. Growing dependence on multiple global vendors and expanding attack surfaces all play into the hands of threat actors looking to exploit companies’ vulnerabilities. We see a huge spike in state-sponsored and industrial espionage and forced tech transfer. Many companies used not to consider geopolitical cyber risks, as they did not think their organization or industry was likely to be targeted.

However, the new reality of globalization and digitalization brings together companies, customers, users, and vendors from across the world. Furthermore, the more high-tech a supply chain gets, the more it depends on multiple, and often poorly vetted, vendors and third-party software suppliers. This, as mentioned before, greatly expands the attack surfaces and increases vulnerabilities. Trust becomes implicit in favor of smoother operations. Yet, there are no proper vetting procedures for implementing new software, hardware, or updates. The SolarWinds supply chain attack was one of the most prominent examples of third-party software compromise, which affected the company, its vendors, and customers.

Russia’s war in Ukraine, continuous sanctions, tensions with China, and consequential supply shortages exacerbate the situation, giving threat actors more motivation for espionage, ransomware, and disruption attacks.

These factors have created a perfect storm for cybercriminals and it is no surprise that cybercrime is on the rise this year. Supply chains must adopt proactive security measures to combat the threats.

Does your organization have clear insight into viable threats and threat exposures, its vulnerabilities, and the vetting process for incoming software and updates? Does it have the full scope of its network and a remediation plan ready? Missing any one of these points can leave a company and the supply chain exposed to threat actors, and lead to financial loss, operational downtime, and loss of data and intellectual property.

Supply Chain Attack Impact (The Need for Threat Modeling Against Supply Chains)

Financial Loss: The average cost of a data breach to an organization increased to $4.35 million in 2022. The financial loss is not limited to a ransomware payout and can have a long-term impact: lost sales, increased insurance premiums, charges run up by criminals using a company’s resources, fines and penalties, cost of upgrading security.

Time Loss: Businesses estimated it takes around 60 hours to respond to a software supply chain attack, which can, in turn, cause prolonged operational downtime.

National Security Threats: Cybercriminals target strategic assets, such as critical infrastructure, mail services, and power grids.

Cargo Loss (COGs Loss): Cargo supply disruption can cost time, cause schedule delays, and carry the financial cost of replacing the shipments.

Corporate Losses: Data breaches can lead to a loss of customer trust and reputation harm, as well as a loss of market share.

Human Life and Societal Loss: Supply chain attacks could result in deaths of people when vital resources cannot be dispatched to emergencies, or when 911 gets breached.

Why Choose Offensive Security and Risk-Centric PASTA Threat Modeling Against Supply Chains?

Standard threat modeling frameworks do not provide full coverage for supply chains because they lack scope: they concentrate on certain areas or applications and do not take into account the full range of assets. Most of the frameworks are compliance-driven and satisfy regulations. However, threat actors do not follow rules or abide by requirements. On the contrary, they are creative and always look for loopholes and weaknesses.

So, as important as it is to meet regulations, to give an organization and everyone within the supply chain the best fighting chance against cyber threats, security teams and executives need to adopt an offensive approach. Risk-centric threat modeling, such as the PASTA methodology, is a proactive approach to cybersecurity. It provides a security blueprint for threat modeling against supply chains that encompasses multiple security and IT disciplines, such as:

  • Regulatory risk assessment
  • Business impact analysis and asset management
  • Security hardening and security architecture review
  • Threat analysis and vulnerability assessment
  • Penetration testing
  • Residual risk analysis

PASTA threat modeling gives the security framework the advantage of not only full supply chain scope but also a threat actor’s perspective on a company and its vulnerabilities. PASTA considers what objectives guide cybercriminals to select a target supply chain (stealing data, persistence, IP theft, sabotage, extortion, etc.), and how they define intended attack surfaces and exploit weak system components and architecture flaws.

It is a risk-based application threat modeling methodology that begins with a phase for understanding key business and supply chain objectives to be supported by the threat modeling process and completes with a risk mitigation phase. Threat modeling provides an opportunity to mitigate any business risk issues that have been identified and qualified as a part of the process. PASTA’s seven stages provide a fundamental framework for iterative threat modeling against supply chains.

Figure: VerSprite's Risk-Based PASTA Threat Modeling Process

Using Threat Modeling Against Supply Chains: A Real-World Example

What does the threat modeling process look like in practice? Let’s go over a brief example of one of the best-known supply chains in the U.S.: the United States Postal Service (USPS).

USPS handles more mail than any other postal system in the world, and its retail network is larger than McDonald’s, Starbucks, and Walmart combined. With such a vast network, serving over 163 million people, employing over half a million, and having an immense social significance, USPS is a prime target for cybercriminals.

The process of threat modeling against supply chains begins with assessing the organization and determining the threat landscape. The threats USPS faces can include, but are not limited to, establishing persistence, exfiltrating PII, harvesting employee information, crypto-jacking, extortion, and sabotage. Once we have established viable risks, we can understand what motives can be driving threat actors in perpetrating attacks on the postal service:

  • Establish persistence across multiple sites to leverage infrastructure for multiple objectives.
  • Siphon out PII from analytics platforms in order to harvest and share on black market forums.
  • Collect USPS user information for perpetration and illicit access to USPS systems.
  • Hold hostage systems that are responsible for the fulfillment of key processing activities, generally via ransomware.
  • Obtain unauthorized access to infrastructure to mine cryptocurrency.
  • Disrupt operations, particularly in areas where there is a single point of failure, to interrupt USPS services.

Understanding the motives that guide cyber criminals gives us a clear view of which attack surfaces and vulnerabilities are viable and likely to be targeted. It is the foundation of a solid security framework based on risk-centric threat modeling against supply chains.

From these motives, we catalog the correlating attack surfaces of the US postal service: employees and contractors, endpoints, informeddelivery.usps.com, Mail Sorters domain, controllers, AFCS systems, email, and network.

Now that we have determined the scope of the company, its viable threats and threat motives, and established the attack surfaces likely to be targeted, we can list the associated attack patterns:

  • Collusion | Insider Threat
  • Drive-by-Download | Phishing
  • Injection Based Attacks | Authentication Bypass
  • Supply chain compromise | Malicious component
  • Pass the Hash Authentication Attacks
  • Phishing attacks
  • Network MITM | Botnets

This clear breakdown allows us to now create an attack tree for threat modeling against supply chains. Here’s a quick example:

  • Threat (let’s take sabotage):
  • Targets (USPS sorting system, scanning solution, multi-purpose extractor):
  • Weaknesses (no security testing against key components, poor physical security failing to prevent tampering, CVE-2014-5410 remote DoS, etc.)
  • Attack Vectors and Patterns (CAPEC 523: insider threat installs malware, CAPEC 437: supply chain tainted board, CAPEC 9: buffer overflow in local command-line utilities, T1068: exploitation for privilege escalation)
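
The attack tree above can be kept as data and checked against the controls in place, so that paths nobody has addressed stand out. The following is an added example, not VerSprite's code: the labels come from the sabotage example, while the nesting of weaknesses under targets, the pairing of vectors with weaknesses, and the `CONTROLS` table are constructed for illustration.

```python
from collections import Counter

# Labels come from the article's sabotage example. The nesting (which weakness
# belongs to which target, which vector exploits it) and CONTROLS are constructed.
TREE = {
    "sabotage": {
        "USPS sorting system": {
            "no security testing against key components": [
                "CAPEC-9 buffer overflow in local command-line utilities",
                "T1068 exploitation for privilege escalation",
            ],
            "CVE-2014-5410 remote DoS": [],  # no vector recorded yet
        },
        "scanning solution": {
            "poor physical security (tampering)": ["CAPEC-523 insider threat installs malware"],
        },
        "multi-purpose extractor": {
            "poor physical security (tampering)": ["CAPEC-437 supply chain tainted board"],
        },
    }
}
CONTROLS = {  # hypothetical control -> weakness or vector labels it addresses
    "tamper-evident seals and locked cabinets": {"poor physical security (tampering)"},
    "fuzzing of command-line utilities": {"CAPEC-9 buffer overflow in local command-line utilities"},
}

def attack_paths(tree, prefix=()):
    """Yield each root-to-leaf path: (threat, target, weakness[, vector])."""
    if isinstance(tree, dict):
        for label, sub in tree.items():
            if sub:
                yield from attack_paths(sub, prefix + (label,))
            else:
                yield prefix + (label,)
    else:
        for vector in tree:
            yield prefix + (vector,)

def open_paths(tree, controls):
    """Paths whose weakness and vector are both unaddressed by any control."""
    addressed = set().union(*controls.values())
    return [p for p in attack_paths(tree) if not addressed & set(p[2:])]

def open_by_target(tree, controls):
    """Count open paths per target so the riskiest component is reviewed first."""
    return dict(Counter(p[1] for p in open_paths(tree, controls)))

if __name__ == "__main__":
    for path in open_paths(TREE, CONTROLS):
        print(" -> ".join(path))
```

Treating a path as covered when either its weakness or its vector is addressed is a simplification; a stricter model would require a control at every step.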

VerSprite Can Help with Threat Modeling Against Supply Chains

This condensed overview gives us an idea of the process for threat modeling against supply chains. It gives a full scope of the attack surfaces and considers operational and business objectives, as well as the objectives of the cyber criminals and the routes they are likely to choose. As we can see, the threat model for a supply chain is scalable: it not only provides a security framework solution for an organization but also creates a security blueprint that can evolve with a company, its network, and cyber threats.