Threat Modeling Against Supply Chain

Cyber incidents and business and supply chain interruption are the two top global risks businesses worldwide are facing in 2022, according to the Allianz Risk Barometer. However, we are seeing that organizations still lack in cybersecurity preparation and culture. The dangerous logic of being compliant with regulations equals to being secure is still prevalent, and it makes businesses easy targets for adversaries. In the modern-day cyber landscape, no organization can be completely insured against cyberattacks. Digitalization, expansion of attack surfaces, and shift to remote working are driving the cyberthreat concern, and especially for enterprises that are reliant on supply chains.

Supply chains are vulnerable, easy to disrupt, and highly attractive to cyber criminals. Typical supply chain’s attack surface is vast and expanding rapidly. It can include local and cloud networks, third-party vendors and suppliers, multiple software and its dependents, and application tools, customer interfaces, technology and physical assets, and multi-cloud infrastructures. Aside from being hard to safeguard, another important point that attracts adversaries and makes supply chains a prime target in 2022 is – gaining access to one link can compromise the entire chain. Threat actors then get access to networks, customer personal information, company assets, its partners, and vendors.

Geopolitical Cyber Supply Chain Issues

There is another key factor to consider when evaluating supply chain security and resilience. Growing dependence on multiple global vendors and expanding attack surfaces all play into the hand of threat actors looking to exploit companies’ vulnerabilities. We are seeing a huge spike in state-sponsored and industrial espionage and forced tech transfer. A lot of companies used to not take geopolitical cyber risks into consideration, as they did not think their organization or industry are likely to be targeted.

However, the new reality of globalization and digitalization brings together companies, customers, users, as well as vendors from across the world. Furthermore, the more high-tech a supply chain gets, the more it depends on multiple, and a lot of times poorly vetted, vendors and third-party software suppliers. This, as mentioned before, greatly expands the attack surfaces and increases vulnerabilities. Trust becomes implicit in favor of smoother operations. Yet, there is no proper vetting procedures for implementing new software, hardware, or updates. SolarWinds supply chain attack was one of the most prominent examples of the third-party software compromise, which affected the company, its vendors, and customers.

Russia’s war in Ukraine, continuous sanctions, tensions with China, and consequential supply shortages exacerbate the situation, giving threat actors more motivation for espionage, ransomware, and disruption attacks.

These factors have created a perfect storm for cybercriminals and it is no surprise that cybercrime is on the rise this year. Supply chains must adopt proactive security measures to combat the threats.

Does your organization have a clear insight into viable threats and threat exposures, vulnerabilities, vetting process for incoming software and updates, have a full scope of the network, and have a remediation plan ready? Missing out on one of the points can leave a company and the supply chain exposed to threat actors, and lead to financial loss, operational downtime, loss of data and intellectual property.

Supply Chain Attack Impact:

• Financial Loss. Average cost of a data breach to an organization increased to $4.35 million in 2022. The financial loss is not limited to a ransomware payout and can have a long-term impact: lost sales, increased insurance premiums, charges run up by criminals using company’s resources, fines and penalties, cost of upgrading security.
• Time Loss. Businesses estimated it takes around 60 hours to respond to a software supply chain attack, which can, in turn, cause prolonged operational downtime.
• National Security Threats. Cybercriminals target strategic assets, such as critical infrastructure, mail services, and power grids.
• Cargo Loss (COGs Loss). Cargo supply disruption can cost time, cause schedule delays, and carry financial cost of replacing the shipments.
• Corporate Losses. Data breaches can lead to a loss of customer trust and reputation harm, as well as a loss of the market share.
• Human Life and Societal Loss. Supply chain attacks could result in deaths of people when vital resources cannot be dispatched to emergencies, or when 911 gets breached.

Why Choose Offensive Security and Risk-Centric PASTA Threat Modeling?

Standard threat modeling frameworks do not provide full coverage for supply chains as they lack in scope, concentrating on certain areas or applications and not taking into the account the full range of assets. Most of the frameworks are compliance-driven and satisfy regulations. However, threat actors do not follow rules and abide by requirements. On the contrary, they are creative and always look for loopholes and weaknesses.

So, as important as it is to meet regulations, to give an organization and everyone within the supply chain the best fighting chance against cyberthreats, security teams and executives need to adopt offensive approach. Risk-centric threat modeling, such as PASTA methodology, is a pro-active approach to cybersecurity. It provides a security blueprint for a supply chain that encompasses multiple security and IT disciplines, such as:

• Regulatory risk assessment
• Business impact analysis and asset management
• Security hardening and security architecture review
• Threat analysis and vulnerability assessment
• Penetration testing
• Residual risk analysis

PASTA threat modeling gives the security framework the advantage of not only full supply chain scope, but also providing a threat actors’ perspective and view of a company and its vulnerabilities. PASTA considers what objectives guide cybercriminals to select a target supply chain (stealing data, persistence, IP theft, sabotage, extortion, etc.), how they define intended attack surfaces, and exploit weak system components and architecture flaws.

It is a risk-based application threat modeling methodology that begins with a phase for understanding key business and supply chain objectives to be supported by the threat modeling process and completes with a risk mitigation phase. Threat modeling provides an opportunity to mitigate any business risk issues that have been identified and qualified as a part of the process. PASTA’s seven stages provide a fundamental framework for an iterative threat modeling.