Threat Modeling Against Supply Chain

Cyber incidents and business and supply chain interruption are the top two global risks facing businesses worldwide in 2022, according to the Allianz Risk Barometer. However, organizations still lack cybersecurity preparation and culture. The dangerous logic that being compliant with regulations equals being secure is still prevalent, and it makes businesses easy targets for adversaries. In the modern cyber landscape, no organization can be completely insured against cyberattacks. Digitalization, the expansion of attack surfaces, and the shift to remote working are driving cyberthreat concern, especially for enterprises that rely on supply chains.

Supply chains are vulnerable, easy to disrupt, and highly attractive to cyber criminals. A typical supply chain’s attack surface is vast and expanding rapidly. It can include local and cloud networks, third-party vendors and suppliers, multiple software products and their dependencies, application tools, customer interfaces, technology and physical assets, and multi-cloud infrastructures. Aside from being hard to safeguard, supply chains are a prime target in 2022 for another reason: gaining access to one link can compromise the entire chain. Threat actors then get access to networks, customer personal information, company assets, and the company’s partners and vendors.

Geopolitical Cyber Supply Chain Issues

There is another key factor to consider when evaluating supply chain security and resilience. Growing dependence on multiple global vendors and expanding attack surfaces both play into the hands of threat actors looking to exploit companies’ vulnerabilities. We are seeing a huge spike in state-sponsored and industrial espionage and forced tech transfer. Many companies used to leave geopolitical cyber risks out of consideration, as they did not think their organization or industry was likely to be targeted.

However, the new reality of globalization and digitalization brings together companies, customers, users, and vendors from across the world. Furthermore, the more high-tech a supply chain gets, the more it depends on multiple, and often poorly vetted, vendors and third-party software suppliers. This, as mentioned before, greatly expands the attack surface and increases vulnerabilities. Trust becomes implicit in favor of smoother operations. Yet there are no proper vetting procedures for implementing new software, hardware, or updates. The SolarWinds supply chain attack was one of the most prominent examples of third-party software compromise, and it affected the company, its vendors, and its customers.

Russia’s war in Ukraine, continuous sanctions, tensions with China, and consequential supply shortages exacerbate the situation, giving threat actors more motivation for espionage, ransomware, and disruption attacks.

These factors have created a perfect storm for cybercriminals and it is no surprise that cybercrime is on the rise this year. Supply chains must adopt proactive security measures to combat the threats.

Does your organization have clear insight into viable threats and threat exposures, its vulnerabilities, a vetting process for incoming software and updates, the full scope of its network, and a remediation plan ready? Missing any one of these points can leave a company and its supply chain exposed to threat actors and lead to financial loss, operational downtime, and loss of data and intellectual property.

Supply Chain Attack Impact:

  • Financial Loss. The average cost of a data breach to an organization increased to $4.35 million in 2022. The financial loss is not limited to a ransomware payout and can have a long-term impact: lost sales, increased insurance premiums, charges run up by criminals using the company’s resources, fines and penalties, and the cost of upgrading security.
  • Time Loss. Businesses estimated it takes around 60 hours to respond to a software supply chain attack, which can, in turn, cause prolonged operational downtime.
  • National Security Threats. Cybercriminals target strategic assets, such as critical infrastructure, mail services, and power grids.
  • Cargo Loss (COGs Loss). Cargo supply disruption can cost time, cause schedule delays, and carry the financial cost of replacing the shipments.
  • Corporate Losses. Data breaches can lead to a loss of customer trust and reputation harm, as well as a loss of the market share.
  • Human Life and Societal Loss. Supply chain attacks could result in deaths of people when vital resources cannot be dispatched to emergencies, or when 911 gets breached.

Why Choose Offensive Security and Risk-Centric PASTA Threat Modeling?

Standard threat modeling frameworks do not provide full coverage for supply chains because they lack scope: they concentrate on certain areas or applications and do not take the full range of assets into account. Most of the frameworks are compliance-driven and satisfy regulations. However, threat actors do not follow rules or abide by requirements. On the contrary, they are creative and always look for loopholes and weaknesses.

So, as important as it is to meet regulations, security teams and executives need to adopt an offensive approach to give an organization and everyone within the supply chain the best fighting chance against cyberthreats. Risk-centric threat modeling, such as the PASTA methodology, is a proactive approach to cybersecurity. It provides a security blueprint for a supply chain that encompasses multiple security and IT disciplines, such as:

  • Regulatory risk assessment
  • Business impact analysis and asset management
  • Security hardening and security architecture review
  • Threat analysis and vulnerability assessment
  • Penetration testing
  • Residual risk analysis

PASTA threat modeling gives the security framework the advantage of not only full supply chain scope, but also a threat actor’s perspective on a company and its vulnerabilities. PASTA considers what objectives guide cybercriminals to select a target supply chain (stealing data, persistence, IP theft, sabotage, extortion, etc.), how they define intended attack surfaces, and how they exploit weak system components and architecture flaws.

It is a risk-based application threat modeling methodology that begins with a phase for understanding the key business and supply chain objectives to be supported by the threat modeling process and ends with a risk mitigation phase. Threat modeling provides an opportunity to mitigate any business risk issues that have been identified and qualified as part of the process. PASTA’s seven stages provide a fundamental framework for iterative threat modeling.

VerSprite's Risk-Based PASTA Threat Modeling Process

Real-World Threat Model Example

So, what does the threat modeling process look like in practice? Let’s go over a brief example with one of the best-known supply chains in the US: the United States Postal Service (USPS).

USPS handles more mail than any other postal system in the world and its retail network is larger than McDonald’s, Starbucks, and Walmart combined. With such a vast network, serving over 163 million people and employing over half a million, and having an immense social significance, USPS is a prime target for cybercriminals.

The threat modeling process begins with assessing the organization and determining the threat landscape. The threats USPS faces can include, but are not limited to, establishing persistence, exfiltrating PII, harvesting employee information, cryptojacking, extortion, and sabotage. Once we have established the viable risks, we can understand what motives may drive threat actors to perpetrate attacks on the postal service:

  • Establish persistence across multiple sites in order to leverage infrastructure for multiple objectives.
  • Siphon out PII from analytics platforms in order to harvest and share on black market forums.
  • Collect USPS user information for the purposes of perpetration and illicit access to USPS systems.
  • Hold hostage systems that are responsible for fulfillment of key processing activities, generally via ransomware.
  • Obtain unauthorized access to infrastructure in order to mine crypto currency.
  • Disrupt operations, particularly in areas where there is a single point of failure, in order to interrupt USPS services.

Understanding the motives that guide cybercriminals gives us a clear view of which attack surfaces and vulnerabilities are viable and likely to be targeted. It is the foundation of a solid security framework based on a risk-centric threat model.

From these motives we catalog the correlating attack surfaces of the US postal service: employees and contractors, endpoints, informeddelivery.usps.com, Mail Sorters domain, controllers, AFCS systems, email, and network.

Now that we have determined the scope of the company, its viable threats and threat motives, and the attack surfaces likely to be targeted, we can list the associated attack patterns:

  • Collusion | Insider Threat
  • Drive-by-Download | Phishing
  • Injection Based Attacks | Authentication Bypass
  • Supply chain compromise | Malicious component
  • Pass the Hash Authentication Attacks
  • Phishing attacks
  • Network MITM | Botnets

This clear breakdown allows us to now create an attack tree. Here’s a quick example:

  • Threat (let’s take sabotage)
  • Targets (USPS sorting system, scanning solution, multi-purpose extractor)
  • Weaknesses (no security testing against key components, poor physical security against tampering, CVE-2014-5410 remote DoS, etc.)
  • Attack Vectors and Patterns (CAPEC-523: insider threat installs malware, CAPEC-437: supply chain tainted board, CAPEC-9: buffer overflow in local command-line utilities, T1068: exploitation for privilege escalation)
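
An added example, not part of the original article or VerSprite's tooling: the sabotage attack tree above as a small Python graph that enumerates every path and ranks which weakness, once remediated, closes the most of them. Node names come from the list above; the edges between layers are assumptions made for illustration, since the article does not state them.

```python
from collections import Counter

# Node names are taken from the article. The edges (which weakness applies to
# which target, which pattern uses which weakness) are ASSUMED for illustration.
TREE = {
    "Sabotage": ["Sorting system", "Scanning solution", "Multi-purpose extractor"],
    "Sorting system": ["No security testing", "Poor physical security", "CVE-2014-5410"],
    "Scanning solution": ["No security testing", "Poor physical security"],
    "Multi-purpose extractor": ["No security testing"],
    "No security testing": ["CAPEC-9", "T1068"],
    "Poor physical security": ["CAPEC-523", "CAPEC-437"],
    "CVE-2014-5410": [],  # no attack pattern mapped to this weakness yet
}

def attack_paths(tree, node, prefix=()):
    """Depth-first enumeration of every root-to-leaf path in the tree."""
    path = prefix + (node,)
    children = tree.get(node, [])
    if not children:
        return [path]
    return [p for child in children for p in attack_paths(tree, child, path)]

def rank_weaknesses(paths):
    """Count how many attack paths pass through each weakness (third layer)."""
    return Counter(p[2] for p in paths).most_common()

def surviving(paths, fixed):
    """Paths that remain open after the weaknesses in `fixed` are remediated."""
    return [p for p in paths if p[2] not in fixed]

def unmapped(paths):
    """Weaknesses with no attack pattern attached: a gap in the model itself."""
    return sorted({p[2] for p in paths if len(p) == 3})

if __name__ == "__main__":
    paths = attack_paths(TREE, "Sabotage")
    for weakness, count in rank_weaknesses(paths):
        print(f"{count:2d} paths depend on: {weakness}")
    left = surviving(paths, {"No security testing"})
    print("paths still open after closing the testing gap:", len(left))
    print("weaknesses lacking an attack pattern:", unmapped(paths))
```

The ranking is only as good as the edges: replace the assumed mapping with the one produced in your own threat analysis before using the counts to prioritize remediation.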

This condensed overview gives us an idea of the threat modeling process for a supply chain. It gives the full scope of the attack surfaces and considers operational and business objectives, as well as the objectives of cybercriminals and the routes they are likely to choose. As we can see, the threat model for a supply chain is scalable: it provides not only a security framework for an organization, but also a security blueprint that can evolve with the company, its network, and cyberthreats.
