Pratum Blog

Chain Icon overlaid on image of warehouse

One of 2021’s biggest cybersecurity storylines has been the jump in supply chain attacks. (They’ve jumped fourfold this year in some reports.) These attacks turn the breach of a single organization into a massive headache for hundreds of partner companies. One of the most famous examples was the breach of Kaseya in July. That attack eventually enabled the REvil ransomware organization to encrypt the data of hundreds of companies worldwide as the attack cascaded outward from Kaseya to managed service providers (MSPs) to small/medium-size businesses. In a supply chain attack, the threat comes from one of your trusted software providers who hackers turn into a Trojan horse before anyone realizes what’s happening.

In this post, we’ll break down how supply chain attacks happen and what you can do to protect your system from these threats that arrive when your most trusted vendors unknowingly pass a big problem along to you.

Basics of Supply Chain Attacks

In what you might think of as a traditional hack, threat actors target one company and conduct reconnaissance to find vulnerabilities they can exploit. Then the threat actor breaks into that specific victim's computer network to exfiltrate data, launch ransomware, etc.

During a supply chain attack, the threat actors take the same initial steps, but their focus is upstream. They will compromise and infiltrate a trusted vendor that supplies software or IT services to many other companies. In this kind of attack, the goal isn’t focused on data exfiltration or launching ransomware on the vendors’ systems. Rather, hackers intend to sneak malware into the “supply chain” of software updates that the company installs on its customers’ computers. From a hacker’s perspective, these attacks are more efficient and have a greater impact because they leverage IT vendors that already have established and authorized connections into their customers’ network and systems. That means the malware can deploy across hundreds of companies and systems virtually undetected.

Every client of the IT vendor under attack becomes part of the attack. This blows up the “security by obscurity” belief that many smaller companies adopt. They think that because they’re small, they won’t be targeted by threat actors. But with supply chain attacks, tiny companies face just as much risk as big, high-profile enterprises.

The Kaseya Case Study

To understand these attacks, let’s break down the famous 2021 breach of Kaseya, an IT management software provider that mainly serves MSPs. On Friday, July 2, Kaseya’s incident response team identified a security incident related to Kaseya VSA. Their VSA (Virtual System Administrator) product delivers automated software patching, remote monitoring, and other capabilities so MSPs can seamlessly manage their customers' IT infrastructure. After breaking into Kaseya, the threat actors infected 50-60 MSPs. From there, they infected approximately 1,500 of the MSPs’ clients. The threat actors encrypted the victims’ data, effectively shutting down systems and networks. In Sweden, for example, the supermarket chain Coop closed 800 stores when its cash registers and payment processing systems went down—all because of a breach that was originally two steps removed from Coop’s systems.

Supply Chain Attack Diagram

The threat actors initially demanded $70 million to decrypt the systems, but later lowered the demand to $50 million. It appears that Kaseya refused to pay the ransom and received a decryptor tool from a third party on July 21 (yes, that’s nearly three weeks after the problem was discovered). With this tool, Kaseya was able to assist victims in restoring their systems and networks.

The SolarWinds Case Study

The SolarWinds breach that dominated headlines in December 2020 was another supply chain attack. Russian hackers, working for the Russian government, injected malicious code into SolarWinds’ IT management tool Orion, which gave the attackers access to thousands of systems when it was deployed. SolarWinds reported that up to 18,000 clients had installed the update with that malicious code. The victims of this attack included both private companies and government agencies, including NASA, the State Department, the Department of Defense, and the Department of Justice. The hackers didn’t demand a ransom, which indicates that this attack focused on espionage.

Why Supply Chain Attacks Are Increasing

Supply chain attacks are hard to defend against because they use software updates from trusted vendors. Organizations have always been concerned about infections that come from employees opening phishing e-mails with malicious attachments; clicking links and revealing their login credentials; or plugging a virus-infected USB drive into their computer. Today though, companies must also focus on creating defenses that screen the IT software and service providers who have authorized access into their network.

Threat actors increasingly use supply chain attacks for several reasons:

  • Many companies have improved their overall security posture, making it harder for threat actors to find vulnerabilities to exploit.
  • Supply chain attacks take longer to detect because they come from trusted third parties.
  • The return on investment for ransomware hackers is higher because the compromised vendor can, in turn, infect hundreds of other companies.

How to Strengthen Your Defense

To mitigate the risk of supply chain attacks, we recommend the following steps:

  • Log and monitor all third-party access into your network.
  • Establish a solid vendor management program so that you know the security practices of every third party you work with, including their incident response plans and cyber insurance policies. You should create a security questionnaire all vendors must complete, and you may want to consider requiring third-party certifications such as SOC 2 for your vendors.
  • Implement extended detection and response (XDR) that monitors and correlates data across the network to improve visibility into potential threats on the network.
  • Review the security of your own software development life cycle. In another example of a supply chain attack, a recent vulnerability in the Python Package Index (PyPi) left unpatched systems vulnerable to hackers getting write permissions to the pypa/warehouse repository. Hackers could install malicious packages without the developer’s knowledge. The solution: Monitor and regulate software repositories to secure software development and assure continued integrity. We recommend implementing an audit of software dependencies and version-locked dependencies during application auditing. Your organization may not directly maintain these dependencies, but they directly impact your security.

Pratum’s team can help you create a thorough defense strategy that protects your operations even when threats arrive from your trusted partners. Contact us for a free consultation.

Internal and External Penetration Testing

Regular penetration testing provides a key pillar in your ongoing cybersecurity plans. But penetration tests come in a lot of forms, and vendors often put their own spin on describing their work. In simple terms, penetration testing involves a team of ethical hackers proactively looking for exploitable vulnerabilities in your web applications, computer systems and networks. Their job is to identify your security gaps before a hacker does and compromises your system.

To ensure you’re picking a pen test that meets your needs, use this blog to understand the purpose and value of internal penetration testing and external penetration testing. Attacks can come from any direction, so your testing has to probe for weaknesses that come from outside and inside your environment.

External Pen Testing

This tests security programs by looking at anything with external access, including any device with a public-facing service, IP or URL such as a web application, firewall, server or IoT device. A pen tester may also try to gain access to external-facing assets such as e-mail, file shares, or websites. The pen testers simulate the work of an attacker who, depending on their motivation, may utilize a vulnerability or chain multiple vulnerabilities together in order to gain access to sensitive data. In various parts of the Internet, hackers sell or trade information on zero-day exploits (those not listed in known vulnerability databases) for these purposes.

External pen testing methods include:

  • IDS/IPS Testing – This examines whether Intrusion Detection Systems and Intrusion Prevention Systems are doing their job of analyzing network traffic and packets for known cyberattack signatures.
  • Segmentation Testing – This checks whether networks are properly separated to keep an attack from pivoting from one to the other.
  • Manual Testing of Identified Vulnerabilities – Here a tester tries to exploit the vulnerabilities that are widely known in the hacking community. This is a key step, considering that an estimated 60% of breaches involve vulnerabilities for which patches are available.
  • System Screening/Port Screening/Service Scanning for Vulnerabilities – These automated tests essentially look for doors left open into your network.
  • Checking Public Information for Leakages – You’d be surprised how many lists online publicize which companies have been hacked. A good pen tester checks those sources to see if your company’s name appears there.
  • Foot-printing/Banner Grabbing – These are methods of gathering information from a system in order to launch attacks against it.
  • Open Source Intelligence (OSINT) reconnaissance – Pen testers can find a surprising amount of useful information just by looking for clues in social media, websites, etc.
  • Social Engineering – About 80% of all breaches gain access through social engineering, so a true test of your security should include phishing and vishing (bogus phone call) tests.
  • PCI, HIPPA and Other Compliance-based Testing – Many frameworks have specific pen testing requirements organizations must meet to achieve compliance.

During the process, a pen tester gathers information on open ports, vulnerabilities, and the company’s users. Then they attempt to leverage that information for various attacks such as brute forcing passwords, phishing attacks, and precise operating system and service attacks.

The external pen test should reveal any areas that may be compromised and exploited to gain access to your network. The organization should also use the pen test as an opportunity to verify their current process for detecting anomalous activity. In other words, did your defenses pick up what the pen tester was trying to do and stop them?

Once a perimeter is breached, a given pen test’s rules of engagement may allow for using further attacks to gain access to internal network assets, often referred to as pivoting or lateral movement.

Internal Pen Testing

Most organizations focus on the perimeter in their security work. But the fact is that those with direct access to an organization’s data pose the most significant threat overall. People (even well-intentioned ones) are often easily manipulated and prone to mistakes. Many times, what happens at the host level goes unmonitored, and many organizations aren’t aware of what is entering or leaving their networks. Many common misconfigurations lead to full network compromise. All of that makes internal pen testing a critical part of your security strategy, even if your external pen testing seemed secure.

If your business has a file sharing system without a password, for example, you should re-evaluate who has access to various levels of content. Not every employee needs access to the same data, and unnecessary access could leave you vulnerable to an attack, whether by an employee with malicious intent or a loyal employee who unknowingly gives their login credentials to a hacker.

The expansion of work-from-home policies has created a new range of internal vulnerabilities to test. That may be private networks such as home WiFi, smartphones, cable and streaming services. Connecting your organization’s network to any of those channels could open it up to external threats.

A threat actor who manages to get in through one of these channels rarely attacks right away. They may move about and gather private data by observing from within. During this quiet period, they may collect data to use later or sell to others. Hackers could lurk in your system for weeks, months or longer if proper internal auditing, patching and testing are not performed on a regular basis. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. A breach of Starwood Hotels discovered in 2018 had gone undetected for four years.

During internal pen testing, the assessor tries to find out just how much damage a threat actor or employee could do from the inside the network. A poorly secured domain could lead to total control of a network, but most tests require multiple attack paths to complete the objective. Hackers often pull this off by exploiting relaxed policies that focus on convenience rather than necessary mitigations.

The tester will often use less important, easier-to-compromise systems as a channel for getting to more secure areas with higher levels of protection and more sensitive data and controls. Internal pen testing can also include privilege escalation, malware spreading, information leakage and other malicious activities.

Internal Pen Testing methods include:

  • WiFi Networks
  • Firewalls
  • IDS/IPS
  • Employees
  • Computer Systems
  • Mobile devices
  • HVAC
  • Cameras
  • Physical access

Plan Your Pen Testing Approach

Choosing the right security path for your business is not always simple, and there is no “standard” penetration test that works for every organization. No matter how large or small your organization, Pratum can customize a solution that provides value to your organization.

If you’re interested in learning more about the type of pen test that will work best for you, contact Pratum today.

Editor's Note: This post was originally published in May 2020 and has been updated for accuracy and comprehensiveness.
Insurance cost graph overlaid on person working on computer

When your cyber insurance coverage comes up for renewal this year, you can plan on a couple of new factors:

  • Your premium will be significantly higher.
  • Your insurance company will ask a lot more tough questions about your cybersecurity policies.

The new demands from insurance companies have gotten so rigorous that Pratum has had more than one client call to say, “They’re telling us that if we don’t implement some new cybersecurity policies ASAP, we’ll lose our cyber insurance coverage.”

Clearly, the cyber insurance market is navigating uncertain times. A 2021 AM Best report flatly stated that, “prospects for the U.S. cyber insurance market are grim.” In this blog, we’ll help you make sense of the factors driving changes in your policy and pricing right now. (If you’re just getting started with cyber insurance, read this blog to learn the basics of cyber policies.)

Somebody Has to Pay All Those Ransoms

If a run of forest fires torches your area, you expect your homeowners’ insurance to spike in the coming years. Cyber insurance is no different. It’s a fairly recent insurance product, with only a few years of claims to guide insurance companies as they underwrite policies, set premiums and establish their profit expectations. In such a young market, many insurance companies were fairly lax on their underwriting procedures, echoing the days of easy mortgages before the 2008 financial crisis. Throw in constantly changing threats and security plans, and you have all the dry ingredients required to blow a volatile industry sky high.

In the last year, ransomware has been the match tossed into the cyber insurance tinderbox. Ransomware attacks jumped 151% in the first half of 2021, and ransom payments have quintupled from an average of $43,600 in 2019 to more than $220,000 this year.

Hackers Learn to Leverage Cyber Insurance

Hackers have learned how to operate in a world where more victims have cyber insurance. When hackers breach a system, they often run a search for cyber insurance policies, just to find out what kind of budget they’re working with. If a victim balks at paying a ransom demand, the hackers are known to screen shot the victim’s own cyber insurance policy and send it over with a note saying, “Don’t lie about how much you can pay us. We’re looking at your policy’s provisions right now.”

What It Means for Insurance Companies

Charts of cyber insurance claims over the last year look like hockey sticks, which means some insurance companies are losing money on their cyber insurance lines as premiums fall behind what they’re paying out in claims. Articles from within the insurance industry are using phrases like “spiraling loss costs” and “existential threat.” A recent report from Howden states, “The cyber insurance market is undergoing one of its most transformative changes since the first cyber policy was underwritten some 20 years ago.”

Earlier in 2021, seven major cyber insurance companies banded together to form CyberAcuView, “a collective effort to enhance cyber-risk mitigation efforts.” In short, the companies will be sharing claim data to make their businesses more accurate and sustainable. Will this teaming up of major players do anything good for customers? Time will tell.

Some industry watchers argue that all this represents a healthy clean-up for the industry. They’re hoping that the trials of 2021’s ransomware surge will mold a new breed of insurance company that uses more accurate underwriting, provides healthy coaching to clients and uses a combination of carrots and sticks to get clients to use better risk mitigation strategies.

10 Most Common Information Security Risks

10 Most Common Information Security Risks

You can address insurance companies' typical concerns by solving these key issues we see on nearly every risk assessment.

Get it Now

What It Means for You

As insurance companies work to stave off this seeming existential threat, expect two developments:

  • Higher Rates – Cyber insurance rates are averaging a 32% increase this year, with some customers seeing quotes 50% higher than a year earlier.
  • Tougher Underwriting – We’re all used to getting better rates on health insurance or car insurance if we quit smoking or drive more safely. In today’s cyber insurance market, the issue isn’t just whether you’ll get a better rate. It’s whether any company will even be willing to insure you without the right cyber safeguards in place.

Many insurance companies are requiring steps such as implementing multifactor authentication before they’ll renew policies or grant new ones. And unlike in the old days of a year ago, the insurance company may not take your word for it when you say you’re doing all the right things. The insurance company may hire a third-party assessor to confirm you have the right tools in place, or it may ask to run a scan of your system for proof.

Start Your Cybersecurity Plan Now

While you may find all this heavy-handed, we have to point out that the insurance companies are really just requiring what a wise organization would be doing anyway. In a world overrun with cyber threats, you’re needlessly gambling your job and your company’s future if you ignore basic cyber hygiene steps such as implementing MFA, regularly patching software, etc. And if your insurance company isn’t the one pushing you to take these steps, your industry partners and clients probably will be soon.

If you need help getting started on a set of cybersecurity policies that boost your insurance prospects along with your overall peace of mind, contact Pratum today.

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.