It may not be apparent to all observers, but information security practices are undergoing a transformation. For at least a decade, environments have been becoming less perimeter-centric: Gone are the good old days when in-line controls protected the trusted, safe interior from the “wild west” of the outside.
As environments become more complex and externalized, the traditional “perimeter” loses meaning. Moreover, as attackers themselves become more sophisticated, security teams increasingly need to expect that the internal environment is compromised already.
As a consequence, the emphasis is on detection (locating attackers already in the environment) and response (minimizing the amount of time they can dwell unchecked), rather than on putting all the eggs in the prevention basket and hoping attackers can’t get in.
As a company gains maturity, the opportunity arises to enlist suppliers as an information source, as well as to leverage investments in intelligence-gathering to assist them. There are two primary challenges with the data collection aspects of intelligence-driven security approaches: first, finding or collecting relevant information; and second, contextualizing that information for specific environments. Surprisingly, folks in a company’s supply chain can help with both.
Suppliers can serve as an early warning mechanism to collect information about the threat environment. Larger organizations in the supply chain, for example, might have access to information that the company does not have. They may subscribe to different information sources, gather data points from other customers in the same industry, or otherwise gain access to valuable insights that can be of direct assistance.
This can help with contextualization. If a number of similar organizations — for example, in the same industry or of similar size — see a similar thing or are being attacked in a similar way, it is directly relevant. Having an open line of communication to learn about patterns from those in a position to observe them can be extremely valuable. In many cases, all it takes is a conversation to make it happen.
Smaller vendors and partners, or those that are less technically sophisticated, might have less to offer in terms of specific information for a company to consume, but they absolutely will benefit from information the company might be able to share with them.
Of course, a company can’t compel its suppliers to make use of the information it provides, but it absolutely can give them the ammunition to do so. It also can look for evidence of responsiveness in the vetting or periodic reassessment it does, and use that information to decide how much to rely on them in the future.
The point is, an intelligence-driven approach not only makes sense for a company’s internal environments, but also can provide value when systematically applied to the supply chain.
It won’t pay off in every case, but a company that extends its efforts to cover the supply chain, in addition to other methods it employs, may realize substantial benefits. Establishing a communication channel to allow information sharing can be time well spent and result in tangible security value.
Extending Situational Awareness
This is why intelligence-driven security approaches that are aware of attacker motivations, tradecraft and methods have been gaining traction. Take, for example, the strategy Lockheed Martin’s “kill chain” paper outlines for understanding attacker activity as part of a systematic campaign, thereby rendering it more difficult to mount.
The company’s own “chain” of events, when disrupted, renders such campaigns ineffective. That is a useful strategy, and one that lends itself well to a highly mutable, complex, and interdependent environment such as those most organizations have in place today.
Alignment of such an approach to internal defenses and control placement is useful, because it allows “orbital” deployment of defenses. That is, instead of a “chain” of layered defenses, it presupposes a 360-degree attack surface where attackers potentially can circumvent many of the controls in place, and each individual countermeasure can fill a dual detective and protective role.
While readily applicable to internal controls, this type of approach is adapted less easily to other types of security — notably, the supply chain. The supply chain can be an area of risk or potential attack for any organization — and, just as a company’s internal environments are becoming more complex, so too are those of its partners, vendors and suppliers.
However, intelligence-driven methods can offer the same advantages to a company’s external support network as they provide in its own environment.
It’s important for a company to understand the threat environment for elements in the supply chain in the same way that it understands its own internal environments. Just as it evaluates its posture from a threat perspective, so also should it extend that analysis to others that could potentially impact it.
In practice, this means making the following determinations: 1) the impact that a compromise of a supplier or partner would have; 2) the motivations and techniques of those that are likely to attack them; and 3) their relative resilience to those attacks.
This assessment must begin with understanding who is in the supply chain and what they do. For an organization of any size, this can take quite a bit of legwork. Therefore, it is advantageous to approach it in a systematic and workmanlike way — for example, by keeping an inventory of who they are, correlated with data you’ve already collected (assessments, business due-diligence, technical tests, and so forth).
This information can extend the “situational awareness” capabilities that a company uses — or are building — for the internal environment to cover critical areas of the supply chain or other areas where a compromise could have cascading impact.
For example, if a company subscribes to an intelligence feed that provides information about indicators of compromise or threat actor information, it can extend its detection capability to the supply chain by linking that information with what it knows of its suppliers and partners.
Depending on the relationship, this process could yield a “heads up” notification, or it could result in an extension of internal countermeasures to cover the points of interaction with that external party.