The Domino Effect

Victor De Luca
5 min read · Sep 2, 2022

They say you’re only as strong as your weakest link. The mesh network between organizations is the new standard. Do you trust your third parties?

What is a Software Supply Chain Attack?

Per the Cybersecurity & Infrastructure Security Agency, a software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. There are multiple instances of this attack happening throughout the software development lifecycle, from design to disposal. Most people in the cybersecurity community have heard about the SolarWinds and the Kaspersky incidents.

ICT Supply Chain Lifecycle and Examples of Threats

There are multiple variations of this attack, but the main concept is that an attacker will compromise a third party who has direct access to a company’s resources and use that access maliciously. Nowadays, large organizations usually have hundreds (if not thousands) of third parties that have access to their internal resources. These third parties can be consultants, support engineers, vendors, subsidiaries, or even business partners. Third parties tend to execute specific tasks in their day-to-day work that require privileged access or some form of remote access to the network, via a VPN for example. The consequences of a supply chain attack can be especially nasty because the attacker has gained a foothold in the environment and may have multiple ways of maintaining persistent access. Furthermore, collecting and exfiltrating sensitive information is an easy task once inside the environment. Detecting and ousting the attackers may take months, and customer trust may erode following the disclosure of the cyberattack and/or data leakage.

The SolarWinds case

SolarWinds was one of the most publicized cases of a supply chain attack in late 2020. Briefly, attackers were able to infiltrate SolarWinds and distribute to its clients a malicious Trojan hidden in what looked like a normal patch. Multiple reports have been shared in the news, but this CSO Online article summarizes well the scale and repercussions of what is known as one of the largest software supply chain attacks. It is said that 425 of the US Fortune 500 and all branches of the US Military were impacted. More than 18,000 impacted clients later, it is still largely unknown to cyber researchers how much data was stolen by the attackers.

What is “The Domino Effect”?

The domino effect is a term I have coined for the pattern in which a hacked third party is used to gain a foothold into an organization, and that cycle is reproduced again and again. As of 2022, large organizations seem to form a mesh network among themselves.

Take this example: a bank uses an accounting firm as a third party to perform financial audits; that accounting firm uses an external firm to manage its IT ticketing system; and finally, that ticketing vendor uses an HR vendor in a different country to process payroll.

Therefore, if that payroll vendor gets hacked, a domino-chain reaction may cause extremely high damage to a lot of clients. The worst part is that the bank may never know the attacker passed through 3 previous companies before reaching them. It is extremely difficult to conduct forensic investigations across 4 different companies, and management may be tempted to brush it off. For as long as companies are connected network-to-network via VPN or by other means, these attacks will continue to be successful.

Domino reaction from payroll vendor to bank via network connection.

What is ZTNA and how can it help prevent the “The Domino Effect”?

As defined by Zscaler, Zero Trust Network Architecture (“ZTNA”) is a security framework that operates on an adaptive trust model, where trust is never implicit, and access to applications and data is granted on a “need-to-know,” least-privileged basis defined by granular policies. In practice, this usually translates to strong identity enforcement, deep packet inspection and the idea that a specific device, location, or network isn’t proof of trust. Additionally, connected networks should be kept to a minimum to prevent lateral movement in case of a compromised host.

To provide a clear example, the old enterprise architecture required users to gain access to the corporate network in order to consume applications, effectively opening multiple doors to the data center and then dropping these users on the same network, which allows attackers to move laterally.

When application access requires network access, the network needs to be extended to where users, devices, and workloads are located.

Modern ZTNA architecture does not provide network-wide access to users. Access is granted only to applications and only after following rigorous policy controls, identity validation, risk assessment and traffic inspection.

Realistically, there will always be someone or something that will be able to compromise an endpoint and gain a foothold in an organization. Zero risk does not exist. However, it is of the utmost importance to contain that compromised host and deny any lateral movement attempt, stopping the domino effect.

In a ZTNA architecture, trust is never implicit and attackers can be stopped.
In a ZTNA architecture, trust is never implicit but access to applications can be granted after verification.
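To make the contrast concrete, the following is an added example (not the article's own code) that models the vendor chain described above: under network-to-network trust, a compromised payroll vendor can pivot through every connected network up to the bank, whereas under a ZTNA-style policy, access is decided per identity and per application after verification, and the requester's network is not an input at all. The organization names, grants, checks and the risk threshold are constructed for illustration.

```python
# Added example: network-wide trust (domino effect) versus per-application,
# verified access. All names, grants and thresholds below are constructed.

from collections import deque

# Network-to-network links (VPNs, site-to-site tunnels) from the article's chain:
# bank <-> accounting firm <-> ticketing vendor <-> payroll vendor.
NETWORK_LINKS = {
    "bank": {"accounting_firm"},
    "accounting_firm": {"bank", "ticketing_vendor"},
    "ticketing_vendor": {"accounting_firm", "payroll_vendor"},
    "payroll_vendor": {"ticketing_vendor"},
}

def reachable_networks(start, links=NETWORK_LINKS):
    """Networks an attacker can pivot into from 'start' when each link grants
    network-wide access: a breadth-first walk over the mesh."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for neighbour in links.get(current, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen

# ZTNA-style policy: explicit (identity, application) grants and no network
# reach. Constructed grants for the same scenario.
APP_GRANTS = {
    ("auditor@accounting-firm.example", "bank-audit-portal"),
    ("helpdesk@ticketing-vendor.example", "accounting-firm-ticketing"),
    ("payroll@payroll-vendor.example", "ticketing-vendor-hr"),
}

def ztna_decision(identity, app, verified_identity, device_compliant,
                  risk_score, max_risk=50):
    """Allow only if every verification check passes and the identity holds an
    explicit grant for this application. Source network is deliberately not
    a parameter: being 'on the network' proves nothing."""
    if not verified_identity:
        return "deny: identity not verified"
    if not device_compliant:
        return "deny: device posture failed"
    if risk_score > max_risk:
        return f"deny: risk score {risk_score} above {max_risk}"
    if (identity, app) not in APP_GRANTS:
        return "deny: no grant for this application"
    return "allow"
```

Run `reachable_networks("payroll_vendor")` to see the full chain fall, then compare with `ztna_decision` for the same payroll identity against the bank's portal.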

In conclusion

Blindly trusting third parties can have severe repercussions. Introducing these third parties onto your network can cause severe damage, and current architecture models may allow them to move laterally to a different host. Organizations have created mesh networks between themselves, and this increases the risk of successful supply chain attacks. The best method to prevent the introduction of an attacker inside the network of an organization is to implement a Zero Trust Network Architecture.

Thanks to Brad Lisoweski for the peer review of this article.


Victor De Luca

Victor holds a B.Sc., an M.Eng. and an MBA. He has a strong interest in new technologies, cybersecurity and data protection.