
What can IT providers learn from the Tortoiseshell Group attack

Following recent news around the Tortoiseshell Group attack targeting IT providers in Saudi Arabia, Alex Bransome discusses what IT providers can learn from the attack and advises on ways to reduce the risk of supply chain attacks

Compromise via a supply chain attack is one of the biggest threats that organisations face today.

A supply chain attack occurs when unauthorised access to an organisation’s systems and data is gained via a third party that already holds legitimate access to those systems for a business purpose. A common case is a third party that has been given remote access to deliver a support agreement, such as the IT support providers that have recently been targeted in exactly this way.

The recent discovery of the Tortoiseshell Group highlights the need for more awareness around this type of supply chain attack.

At the time of writing, the Tortoiseshell Group has not been linked to any known advanced persistent threat (APT) group or nation state, but it is conceivable that this is an advanced cyber crime group.

The group has been found to be targeting IT service providers in Saudi Arabia exclusively, with the likely intention of carrying out supply chain attacks against those providers’ customers.

This type of attack, however, is not limited to IT service providers. In our increasingly connected world, business-to-business access arrangements are commonplace between many organisations, especially given the growing number of complex point solutions that support day-to-day operations.

These include technical systems such as CCTV, alarms, door access control and telephony systems, as well as outsourced business services, functions and contracted relationships, such as human resources (HR), payroll and manufacturing. 

Attackers will always take the path of least resistance. If that involves compromising an easier third party to get to their target, that will be by far their preferred route.

Cyber crime groups are driven by monetising their successful attacks. A vendor with established access and an extended level of trust across multiple customer organisations is a very attractive target for them.

Furthermore, combining a supply chain attack such as this with “big game hunting” ransomware tactics is a potential gold mine for the attackers and a truly terrifying prospect for victims.

Reducing the risk of supply chain attacks

Acknowledging that supply chain and third-party arrangements will differ hugely between organisations and types of services being delivered, there is no one-size-fits-all solution to solve this problem.

The right approach to reducing risk in this area comes through an in-depth, layered security strategy. Ensuring that security is considered at the beginning of any new project or business arrangement is essential to ensure security influences and steers decision-making from the outset. 

Consider some of the following controls:

Vendor and third-party due diligence: Before embarking on any agreements with third parties or vendors, proper security due diligence should be undertaken to ensure any potential supplier has their house in order when it comes to security. Findings at this stage will help to define the level of risk the organisation is potentially opening itself up to. 

Certifications such as ISO 27001 and Cyber Essentials provide some assurance that a third party has been assessed against a recognised security standard (Cyber Essentials Plus adds an independent technical audit to the self-assessed basic level). ISO 9001 is a quality management standard rather than a security standard; it shows that documented, audited processes exist, but says little about the security controls themselves.

However, it’s important to bear in mind that being compliant doesn’t always mean being secure. The reverse of this is also true – just because an organisation does not have a recognised security certification, it does not automatically mean they are operating in an insecure manner.

Security-focused request for information (RFI) questionnaires can be used to ask a series of questions about a third party’s security posture and strategy.

Scope properly and question everything: Any arrangement with third parties should begin by scoping exactly what level of access is required. The simplest, quickest or most convenient way of doing things is not always the most secure way of achieving the desired outcome.

During the scoping discussions, question what level of access is needed and to which systems. When is that access needed and for how long? And, critically, why is that access needed in the first place?

Building a threat model can further help to surface the threats this access could introduce, and enrich the wider risk management and scoping processes.

Access control fundamentals: Working on the principles of “least privilege” and “need to know” is best practice, restricting access as far as possible.

The scoping exercise should already have justified the level of access needed; that access can now be tailored and technically restricted wherever possible.

This includes ensuring that any accounts provided are subject to a strong password policy, and that email access, internet access and access to corporate file shares or data repositories are removed where they are not required.

Enforce strong access controls: For situations involving remote access, multi-factor authentication (MFA) is fundamental. Prefer a hardware token (ideally a FIDO2 key, which resists phishing and real-time code relay) or, failing that, a time-based one-time password (TOTP) mobile app. Both are considerably stronger than SMS or email codes, although TOTP codes can still be phished and replayed within their validity window.

Restricting remote access to the third party’s corporate IP address range is also advisable, certainly where it is reasonable to expect that the third party will only connect from its office locations. Together, MFA and IP restrictions significantly reduce the impact should the credentials issued to the third party be compromised.

Network segmentation and monitoring: If network access is part of an arrangement, then networks should ideally be segmented into multiple trust zones, with third-party zones being treated as untrusted.

This network segmentation can then be leveraged to heavily restrict the network traffic, ports and protocols that can traverse from the untrusted third-party zone into critical networks and trusted zones.

These traffic paths should then be monitored for suspicious activity, with any findings raised as alerts in security monitoring systems for review.
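As an added worked example (not part of the original article, and not the author’s own tooling), the following Python script shows the two controls described above working together as detection logic: it checks vendor VPN logins against the declared source IP range and MFA method, and checks firewall flows leaving the untrusted third-party zone against the small set of zone/protocol/port combinations that the scoping exercise justified. All network ranges, the key=value log format and the sample log lines are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Scoping decisions agreed with the vendor. All values are assumptions for this
# example (RFC 5737 documentation ranges for the vendor, RFC 1918 internally).
VENDOR_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # vendor office egress
STRONG_MFA = {"totp", "hardware_token"}                            # app or hardware token only
THIRD_PARTY_ZONE = ipaddress.ip_network("10.90.0.0/24")             # untrusted zone the vendor lands in
TRUSTED_ZONES = {
    "servers": ipaddress.ip_network("10.10.0.0/16"),
    "corp":    ipaddress.ip_network("10.20.0.0/16"),
}
# The only flows the scoping exercise justified: (trusted zone, protocol, port)
ALLOWED_FLOWS = {("servers", "tcp", 3389), ("servers", "tcp", 443)}


@dataclass(frozen=True)
class Alert:
    rule: str
    line: str


def parse_kv(line: str) -> dict:
    """Parse one 'key=value key=value' log line (constructed format)."""
    return dict(token.split("=", 1) for token in line.split() if "=" in token)


def zone_of(addr: ipaddress.IPv4Address):
    """Return the name of the trusted zone containing addr, or None."""
    for name, net in TRUSTED_ZONES.items():
        if addr in net:
            return name
    return None


def check_vpn_login(ev: dict, line: str) -> list:
    """Successful vendor login: enforce source range and strong MFA."""
    alerts = []
    src = ipaddress.ip_address(ev["src"])
    if not any(src in net for net in VENDOR_SOURCE_RANGES):
        alerts.append(Alert("vpn_login_outside_vendor_range", line))
    if ev.get("mfa") not in STRONG_MFA:
        alerts.append(Alert("vpn_login_without_strong_mfa", line))
    return alerts


def check_flow(ev: dict, line: str) -> list:
    """Permitted firewall flow: only police traffic leaving the third-party zone."""
    src = ipaddress.ip_address(ev["src"])
    if src not in THIRD_PARTY_ZONE:
        return []
    zone = zone_of(ipaddress.ip_address(ev["dst"]))
    if zone is None:
        return []                       # destination is not a trusted zone
    flow = (zone, ev["proto"].lower(), int(ev["dport"]))
    if flow in ALLOWED_FLOWS:
        return []
    return [Alert("third_party_zone_to_trusted_disallowed", line)]


def evaluate(lines) -> list:
    """Run every log line through the rule matching its event type."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("event") == "vpn_login" and ev.get("result") == "success":
            alerts.extend(check_vpn_login(ev, line))
        elif ev.get("event") == "fw_allow":
            alerts.extend(check_flow(ev, line))
    return alerts


# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = [
    "event=vpn_login user=vendor-svc src=203.0.113.45 mfa=totp result=success",
    "event=vpn_login user=vendor-svc src=198.51.100.7 mfa=none result=success",
    "event=fw_allow src=10.90.0.15 dst=10.10.5.20 proto=tcp dport=3389",
    "event=fw_allow src=10.90.0.15 dst=10.10.5.21 proto=tcp dport=445",
    "event=fw_allow src=10.90.0.15 dst=10.20.1.5 proto=tcp dport=443",
    "event=fw_allow src=10.10.5.20 dst=10.20.1.5 proto=tcp dport=445",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(f"ALERT {a.rule}: {a.line}")
```

Run against the sample lines, the script raises four alerts: the second login (outside the vendor range and without strong MFA), SMB from the third-party zone to the servers zone, and HTTPS from the third-party zone to the corporate zone. The first login and the agreed RDP flow pass, and the internal server-to-corp flow is ignored because it never touches the third-party zone, which keeps the rule focused on the trust boundary the segmentation was built to enforce.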

Periodically review and revisit: Once an assessment has been made, the controls have been decided on and implemented to bring the risk down to an acceptable level, it must not be considered job done. Ensure that third-party risk is periodically reviewed, at least annually and more frequently if possible.

Re-assessing vendor and third-party security due diligence demonstrates an organisation’s commitment to ensuring that third parties continue to maintain acceptable levels of security, and gives the organisation reassurance against supply chain attacks.

Leverage the power of the cloud: Finally, many of these recommendations bring their own challenges, when we are all already busy enough.

I am a strong believer in security being a facilitator of the business and not something that holds us back. This is where the power and flexibility of the Microsoft Cloud can ensure third-party access is secured appropriately while still ensuring day-to-day operations run efficiently.
