How the cloud amplified supply chain risk and what you can do about it


As recent security incidents involving cloud-based systems have shown (for instance, the numerous cyber incidents in the healthcare sector), reliance on cloud services can amplify the cybersecurity risks associated with third parties and the supply chain. For example, some organizations allowed external contractors access to their Snowflake accounts for customization work. Some of those contractors had a very lax security posture (using the same laptop for downloading pirated software and gaming), yet they were given unlimited access (via user credentials) to live user accounts without any additional security controls (such as MFA). This allowed threat actors who breached the contractors’ laptops to access multiple user accounts without needing to crack passwords or resort to social engineering. They were literally given the (access) keys to the kingdom.

The cloud is, essentially, a supply chain in itself

There are several reasons why the cloud has made supply chain risk so much greater than before and, in the process, has made cyber attacks easier for less skilled hackers. The first is that cloud technology itself relies on a technology stack comprising several products and technologies made by companies (and sometimes non-profit organizations) external to the organization. This introduces multiple new entry points that attackers can exploit, and it exponentially increases the attack surface. Because the organization no longer controls its own infrastructure but uses a vendor’s, a shared responsibility model between the cloud provider and the organization that consumes cloud services is required, and that model is inherently more complex to manage.

Moreover, while poor IT hygiene can be compensated for to some extent in on-prem environments with limited connection to the outside world (plus additional security layers such as firewalls and compartmentalization), in the cloud these bad habits create a much greater security risk. For example, in the same Snowflake campaign, several attacks abused credentials to access demo accounts of employees who had left the organization years earlier, but whose accounts were still active and “protected” only by a username and password. In other attacks, companies shared data with third-party vendors who then failed to delete it when it was no longer needed and kept it in their own cloud environment, from where it was stolen, impacting the company that had hired their services (which, in most cases, did not even realize its data was at risk).
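As an added example, not part of the original post: two audit queries against Snowflake’s documented ACCOUNT_USAGE views that surface the two weaknesses just described, still-enabled accounts that can sign in with only a password (including long-idle ones) and recent password-only logins without a second factor. View and column names are taken from Snowflake’s documentation; the 90-day and 30-day windows are assumptions to be tuned to your own policy.

```sql
-- Added example (not from the original post). Both queries read the
-- SNOWFLAKE.ACCOUNT_USAGE views, which lag live state by up to ~2 hours.
-- DISABLED and EXT_AUTHN_DUO are VARIANT columns in the USERS view, so they
-- are cast to STRING before conversion to BOOLEAN.

-- 1. Enabled, non-deleted users that can authenticate with a password alone
--    (no Duo MFA enrolled, no key-pair login) and have not logged in for
--    90 days (assumed threshold) or have never logged in at all. These are
--    the "departed employee, still-active demo account" cases.
SELECT name,
       login_name,
       last_success_login,
       DATEDIFF('day', last_success_login, CURRENT_TIMESTAMP()) AS days_idle
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  NOT TO_BOOLEAN(disabled::STRING)
  AND  has_password = TRUE
  AND  NOT TO_BOOLEAN(ext_authn_duo::STRING)
  AND  has_rsa_public_key = FALSE
  AND  (last_success_login IS NULL
        OR last_success_login < DATEADD('day', -90, CURRENT_TIMESTAMP()))
ORDER  BY days_idle DESC NULLS FIRST;

-- 2. Successful logins in the last 30 days (assumed window) that used a
--    password as the only factor, grouped by user, source IP and client,
--    so a contractor's credential showing up from a new address or a new
--    client type stands out for review.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY last_seen DESC;
```

Accounts returned by the first query are candidates to disable or to move to key-pair or SSO authentication; rows from the second query are the sessions worth correlating with your detection tooling.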

Identity is the modern firewall

Security vendors have tried to adopt traditional security thinking and implement it in cloud environments. However, because cloud usage patterns are different, implementing “firewalls” or “segmentation” isn’t practical. The reason is that organizations must provide access to employees (logging in from anywhere), partners and users. These users can then “hop” between different systems and roles according to their permissions. Attackers can exploit this “chain of roles” to traverse between systems. What’s even worse, using such an attack technique would not raise any alert. Attackers can abuse one set of credentials to enter one system, then identify which other permissions this user has, hop to the next system and so on, until they reach their final goal: the crown jewels.

Identifying supply chain risks and preparing for the breach before it materializes

Because of the complexity and risk involved in the cloud-based supply chain, it is prudent to prepare for a breach in advance.

Companies and organizations must acknowledge the risk and factor it in every time they contract a new vendor. And yet, it is impossible to vet and monitor all of these external vendors, so organizations must deploy their own threat detection means and run ongoing simulations to identify and block potential attacks, some of which might originate from the supply chain.

Summary

Third parties have always presented risks to organizations, but the cloud has exacerbated this risk to phenomenal levels. One contractor with access to several user accounts can seriously compromise the entire organization. Using the Skyhawk Purple Team CTEM solution for enhanced preparedness, alongside Skyhawk Cloud Threat Detection and Response (CDR), can ensure that supply chain risks, and their potential impact, are reduced by employing:

  • Verified Alerts and Automated Responses: Skyhawk Security enhances the effectiveness of its Autonomous Purple Team by ensuring that all alerts are pre-verified. This means that security teams receive only actionable intelligence, significantly reducing the risk of responding to false positives, which are often triggered by the work of non-malicious third parties.
    The platform’s automated responses are also verified, allowing for immediate and precise remediation of threats. This integration of verified alerts and automated responses helps prevent security incidents from escalating into breaches, providing peace of mind that your cloud environment is secure. This is a key component of CTEM, and Skyhawk Security delivers it.
  • Tailored AI-driven incident detection: Skyhawk Security’s multi-layered cloud incident detection AI approach is designed to work hand-in-hand with the Autonomous Purple Team. Custom-built machine learning models, updated daily, ensure that malicious activities are detected within minutes, preventing an incident from becoming a full-scale breach (which, in itself, can impact other parts of the supply chain).


To learn more about Skyhawk’s cloud security solution, book a Purple Team Assessment today! We can get started in just one hour.
