Voice over IP (VoIP) company 3CX recently announced that its Electron-based desktop app was compromised in a supply chain attack. Attackers, believed to be the North Korean state-affiliated group tracked as Labyrinth Chollima, distributed trojanized builds of the 3CX desktop app that deployed further malware (including a loader tracked as TAXHAUL) on the systems of customers running the compromised application.
With more than 242,000 publicly exposed 3CX phone management systems and 600,000 companies as 3CX customers, this software supply chain attack can create widespread security problems wherever endpoint protection tools fail to flag and remove the trojanized 3CX executable before its built-in sleep delay expires and the malicious payload activates.
This post examines five best practices for mitigating the risks of similar software supply chain attacks.
The announcement of a high-impact software supply chain security incident is the wrong time to ensure your organization has a third-party incident response plan in place. Instead, prepare for the next incident by developing a proactive approach now. Here are five best practices to consider:
A centralized inventory of all third-party vendors and suppliers adds governance and process to vendor management, and it reduces the likelihood of rogue vendor relationships introducing risk to your IT operations. Inventorying your vendors should be done in a centralized platform – not spreadsheets – so that multiple internal teams can participate in vendor management and the process can be automated for everyone’s benefit.
You can build a central vendor inventory by importing vendors to your third-party risk management platform via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized and customizable intake form and associated workflow. This capability should be available to everyone via email invitation, without requiring any training or solution expertise.
Once vendors are centralized, conduct inherent risk scoring to decide how deeply and how often each third-party vendor needs to be assessed, according to the risk it poses to your business.
Collecting the 4th-party technologies deployed across your vendor ecosystem during the inventorying process identifies which third parties depend on a given technology, which lets you visualize attack paths into your enterprise and take proactive mitigation steps. You can gather this information through a targeted assessment or via passive scanning.
In the case of the 3CX software supply chain attack, a map of which vendors run 3CX's Electron-based desktop app would let you zero in on which vendors to assess for potential malware exposure. Focus on top-tier or business-critical vendors first, since a disruption in their operations impacts your organization more acutely.
Proactively engage impacted vendors with simple, targeted assessments aligned with known industry standards for supply chain security, such as NIST SP 800-161 and ISO/IEC 27036. Results from these assessments help you target the remediations needed to close potential security gaps.
Good solutions will provide workflow automation, review and analysis, supporting evidence management, and built-in recommendations to speed remediation and quickly close those gaps.
As part of the assessment process, require software vendors to produce a software bill of materials (SBOM). An SBOM details the components that make up a piece of software, with their versions and suppliers, which is what lets you check a vendor's product against an advisory quickly. It does not describe how the software was built or tested, so ask separately for the quality assurance (QA) and security assessment processes used during development.
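As an added example of putting collected SBOMs and 4th-party technology data to work (this is illustration code written for this post, not Prevalent's or 3CX's own tooling), the script below reads one constructed CycloneDX SBOM per vendor, matches components against an assumed affected-version list for the 3CX desktop app, and orders the hits by the business tier assigned during inherent risk scoring. The vendor names, tiers, SBOM contents and the affected-version list are all illustrative assumptions; replace the version list with the versions named in the vendor's advisory. A component whose SBOM entry has no version is flagged as unknown rather than ignored, because "we don't know which build" is not a clean bill of health.

```python
"""Find which third-party vendors ship an affected component, using the SBOMs
they supplied. Added example for this post; not Prevalent's or 3CX's code.
All SBOMs, vendor names, tiers and affected versions below are constructed."""
import json
import re
from typing import Iterable

# Assumed affected-version list (illustrative). Replace with the versions
# named in the vendor's advisory. Keys are normalized product names.
AFFECTED = {
    "3cxdesktopapp": {"18.12.407", "18.12.416"},
}

# Constructed sample input: one CycloneDX 1.4 SBOM per vendor, paired with
# the business tier assigned during inherent risk scoring (1 = most critical).
VENDOR_SBOMS = {
    "Acme Contact Center": (1, json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "application", "name": "3CXDesktopApp", "version": "18.12.416",
             "purl": "pkg:generic/3cx/3cxdesktopapp@18.12.416"},
            {"type": "library", "name": "electron", "version": "19.1.9"},
        ]})),
    "Beta Payroll": (2, json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "application", "name": "3CX Desktop App", "version": "18.12.422"},
        ]})),
    "Gamma Logistics": (3, json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "application", "name": "3CXDesktopApp"},  # version not recorded
        ]})),
    "Delta Staffing": (2, json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [{"type": "library", "name": "openssl", "version": "3.0.8"}],
    })),
}


def normalize(name: str) -> str:
    """Collapse case, spaces and punctuation so '3CX Desktop App' matches '3CXDesktopApp'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def component_keys(component: dict) -> Iterable[str]:
    """Yield the names a component may be matched under: its declared name and,
    if present, the name segment of its package URL (pkg:type/namespace/name@version)."""
    yield normalize(component.get("name", ""))
    purl = component.get("purl")
    if purl:
        path = purl.split("@", 1)[0]            # strip the version suffix
        yield normalize(path.rsplit("/", 1)[-1])


def affected_components(sbom_json: str) -> list:
    """Return the components in one SBOM that match an affected product, each
    tagged 'affected' (version on the list) or 'unknown-version' (no version given)."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    hits = []
    for comp in bom.get("components", []):
        product = next((k for k in component_keys(comp) if k in AFFECTED), None)
        if product is None:
            continue                             # not a product we are tracking
        version = comp.get("version")
        if version is None:
            status = "unknown-version"
        elif version.lstrip("v") in AFFECTED[product]:
            status = "affected"
        else:
            continue                             # tracked product, but a version not on the list
        hits.append({"product": product, "version": version, "status": status})
    return hits


def vendors_to_assess(vendor_sboms: dict) -> list:
    """Build the prioritized assessment list: vendors with affected or unknown
    builds, most critical tier first, then alphabetically."""
    rows = []
    for vendor, (tier, sbom_json) in vendor_sboms.items():
        hits = affected_components(sbom_json)
        if hits:
            rows.append({"vendor": vendor, "tier": tier, "findings": hits})
    return sorted(rows, key=lambda r: (r["tier"], r["vendor"]))


if __name__ == "__main__":
    for row in vendors_to_assess(VENDOR_SBOMS):
        print(f"tier {row['tier']}: {row['vendor']} -> {row['findings']}")
```

Run as written, the constructed data yields two vendors to engage: Acme Contact Center (tier 1, an affected build) and Gamma Logistics (tier 3, version unknown). Beta Payroll runs the same product at a version not on the list and Delta Staffing does not ship it at all, so neither is queued. In practice the SBOM files would come from your vendor intake workflow rather than from inline strings.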
Being continuously vigilant for the next attack means looking for signals of an impending security incident. Monitoring criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential.
You can monitor these sources individually, or you can look for solutions that unify all the insights in a single place, so that all risks are centralized and visible to the enterprise. Correlate monitoring data with assessment results and centralize both in a unified risk register for each vendor, streamlining risk review, reporting and response.
Automating incident response is key to reducing mean time to detect (MTTD) and mean time to respond (MTTR) to third-party incidents, which can reduce the impact of the incident on your operations.
As you continually improve your incident response plans, centralize third-party incident response into a single enterprise incident management process, so that your IT, security, legal, privacy and compliance teams can work together effectively to mitigate risks.
Taking a manual, reactive approach to third-party software vulnerability detection and incident response will only increase your likelihood of a business disruption. Instead, implement the five best practices in this post to be better prepared for your next supply chain security challenge.
For more on how Prevalent can help reduce supply chain risk at every stage of the vendor lifecycle, read our white paper The Third-Party Incident Response Checklist, or request a demo for a strategy session today.