Morey Haber On Supply Chain Security: How Businesses Can Protect Themselves When Their Vendors Are Compromised 

In a supply chain attack, the adversary targets an organization’s suppliers and vendors, in the hope of gaining access to that organization’s data while disguised as the vendor. Sometimes, rather than focusing on a specific organization and targeting their suppliers, the attacker will target a specific vendor and use them as a platform from which they can target all of that vendor’s customers. This is known as an “island hopping” attack, as the attacker “hops” from the vendor to their customers, damaging systems and stealing data as they go. 

“Threat actors are realizing that, while going after one company and holding it for ransom […] can do a lot of damage, if they attack vendors that have household names that can be used as leverage against large quantities of other organizations, then the rewards for them can be quite profound,” says Morey Haber, Chief Security Officer at BeyondTrust. 

BeyondTrust is a leading identity and access security provider that specializes in privileged access management technologies. In his current role, Morey is responsible for security operations and governance at BeyondTrust within both their cloud-based and on-premises privileged access management solutions. With over 25 years of experience in IT and information security, Morey is a renowned speaker, author, and thought-leader in the identity security space. 

In an exclusive interview with Expert Insights, Morey discusses how BeyondTrust recently discovered a breach in Okta’s support unit and what the Okta breach tells us about how cyberattacks are shifting to target the supply chain. He also gives us his top tips on how organizations can secure themselves against supply chain attacks, and how vendors can protect their customers in the event they experience a breach. 

You can listen to our full conversation with Morey on the Expert Insights Podcast:

Cyberattacks Are Shifting To Target The Supply Chain

Last month, BeyondTrust discovered an identity attack on Okta, another leader in the identity and access security space. The attack involved the compromise of Okta’s support system, which enabled the attacker to access sensitive data uploaded by Okta’s customers. And unfortunately, we’re seeing an increasing number of supply chain and island hopping attacks such as this.

“[The Okta breach] really amplifies the need to monitor an organization’s supply chain for threats and think beyond just the assets you own, in terms of modern security incidents and breaches,” says Morey. “Now, while this is kind of unique in many ways—you can read the detailed findings from Okta, and even our own blog—it is re-reaffirming to everyone that security monitoring cannot just be limited to the assets that you own.”

The reason we’re seeing an increase in these attacks is simply that cybercriminals are realizing how lucrative they can be, Morey explains. 

“Every organization has vulnerabilities, has an attack surface, and has risk. However, threat actors are realizing that, while going after one company and holding it for ransom is good for them, bad for us, and can do a lot of damage—and we’ve seen that in the gaming industry—if they attack vendors that have household names that can be used as leverage against large quantities of other organizations, then the rewards for them can be quite profound.” 

While these attacks continue to become more prevalent, it’s important for organizations to remember that it isn’t just security companies being targeted; these attacks work by targeting any type of organization that provides a service to other organizations. Because of this, says Morey, we have to be vigilant from a cybersecurity perspective in securing not only our own organizations, but our interactions with others. 

“Supply chain attacks need more than just security assessment questionnaires. That’s no protection method—it’s just asking the vendor if they’re doing the right thing. I think we’re going to see more maturity in terms of getting logs. Some organizations will allow you to collect their logs; others charge you. 

“But we’ll also see monitoring tools. We already see that from the outside in terms of perimeter-based reporting; things that give you an ‘A, B, C, D’ score. But we need more tools to understand the risks of our supply chain vendors. And whether that comes from vulnerability configuration, verification of security assessment questionnaires, that maturity is still early. And I think that’ll be the biggest difference in the next coming years.”

How To Detect And Block Supply Chain Attacks: A Two-Pronged Approach 

In order to successfully stop supply chain attacks, organizations need to take a two-pronged approach to their security. The first of these is implementing the right technologies to help identify specific indicators that could alert organizations to a potential breach in one of their suppliers, says Morey. 

“Many [indicators of compromise] are very obtuse, but many of them are very simple,” he says. “For example, if you are collecting logs—and everybody should be to protect your organization—you are looking for foreign geolocation IP addresses, you are looking for things like privileged commands being executed without multi-factor authentication, you are looking for anomalous behavior.” 

“There are brand new identity products out there designed to do this from the get-go, to look for this type of unknown, anomalous behavior […] Successful API requests without authentication, things being used without MFA, flaws in the ‘joiner, mover, leaver’ process in terms of accounts being created or modified that didn’t go through change control—those are all IOCs. And those are the things that we have to focus on for modern identity security.”

The second prong necessary to prevent supply chain attacks is a security mindset, which must be embraced across the entire organization. 

“As a security vendor, we are creating security tools to help protect organizations, but we also fight the second half of the war with people trying to compromise us—just like the Okta support breach. What this means is that developers, sales, marketing—everyone—has a security mindset; we are very security minded because of the products we make,” says Morey. Unfortunately, not all organizations have that mindset built into them natively. But that shouldn’t stop them from trying to foster one.

“It starts with training, it starts with leadership, it starts with understanding and teaching the risks of a compromise to the organization. What would it mean if you were breached? What would happen to your clients? Is it a game over event? And how do you protect against it? 

“Most security organizations have the benefit of thinking that way. But for everybody else, it is continuous education.”

How Vendors Can Protect Their Customers: Prevention And Communication

Until now, we’ve explored how organizations can protect themselves in the event that one of their vendors is compromised. However, when it comes to supply chain attacks, the responsibility for prevention and detection doesn’t lie solely with the end-user organization; it also lies with the vendor. And there are two things that vendors need to do in order to protect their customers, should they find themselves victim to a breach. 

The first of these is to communicate openly with their customers about the breach, so they know what signs of compromise to look out for and can ensure their systems are secure. This can also help to minimize reputational damage to some extent—but often, vendors should be prepared to lose customers if they experience a breach. 

“Bluntly, we have seen other cybersecurity vendors in the past get attacked and do proper open communications and be fully honest,” says Morey. “Unfortunately, their brands and their reputations were tarnished to points of no return. In many cases, some of those vendors even changed their names—their publicly traded names—in order to try to hide the stigma of them being in the news in the past.”

To avoid this, vendors must implement best security practices in order to prevent a breach from occurring in the first place, and continuously monitor their systems to quickly identify and contain a breach when one occurs, Morey says. 

“There really is no room for mistake. You have to only grant exceptions internally—in terms of internal processes—when absolutely necessary; it shouldn’t be the norm. [You need] strict change control, and to go for SOC 2 compliance for your cloud solutions, ISO certification on your methodologies, and then ensure and test that everything is basically operating to the best of your ability.” 

“Everybody’s going to get penetrated; it’s just a matter of time. Taking the best security practices for everything that you own would not have stopped the Okta support breach because it was completely out of your control. But what you cando is that monitoring phase.”

“Think of the things that can impact you. Be a little bit mischievous in your own mind; think bad, do good. Think of all the places that you can be attacked—including the supply chain—and make sure you have some way of monitoring it.”

“That’s the best you can do; it’s not a matter of if, it’s a matter of when. This entire podcast regarding the Okta support breach and the ramifications for clients of all sizes is proof that you can do everything right, but something bad could still happen on the outside.”

Listen On Spotify:

Listen On Apple Podcasts:

About Expert Insights

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.