Recently, the Wiz research team hosted a webinar titled How to Protect Your Cloud Environment from Supply Chain Attacks. In this post, we’ll share a recap of what the team covered.
To start with, a quick look at supply chain attacks at a high level. A supply chain attack occurs when attackers compromise a third-party vendor's software and insert malicious code into it. Every organization that installs or updates that software then runs the attacker's code, so a single breach of one vendor can give the attacker a foothold in thousands of otherwise better-defended targets.
The cloud has introduced new risks and attack vectors
The cloud brings a wide range of benefits for organizations, but it is a fundamentally different world from on-prem, and with it have come new types of risks and attack vectors. One that has gained notoriety over the past few years is the supply chain attack. Supply chain attacks are not specific to the cloud (the SolarWinds attack is one of the most famous examples), but the cloud adds new considerations to them.
One example is OMIGOD, a set of vulnerabilities in the Open Management Infrastructure (OMI) agent that Azure installs on Linux VMs when certain management services are enabled. OMIGOD highlighted a new kind of supply chain consideration: vulnerabilities in software that you never chose to put in your environment in the first place.
There are two major types of supply chain risks in the cloud
Cloud environments still carry the classic supply chain risk (software-based, from a third-party vendor), but it looks different in the cloud. Because the cloud is more complex, more agile, and has more compute types, asset management is exceedingly hard, which makes software-based supply chain risk harder to handle.
In addition, there is a type of supply chain risk that is new to the cloud: identity-based supply chain risk. It arises not from installing third-party software in your environment, but from granting permissions within your environment to third parties.
Software-based supply chain risks are different in the cloud
In the cloud, software comes in many form factors. A typical environment has third-party agents running on VMs, third-party machine images (AMIs), container images, and/or Lambda functions.
With all these forms of third-party software, it is difficult to track even what you deployed intentionally. And OMIGOD showed that third-party software is sometimes installed and run for you by the cloud provider, so you may not have put it there at all. Wiz research found that approximately 60% of surveyed environments were affected by OMIGOD, so this kind of risk is widespread.
All these elements mean that creating and maintaining a cloud asset inventory is a huge challenge for security teams. And without such an inventory, it’s easy to miss insecure third-party software in your cloud environment.
Identity-based supply chain risk is new and serious
Beyond new looks for familiar supply chain risks, the cloud brings an entirely new type: identity-based supply chain risk, which comes from granting excessive permissions to third-party vendors. A vendor that is granted a role in your cloud account becomes part of your attack surface: if that vendor is breached, the attacker inherits whatever the role can do.
Wiz analyzed 1,500 AWS accounts, looking for the 40 most popular third-party vendors, and found some compelling statistics. Nearly everyone relies on third-party vendors for some part of their environment: only 4% of organizations had not granted permissions to any third-party vendor. The risk does not come from granting permissions as such, however; it comes from granting excessive permissions. 82% of environments had at least one vendor with overly high permission levels, and 76% had one or more vendors with permissions amounting to full control of the customer's cloud, which is a major account takeover (ATO) risk.
The takeaway here is that it’s quite common to grant excessive privileges to third-party vendors, and also very hard for security teams to detect these privileges. That’s a bad combination.
What can you do about supply chain risks?
To properly mitigate supply chain risks, security teams need a cloud supply chain strategy. Each organization's strategy will have some unique elements, but there are a few common approaches that should be adopted:
Detect: Create a process for detecting third-party risk: an asset inventory and visibility into effective permissions. Understanding what is in your environment is the starting point.
Certify: Add internal processes for analyzing and approving third-party vendors. Review each vendor before it is added, and check which policies and permissions it actually needs.
Reduce risk: Implement a consistent way of reducing both software-based and identity-based supply chain risk. For software-based risk, that is a cloud asset management solution: security teams need visibility into these software assets and must continuously analyze them to ensure they are properly patched and behaving as expected. For identity-based risk, it is the ability to analyze the identities in your environment and to ensure that each vendor has the most limited form of access that still lets it do its job.
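The Detect and Reduce risk steps above, applied to the identity-based risk described earlier, can be turned into a concrete check. The following Python script is an added example and is not code from the webinar or from Wiz. It takes a set of IAM roles (each role's trust policy plus the policy documents attached to it, which is the data iam:GetRole and iam:GetPolicyVersion return; the fetching is left out so the script runs offline on constructed inline samples) and flags two things: cross-account trust that does not pin sts:ExternalId, which leaves the role open to the confused-deputy problem, and permissions that amount to full control of the account. All account ids, role names and the ExternalId value are hypothetical, and the function names are the example's own.

```python
import re

def _as_list(value):
    # IAM policy JSON allows most fields to be either a string or a list
    return [] if value is None else value if isinstance(value, list) else [value]

def _account_of(principal):
    """12-digit account id from an AWS principal (ARN or bare id), else None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    parts = principal.split(":")  # arn:partition:service:region:account:resource
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def external_trust_statements(trust_policy, own_account):
    """Yield (statement, accounts) for Allow statements that let another account
    (or anyone, "*") assume the role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = {"AWS": "*"} if stmt.get("Principal") == "*" else stmt.get("Principal", {})
        accounts = set()
        for p in _as_list(principal.get("AWS")):  # service principals are not cross-account
            acct = "*" if p == "*" else _account_of(p)
            if acct and acct != own_account:
                accounts.add(acct)
        if accounts:
            yield stmt, accounts

def requires_external_id(stmt):
    """True if the Condition pins sts:ExternalId (IAM condition keys are case-insensitive)."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator.lower().startswith("stringequals") and any(
            k.lower() == "sts:externalid" for k in pairs
        ):
            return True
    return False

def grants_full_control(policy_doc):
    """True if an Allow statement grants every action on every resource. That is the
    document behind the AWS-managed AdministratorAccess policy; an Allow that uses
    NotAction on Resource "*" is treated as equally broad."""
    for stmt in _as_list(policy_doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource"))
                and ("*" in actions or "NotAction" in stmt)):
            return True
    return False

def audit_role(role, own_account):
    """Findings for one role as a list of strings; an empty list means it passes."""
    findings = []
    external = list(external_trust_statements(role["trust_policy"], own_account))
    if not external:
        return findings  # only our own account can assume it: not a vendor role
    for stmt, accounts in external:
        if "*" in accounts:
            findings.append("trust: any AWS principal may assume this role")
        if not requires_external_id(stmt):
            findings.append(f"trust: accounts {sorted(accounts)} may assume without sts:ExternalId")
    if any(grants_full_control(doc) for doc in role["policies"]):
        findings.append("permissions: full control of the account (Action * on Resource *)")
    return findings

def _role(name, principal, statements, condition=None):
    """Build a role record shaped like iam:GetRole plus its policy documents."""
    trust = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition:
        trust["Condition"] = condition
    return {"name": name, "trust_policy": {"Version": "2012-10-17", "Statement": [trust]},
            "policies": [{"Version": "2012-10-17", "Statement": [s]} for s in statements]}

# Constructed sample data: hypothetical account ids, role names and ExternalId.
OWN = "111111111111"     # the customer's own account
VENDOR = "222222222222"  # a monitoring vendor's account
ADMIN = {"Effect": "Allow", "Action": "*", "Resource": "*"}  # same as AdministratorAccess
READ_ONLY = {"Effect": "Allow", "Resource": "*", "Action": [
    "cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "ec2:DescribeInstances"]}

ROLES = [
    # The common mistake: vendor account root trusted without ExternalId, admin attached.
    _role("vendor-monitoring-legacy", f"arn:aws:iam::{VENDOR}:root", [ADMIN]),
    # The hardened form: ExternalId pinned, only the actions the vendor needs.
    _role("vendor-monitoring-scoped", f"arn:aws:iam::{VENDOR}:root", [READ_ONLY],
          condition={"StringEquals": {"sts:ExternalId": "example-external-id"}}),
    # Trusted only by our own account: out of scope for a vendor audit.
    _role("internal-deploy", f"arn:aws:iam::{OWN}:root", [ADMIN]),
]

def audit_all(roles, own_account=OWN):
    return {r["name"]: audit_role(r, own_account) for r in roles}

if __name__ == "__main__":
    for name, findings in audit_all(ROLES).items():
        print(f"[{'BAD' if findings else 'OK '}] {name}", *findings, sep="\n      - ")
```

Running it reports the legacy vendor role as BAD on both counts and the other two roles as OK. The two questions the script asks, who outside your account can act as this identity and what it can do once it does, are the identity-based analogue of the asset inventory: neither the trust policy nor the attached permissions are visible from the vendor's onboarding form, so the check has to run against the live configuration.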
Watch the full webinar to explore these topics further and to see three deep-dive examples of common excessive privileges that contribute to identity-based supply chain risk, and how to mitigate them.