What we can learn from the Storm-0558 breach about mitigating supply chain risks: A healthcare CISO’s perspective
Aug 14, 2023
Recent news coverage about the Microsoft Office 365 supply chain breach inspired us to sit down with Steve Vogt, former CISO of Affinity Health Plan and currently with Molina Healthcare, to hear his perspective on mitigating supply chain risks. These views are his alone, not those of his employer.
“While challenges addressing traditional third-party vendor management have been around for years, supply chain attacks have increased in both volume and sophistication,” says Steve. “This makes it one of the largest areas of risk for any organization, and the recent breach of 25 governmental agencies through a Microsoft vulnerability confirms the widespread threat of supply chain attacks.”
Understanding the Storm-0558 breach
Microsoft and CISA recently disclosed a security incident impacting multiple customers of Exchange Online and Outlook.com. According to Microsoft, this incident stemmed from a threat actor attributed to China.
Storm-0558 acquired a private encryption key (MSA key) and used it to forge access tokens for Outlook Web Access (OWA) and Outlook.com. Additionally, the threat actor reportedly exploited two security issues in Microsoft’s token verification process.
Microsoft announced that they remediated the issue by revoking the impacted encryption key and publishing attacker IOCs, but there are indications.
Why is this attack so impactful?
“Identity providers’ signing keys are probably the most powerful secrets in the modern world,” says Steve.
“They are much more powerful than TLS keys,” he says. “Even if an attacker gets access to the google.com TLS key, they would still need to somehow impersonate a google.com server to gain significant impact.”
With identity provider keys, attackers can gain immediate single-hop access to everything—any email box, file service, or cloud account. This makes the threat far more dangerous.
What can organizations do to limit their exposure?
“There are clear steps you can take to limit your exposure to this attack,” says Steve.
He recommends the following steps to limit your exposure:
- Identify whether compromised keys were used in your environment
- Identify all potentially affected applications in your environment
- Search for forged token usage, leveraging the Indicators of Compromise (IoCs) published by Microsoft on their blog. Look for any activity that originates from the IP addresses provided by Microsoft.
- Make sure that none of the applications use a cached version of the Microsoft OpenID public certificates. If they do, refresh the cache.
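As an added example (not from the original post, and not Microsoft's or the author's code), here is a Python sketch of the last two steps: auditing an application's cached OpenID key set against the freshly published one, and rejecting a token whose key id survives only in the stale cache. All key ids, the issuer URL and the token are constructed sample values, and the check stops at key selection, before signature verification.

```python
import base64
import json

# Constructed sample data (not Microsoft's real key ids or URLs). The stale
# cache still lists "old-key-A", which the provider has since revoked; the
# freshly published OpenID key set now contains only "rotated-key-B".
CACHED_JWKS = {"keys": [{"kid": "old-key-A", "kty": "RSA"},
                        {"kid": "rotated-key-B", "kty": "RSA"}]}
PUBLISHED_JWKS = {"keys": [{"kid": "rotated-key-B", "kty": "RSA"}]}
EXPECTED_ISSUER = "https://login.example"  # assumed issuer for this key set


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(kid: str, iss: str) -> str:
    """Constructed JWT with a dummy signature: only header and claims matter
    here, because the check below stops before signature verification."""
    header = b64url(json.dumps({"alg": "RS256", "kid": kid}).encode())
    claims = b64url(json.dumps({"iss": iss, "sub": "user@example"}).encode())
    return f"{header}.{claims}.{b64url(b'dummy-signature')}"


def stale_key_ids(cached: dict, published: dict) -> set:
    """Key ids an application still trusts from its cache but which the
    provider no longer publishes; any hit means the cache must be refreshed."""
    return {k["kid"] for k in cached["keys"]} - {k["kid"] for k in published["keys"]}


def select_key(token: str, jwks: dict):
    """Key-selection step of token verification: the issuer must match and the
    token's kid must exist in the key set handed in. Returns (ok, reason)."""
    header_b64, claims_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    known = {k["kid"] for k in jwks["keys"]}
    if header.get("kid") not in known:
        return False, f"kid {header.get('kid')!r} not in published key set"
    return True, "kid present; proceed to signature check"
```

Running `select_key` on a token naming `old-key-A` passes against the stale cache and fails against the refreshed set, which is exactly why the cache must be refreshed after a key revocation.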
“The full impact of this incident has the potential to be much larger than we initially understood it to be,” says Steve. “We will all stay tuned as more news comes out regarding this attack.”
What can you do to mitigate the risk of similar attacks at your organization?
“The most important thing is to follow Cyber Supply Chain Risk Management (SCRM) best practices,” Steve says. He also adds that you should begin any third-party relationship by conducting pre-contract due diligence in line with your RFIs, RFPs, and other processes.
Cyber security standards to establish at the early stage in a relationship with a third-party provider include:
- Full disclosure of any data breach history, to determine whether the vendor is vulnerable to cyber attacks
- Disclosure of any fourth-party technologies, to gain visibility into technology concentration risk and uncover peripheral technologies that could provide backchannels to bad actors
- Security requirements built into all supplier contracts, ensuring that third and fourth parties implement and maintain cybersecurity controls
Practice Continuous Monitoring Throughout Your Cyber Supply Chain
Using a third-party risk scoring solution will give you insights into the third party’s internal processes. These solutions allow you to monitor the vendor’s score, and if the score falls below an acceptable threshold, then you can engage the vendor.
It is critical to add language to contracts regarding monitoring and remediation expectations. Practicing continuous third-party monitoring can help you identify new vulnerabilities, data breaches, and other security exposures affecting suppliers.
Do Not Forget Fourth-party, Fifth-party, and Sixth-party Risks
It can be difficult to track how your organization's information is stored and shared throughout your extended supply chain.
Each organization in your cyber supply chain works with anywhere from several to hundreds of SaaS products, outsourced IT contractors, and other external companies, some of which could have access to your company's information.
The last thing that senior management wants to hear is that the organization has been exposed to a data breach because of fourth- or fifth-party vendor negligence. Here are a few best practices you can use when evaluating and mitigating fourth-party risk and beyond:
- Identify mission-critical vendors in your cyber supply chain
  - What level of access does the vendor have to regulated data such as PII, PFI, or PHI?
  - If the vendor is hosting the organization's data, what security controls does the data center have?
  - Does the vendor have its own cyber supply chain risk management program in place?
  - Does the organization base its information security and third-party risk management programs on widely accepted frameworks?
- Map your extended cyber supply chain
  - Request to update your contract with the relevant third party to limit data sharing or access to IT infrastructure with the high-risk fourth party
  - Request additional information about the fourth party’s security controls and infrastructure
  - Consider alternative third-party suppliers when contracts are up for renewal
  - Conduct continuous monitoring of the fourth party to reduce the risk of a compromise that could ultimately affect your organization
- Periodically reassess supplier risk
  - Does your SCRM program conduct risk assessments throughout the lifecycle of the contract or only at the beginning?
  - Are the scope and cadence of risk assessments determined based on risk findings from the vendor onboarding process?
  - Are you able to effectively integrate changes in the vendor’s residual risk profile into your broader third-party risk management workflow?
  - Do you evaluate fourth- and fifth-party risk as part of your standard risk assessments?
- Implement a Supplier Incident Response Plan
- Maintain diligence during offboarding to avoid:
  - Compliance issues if a contract has expired and the vendor still has access to IT systems and data
  - Potential data breaches if a vendor has stored PII or PHI of your employees or vendors
  - Insider threats when contractor employees retain access to data and systems
NIST Security Standards pertaining to supply chain risk management
Consult the following NIST guides to learn more about risk assessment and mitigation:
- NIST Special Publication 800-161 r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
- NIST C-SCRM Risk Exposure Framework
- NIST Software Security Supply Chain Guidance