Saturday, March 25, 2023

A New Way To Avoid A SolarWinds-Like Attack: The SoT Framework

Do you all remember the infamous SolarWinds attack from a while back?  That kind of Cyberattack is what is known as a “Supply Chain” attack.  No, it has nothing to do with UPS or FedEx; the point is that the Cyberattacker needs just one point of entry, a trusted supplier, to infect literally thousands of that supplier’s downstream customers with malware, ransomware, Trojan Horses, etc.

In the case of SolarWinds, the attacking group did not break into each victim separately.  They compromised the build process of the vendor’s Orion platform, so that a backdoor rode inside legitimately signed software updates that were then pushed out to all of its clients through the normal update mechanism.

In response to this, there have been many calls in the Cyber industry for some sort of guidance or framework that would help keep this same kind of threat vector from being exploited again.

As a result, MITRE, a Cyber based organization (this is the same group that came out with the well-known “ATT&CK” framework, a knowledge base of adversary tactics and techniques drawn from real-world observations, which can also be used to build threat models), has stepped in.

They have come out with a new framework that should help curtail Supply Chain attacks, and it is called the “System of Trust”, also known as “SoT” for short.  Along with it comes a new tool called the “Risk Model Manager” (“RMM”).  The SoT was actually first announced at the RSA conference last year, and the details can be seen at the link below:

https://www.darkreading.com/application-security/mitre-creates-framework-for-supply-chain-security

The RMM tool itself will be formally announced at this year’s RSA conference.  More information about this is right here:

https://www.rsaconference.com/USA/agenda/session/Creating%20the%20Standard%20for%20Supply%20Chain%20Risk%20%20MITREs%20System%20of%20Trust

The SoT platform itself is hosted entirely on AWS, and it covers 14 Cyber risk areas, which include the following:

*The financial information and data of the third-party vendor.

*The kind of Cyber practices that are enforced and followed.

*Any other risks that should be taken into account.

Of course, this is not the complete list of 14 areas, but those above are some of the key areas of focus for this new framework.  It should be noted that while any vendor can use this framework (at least this is my understanding of it so far), one of its main objectives is to help vet third-party vendors, since businesses continue to outsource their processes to others for handling.

In turn, once a company has settled on a third-party vendor, this framework can also be used to ascertain how that vendor uses its own software packages to deliver services to clients.  At present, some 40+ organizations are working with MITRE to help get it ready for widespread adoption on a global scale.  Some of these include the following:

*Microsoft

*BlackBerry

*CISA

*Cisco

*Dell Technologies

*Intel

*Mastercard

*NASA

*Raytheon

*Schneider Electric

*Siemens

*The Open Group

These heavy hitters are fine-tuning the SoT framework by feeding various kinds of vendor data into a scoring algorithm, and from there determining the Cyber strengths as well as weaknesses that a third-party vendor may have in its systems.  These companies are also testing the SoT framework for their own internal uses.
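To make the idea of such a scoring algorithm concrete, here is an added example (not MITRE’s own SoT or RMM code, whose factors and weights are not given on this page) of the general shape a vendor risk score takes: per-factor risk values rolled up through weighted areas, with an explicit policy for factors where no evidence was gathered.  The three area names follow the list earlier on this page; the individual factors, their weights and their risk values are hypothetical.

```python
# Illustrative hierarchical vendor-risk scoring.  This is an added example,
# not MITRE's System of Trust or Risk Model Manager scoring; area names follow
# the page, while factors, weights and risk values are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskFactor:
    name: str
    weight: float
    # 0.0 = no observed risk, 1.0 = maximum risk, None = no evidence gathered
    risk: Optional[float]


@dataclass
class RiskArea:
    name: str
    weight: float
    factors: list


def effective_risk(factor: RiskFactor, unknown_as: float) -> float:
    """Substitute the policy value for factors that have no evidence."""
    return unknown_as if factor.risk is None else factor.risk


def score_area(area: RiskArea, unknown_as: float = 1.0) -> dict:
    """Weighted mean of factor risk within one area, plus evidence coverage."""
    if not area.factors:
        raise ValueError(f"area {area.name!r} has no factors to score")
    total_w = sum(f.weight for f in area.factors)
    answered_w = sum(f.weight for f in area.factors if f.risk is not None)
    weighted = sum(f.weight * effective_risk(f, unknown_as) for f in area.factors)
    return {"name": area.name, "score": weighted / total_w, "coverage": answered_w / total_w}


def score_vendor(areas, unknown_as: float = 1.0, weak_threshold: float = 0.6) -> dict:
    """Roll area scores up to one vendor score and list the weak points.

    unknown_as=1.0 treats missing evidence as worst case (conservative);
    unknown_as=0.0 quietly rewards vendors that answer fewer questions,
    which is why coverage is reported next to the score either way.
    """
    area_results = [score_area(a, unknown_as) for a in areas]
    total_w = sum(a.weight for a in areas)
    overall = sum(a.weight * r["score"] for a, r in zip(areas, area_results)) / total_w
    weak_areas = [r["name"] for r in area_results if r["score"] >= weak_threshold]
    weak_factors = sorted(
        ((f.name, effective_risk(f, unknown_as)) for a in areas for f in a.factors
         if effective_risk(f, unknown_as) >= weak_threshold),
        key=lambda t: t[1], reverse=True)
    return {"overall": overall, "areas": area_results,
            "weak_areas": weak_areas, "weak_factors": weak_factors}


def sample_vendor():
    """Constructed sample: three of the page's risk areas with made-up factors."""
    return [
        RiskArea("Financial stability", 1.0, [
            RiskFactor("Going-concern risk", 2.0, 0.2),
            RiskFactor("Customer revenue concentration", 1.0, 0.5),
        ]),
        RiskArea("Cyber practices", 2.0, [
            RiskFactor("Build pipeline integrity and update signing", 3.0, 0.8),
            RiskFactor("Patch turnaround SLA", 2.0, 0.3),
            RiskFactor("Independent penetration test in last 12 months", 1.0, None),
        ]),
        RiskArea("Other risks", 1.0, [
            RiskFactor("Geopolitical / jurisdiction exposure", 1.0, 0.1),
        ]),
    ]


if __name__ == "__main__":
    result = score_vendor(sample_vendor())
    print(f"overall risk {result['overall']:.3f}")
    for r in result["areas"]:
        print(f"  {r['name']:<22} score {r['score']:.3f}  evidence coverage {r['coverage']:.0%}")
    print("weak areas:", result["weak_areas"])
    print("weak factors:", result["weak_factors"])
```

The point worth noticing is the unanswered penetration-test factor: with the conservative policy it surfaces as the single weakest item and drags the “Cyber practices” area over the threshold, while with `unknown_as=0.0` the same vendor looks acceptable.  Whatever the real SoT weights turn out to be, a score reported without its evidence coverage is easy to game by leaving questions blank.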

Eventually, MITRE’s main intention is to offer this framework as an open-source project, so that businesses can fit and mold it to their own security requirements.

It should also be noted that MITRE has also come out with a newer framework called the “D3FEND” model, a knowledge base of defensive techniques that can be mapped against the offensive techniques catalogued in ATT&CK, and many organizations use it today to take an honest assessment of their own security posture.  More information about this can be seen at the link below:

https://www.darkreading.com/endpoint/d3fend-framework-seeks-to-lay-foundation-for-cyber-defense

My Thoughts On This:

One of the primary differences between the SoT and the other frameworks created by MITRE is that this one is much more holistic in nature.  In other words, it does not look at a specific component or Cyberattacker; rather, the entire set of IT and Cyber practices of a potential third-party vendor comes under the microscope for very close scrutiny.

Probably one of the biggest obstacles for the SoT framework is that it is still so new that widespread adoption has not yet picked up.  But it is expected that this will change for the positive as the big-name companies start to adopt it themselves.

But I have one caveat here.  Any company can adopt all of the frameworks that it wants to (and there are hundreds of them), but none of it means anything until a framework has been put into full use and practice.  There are organizations out there that still only use them partially.

But also remember that frameworks can only go so far.  In the end, true Cybersecurity comes down to employees, and their ability to report suspicious behavior to the higher-ups in a confidential manner.

In this regard, employees should never be regarded as the weakest link in your chain.  They are the strongest, and should be treated as such.
