
3CX Software Supply Chain Attack: Best Practices to Reduce Third-Party Risk

Follow these five best practices to improve visibility and reduce the impact of software supply chain attacks.
Scott Lang
VP, Product Marketing
April 13, 2023

Voice over IP (VoIP) company 3CX recently announced that its Electron-based desktop software was compromised in a supply chain attack. The attackers, believed to be the North Korean state-affiliated group Labyrinth Chollima, trojanized the 3CX desktop app to install malware called TAXHAUL and carry out further malicious activity on customers running the compromised application.

With more than 242,000 publicly exposed 3CX phone management systems and 600,000 companies as customers of 3CX, this software supply chain attack has the potential to create widespread security problems if anti-virus tools do not flag and uninstall the compromised 3CX executable and subvert its sleep function.

This post examines five best practices for mitigating the risks of similar software supply chain attacks.

Five Best Practices for Mitigating the Impact of Software Supply Chain Attacks

The announcement of a high-impact software supply chain security incident is the wrong time to ensure your organization has a third-party incident response plan in place. Instead, prepare for the next incident by developing a proactive approach now. Here are five best practices to consider:

1. Develop a centralized inventory of all third parties

A centralized inventory of all third-party vendors and suppliers adds governance and process to vendor management, and it reduces the likelihood of rogue vendor relationships introducing risk to your IT operations. Inventorying your vendors should be done in a centralized platform – not spreadsheets – so that multiple internal teams can participate in vendor management and the process can be automated for everyone’s benefit.

You can build a central vendor inventory by importing vendors to your third-party risk management platform via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized and customizable intake form and associated workflow. This capability should be available to everyone via email invitation, without requiring any training or solution expertise.

Once vendors are centralized, conduct inherent risk scoring assessments to help you determine how to assess your third-party vendors on an ongoing basis according to the risks they pose to your business.


2. Build a map of third parties to determine technology concentration risk

Collecting the 4th-party technologies deployed in your vendor ecosystem during the inventory process identifies which third parties rely on a given technology, helps you visualize attack paths into your enterprise, and lets you take proactive mitigation steps. You can accomplish this through a targeted assessment or via passive scanning.

In the case of the 3CX software supply chain attack, having a map of vendors that utilize the Electron solution for VoIP would help you zero in on which vendors to assess for potential malware exposure. Focus on top-tier or business critical vendors first, as a disruption in their operations has the potential to impact your organization more acutely.

3. Assess third parties’ business resilience and continuity plans

Proactively engage impacted vendors with simple, targeted assessments that align with known industry standards for supply chain security, such as NIST 800-161 and ISO 27036. Results from these assessments will help you target needed remediations to close potential security gaps.

Good solutions will provide workflow automation, review and analysis, supporting evidence management, and built-in recommendations to speed remediation and quickly close those gaps.

As part of the assessment process, require software vendors to produce a software bill of materials (SBOM). SBOMs can not only detail the components that make up a piece of software, but also explain the quality assurance (QA) and security assessment processes utilized during the software development process.
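As an added example of how the vendor map from practice 2 and the SBOM requirement from practice 3 fit together, the following Python script (written for this post, not Prevalent's or 3CX's code) parses a set of constructed CycloneDX-style SBOMs, one per vendor, checks each for a component named in a placeholder advisory, and ranks vendors by tier so the top-tier exposures surface first. The vendor names, tiers, SBOM contents and the advisory's affected version range are all hypothetical; it also handles two real-world failure modes, a component listed without a version and an SBOM with no component list, by flagging them for follow-up rather than silently treating them as clean.

```python
# Added example: rank vendors by exposure to an advisory using their SBOMs.
# All vendor names, tiers, SBOM contents and the advisory below are constructed
# placeholders for illustration, not data from the 3CX incident.
from __future__ import annotations

import json
from typing import Any

# Minimal CycloneDX 1.4-style JSON documents, one per vendor (constructed).
VENDOR_SBOMS: dict[str, dict[str, Any]] = {
    "vendor-alpha": {
        "tier": 1,
        "sbom": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [
                {"type": "framework", "name": "electron", "version": "21.3.1"},
                {"type": "library", "name": "lodash", "version": "4.17.21"},
            ],
        }),
    },
    "vendor-bravo": {
        "tier": 3,
        "sbom": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [{"type": "framework", "name": "electron", "version": "24.0.0"}],
        }),
    },
    "vendor-charlie": {
        "tier": 2,
        "sbom": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [
                {"type": "framework", "name": "electron"},  # version omitted by the vendor
                {"type": "application", "name": "softphone", "version": "3.1"},
            ],
        }),
    },
    "vendor-delta": {
        "tier": 1,
        # SBOM delivered without any component list at all
        "sbom": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4"}),
    },
}

# Placeholder advisory: affected range is [first_affected, first_fixed).
ADVISORY = {"component": "electron", "first_affected": "21.0.0", "first_fixed": "22.3.0"}


def version_key(version: str) -> tuple[int, ...]:
    """Turn 'a.b.c' into a comparable tuple; non-numeric pieces sort as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_cyclonedx(sbom_json: str) -> list[dict[str, str | None]]:
    """Extract (name, version) pairs; a missing version is kept as None."""
    doc = json.loads(sbom_json)
    return [{"name": c.get("name", "").lower(), "version": c.get("version")}
            for c in doc.get("components", [])]


def classify(component: dict[str, str | None], advisory: dict[str, str]) -> str | None:
    """'affected', 'not_affected', 'unknown' (no version), or None if out of scope."""
    if component["name"] != advisory["component"].lower():
        return None
    if component["version"] is None:
        return "unknown"
    v = version_key(component["version"])
    if version_key(advisory["first_affected"]) <= v < version_key(advisory["first_fixed"]):
        return "affected"
    return "not_affected"


def exposure_report(vendor_sboms: dict[str, dict[str, Any]], advisory: dict[str, str]) -> list[dict]:
    """One row per vendor, ordered tier 1 first and most exposed first within a tier."""
    rows = []
    for vendor, record in vendor_sboms.items():
        components = parse_cyclonedx(record["sbom"])
        statuses = [s for c in components if (s := classify(c, advisory))]
        if not components:
            status = "no_sbom_components"   # chase the vendor for a usable SBOM
        elif "affected" in statuses:
            status = "affected"
        elif "unknown" in statuses:
            status = "unknown"              # component present, version not stated
        elif statuses:
            status = "not_affected"
        else:
            status = "not_present"
        rows.append({"vendor": vendor, "tier": record["tier"], "status": status})
    rank = {"affected": 0, "unknown": 1, "no_sbom_components": 2, "not_affected": 3, "not_present": 4}
    rows.sort(key=lambda r: (r["tier"], rank[r["status"]]))
    return rows


def concentration(vendor_sboms: dict[str, dict[str, Any]], component_name: str) -> int:
    """How many vendors ship the component at all: the 4th-party concentration figure."""
    return sum(any(c["name"] == component_name.lower() for c in parse_cyclonedx(r["sbom"]))
               for r in vendor_sboms.values())


if __name__ == "__main__":
    print(f"{ADVISORY['component']} appears in {concentration(VENDOR_SBOMS, ADVISORY['component'])} vendor SBOMs")
    for row in exposure_report(VENDOR_SBOMS, ADVISORY):
        print(f"tier {row['tier']}  {row['vendor']:<16} {row['status']}")
```

The ordering is deliberate: a tier-1 vendor whose SBOM has no component list ranks above a tier-2 vendor with a confirmed exposure, because the missing evidence is itself a finding to chase before the remediation list is trusted.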

4. Continuously monitor impacted vendors and suppliers for cyber-attacks

Being continuously vigilant for the next attack means looking for signals of an impending security incident. Monitoring criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential.

You can monitor these sources individually, or you can look for solutions that unify all the insights into a single solution, so all risks are centralized and visible to the enterprise. Correlate all monitoring data to assessment results and centralize in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

5. Test your third-party incident response plan

Automating incident response is key to reducing mean time to detect (MTTD) and mean time to respond (MTTR) to third-party incidents, which can reduce the impact of the incident on your operations.

As you continually improve your incident response plans:

  • Leverage a centralized event and incident management questionnaire to reduce response times and simplify and standardize assessments
  • Track questionnaire completion progress in real time to reduce the potential for impact
  • Enable vendors to proactively report on incidents to add context and speed response times
  • Use workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Issue remediation guidance to the vendor to get down to an acceptable level of risk to your organization

By centralizing third-party incident response into a single enterprise incident management process, your IT, security, legal, privacy and compliance teams can effectively work together to mitigate risks.

Next Steps for Better Software Supply Chain Security

Taking a manual, reactive approach to third-party software vulnerability detection and incident response will only increase your likelihood of a business disruption. Instead, implement the five best practices in this post to be better prepared for your next supply chain security challenge.

For more on how Prevalent can help reduce supply chain risk at every stage of the vendor lifecycle, read our white paper The Third-Party Incident Response Checklist, or request a demo for a strategy session today.


Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
