Third-Party Risk Management, Cyber Security

Cyber Threat Briefing: An Organization’s Susceptibility to Supply Chain Attacks

Written by

Hugh Raynor, Senior Cybersecurity Consultant and Craig Moores, Risk Advisory Senior Director

Published on

23 Feb 2022

In a new report published by the World Economic Forum, entitled Global Cybersecurity Outlook 2022, more than 40% of CISOs said their business had been negatively impacted by a supply chain breach in the past year, and 90% of CISOs stated that they saw SMEs as the weakest link in their supply chain.

While a lot of businesses are investing more in their cyber defenses and putting ever-tighter controls in place, threat actors are looking for weak links in the chain, such as SMEs, in order to gain access. Is there anything we can do about it, or is it simply out of our control? In our latest cybersecurity briefing, Risk Advisory Senior Director, Craig Moores, and Senior Consultant, Hugh Raynor, sat down to talk about the emerging challenge of supply chain attacks and how it will shape security strategies moving forward. 

What is motivating the rise in supply chain attacks?

According to the European Union Agency for Cybersecurity (ENISA), the number of supply chain attacks last year almost quadrupled, no doubt kickstarted by the infamous SolarWinds breach that went on to impact tens of thousands of government and private organizations. Microsoft President, Brad Smith, even referred to the SolarWinds breach as the “largest and most sophisticated cyber attack the world has ever seen.” It certainly appears to have opened the floodgates for other threat actors to try their hand. But what is motivating such attacks, and does that have any bearing on how they are evolving?

Our session started with Hugh putting himself into the shoes of a threat actor. Are they going to look at the supply chain first and then take an opportunistic approach to carrying out an attack, or will they choose a high-value target and work backward through the supply chain to find a weak link? Unfortunately for businesses, most cybercriminals don’t discriminate between these two approaches. They will use either strategy to hit their mark or uncover a vulnerability they know could open the door to countless further attacks. 

Advanced persistent threats (APTs), which were discussed in our last cybersecurity briefing, are unique in that they are usually quite organized and will have a very specific target in mind that they will seek to infiltrate over long periods of time, often lying dormant or quietly siphoning off data until they strike or leave unnoticed. APTs usually have motives that extend beyond mere financial gain, such as the politically motivated Colonial Pipeline attack in 2021. These are the kinds of supply chain attacks that government organizations and public entities need to be mindful of. For regular businesses, however, opportunistic software supply chain attacks are far more common. Cybercriminals will often focus their attention on large software providers whose products underpin critical business infrastructure or support the development or delivery of products, derailing businesses and spiraling them into chaos.  

Outsourcing and walking the tightrope of third-party risk

Today’s digital landscape is almost entirely predicated on the concept of outsourcing. It’s impossible for one business to excel at every single function it needs in order to thrive and compete in the modern world, so things naturally get outsourced. Today’s supply chain is therefore less like a “chain” in the traditional sense, and more like an interconnected web of software that keeps things ticking over for businesses. As Hugh explains, these dependencies on third parties, while necessary, are the reason so many businesses are finding themselves vulnerable. Perhaps it’s time for businesses to “reframe” the relationships they have with software suppliers to be more security-centric. 

It’s important that businesses maintain an element of independence and separation from their supplier partners. Regardless of how close an organization’s commercial relationship may be with its suppliers, it should nevertheless always “assume zero trust” by only giving partners access to what they need in order to carry out their function. It’s vital for businesses to remember that even if their supplier relationships are built on trust and understanding, if that supplier falls victim to a breach, then they too will be made vulnerable. 

By enacting “least privilege”, businesses are ensuring that even if their suppliers are breached, the damage to them will at least be limited. It’s like the difference between keeping fire doors closed or leaving them wide open. Give third parties the access they need to certain rooms, but don’t take the doors off the hinges otherwise any fires that occur will undoubtedly spread. 
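The “fire doors” principle above can be made concrete as a deny-by-default policy: a supplier gets a short list of scoped, time-boxed grants, every request is checked against that list, and anything not granted is refused. The following Python is an added example written for this post, not SureCloud's code; the supplier name, resource paths, inventory and dates are all constructed, and `blast_radius` is a hypothetical helper that shows what a compromised supplier credential could reach under a scoped policy versus a blanket one.

```python
"""Deny-by-default, scoped access grants for a third-party supplier.

Added example, not SureCloud's code. Supplier names, resource names, the
inventory and the dates below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One 'door' the supplier may pass through: a resource pattern,
    the actions permitted on it, and an optional expiry."""
    resource_pattern: str            # fnmatch pattern, e.g. "repos/billing-service/*"
    actions: frozenset                # e.g. frozenset({"read", "write"})
    expires: Optional[datetime] = None


@dataclass(frozen=True)
class SupplierPolicy:
    supplier: str
    grants: tuple                     # tuple of Grant; nothing outside it is reachable


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(policy: SupplierPolicy, resource: str, action: str, now: datetime) -> Decision:
    """Allow only if some unexpired grant covers both the resource and the action.
    Anything not explicitly granted is denied (the closed fire door)."""
    for grant in policy.grants:
        if grant.expires is not None and now >= grant.expires:
            continue                                   # stale access counts as no access
        if not fnmatchcase(resource, grant.resource_pattern):
            continue
        if action not in grant.actions:
            continue
        return Decision(True, f"{policy.supplier}: matched grant {grant.resource_pattern}")
    return Decision(False, f"{policy.supplier}: no grant permits {action} on {resource}")


def blast_radius(policy: SupplierPolicy, inventory, actions, now: datetime):
    """Everything a compromised credential for this supplier could reach right
    now: the set of (resource, action) pairs the policy allows."""
    return {
        (resource, action)
        for resource in inventory
        for action in actions
        if evaluate(policy, resource, action, now).allowed
    }


# Constructed asset inventory and the actions that exist on it.
INVENTORY = (
    "repos/billing-service/src/app.py",
    "repos/payments-core/src/ledger.py",
    "secrets/prod/db-password",
    "ci/pipelines/billing",
)
ACTIONS = ("read", "write", "deploy")
NOW = datetime(2022, 2, 23)

# Least privilege: the supplier maintains the billing service and nothing else.
# The secrets grant was time-boxed for a migration and has already expired.
SCOPED = SupplierPolicy("vendor-a", (
    Grant("repos/billing-service/*", frozenset({"read", "write"})),
    Grant("ci/pipelines/billing", frozenset({"read"})),
    Grant("secrets/prod/*", frozenset({"read"}), expires=datetime(2022, 1, 31)),
))

# "Doors off the hinges": the same supplier given blanket access.
OPEN_DOORS = SupplierPolicy("vendor-a", (
    Grant("*", frozenset(ACTIONS)),
))


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED), ("open", OPEN_DOORS)):
        reach = blast_radius(policy, INVENTORY, ACTIONS, NOW)
        print(f"{name}: {len(reach)} of {len(INVENTORY) * len(ACTIONS)} resource/action pairs reachable")
    print(evaluate(SCOPED, "repos/payments-core/src/ledger.py", "read", NOW))
```

Two design points matter here. First, the evaluator never has a “default allow” branch, so a forgotten grant fails closed rather than open. Second, `blast_radius` turns the fire-door analogy into a number a risk owner can track per supplier: under the scoped policy a stolen credential reaches 3 of 12 resource/action pairs, under the blanket policy all 12. Note that `fnmatch`'s `*` also matches `/`, so a pattern such as `repos/*` covers every repository; keep patterns as specific as the supplier's actual job.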

The impact of broadening attack surfaces

Attack surfaces are not only larger than ever before, but they’re expanding at a rate that’s unprecedented. As more businesses allow more endpoints on their network, from employees’ personal devices to security cameras and other “smart” technologies, the opportunities for attackers to infiltrate a supply chain are increasing. This has, of course, been exacerbated by the pandemic and hybrid working, forcing businesses to reevaluate their security posture and put tighter control policies in place that account for remote working. But while a business may take those steps, the companies along its supply chain might not. This is where third-party risk management (TPRM), which should be a crucial component of any risk management solution, really comes into play. 

It’s very difficult for organizations to audit every touchpoint along the supply chain journey from, say, an accountant in one company to somebody processing an order in the next, each using their own devices at home or in the office. This is where supply chain assessments come in, ensuring that each organization along the supply chain complies with basic security standards that reflect those of the business in question. In short, security maturity must be assured across the board. 

What are the main attack methods and vectors? 

Our session then turned to the methods used by cybercriminals to instigate a supply chain attack, beginning with phishing attempts which, despite their apparent simplicity, are still one of the most prevalent and most effective tactics employed. 

A phishing attack is where the attacker poses as a trusted vendor or another department via email to lure a staff member into parting with their credentials. They will then hopscotch around the network from device to device, dumping credentials until they land on a machine that has access to, say, source code repositories. Then the game is on, and modifications can be made to the code in order to introduce that same vulnerability to the supply chain.

Credential dumping in this way means that actors can effectively stockpile credentials for other forms of attack once the supply chain vulnerability has been established. This demonstrates the importance of multi-factor authentication, but even then there is a risk that it can be broken and exploited, with attackers obtaining rolling codes that let them bypass authentication methods.

What can organizations do to identify and prevent supply chain attacks? 

The difficult thing about supply chain attacks is that the real point of risk is often outside of an organization’s reach. As mentioned previously, it’s near impossible for businesses to audit every endpoint across their entire supply chain, which could consist of dozens of separate businesses and hundreds of employees. What organizations can do, however, is monitor traffic. Once an organization enters into a relationship with a supplier, it will be able to start monitoring the size and frequency of the traffic it expects in the form of product updates and regular maintenance. Any deviation from this expected flow of data traffic should result in a red flag that triggers a further investigation. This should be a part of any modern organization’s due diligence process when dealing with third-party software vendors. 

However, businesses should be mindful of not overloading themselves with information when it comes to logging and monitoring traffic. This is where ‘intelligence’ and automation come into play, spotting anomalies automatically, so that time and resources can be devoted to dealing with potential incidents rather than just combing through endless data logs. 
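The two paragraphs above describe a concrete detection: learn the size and cadence of each supplier's update traffic, then raise a flag automatically when a transfer deviates from that baseline so analysts are not combing through raw logs. The Python below is an added example written for this post, not SureCloud's code; the log format, supplier names and byte counts are constructed, and the median/MAD scoring and the `window` and `threshold` parameters are design choices of this example rather than anything the briefing specifies.

```python
"""Baseline-and-deviation monitor for supplier update traffic.

Added example, not SureCloud's code. Builds a per-supplier baseline of the
size and cadence of inbound update transfers, then flags later transfers
that deviate from it. Log format and every value below are constructed.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    when: datetime
    supplier: str
    size: int                 # bytes received from the supplier


@dataclass(frozen=True)
class Baseline:
    median_size: float
    size_mad: float
    median_interval: float    # seconds between consecutive transfers
    interval_mad: float


@dataclass(frozen=True)
class Alert:
    supplier: str
    when: datetime
    size: int
    reasons: tuple


def parse_log(text: str) -> list:
    """Parse 'ISO-timestamp supplier bytes' lines (constructed format)."""
    transfers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, supplier, size = line.split()
        transfers.append(Transfer(datetime.fromisoformat(stamp), supplier, int(size)))
    return sorted(transfers, key=lambda t: t.when)


def _mad(values) -> float:
    """Median absolute deviation: a spread estimate one huge outlier cannot drag."""
    med = statistics.median(values)
    return statistics.median([abs(v - med) for v in values])


def robust_z(value: float, median: float, mad: float) -> float:
    """Distance from the median in MAD units; the scale is floored so a
    perfectly regular history (MAD of zero) still gives a finite score."""
    scale = max(1.4826 * mad, 0.05 * abs(median), 1.0)
    return (value - median) / scale


def build_baseline(history) -> Baseline:
    sizes = [t.size for t in history]
    gaps = [(b.when - a.when).total_seconds() for a, b in zip(history, history[1:])]
    return Baseline(statistics.median(sizes), _mad(sizes),
                    statistics.median(gaps), _mad(gaps))


def detect_anomalies(log_text: str, window: int = 8, threshold: float = 3.5) -> list:
    """Baseline each supplier on its first `window` transfers, then flag any
    later transfer whose size or timing is more than `threshold` MADs out.
    Cadence is measured from the last transfer that looked normal, so one
    anomalous transfer does not make the next legitimate one look early."""
    by_supplier = defaultdict(list)
    for t in parse_log(log_text):
        by_supplier[t.supplier].append(t)
    alerts = []
    for supplier, transfers in by_supplier.items():
        if len(transfers) <= window:
            continue                          # too little history to baseline yet
        history = transfers[:window]
        base = build_baseline(history)
        last_normal = history[-1]
        for t in transfers[window:]:
            reasons = []
            size_z = robust_z(t.size, base.median_size, base.size_mad)
            if abs(size_z) > threshold:
                reasons.append(f"size {t.size} B vs median {base.median_size:.0f} B (z={size_z:.1f})")
            gap = (t.when - last_normal.when).total_seconds()
            gap_z = robust_z(gap, base.median_interval, base.interval_mad)
            if abs(gap_z) > threshold:
                reasons.append(f"interval {gap / 3600:.1f} h vs median {base.median_interval / 3600:.1f} h (z={gap_z:.1f})")
            if reasons:
                alerts.append(Alert(supplier, t.when, t.size, tuple(reasons)))
            else:
                last_normal = t
    return alerts


# Constructed log: vendor-a ships a ~52 MB update every Monday at 02:00, then
# an 890 MB transfer arrives mid-week; vendor-b has too little history yet.
SAMPLE_LOG = """
# timestamp           supplier  bytes
2022-01-03T02:00:00   vendor-a  52000000
2022-01-10T02:00:00   vendor-a  54000000
2022-01-17T02:00:00   vendor-a  51000000
2022-01-24T02:00:00   vendor-a  53000000
2022-01-31T02:00:00   vendor-a  52500000
2022-02-07T02:00:00   vendor-a  53500000
2022-02-14T02:00:00   vendor-a  52000000
2022-02-21T02:00:00   vendor-a  54500000
2022-02-23T14:37:00   vendor-a  890000000
2022-02-28T02:00:00   vendor-a  53000000
2022-02-01T03:00:00   vendor-b  8000000
2022-02-15T03:00:00   vendor-b  8100000
"""

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOG):
        print(a.supplier, a.when.isoformat(), *a.reasons, sep=" | ")
```

Run as-is, the monitor raises exactly one alert, for the 890 MB mid-week transfer, on both size and timing, while the following Monday's normal update passes because cadence is measured from the last normal transfer. Median and MAD are used rather than mean and standard deviation so that the anomaly, once it is in the history, cannot inflate the baseline and hide the next one; in production the `window` would be a rolling period per supplier and the alert would feed the investigation queue rather than a print statement.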

To learn more about supply chain attacks, including what they are, how they work, and the steps your business can take to protect itself in an increasingly high-risk landscape, catch the full talk here.