Cyber Threat Briefing: An Organization’s Susceptibility to Supply Chain Attacks
In a new report published by the World Economic Forum, entitled Global Cybersecurity Outlook 2022, more than 40% of CISOs said their business had been negatively impacted by a supply chain breach in the past year. 90% of CISOs stated that they saw SMEs as the weakest link in their supply chain.
While a lot of businesses are investing more in their cyber defenses and putting ever-tighter controls in place, threat actors are looking for weak links in the chain, such as SMEs, in order to gain access. Is there anything we can do about it, or is it simply out of our control? In our latest cybersecurity briefing, Risk Advisory Senior Director, Craig Moores, and Senior Consultant, Hugh Raynor, sat down to talk about the emerging challenge of supply chain attacks and how it will shape security strategies moving forward.
What is motivating the rise in supply chain attacks?
According to the European Union Agency for Cybersecurity (ENISA), the number of supply chain attacks last year almost quadrupled, no doubt kickstarted by the infamous SolarWinds breach that went on to impact tens of thousands of government and private organizations. Microsoft President, Brad Smith, even referred to the SolarWinds breach as the “largest and most sophisticated cyber attack the world has ever seen.” It certainly appears to have opened the floodgates for other threat actors to try their hand. But what is motivating such attacks, and does that have any bearing on how they are evolving?
Our session started with Hugh putting himself into the shoes of a threat actor. Are they going to look at the supply chain first and then take an opportunistic approach to carrying out an attack, or will they choose a high-value target and work backward through the supply chain to find a weak link? Unfortunately for businesses, most cybercriminals don’t discriminate between these two approaches. They will use either strategy to hit their mark or uncover a vulnerability they know could open the door to countless further attacks.
Advanced persistent threats (APTs), which were discussed in our last cybersecurity briefing, are unique in that they are usually quite organized and will have a very specific target in mind that they will seek to infiltrate over long periods of time, often lying dormant or quietly siphoning off data until they strike or leave unnoticed. APTs usually have motives that extend beyond mere financial gain, such as the politically motivated Colonial Pipeline attack in 2021. These are the kinds of supply chain attacks that government organizations and public entities need to be mindful of. For regular businesses, however, opportunistic software supply chain attacks are far more common. Cybercriminals will often focus their attention on large software providers whose products underpin critical business infrastructure or support the development or delivery of products, derailing businesses and spiraling them into chaos.
Outsourcing and walking the tightrope of third-party risk
Today’s digital landscape is almost entirely predicated on the concept of outsourcing. It’s impossible for one business to excel at every single function it needs in order to thrive and compete in the modern world, so things naturally get outsourced. Today’s supply chain is therefore less like a “chain” in the traditional sense, and more like an interconnected web of software that keeps things ticking over for businesses. As Hugh explains, these dependencies on third parties, while necessary, are the reason so many businesses are finding themselves vulnerable. Perhaps it’s time for businesses to “reframe” the relationships they have with software suppliers to be more security-centric.
It’s important that businesses maintain an element of independence and separation from their supplier partners. Regardless of how close an organization’s commercial relationship may be with its suppliers, it should nevertheless always “assume zero trust” by only giving partners access to what they need in order to carry out their function. It’s vital for businesses to remember that even if their supplier relationships are built on trust and understanding, if that supplier falls victim to a breach, then they too will be made vulnerable.
By enacting “least privilege”, businesses are ensuring that even if their suppliers are breached, the damage to them will at least be limited. It’s like the difference between keeping fire doors closed or leaving them wide open. Give third parties the access they need to certain rooms, but don’t take the doors off the hinges; otherwise, any fires that occur will undoubtedly spread.
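To make the fire-door analogy concrete, the following added example (not code from the briefing or from the firm it describes) models supplier access as explicit, time-bound grants under a default-deny policy and then computes the “blast radius” a compromised supplier account would inherit. Every resource name, service account and expiry in it is a constructed, hypothetical value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    principal: str       # supplier service account, e.g. "svc-vendor-a" (hypothetical)
    resource: str        # internal resource name, e.g. "api:orders" (hypothetical)
    actions: frozenset   # actions permitted on that resource
    expires: datetime    # grants are time-bound; an expired grant simply stops matching


class AccessPolicy:
    """Default-deny evaluator: nothing is allowed unless a live grant names
    the principal, the resource and the action together."""

    def __init__(self, grants):
        self.grants = list(grants)

    def _live(self, principal, now):
        return [g for g in self.grants if g.principal == principal and g.expires > now]

    def is_allowed(self, principal, resource, action, now):
        return any(resource == g.resource and action in g.actions
                   for g in self._live(principal, now))

    def blast_radius(self, principal, now):
        """Resources a compromised principal could reach right now: this is what
        an attacker inherits when the supplier behind that account is breached."""
        return sorted({g.resource for g in self._live(principal, now)})


# Constructed inventory; the names are hypothetical.
RESOURCES = ["api:orders", "repo:billing-service", "db:customers", "bucket:backups"]
NOW = datetime(2022, 3, 1, 9, 0)

# "Doors off the hinges": one supplier account granted everything, indefinitely.
OPEN_DOORS = AccessPolicy(
    Grant("svc-vendor-a", r, frozenset({"read", "write"}), datetime.max) for r in RESOURCES
)

# Least privilege: only the function the supplier performs (pushing order
# updates), on one resource, and only for 30 days before it must be renewed.
SCOPED = AccessPolicy([
    Grant("svc-vendor-a", "api:orders", frozenset({"write"}), NOW + timedelta(days=30)),
])


def compare(now=NOW):
    """Side-by-side blast radius of the two policies for the same supplier account."""
    return {
        "open": OPEN_DOORS.blast_radius("svc-vendor-a", now),
        "scoped": SCOPED.blast_radius("svc-vendor-a", now),
    }


if __name__ == "__main__":
    for name, reach in compare().items():
        print(f"{name:>6}: breach of svc-vendor-a exposes {reach}")
```

The point of the expiry field is that supplier access is reviewed rather than accumulated: once the 30-day grant lapses, `blast_radius` for that account is empty until someone consciously renews it, which is the “keep the doors closed by default” posture the briefing recommends.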
The impact of broadening attack surfaces
Attack surfaces are not only larger than ever before, but they’re expanding at a rate that’s unprecedented. As more businesses allow more endpoints on their network, from employees’ personal devices to security cameras and other “smart” technologies, the opportunities for attackers to infiltrate a supply chain are increasing. This has, of course, been exacerbated by the pandemic and hybrid working, forcing businesses to reevaluate their security posture and put tighter control policies in place that account for remote working. But while a business may take those steps, the companies along its supply chain might not. This is where third-party risk management (TPRM), which should be a crucial component of any risk management solution, really comes into play.
It’s very difficult for organizations to audit every touchpoint along the supply chain journey from, say, an accountant in one company to somebody processing an order in the next, each using their own devices at home or in the office. This is where supply chain assessments come in, ensuring that each organization along the supply chain complies with basic security standards that reflect those of the business in question. In short, security maturity must be assured across the board.
What are the main attack methods and vectors?
Our session then turned to the methods used by cybercriminals to instigate a supply chain attack, beginning with phishing attempts which, despite their apparent simplicity, are still one of the most prevalent and most effective tactics employed.
A phishing attack is where the attacker poses as a trusted vendor or another department via email to lure a staff member into parting with their credentials. They will then hopscotch around the network from device to device, dumping credentials until they land on a machine that has access to, say, source code repositories. Then the game is on, and modifications can be made to the code in order to introduce that same vulnerability to the supply chain.
Credential dumping in this way lets actors stockpile credentials for other forms of attack once the supply chain compromise is in place. This underlines the importance of multi-factor authentication, although even MFA carries a risk of being broken and exploited, with attackers producing the rolling codes themselves in order to bypass the authentication step.
What can organizations do to identify and prevent supply chain attacks?
The difficult thing about supply chain attacks is that the real point of risk is often outside of an organization’s reach. As mentioned previously, it’s near impossible for businesses to audit every endpoint across their entire supply chain, which could consist of dozens of separate businesses and hundreds of employees. What organizations can do, however, is monitor traffic. Once an organization enters into a relationship with a supplier, it will be able to start monitoring the size and frequency of the traffic it expects in the form of product updates and regular maintenance. Any deviation from this expected flow of data traffic should result in a red flag that triggers a further investigation. This should be a part of any modern organization’s due diligence process when dealing with third-party software vendors.
However, businesses should be mindful of not overloading themselves with information when it comes to logging and monitoring traffic. This is where ‘intelligence’ and automation come into play, spotting anomalies automatically, so that time and resources can be devoted to dealing with potential incidents rather than just combing through endless data logs.
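The monitoring approach described in the two paragraphs above (baseline the expected size and cadence of a supplier’s update traffic, then raise a red flag automatically on deviation so analysts are not left combing logs by hand) can be sketched as follows. This is an added example, not code from the briefing or the firm it describes; the supplier name, timestamps and transfer sizes are constructed sample data, and the three-standard-deviation band with a 10% floor is an assumed tuning choice.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class UpdateEvent:
    supplier: str      # vendor the transfer belongs to
    when: datetime     # time the transfer started
    size_bytes: int    # bytes transferred


@dataclass(frozen=True)
class Baseline:
    size_mean: float
    size_sd: float
    gap_mean_h: float  # expected hours between consecutive transfers
    gap_sd_h: float
    last_seen: datetime


def build_baseline(events, supplier, sd_floor=0.1):
    """Learn the expected size and cadence of one supplier's transfers from a
    known-good window. sd_floor (fraction of the mean) stops a perfectly regular
    history from producing a zero-width band that would flag everything."""
    own = sorted((e for e in events if e.supplier == supplier), key=lambda e: e.when)
    if len(own) < 3:
        raise ValueError("need at least three known-good transfers to baseline")
    sizes = [e.size_bytes for e in own]
    gaps = [(b.when - a.when).total_seconds() / 3600 for a, b in zip(own, own[1:])]
    size_mean, gap_mean = mean(sizes), mean(gaps)
    return Baseline(size_mean, max(pstdev(sizes), sd_floor * size_mean),
                    gap_mean, max(pstdev(gaps), sd_floor * gap_mean), own[-1].when)


def check_event(baseline, event, k=3.0):
    """Names of the checks this event violates; an empty list means it matches expectation."""
    flags = []
    if abs(event.size_bytes - baseline.size_mean) > k * baseline.size_sd:
        flags.append("size")
    gap_h = (event.when - baseline.last_seen).total_seconds() / 3600
    if abs(gap_h - baseline.gap_mean_h) > k * baseline.gap_sd_h:
        flags.append("cadence")
    return flags


def triage(known_good, new_events, supplier):
    """Run new traffic through the baseline in time order, returning only the
    events that deserve a human look, so analysts see anomalies, not raw logs."""
    baseline = build_baseline(known_good, supplier)
    flagged = []
    for event in sorted(new_events, key=lambda e: e.when):
        if event.supplier != supplier:
            continue
        flags = check_event(baseline, event)
        if flags:
            flagged.append((event, flags))
        baseline = replace(baseline, last_seen=event.when)
    return flagged


# Constructed sample: five weekly ~50 MB update pulls from "vendor-a" form the known-good window.
BASE = datetime(2022, 1, 3, 2, 0)
KNOWN_GOOD = [UpdateEvent("vendor-a", BASE + timedelta(weeks=i), s)
              for i, s in enumerate([52_000_000, 48_000_000, 50_000_000, 51_000_000, 49_000_000])]

# Constructed new traffic: the usual weekly pull, then a 2 GB transfer only four hours later.
NEW = [
    UpdateEvent("vendor-a", BASE + timedelta(weeks=5), 53_000_000),
    UpdateEvent("vendor-a", BASE + timedelta(weeks=5, hours=4), 2_000_000_000),
]

if __name__ == "__main__":
    for event, flags in triage(KNOWN_GOOD, NEW, "vendor-a"):
        print(f"RED FLAG {event.when:%Y-%m-%d %H:%M} {event.supplier} "
              f"{event.size_bytes:,} bytes: {', '.join(flags)}")
```

Only the second transfer is surfaced, on both size and cadence, while the routine weekly pull passes silently; that is the filtering the briefing asks for, with the baseline recomputed from a fresh known-good window whenever the supplier’s release schedule legitimately changes.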