What is a Supply Chain Attack and how can it help you?
A supply chain attack is also known as a “value-chain attack” and it occurs when cybercriminals attack your systems via an external partner or service provider that has access to your network. This attack targets less-secure parts of the supply chain and seeks to cause damage to an organization. The supply chain attack dramatically changes the attack surface of an enterprise because more service providers and suppliers have access to it.
The Key Takeaways
- A supply chain attack occurs when hackers target an organization via an outside service provider or partner.
- Well-known examples of supply chain attacks include the SolarWinds breach and the FireEye leak.
- Recent supply chain attacks are a sign that many organizations aren’t prepared for such an attack.
- To reduce supply chain risk, ensure that you do your due diligence before you contract a vendor. Partner with managed security services providers or implement the least privilege model.
How it works
To understand how supply chain attacks work, it is important to first understand the supply chain. A supply chain is a collection of activities that involve the manufacturing, processing, and distribution of goods. It allows for resources to be moved from suppliers or vendors to the end-user. It is made up of interconnected players that meet the demand and supply of a product.
A supply chain attack tampers with IT resources such as computers and networks to install undetectable malicious software that causes harm to other players in a supply-chain system.
Cybercriminals have access to resources and sophisticated tools to cause chaos in cyberspace. Businesses rely on third parties to establish supply chain trust. Hackers can breach the chain of trust to gain access to systems and information. Most often, supply chain attacks start with advanced persistent threats which identify supply chain players with exploitable vulnerabilities.
Malicious actors are attracted to supply chain attacks. If criminals hack into popular applications or services, they can gain access to all companies that use the product. Hackers often install rootkits, malware or hardware-based spying elements to interfere with product development.
Supply chain attacks can happen in any industry, including the financial sector, the oil industry, and government agencies.
Supply Chain Attacks are more popular today
Companies create intelligent supply chains that meet changing market and customer expectations. They offer greater resilience, speed and transparency. To achieve greater flexibility and closer-knit chain networks, suppliers, manufacturers, and governments are digitally transforming their traditional supply chains.
Supply chain transformations in the current period are creating more connections with the outside world. Data is moving more quickly and efficiently between different players, which allows for greater business agility. This trend, however, is increasing cybersecurity risk by expanding the attack surface.
Security is not about protecting the company’s perimeter. Organizations operate in complex and interconnected worlds. Security is about protecting all the relationships within a supply chain. According to the saying, you can only be as secure as the weakest link of a supply chain.
Threat to Open Source Supply Chain
Sonatype’s 2020 State of the Software Supply Chain Report states that supply chain attacks against open-source software projects pose a serious threat to organizations. This is significant considering that 90% of all applications are open source code and that 11 percent of the products have known flaws.
The 2017 Equifax hack is a good example. This incident saw attackers exploit a vulnerability in an unpatched Apache Struts (a free and open-source MVC framework that allows you to create elegant, modern Java web apps). It cost Equifax $2 billion.
Attackers will continue to create vulnerabilities and deliberately compromise supply chains through open-source development.
Examples of Supply Chain Attacks
1. SolarWinds Incident
The SolarWinds attack is a prime example of a supply-chain attack. Through a compromised update to SolarWinds’ Orion program (SolarWinds is a partner to these organizations), a group thought to be Russia’s Cozy Bear gained access to government and other organizations. Criminals were able to gain access to systems belonging to the US Treasury and Commerce. This discovery prompted an emergency meeting at the US National Security Council. The attack could have also affected 425 of the US Fortune 500, the top 10 US telecommunications firms, the top five US accounting companies, and hundreds of universities and colleges around the world.
2. FireEye Breach
Another notable case was the attack by nation-state hackers using FireEye’s update to its popular network monitoring software. FireEye has major government and enterprise customers around the globe. FireEye provides top-quality research on state-sponsored threat actors and reliable incident response capabilities. Highly skilled threat actors were able to gain access to government agencies and other companies through the breach.
The Washington Post reported that the hackers are the hacking arm of Russia’s SVR foreign intelligence service, also known as Cozy Bear and APT29. FireEye’s customers were the target of the criminals. They specifically targeted government agencies.
Preventing Supply Chain Attacks
These incidents have shown that many organizations are not ready for supply chain attacks. These steps can help you prevent future supply chain attacks:
1. In-depth Due Diligence
Enterprises should not only negotiate a contract with vendors, but also conduct due diligence to manage supply-chain risk. These processes include establishing formal programs for managing third party risks. Due diligence procedures can include remote assessments, questionnaire assessments, documentation reviews and cybersecurity ratings.
Questionnaire assessments should always be accompanied by another process, such as onsite security inspections. Enterprises shouldn’t believe vendor responses, but should verify that suppliers comply with security requirements. Businesses can ask software vendors to supply a bill of materials listing all code components found in their software products. This information is useful in identifying vulnerabilities associated with application components.
To ensure compliance with approved security protocols, organizations should establish and enforce strict vendor controls. They should also conduct periodic site audits at partner locations in order to improve security.
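The bill-of-materials check described above can be automated. The following is an added example, not code from the original article: it walks a CycloneDX-style SBOM, including nested components, and compares each version numerically against an advisory list. The component names, versions and advisory ids are constructed placeholders, and it assumes purely numeric dotted versions.

```python
import json

# Constructed CycloneDX-style SBOM (real field names, sample values).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "vendor-portal", "version": "3.2.0",
     "components": [
       {"type": "library", "name": "example-mvc-framework", "version": "2.3.5"},
       {"type": "library", "name": "example-io-utils", "version": "2.11.0"}
     ]},
    {"type": "library", "name": "example-log-helper", "version": "1.10.2"}
  ]
}
"""

# Constructed advisory feed: component name -> (placeholder id, first fixed version).
ADVISORIES = {
    "example-mvc-framework": ("ADVISORY-PLACEHOLDER-1", "2.3.32"),
    "example-log-helper": ("ADVISORY-PLACEHOLDER-2", "1.9.0"),
}

def version_key(version):
    """Turn '2.3.32' into (2, 3, 32); string comparison would rank 2.3.5 above it."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def walk(components):
    """Yield every component, including nested ones bundled inside an application."""
    for comp in components:
        yield comp
        yield from walk(comp.get("components", []))

def vulnerable_components(sbom_text, advisories):
    """Return (name, version, advisory id, fixed version) for each affected component."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    findings = []
    for comp in walk(sbom.get("components", [])):
        hit = advisories.get(comp.get("name"))
        if hit and version_key(comp.get("version", "0")) < version_key(hit[1]):
            findings.append((comp["name"], comp["version"], hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for name, ver, adv, fixed in vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {ver}: {adv}, upgrade to >= {fixed}")
```

Only the nested framework is reported; the log helper at 1.10.2 is newer than its fixed version 1.9.0, which a plain string comparison would get wrong.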
2. Least Privilege
Organizations should insist on least privilege. Suppose vendor-supplied software requires internet communication. To prevent communication with malicious command and control servers, users can limit its access permissions to certain sites to increase their security.
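One way to check that such a restriction holds is to review the vendor software's outbound requests against the allowlist. This is an added example, not part of the original article: the host names, the process name `vendor-agent` and the log format are assumptions, and the log lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy: the only destinations the vendor software legitimately needs.
ALLOWED_HOSTS = {"updates.vendor.example", "license.vendor.example"}
ALLOWED_SUFFIXES = (".cdn.vendor.example",)  # leading dot: true subdomains only

# Constructed proxy log lines: "<timestamp> <process> <method> <url>"
LOG_LINES = [
    "2024-05-01T10:00:01Z vendor-agent GET https://updates.vendor.example/v3/manifest",
    "2024-05-01T10:00:07Z vendor-agent GET https://eu1.cdn.vendor.example/pkg.bin",
    "2024-05-01T10:03:12Z vendor-agent POST https://updates.vendor.example.sync-node.test/beacon",
    "2024-05-01T10:03:40Z vendor-agent GET https://xcdn.vendor.example/a",
    "2024-05-01T10:04:02Z vendor-agent POST https://203.0.113.50/api",
    "2024-05-01T10:05:00Z vendor-agent GET https://UPDATES.VENDOR.EXAMPLE./v3/manifest",
]

def is_allowed(url):
    """True only for an exact allowlisted host or a real subdomain of a suffix."""
    # urlsplit lower-cases the hostname; strip the trailing root dot as well.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # raw IP literals sidestep a name-based policy
    except ValueError:
        pass
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIXES)

def violations(lines, process="vendor-agent"):
    """Return (timestamp, url) for each request by `process` outside the allowlist."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] != process:
            continue
        if not is_allowed(parts[3]):
            out.append((parts[0], parts[3]))
    return out

if __name__ == "__main__":
    for ts, url in violations(LOG_LINES):
        print(f"{ts} blocked-by-policy {url}")
```

The same allowlist belongs in the proxy or firewall that enforces the restriction; the log review catches gaps between the written policy and what is enforced.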
3. Security through Design
Software vendors need to design security features in their software to prevent unauthorized code access or modification. They should periodically test and strengthen the security of their software.
4. Partnering with Managed Security Service Provider
Security service providers can offer expertise to organizations. They offer dynamic malware protection and automated threat forensics against known and emerging threats in the supply chain.