Protecting Your Business From A Supply Chain Attack

Uploaded on 2022-03-26 in TECHNOLOGY--Resilience, FREE TO VIEW

A common go-to strategy that a cyber criminal uses to gain access to a corporate network is a simple phishing exercise. That’s because with minimal effort or resources, they can target thousands of end-users who work within your supply chain, which offers a good chance of success.

When criminals have gained access to one of your suppliers’ networks, they typically try to access other devices and aim to obtain key login credentials that will provide them access to even more valuable internal systems. Their ultimate goal is to access a machine or system from which source code can be modified.

And from this point, your supplier is at the mercy of the hackers, and soon so will your organisation!

However, through understanding how criminals operate, it is possible to protect your organisation’s supply chain from cyber attacks.

What Is Motivating The Rise In Supply Chain Attacks?

According to the European Union Agency For Cybersecurity (ENISA), the number of supply chain attacks last year almost quadrupled, no doubt kick-started by the infamous SolarWinds breach that went on to impact tens of thousands of government and private organisations. Microsoft President, Brad Smith, even referred to the SolarWinds breach as the “largest and most sophisticated cyberattack the world has ever seen.” It certainly appears to have opened the floodgates for other threat actors to try their hand. But what is motivating such attacks, and does that have any bearing on how they are evolving? 

Let’s put ourselves into the shoes of a threat actor. Are we going to look at the supply chain first and then take an opportunistic approach to carrying out an attack, or do we choose a high-value target and work backward through the supply chain to find a weak link? Unfortunately for businesses, most cybercriminals don’t discriminate between these two approaches. They will use either strategy to hit their mark or uncover a vulnerability they know could open the door to countless further attacks. 

Advanced persistent threats (APTs) are unique in that they are usually quite organised and will have a very specific target in mind that they will seek to infiltrate over long periods of time, often lying dormant or quietly siphoning off data until they strike or leave unnoticed. APTs usually have motives that extend beyond mere financial gain, such as the politically motivated Colonial Pipeline attack in 2021.

These are the kinds of supply chain attacks that government organisations and public entities need to be mindful of.

For regular businesses, however, opportunistic software supply chain attacks are far more common. Cybercriminals will often focus their attention on large software providers whose products underpin critical business infrastructure or support the development or delivery of products, derailing businesses and spiralling them into chaos.  

The Tightrope Of Third-party Risk

Today’s digital landscape is almost entirely predicated on the concept of outsourcing. It’s impossible for one business to excel at every single function it needs in order to thrive and compete in the modern world, so things naturally get outsourced. Today’s supply chain is therefore less like a “chain” in the traditional sense, and more like an interconnected web of software that keeps things ticking over for businesses. These dependencies on third parties, while necessary, are the reason so many businesses are finding themselves vulnerable. Perhaps it’s time for businesses to “reframe” the relationships they have with software suppliers to be more security-centric. 

It’s important that businesses maintain an element of independence and separation from their supplier partners. Regardless of how close an organisation’s commercial relationship may be with its suppliers, it should nevertheless always “assume zero trust” by only giving partners access to what they need in order to carry out their function. By enacting “least privilege”, businesses are ensuring that even if their suppliers are breached, the damage to them will at least be limited. It’s like the difference between keeping fire doors closed or leaving them wide open. Give third parties the access they need to certain rooms, but don’t take the doors off the hinges otherwise any fires that occur will undoubtedly spread. 

Broadening Attack Surfaces

Attack surfaces are not only larger than ever before, but they’re expanding at a rate that’s unprecedented. As more businesses allow more endpoints on their network, from employees’ personal devices to security cameras and other “smart” technologies, the opportunities for attackers to infiltrate a supply chain are increasing. This has, of course, been exacerbated by the pandemic and hybrid working, forcing businesses to revaluate their security posture and put tighter control policies in place that account for remote working. But while a business may take those steps, the companies along its supply chain might not.

This is where third-party risk management (TPRM), which should be a crucial component of any risk management solution, really comes into play. 

It’s very difficult for organisations to audit every touchpoint along the supply chain journey from, say, an accountant in one company to somebody processing an order in the next, each using their own devices at home or in the office. But this is where supply chain assessments come in, ensuring that each organisation along the supply chain complies with basic security standards that reflect those of the business in question. In short, security maturity must be assured across the board. 

Craig Moores is Risk Advisory, Senior Director at SureCloud

You Might Also Read: 

Multiple Location Supermarket Suffers Supply Chain Attack:

 

« Phishers Use Ukraine Invasion To Solicit Cryptocurrency
Hackers Breach Multifactor Authentication »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CamCERT

CamCERT

CamCERT is the national Computer Emergency Response Team for Cambodia.

Luxembourg Institute of Science & Technology (LIST)

Luxembourg Institute of Science & Technology (LIST)

LIST is a mission-driven Research and Technology Organisation. Areas of research include IT and aspects of IT security.

MerlinCryption

MerlinCryption

MerlinCryption develops infrastructure security software, delivering advanced encryption, authentication, and random data generators, for Cloud, VoIP, eCommerce, M2M, and USB hardware.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

Volatility Foundation

Volatility Foundation

Volatility is an open source memory forensics framework for incident response and malware analysis.

Eseye

Eseye

Eseye is a global specialist supplier of cellular internet connectivity for intelligent IoT (Internet of Things) devices.

ExpressVPN

ExpressVPN

ExpressVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

SEPPmail

SEPPmail

SEPPmail is a patented e-mail encryption solution to secure your electronic communication.

Eclypsium

Eclypsium

Eclypsium protects organizations from the foundation of their computing infrastructure upward, controlling the risk and stopping threats inside firmware of laptops, servers, and networks.

DataCloak

DataCloak

DataCloak is an innovation company that focus on providing enterprise data-in-motion security solutions based on zero-trust security technology.

Institute for Security and Technology (IST)

Institute for Security and Technology (IST)

The Institute for Security and Technology's goal is to provide the tools and insights needed for companies and governments to outpace emerging global security threats.

GitProtect.io

GitProtect.io

​GitProtect is a fully manageable, professional GitHub and Bitbucket backup and recovery software that protects repositories and metadata from any event of failure.

Enea

Enea

Enea is one of the world’s leading specialists in software for telecommunications and cybersecurity. Our products are used to enable services for mobile subscribers, enterprise customers and IoT.

Technivorus Technology

Technivorus Technology

Technivorus is a deep-tech firm delivering customized Cybersecurity, Digital Marketing, Web & App Development, and multifarious IT services for businesses across the globe.

Sardine

Sardine

Sardine is a leader in financial crime prevention. Using unparalleled device intelligence and behavior biometrics, Sardine applies machine learning to detect and stop fraud before it happens.

CertX

CertX

CertX is a Swiss functional safety, cybersecurity and artificial intelligence certification body.