Supply chain attacks are on the rise. So far this year alone, four major supply chain attacks have taken place, and this number only seems to be increasing. So how do you defend yourself against such attacks?
The supply chain network is a frequent target for cyber criminals, as a weak link within the supply chain can grant them access to a larger organization that holds the data they are after.
What is a Supply Chain Attack?
A supply chain attack, or third-party attack, is an attack strategy that targets an organization through vulnerabilities in its supply chain. These vulnerable areas are usually linked to vendors with poor or weaker security practices.
A data breach through a third-party vendor is possible because vendors require access to sensitive data to integrate with internal systems. When a vendor is compromised, this shared pool of data is breached.
Because vendors store potentially sensitive data for multiple different clients, a single supply chain attack can result in multiple businesses suffering a breach.
More Technical Details:
Supply chain attacks work through piggybacking on legitimate processes to gain access into a business’s systems.
It starts with defeating a vendor’s security defences. This process is usually much simpler than attacking a victim directly due to the weaker cybersecurity practices of many vendors.
Once injected into a vendor’s ecosystem, the malicious code needs to embed itself into a digitally signed process of its host.
This is the key to gaining access to a vendor’s client network. A digital signature verifies that a piece of software is authentic to the manufacturer, which permits the transmission of the software to all networked parties.
By hiding behind this digital signature, malicious code is carried over the software update traffic between a compromised vendor and its clients’ networks.
When a victim installs the compromised software update from a vendor, the malicious code is also installed with the same permissions as the digitally signed software. Once installed, a remote access trojan (RAT) is usually activated to give access to each infected host.
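The mechanism described above is why a valid code signature on the update agent is not, by itself, evidence that the host is clean. The following is an added detection example (not code from the original article): it runs over constructed process-creation telemetry and flags a signed vendor update agent spawning shells or script hosts, behaviour a legitimate updater has no reason to exhibit but a dropped RAT typically does. The event layout, field names and the vendor path are assumptions, loosely modelled on Sysmon-style records rather than any real product's schema.

```python
from dataclasses import dataclass

# Child images an update agent has no business launching: shells, script hosts
# and other built-in utilities a dropped RAT typically uses for execution.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed layout, loosely Sysmon-like)."""
    parent_image: str    # full path of the parent process
    parent_signed: bool  # parent's code signature validated by the endpoint agent
    image: str           # full path of the newly created process
    user: str            # account the child runs as


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_suspicious_children(events, agent_paths):
    """Return events where a *signed* update agent spawned a suspicious child.
    The signature is what makes this worth alerting on: it vouches for the
    vendor, not for what the process does once the update is installed."""
    agents = {p.lower() for p in agent_paths}
    return [ev for ev in events
            if ev.parent_signed
            and ev.parent_image.lower() in agents
            and basename(ev.image) in SUSPICIOUS_CHILDREN]


# Constructed sample telemetry; the vendor name and agent path are placeholders.
AGENT = r"C:\Program Files\ExampleVendor\UpdateAgent.exe"
SAMPLE_EVENTS = [
    ProcEvent(AGENT, True, r"C:\Program Files\ExampleVendor\Installer.exe", "SYSTEM"),
    ProcEvent(AGENT, True, r"C:\Windows\System32\cmd.exe", "SYSTEM"),
    ProcEvent(r"C:\Windows\explorer.exe", True, r"C:\Windows\System32\cmd.exe", "alice"),
    ProcEvent(AGENT, True, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for ev in flag_suspicious_children(SAMPLE_EVENTS, {AGENT}):
        print(f"ALERT: signed updater {ev.parent_image} spawned {ev.image} as {ev.user}")
```

The two alerts on the sample data are the updater spawning cmd.exe and powershell.exe as SYSTEM; the user launching cmd.exe from Explorer is ignored because its parent is not a registered update agent.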
Here are some examples of (recent) Supply Chain Attacks:
July 2, 2021, the REvil ransomware group successfully exploited a zero-day vulnerability in the on-premise Kaseya VSA server, enabling a wide-scale supply chain cyber attack which affected over a thousand businesses around the globe.
April 2021, the password manager PASSWORDSTATE from the company ClickStudios was breached, and the company informed its 29K users of an infected update.
April 2021, supply chain attack potential was found in GitHub release functionality. GitHub says this is intended behaviour.
March 2020, the cyber security company FireEye and a decent chunk of the US Government fell victim to the SolarWinds attack.
June-October 2018, ASUS devices received malware through an automatic update from ASUS itself.
September 2017, Equifax was breached and had sensitive data stolen of 147 million of their customers.
How do you then best protect your organization from similar attacks?
There is no absolute, bullet-proof way to prevent supply chain attacks. However, it is possible to minimize the risk of being affected by one, as well as the impact.
As for minimizing the risk, due diligence in the process of selecting and acquiring (IT) components and services is in order. The acquisition process is usually driven and dominated by time-to-market considerations, upfront cost analysis, and less tangible but nevertheless very substantial factors of fashionability: feeling compelled to take a certain path because of the often hyped-up perception that this is ‘modern’, ‘the future’, and the fear of ‘missing the boat’; the perception that everybody is doing ‘A’, so you should too. ‘A’ may or may not be a good thing, but the fact that ‘A’ is hip and happening is not, or should not be, an intrinsic reason to go with ‘A’.
Much less consideration is given to the hidden costs and risks both of failures in the acquired component and of the dependencies (e.g., fatal lock-in) it introduces. Deep vendor lock-in, often due to a lack of openness in data formats, communication protocols and APIs, is a very real thing. If you drive a truck into a one-way street, there’s no turning it around later.
To mitigate these risks (and keep related costs in check) an exit strategy should be an integral part of component/supplier selection.
As for the impact of an incident delivered through the supply chain, resilience should be part of the fabric of the implemented business processes. The Zero Trust model aims precisely to provide the ability to detect incidents and address issues early, and to keep them contained in any case. Specifically, containing incidents by applying logical segmentation and adding security controls ‘surgically’ helps prevent small incidents from turning into a full catastrophe.
So the main ways, which are best used in combination, to protect your organization from supply chain attacks are:
Identifying Assets That Are Likely to Be Targeted
Although all data are very important to companies, some might be vital to them. For example, customer data is one of the most important assets for all organizations in terms of data security. For your company’s data security, you can prioritize customer data security in your investments and security practices, and start by controlling the privileged users and applications that have access to that kind of data.
Limiting the Access to Sensitive Data
As access to technology gets easier, the risk of sustaining a supply chain attack increases. One of the most important reasons is the technological products and services that organizations acquire and integrate from third parties. Since they are much more vulnerable to cyber attacks, small-sized enterprises should also pay the utmost attention to which of the companies they procure technological products and services from are authorized to access critical data.
Conducting Risk Assessments for Third Party Software
The most common method of supply chain attack used by cyber criminals is third-party software. This method requires high-level information and resources, and might not be noticed by companies for a long time. That’s why the security levels of programs and updates used in the companies’ systems should always be assessed.
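One concrete, repeatable part of assessing third-party software is checking that every dependency a build pulls in is pinned to an exact version and a known hash, so that a swapped or tampered artifact is refused before it enters your systems. The following is an added example (not code from the original article): it parses pip's own `==version --hash=sha256:...` requirement syntax, reports entries that are unpinned or unhashed, and allows a downloaded artifact only if its SHA-256 matches a pinned hash. The requirements text, package names and artifact bytes are constructed sample data.

```python
import hashlib
import re

# pip's requirement syntax: exact pin, then zero or more --hash=sha256:<hex> options.
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Return ({name: {"version", "hashes"}}, findings).
    A finding is recorded for every line that is not pinned to an exact version
    or that carries no hash; either one lets the index decide what gets installed."""
    pins, findings = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append(f"not pinned to an exact version: {line}")
            continue
        hashes = set(HASH_OPT.findall(m.group("rest")))
        if not hashes:
            findings.append(f"no --hash for {m.group('name')}=={m.group('version')}")
        pins[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return pins, findings


def artifact_allowed(name, data: bytes, pins) -> bool:
    """Admit an artifact only if its SHA-256 is one of the hashes pinned for it.
    Unknown packages and hash-less pins are refused rather than waved through."""
    entry = pins.get(name.lower())
    if not entry or not entry["hashes"]:
        return False
    return hashlib.sha256(data).hexdigest() in entry["hashes"]


# Constructed sample data: one properly pinned package and two weak entries.
GOOD_WHEEL = b"constructed wheel contents for examplepkg 1.2.0"
GOOD_SHA = hashlib.sha256(GOOD_WHEEL).hexdigest()
SAMPLE_REQUIREMENTS = f"""
examplepkg==1.2.0 --hash=sha256:{GOOD_SHA}
otherpkg==0.9.1     # exact version but no hash: a swapped artifact would pass
loosepkg>=2.0       # version range: the build takes whatever the index serves
"""

if __name__ == "__main__":
    pins, findings = parse_requirements(SAMPLE_REQUIREMENTS)
    for f in findings:
        print("FINDING:", f)
    print("examplepkg wheel allowed:", artifact_allowed("examplepkg", GOOD_WHEEL, pins))
```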
Identifying Insider Threats
Your employees might have malicious intent, just like external attackers, or their negligence might result in serious security problems. By using methods such as two-factor authentication (2FA) and dynamic data masking, you can help prevent both insider and outsider cybersecurity threats.
In a sense, all these processes for protecting company data from supply chain attacks are leading IT professionals to apply several security approaches, one of which is called Zero Trust. As one of the most efficient methods in cybersecurity, Zero Trust, as the name suggests, enables companies to act on the idea “Never trust, always verify”, and to protect themselves from malicious people and software (or hardware and firmware) to the maximum extent.
Making use of Privileged Access Management
Offering an integrated security system against cyber attacks that are constantly growing and varying, privileged access management (PAM) also includes all the steps required by the Zero Trust method. In this way, privileged access management protects your company’s internal legacy systems and identifies the software and updates that can lead to supply chain attacks, since they enter the system from outside. This method requires separate, multiple verification for each access request from inside or outside the system, so it meets the most basic requirements of the Zero Trust model.
Privileged access management (PAM) includes many technologies that make it quite difficult for cyber attackers to infiltrate the infrastructures of companies. Among these technologies are a privileged session manager, which eliminates access management complexity and offers a central solution; a dynamic password controller, which enables a fully encrypted password management infrastructure; two-factor authentication (2FA), which allows for location- and time-based verification; dynamic data masking, which enables enhanced masking capability; and other high-level security measures.
Privileged access management not only offers broad protection for your company’s systems with its advanced security technologies, but also reports to you the users that can cause risk, unauthorized access, and any other insider or outsider threat, with advanced services that help protect against potential threats.
In conclusion, it is clear: now is the time for proactive, threat-informed defense.