Supply Chain Attacks: The Next Big Thing?

Introduction

Recent large-scale breaches have catapulted supply chain attacks into the media and security spotlight, and their perpetrators into notoriety. But what is a supply chain attack? How do you defend against one, and how have some forward-thinking organisations turned these changing market conditions into a competitive advantage?

A supply chain attack is a form of cyber attack where the initial target organisation is different from the ultimate victim.

Once an initial organisation has been breached, the attacker then uses established business links to penetrate that organisation’s customers or suppliers.

Supply chain attacks are particularly concerning because the breach happens outside the target organisation’s control and challenges the defences not only of suppliers, but suppliers of suppliers and so on.

There are three main types of supply chain attacks, although a single attack often incorporates multiple forms of cyber threat. What starts as a phishing attack on the initial organisation can quickly morph into a ransomware or business email compromise attack on a secondary organisation. Due to a combination of factors, security experts are predicting this type of attack will increase by up to 400% in 2022 alone.

In this paper we will cover what you need to know about supply chain attacks, how to defend against them and how to use your cyber defences to get ahead of your competition.

The Three Types of Supply Chain Attacks, and How They Work

A supply chain attack occurs whenever the links between organisations are used to cascade, extend or multiply an initial cyber attack. These attacks can usually be categorised into three methods:

Trust – A trust-based supply chain attack leverages the trust built up between two organisations, after one has been breached.

When emails from legitimate corporate email addresses are exchanged with business documents like invoices, purchase orders and bank details, they are generally processed with a low degree of scrutiny.

This is the trust an attacker will attempt to exploit once they have breached an initial organisation, often using legitimate but breached corporate email accounts to launch business email compromise attacks and phishing campaigns.

The charity Save the Children recently lost more than US$1 million after an attacker penetrated an unnamed supplier and altered legitimate invoices before they were sent.

Although the charity’s cyber security was not breached in any way, the invoices were doctored to contain the attacker’s own bank details, and several invoices were paid to the fraudulent bank account before the breach was identified.
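The control that would have caught the doctored invoices above is a comparison of the payment details on each incoming invoice against the bank details verified at supplier onboarding. The following is an added example, not code from the original article or from any organisation it mentions; the vendor master, the invoices and the field names are constructed sample data for the illustration.

```python
"""Hold supplier invoices whose bank details differ from the vendor master.

Added example (not from the original article). The vendor master and the
invoices below are constructed sample data, and the field names are
assumptions; a real deployment would read them from the accounts-payable system.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    sort_code: str
    account: str


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    sort_code: str
    account: str
    amount: float


# Constructed vendor master: bank details confirmed out of band (a phone call to
# a number already on file, not one printed on the invoice) at onboarding.
VENDOR_MASTER: dict[str, VendorRecord] = {
    "V-100": VendorRecord("V-100", "Example Logistics Ltd", "12-34-56", "11111111"),
    "V-200": VendorRecord("V-200", "Example Print Co", "65-43-21", "22222222"),
}


def check_invoice(inv: Invoice, master: dict[str, VendorRecord]) -> list[str]:
    """Return a list of findings; an empty list means the invoice may be paid.

    Any difference between the invoice's payment details and the verified
    record is treated as a finding, even when the sender's mailbox is genuine:
    a breached supplier mailbox is exactly the case this check exists for.
    """
    findings: list[str] = []
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return [f"{inv.invoice_id}: unknown vendor {inv.vendor_id}; verify before paying"]
    if (inv.sort_code, inv.account) != (vendor.sort_code, vendor.account):
        findings.append(
            f"{inv.invoice_id}: bank details differ from vendor master for "
            f"{vendor.name} ({inv.sort_code}/{inv.account} on invoice, "
            f"{vendor.sort_code}/{vendor.account} on file); confirm on a known number"
        )
    return findings


def triage(invoices: list[Invoice], master: dict[str, VendorRecord]):
    """Split a batch into payable invoices and invoices held for verification."""
    payable: list[tuple[str, list[str]]] = []
    held: list[tuple[str, list[str]]] = []
    for inv in invoices:
        findings = check_invoice(inv, master)
        (held if findings else payable).append((inv.invoice_id, findings))
    return payable, held


if __name__ == "__main__":
    # Constructed batch: one clean invoice, one with an altered account number,
    # and one from a vendor that was never onboarded.
    batch = [
        Invoice("INV-1", "V-100", "12-34-56", "11111111", 5000.0),
        Invoice("INV-2", "V-100", "12-34-56", "99999999", 5000.0),
        Invoice("INV-3", "V-999", "00-00-00", "00000000", 10.0),
    ]
    ok, hold = triage(batch, VENDOR_MASTER)
    print("payable:", [i for i, _ in ok])
    for invoice_id, reasons in hold:
        print("held:", invoice_id, *reasons)
```

The point of the design is that the check keys on the vendor master, not on the email: the Save the Children invoices came from a legitimate mailbox, so sender checks would have passed. A change to the master itself should require the same out-of-band confirmation before it takes effect.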

Hardware – A hardware supply chain attack occurs when a piece of malicious hardware is inserted into the supply chain without the knowledge of any of the legitimate parties involved.

Examples have been noted of rogue chips being added to devices ranging from e-cigarettes and rechargeable headphones to cheap cables, and then used to capture data from the computers they are later plugged into.

In an alarming example of this type of attack, documents leaked by Edward Snowden revealed the American NSA's practice of intercepting Cisco hardware while in transit and installing an implant that provided ongoing, persistent access to the target's network.

Hardware supply chain attacks are rare. While they can be extremely hard to detect and devastatingly effective, their physical nature makes them less scalable and harder to carry out than other types of supply chain attack. As a result, they are usually the work of nation-state actors with specific targets.

Software – This type of supply chain attack, in which malicious code is inserted into legitimate software, is the most damaging today because of the breadth and scale of the software supply chain.

When we consider the number of applications in use on a network, and the frequency of patches and updates, we can see how many opportunities exist for malicious code to enter an organisation.

This exact method was used in the famous 2020 attack on SolarWinds, a business that sells network monitoring software.

Once the attacker had breached the company's defences, they compromised the build process for the Orion product so that a backdoor was compiled into an Orion update. Because the update was signed with SolarWinds' own certificate, it was downloaded as a routine patch by up to 18,000 customers, including the US National Security Agency and the National Nuclear Security Administration.

By targeting Orion's update channel rather than stopping at SolarWinds itself, the attacker turned a single breach into up to 18,000 compromised installations. They also reached organisations with far more resilient defences than SolarWinds, none of whose employees did anything wrong: the backdoor arrived as a signed, expected update.
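A practitioner reading the Orion case will want to know what an update-integrity check can and cannot do. The following is an added example, not code from the original article or from SolarWinds: it verifies a downloaded vendor artifact against a SHA-256 value pinned when the release was approved and refuses artifacts that are not in the approved manifest. The product name, manifest format, artifact bytes and function names are all constructed for the illustration. The caveat is built into the example: a backdoor compiled into the vendor's build, as in the Orion case, ships inside a correctly signed artifact whose hash matches what the vendor publishes, so this check catches tampering after release (a swapped download, a poisoned mirror), not a compromised build.

```python
"""Verify vendor update artifacts against a pinned SHA-256 manifest.

Added example, not code from the original article or from SolarWinds. The
manifest, product name and artifact contents are constructed for the
illustration. Limitation, deliberately documented: a backdoor inserted at the
vendor's build stage is hashed and signed like any other release, so a
matching hash proves only that the file is the one the vendor published.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed manifest: the hashes the organisation recorded when it approved
# this release, obtained through a second channel (release notes, vendor portal)
# rather than from the same download that delivers the artifact.
PINNED_MANIFEST = json.dumps({
    "product": "ExampleMonitor",
    "version": "1.2.3",
    "artifacts": {
        "ExampleMonitor-1.2.3.msi": hashlib.sha256(b"good-release-bytes").hexdigest(),
        "ExampleMonitor-1.2.3-agent.msi": hashlib.sha256(b"good-agent-bytes").hexdigest(),
    },
})


def load_manifest(text: str) -> dict[str, str]:
    """Parse the approved manifest into {artifact name: expected hex digest}."""
    data = json.loads(text)
    artifacts = data["artifacts"]
    for name, digest in artifacts.items():
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest entry for {name} is not a SHA-256 hex digest")
    return dict(artifacts)


def verify_artifact(name: str, content: bytes, pinned: dict[str, str]) -> tuple[bool, str]:
    """Return (ok, reason). Unknown artifacts are rejected, not just mismatches."""
    expected = pinned.get(name)
    if expected is None:
        return False, f"{name}: not in approved manifest; refuse to install"
    actual = hashlib.sha256(content).hexdigest()
    # Constant-time comparison; cheap, and it avoids a habit worth not forming.
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: SHA-256 {actual[:12]}... does not match pinned {expected[:12]}..."
    return True, f"{name}: hash matches pinned value"


def verify_batch(downloads: dict[str, bytes], pinned: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Verify every downloaded artifact; the caller installs only those marked ok."""
    return {name: verify_artifact(name, content, pinned) for name, content in downloads.items()}


if __name__ == "__main__":
    pinned = load_manifest(PINNED_MANIFEST)
    # Constructed downloads: one genuine, one swapped in transit, one extra file
    # that was never approved.
    downloads = {
        "ExampleMonitor-1.2.3.msi": b"good-release-bytes",
        "ExampleMonitor-1.2.3-agent.msi": b"not-what-the-vendor-published",
        "ExampleMonitor-hotfix.msi": b"anything",
    }
    for name, (ok, reason) in verify_batch(downloads, pinned).items():
        print("INSTALL" if ok else "REJECT ", reason)
```

Pinning is a gate on the delivery path, not a substitute for the Detect and Respond functions discussed later: the organisations that found the Orion backdoor did so by noticing what the updated software did on the network, not by inspecting the installer.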

Supply Chain Attacks, The Next Big Thing?

Supply chain attacks are expected to increase several times over in the near term for the following reasons:

Ease – While a few well-known attacks, such as the SolarWinds breach and the NSA hardware interdiction described above, are highly sophisticated, an estimated 99.99% of attempted cyber crime consists of crude, scattergun attacks such as phishing.

Even when their attacks succeed, most unsophisticated attackers lack the ability to fully monetise their access. As a result, they often use stolen corporate credentials to launch further phishing or business email compromise attacks, leveraging the trust the stolen account has built up to increase the attack's effectiveness.

Defensive Disparities – An attacker going after a specific target with strong, resilient cyber defences will often begin by breaching a supplier with comparatively weaker defences.

Once the weaker target has been breached, the attacker uses the supply chain as a back door to the original target, bypassing many of their defensive measures. While most businesses will never be specifically targeted by a highly sophisticated attacker, these types of attacks often affect thousands of unintended victims.

Multiplication Effect – Launching an attack through the supply chain can significantly multiply the outcomes for the attacker. This is particularly seen in trust and software attacks, such as the SolarWinds attack, where a single initial breach was multiplied into up to 18,000 through the insertion of malware into a software update.

Media Attention – The size and impact of recent supply chain attacks have gained a lot of attention within the cyber security community.

While these attacks were carried out by highly sophisticated and well financed groups, their success has already drawn the attention and development efforts of less sophisticated actors.

A group known as REvil was among the first to change its business model in response to the SolarWinds attack and others like it.

Although previously known for infecting organisations directly with ransomware, in 2021 REvil attacked Kaseya, a vendor of IT management software. Rather than extorting Kaseya itself, REvil exploited a vulnerability in Kaseya's VSA product and used its own software deployment mechanism to push ransomware to the customers of the managed service providers running it, ultimately affecting around 1,500 organisations.

Five Defensive Strategies to Counter Supply Chain Attacks

At first glance it can appear incredibly challenging to defend against supply chain attacks; after all, organisations must rely on their suppliers’ defences, and even their suppliers’ suppliers’ defences and so on, none of which are under their direct control.

It is, however, important to remember that there are several stages of cyber defence. The NIST Cybersecurity Framework defines these functions as Identify, Protect, Detect, Respond and Recover. Only the traditional elements of the Protect function depend on suppliers. All activities relating to identifying risks and to detecting, responding to and recovering from cyber incidents remain fully within the organisation's control.

And even though traditional Protect activities at a supplier, such as anti-virus and firewall management, fall outside the organisation's control, they can be supplemented with other, less traditional protection strategies, such as:

1. Critical supplier due diligence

In the wake of supply chain attacks, more and more organisations are working to understand their suppliers’ cyber security practices.

A critical supplier is one that forms a key part of the value an organisation creates for its customers, and any cyber incident that affects a critical supplier will affect the organisation’s ability to conduct business.

Evaluating a critical supplier’s cyber security practices will help an organisation understand the risk of a cyber incident affecting that supplier, and factor this into the decision-making process.

2. High-risk supplier due diligence

As well as critical suppliers, an organisation must consider its high-risk suppliers, which in a supply chain attack context are those it is digitally connected to. This includes software suppliers who deliver patches into the environment, as well as suppliers with whom systems are integrated.

3. Supplier reputation

It may not be possible or practical for an organisation to investigate the cyber practices of all its suppliers, so supplier reputation should be considered where full due diligence is not feasible. While a good reputation is not a guarantee of strong cyber security, it can often lower the risk, particularly in the supply of software.

4. Supplier consolidation/simplification

Another way to defend against supply chain attacks is to simplify or consolidate suppliers, particularly software suppliers. As the total number of suppliers decreases, so does the likelihood of a supply chain attack. The impact of a supply chain attack generally stays the same even if a supplier provides multiple pieces of software to the organisation, so a supplier consolidation can significantly reduce the risk of supply chain attacks.

5. IT Providers

Working with an established IT provider can save an organisation from having to evaluate its supply chain alone. By purchasing products and services from a trusted partner, organisations can be more confident that they come from vetted, reputable vendors who present a smaller supply chain risk. Note that this concentrates trust in the provider, and the provider's own tooling then becomes a high-risk digital connection in its own right, as the Kaseya incident showed when managed service providers' management software became the delivery channel for ransomware.

How to Use Changing Market Conditions to Get Ahead in a Cyber Conscious World

As supply chain attacks become more common, organisations are more carefully investigating the risk within their supply chains.

Increasingly, cyber security is being treated as a business sustainability factor and emphasised in the procurement decision-making process. To further drive this trend, many government and government-aligned organisations are setting minimum security standards for their suppliers, often based on the NIST Cybersecurity Framework or the Australian Essential Eight.

Such standards are appearing more frequently in private sector B2B procurement processes.

In fact, many organisations have begun to use their cyber security practices to differentiate themselves from competitors.

When substantiated by external frameworks and certification or audit, a clear, transparent statement of practices creates a credible message of maturity and sustainability which resonates with government-aligned organisations and larger B2B customers.

Conclusion

Modern supply chains are increasingly interconnected and increasingly digital.

The supply of software updates and patches is so commonplace that many organisations do not consider the software vendor a supplier.

These software flows and other forms of trusted data exchange are increasingly being targeted by cyber criminals to multiply and amplify their efforts. Security experts expect supply chain attacks to increase greatly over the next several years, largely due to the success and media attention they have received.

Organisations must remember that even when breaches originate with a supplier, many of the traditional cyber defences are still within their control. Where they are not, various non-traditional techniques can be employed.

The final countermeasure for businesses is transparent communication throughout the supply chain, with customers and suppliers being open about their security practices so strategic relationships can be selected based on shared risk appetite.

Many organisations have begun to use this to their advantage, building a clear and transparent external message of high-quality security practices, thus separating themselves from their competition by demonstrating a low risk and strong professional presence.
