Risk managers must look beyond their own networks to ensure cyber resilience throughout their supply chain. Dirk Schrader, VP of security research at Netwrix, explains how.
Global supply chains comprise a complex web of government agencies, suppliers, customers, partners and more.
To work together effectively, these entities rely on a variety of technologies, including communication, collaboration and data transfer software.
However, this deep connectivity makes the entire chain of organisations more vulnerable to devastating data breaches if one constituent entity is compromised by a cyberattack.
The rate of these supply chain attacks (or island-hopping attacks) is rising.
In fact, a 2023 Netwrix report found that 17% of organisations that suffered a cyberattack in the cloud discovered incidents in their supply chain — an increase from only 6% in 2020.
Given the amount of damage these attacks can cause, it is vital that risk managers and their suppliers understand and address the primary attack vectors and implement effective mitigation strategies.
The two main attack vectors for supply chain attacks
In a supply chain attack, bad actors compromise one organisation and use that foothold as an access point to infiltrate its partners and customers.
Analysis of recent supply chain attacks reveals two primary attack vectors that risk managers and their organisations should be aware of.
One supply chain attack vector involves compromising a vendor that provides software, such as an application, library or platform, and surreptitiously changing the source code.
When the modified software is deployed in customer environments, the adversaries can capture login credentials, steal or corrupt data, deploy malware, and cause application outages.
“Supply chain attacks can be devastating for affected businesses, resulting in revenue and productivity losses, reputation damage, and loss of customer trust.”
For example, cybercriminals hacked into SolarWinds in 2020 and deployed malicious code into the company’s IT management products, which were used by thousands of global government agencies and businesses.
The second attack vector involves infiltrating the IT infrastructure of a managed service provider (MSP) or small or medium business (SMB) in order to use it as an access point to larger organisations in its supply chain.
For example, by compromising an MSP that provides maintenance and other computing services to its customers, an adversary can slip into the networks of larger organisations that might be difficult to compromise directly.
These supply chain attacks can be devastating for affected businesses, resulting in revenue and productivity losses, reputation damage, and loss of customer trust.
Trends to watch out for
The rate of supply chain attacks is expected to continue increasing throughout 2023.
Unfortunately, many businesses lack the IT skills and resources they need to mitigate their vulnerabilities.
To address this gap, some may turn to MSPs and other partners for support — but this strategy also expands their supply chain, increasing their risk.
Instead, risk managers must be empowered with adequate resources in order to ensure defences keep pace with modern threats.
“Many risk managers may be reluctant to require their partners to perform comprehensive risk assessments and use modern security protocols.”
Another important risk factor has to do with the business relationships within supply chains.
Many elements of a supply chain are maintained through strong business relationships that rely heavily on implicit trust. Accordingly, many risk managers may be reluctant to require their partners to perform comprehensive risk assessments and use modern security protocols.
They may not even regularly review the access rights of their partners. These business practices can significantly increase the risk of falling victim to supply chain attacks.
How risk managers can protect against supply chain attacks
To successfully defend against supply chain attacks, risk managers should focus on integrating threat detection and prevention measures across all three layers of their attack surface: data, identities and infrastructure.
Organisations should strictly limit access by external personnel to internal systems and information according to the least-privilege principle, and closely monitor the actions of third parties for behaviour that could be malicious or damaging.
For a more robust strategy for mitigating the risk of supply chain attacks, risk managers can adopt a zero-standing privilege (ZSP) approach, in which users are granted only the specific permissions required for a particular task, for only as long as needed to complete it.
A ZSP strategy is particularly important for MSPs, who typically need privileged access to each of their customers’ environments.
“Risk managers should focus on integrating threat detection and prevention measures across all three layers of their attack surface: data, identities and infrastructure.”
Storing these powerful login credentials in a password vault puts them at risk of being misused or compromised; with a ZSP approach, there are no such standing credentials to put the supply chain at risk.
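The ZSP model described above, as an added example that is not from the article or from Netwrix: a minimal access broker for an MSP in which a technician holds no standing permission in any customer environment, and a grant exists only for a named task, a named customer, a ticket reference and a short lifetime. Names, roles and the ticket id are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Grant:
    technician: str   # MSP engineer requesting access
    customer: str     # the customer environment the MSP maintains
    role: str         # narrow permission needed for the task
    ticket: str       # justification: the change or support ticket
    expires: datetime

class ZspBroker:
    """Zero standing privilege: access exists only inside a live, task-scoped grant."""
    def __init__(self):
        self.grants, self.audit = [], []

    def request(self, technician, customer, role, ticket, minutes, now):
        # Each grant needs a ticket and a short lifetime; there is no vault of
        # always-valid admin credentials to steal or misuse.
        if not ticket:
            raise ValueError("grant requires a ticket reference")
        g = Grant(technician, customer, role, ticket, now + timedelta(minutes=minutes))
        self.grants.append(g)
        self.audit.append((now, "grant", technician, customer, role, ticket))
        return g

    def authorize(self, technician, customer, role, now):
        # Expired grants vanish on every check, not on a cleanup schedule.
        self.grants = [g for g in self.grants if g.expires > now]
        ok = any(g.technician == technician and g.customer == customer and g.role == role
                 for g in self.grants)
        self.audit.append((now, "allow" if ok else "deny", technician, customer, role))
        return ok

    def complete(self, grant, now):
        # Task finished: revoke at once instead of waiting for expiry.
        self.grants = [g for g in self.grants if g is not grant]
        self.audit.append((now, "revoke", grant.technician, grant.customer, grant.role, grant.ticket))

def demo():
    b = ZspBroker()
    t0 = datetime(2023, 6, 1, 9, 0)
    before = b.authorize("alice", "customer-a", "db-admin", t0)          # nothing granted yet
    g = b.request("alice", "customer-a", "db-admin", "CHG-1234", 30, t0)
    during = b.authorize("alice", "customer-a", "db-admin", t0 + timedelta(minutes=5))
    other = b.authorize("alice", "customer-b", "db-admin", t0 + timedelta(minutes=5))  # wrong tenant
    b.complete(g, t0 + timedelta(minutes=10))
    done = b.authorize("alice", "customer-a", "db-admin", t0 + timedelta(minutes=11))  # revoked early
    return before, during, other, done
```

The audit list gives the per-customer record of who held what and why, which is the evidence a risk manager can ask an MSP to produce.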
Supply chain attacks that compromise software, on the other hand, are best addressed at the infrastructure layer of an organisation’s attack surface, especially if it is the original developer of a crucial piece of software.
To mitigate this attack vector, risk managers need to establish a comprehensive change management process to identify compromised or altered software.
They should also closely monitor all external IP connections, since attackers can use those connections to reach their targets. A well-maintained software supply chain, from development through to use, helps to minimise that risk.
In addition, organisations installing software updates from vendors for which clean and secure sourcing cannot be established should monitor the installation for suspicious behaviour, such as outgoing connections and enumeration activity originating from the device on which the software is installed.
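The installation monitoring just described, as an added example that is not from the article or from Netwrix: a small review over constructed host telemetry (an assumed event format, not any product's log schema) that isolates the installer's process tree and flags two things the text names, outbound connections to hosts other than the vendor's own and enumeration tools spawned during the install.

```python
import re

# Constructed sample telemetry (assumed format, not from the article): process
# starts and outbound connections captured on a host while a vendor installer ran.
EVENTS = [
    "2023-06-01T10:00:00 proc pid=400 ppid=1 image=setup_vendor.exe",
    "2023-06-01T10:00:05 net pid=400 dst=updates.vendor.example:443",
    "2023-06-01T10:00:09 proc pid=412 ppid=400 image=whoami.exe",
    "2023-06-01T10:00:10 proc pid=413 ppid=400 image=net.exe",
    "2023-06-01T10:00:12 net pid=413 dst=203.0.113.9:8080",
    "2023-06-01T10:01:00 proc pid=420 ppid=1 image=browser.exe",
    "2023-06-01T10:01:02 net pid=420 dst=www.example.org:443",
]

# Binaries commonly used to enumerate a host or domain; an installer has no
# business spawning them.
ENUM_TOOLS = {"whoami.exe", "net.exe", "nltest.exe", "systeminfo.exe"}

LINE = re.compile(r"^(\S+) (proc|net) (.*)$")

def parse(line):
    ts, kind, rest = LINE.match(line).groups()
    return {"ts": ts, "kind": kind, **dict(kv.split("=", 1) for kv in rest.split())}

def review_install(events, installer_image, vendor_hosts):
    """Flag enumeration and unexpected outbound traffic from the installer's process tree."""
    parsed = [parse(e) for e in events]
    parent = {e["pid"]: e["ppid"] for e in parsed if e["kind"] == "proc"}
    image = {e["pid"]: e["image"] for e in parsed if e["kind"] == "proc"}
    roots = {pid for pid, img in image.items() if img == installer_image}

    def in_tree(pid):  # walk ppid links until the installer or an unknown parent
        while pid in parent:
            if pid in roots:
                return True
            pid = parent[pid]
        return False

    findings = []
    for e in parsed:
        if not in_tree(e["pid"]):
            continue  # unrelated activity on the host (e.g. the user's browser)
        if e["kind"] == "net":
            host = e["dst"].rsplit(":", 1)[0]
            if host not in vendor_hosts:  # allow-list of the vendor's update hosts
                findings.append(f"{e['ts']} unexpected outbound {e['dst']} from {image[e['pid']]}")
        elif e["image"] in ENUM_TOOLS:
            findings.append(f"{e['ts']} enumeration tool {e['image']} spawned by installer tree")
    return findings
```

The vendor allow-list is the piece that has to come from the change record for that update; without it the outbound check cannot separate the vendor's own update traffic from anything else.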
“Risk managers need to establish a comprehensive change management process to identify compromised or altered software.”
More broadly, organisations must be more proactive about risk management, including performing regular risk assessments throughout their IT systems and mitigating any security vulnerabilities that are uncovered.
Equally important, risk managers should require these same precautions from all partners, suppliers and other entities throughout their supply chain.
Although supply chain attacks are increasing, the good news is that defence measures for mitigating the risk from these threats are effective against other kinds of cyberattacks as well.
Indeed, risk assessment and mitigation, threat detection and response, change management, and a ZSP approach are all core strategies for improving an organisation’s security posture against internal and external threats.
However, only a strategy that encompasses all three layers of the attack surface can ensure the most robust and effective protection possible.