Supply Chain Attacks: How To Prepare For This Rising Cyber Threat
Back in July 2021, the cybersecurity world was rocked by what experts called “the biggest ransomware attack on record”. We’re of course referring to the Kaseya ransomware incident.
Many of you reading this may well be familiar with the concept of ransomware: malicious software that encrypts your data, holding it to ransom until a payment is made. If you’re lucky.
But a lot of media focused on how Kaseya was a “supply chain attack”. So, what exactly is that? And why are these kinds of attacks so dangerous? Let’s dive in.
What is a Supply Chain Attack?
A supply chain attack is a kind of cyber attack whose goal is to find and exploit poorly cyber-defended links in a given supply chain in order to compromise other organisations within that chain. So rather than attacking an organisation directly, a hacker will establish a foothold within one of their suppliers, spreading vulnerabilities down – and sometimes up – that supply chain.
Supply chain attacks can be surgically deployed to compromise a particular organisation within a supply chain (with varying levels of collateral damage) or they can be deployed in a scattergun fashion to cause maximum, unbridled chaos across the supply chain in question – and possibly beyond.
Supply chain attacks are a rising threat, too. The European Union Agency for Cybersecurity (ENISA) predicted a four-fold increase in supply chain attacks before the end of 2021.
Examples of Recent Supply Chain Attacks
- Kaseya (2021): Florida-based Kaseya is a managed service provider, meaning they look after IT matters on behalf of their clients. As part of their service, the firm regularly pushes essential software and security updates to their clients’ devices. However, a hacker managed to infect a security update to install malware on client devices instead. The sophistication of the attack is what made it so scary, and it affected up to around 2,000 organisations.
- SolarWinds Orion (2020): In 2020, a group of hackers believed to be Russian state actors compromised the systems of a company called SolarWinds, who produce a widely used network monitoring platform called Orion. With this illicit access to SolarWinds’s systems, they laced Orion updates with malware that enabled the hackers to steal files, disable system features, and profile each infected client device. It affected hundreds of Fortune 500 companies, facets of the US Military, the Pentagon, and essential infrastructure organisations and universities.
- CCleaner (2017): Many of us have used CCleaner in the past to keep our computers free from junk files, unused registry entries, and to save drive space. However, if you care about cyber security, that will most likely have changed in March 2017, when unknown hackers infiltrated Piriform (the company initially behind the tool) and initiated a complex multi-stage cyber attack that installed data-stealing malware on over 2 million machines worldwide. The attack infected machines at Google, Microsoft, Cisco, Sony, VMware, and more.
- Target (2013): In this now infamous case, US retailer Target suffered an eye-watering security breach where hackers stole around 110 million sets of customer credit and debit card details over Black Friday 2013. They achieved this by pelting Target’s suppliers with phishing emails – one of which took the bait. This led to the criminals gaining control of Target’s point of sale systems – and all of the card details that passed through them.
It’s worth noting that these examples reveal a mixture of end goals on behalf of the criminals. Target’s attack was particularly focused on gaining access to their payment systems. The SolarWinds attack was most likely harnessed to create vulnerabilities within a number of government and military targets. And the CCleaner attack was most likely employed to create maximum, untargeted, data-stealing chaos!
Types of Supply Chain Attacks
Before we go on, let’s investigate some of the most common types of supply chain attacks:
- Trojanised Updates: As with the Kaseya, SolarWinds, and CCleaner examples above, hackers can poison routine software updates with malware that infects those down the supply chain.
- Watering Hole Attacks: This is where criminals observe which websites a business frequents so they can infect those websites, in turn infecting their target. They may also achieve similar outcomes through phony website redirects.
- Third-Party Breaches: Like the Target example above, a breach at a third-party supplier can spell doom for others in the supply chain – whether the attack is targeted at them or is intended to be more scattergun.
- Open-Source Code Tampering: The code that makes up open-source tools is freely available, and open-source software is commonly built and maintained by enthusiasts. However, if a bad actor does manage to push a malicious piece of code into a release or update, it could spell disaster for users.
How to Defend Against Supply Chain Attacks
1. Define What You Need to Protect
Before you start investigating your supply chain’s defences, take stock of your current internal cybersecurity risk profile. Take a look at your recent security alerts and logs. Are there any particular types of security incidents that seem to hit you regularly? Where do they seem to originate from? If a particular supplier’s email address or IP address has been flagged as a source of cyber-risk in the past, then pay them particular attention in our forthcoming steps. Also consider your team’s own cyber-preparedness – if you haven’t provided recent cyber security training, they could let vulnerabilities slip through without knowing.
Also take stock of your cyber security priorities. What kind of attack could cripple your business the most: data theft, malware infections, hacking attempts, insider threats, or the myriad other ways that cyber attacks can manifest? Yes, these are all a worry, but to which extent could each be a problem for you?
2. Map & Audit Your Whole IT (& Non-IT) Supply Chain
Next, you need to do a bit of due diligence and map out your entire upward and downward supply chain. What information (belonging to your or your clients) passes to each organisation? Once you know who makes up your supply chain, it’s time to gather what you can about each organisation’s cyber security defences. This may be as simple as picking up the phone to their IT department and asking about what security measures they have in place.
When you chat with them, remember the role they play in your business. Do they handle any particularly sensitive personal information belonging to your clients or your team? What value (and potential risk) does that data hold? Do your suppliers’ suppliers have any access to your data or systems? Do any suppliers or clients have digital access to your systems or data? How is this access implemented?
3. Judgement Time
Time to put your judge’s wig on. Now you know the levels of cybersecurity that make up your supply ecosystem, ask yourself – where might danger be lurking? How seriously does each supplier seem to take cybersecurity when you read between the lines? Are there any alarming holes in their knowledge or defences? Have they suffered any major cyber incidents in the past? If so, what did they learn/implement from that?
The aim here is to precisely understand the risks posed by each supplier, so you can make a judgement call about whether you should stick with them or not. Also consider how business-critical their services/products are: if you’d struggle without them, would you be willing to shoulder a little risk? Or is the potential danger just too high?
4. Define Your Security Bottom Line
Armed with an idea of where your supply chain risks lie and how your contacts are defending themselves, try to carve out some realistic, minimum-security requirements that you expect from suppliers. This will further help you decide which current suppliers to keep and which ones to reconsider; and it’ll also give you a yardstick to judge future suppliers by too.
Are there any cybersecurity “must-haves” you require from your suppliers? Are there any cyber-deal-breakers that will immediately put them on the “no” pile? Are there any security measures that aren’t mandatory, but are nice for a supplier to have? And, perhaps most importantly, how realistic are these requests within your niche?
5. Go On a Supplier Diet
The more suppliers you have, the larger your supply chain’s cyber attack surface – especially if those suppliers provide IT-related services or products. So, if you can, try and reduce the number of suppliers you work with.
Start by revisiting the products/services you buy and the suppliers you work with. Are any providers surplus to requirements? Do any of your suppliers’ offerings overlap in any way? If possible, try to source the same products/services from a smaller pool of suppliers in order to minimise risk.
6. Keep Shadow IT On a Tight Leash
But despite all of this external supplier vetting, we need to remember that supply chain security isn’t all external. Your own team could be welcoming supply chain risks into the fold via shadow IT, even with the most innocent of intentions.
Observe the software and hardware that your teams use on a daily basis. Are they purely using the software and devices that you have provided for them? Or are they using other free software, freemium tools, or rogue hardware that hasn’t had your stamp of approval? These tools all come with their own upward supply chains, so they could be bringing vulnerabilities to your door under the radar.
If your team are using third-party tools that you haven’t approved, ask them about the functional gaps that they’re filling with those tools. If the solutions in question solve their problem well, you could investigate the security measures and risks inherent in those solutions and officially adopt them if they pass muster. Alternatively, if those solutions feature poor security or they don’t fully solve the issue, you may be able to expand on tools you are already using in order to fill that gap.
And going forward, set and maintain tight controls over the software and SaaS tools that your team use to minimise any supply chain security surprises.
7. Give Out Privilege Carefully
When you’re giving away access or edit privileges within software, devices, or data, always operate under the principle of least privilege (POLP). This is where you give each team member juuuust enough access to a system for them to do their jobs – no more, no less.
It’s surprisingly common for organisations to give highly privileged credentials out without much thought. But far from being a case of generously “giving the team everything they need”, it can actually come back to bite you.
When team members are allowed to access functions or data they don’t need, it can cause confusion, data security issues and/or cyber damage. At the tamer (yet still highly problematic) end of the scale, a nosy team member could wind up peeping at sensitive data out of curiosity. But at the more damaging end of the scale, if a cybercriminal wants to compromise your systems, they don’t have to be selective about whose credentials they choose – everyone has an “all-access pass”.
Additionally, when you don’t overburden your team with access, it can improve productivity and reduce staff overwhelm.
Supply chain attacks are a growing cybersecurity risk, but we admit that they can be a lot to take in. So, if you are unsure or feel you need help, talk to the experts at Just Cyber Security.
Cyber security is about securing every digital function within your business – not just your interactions with suppliers. Our knowledgeable team provide a full suite of cybersecurity services, including managed security, cyber awareness training, penetration testing, and more.