Navigating the supply chain security challenge: Defending against 5 common attack vectors
Cyber attacks on supply chains more than quadrupled in just a year (from 2019-2020), and 84% of IT decision makers around the world believe that “software supply chain attacks could become one of the biggest cyber threats to organizations like theirs within the next three years.” Yet, surprisingly, only 36% of those surveyed have vetted the security posture of their suppliers within the last year, according to CrowdStrike’s 2021 Global Security Attitude Survey.
5 common supply chain attacks and how to defend against them
While you may have invested greatly in cybersecurity controls and are confident about your company’s own security safeguards, it is imperative to evaluate the security posture of your third-party providers, especially those who can access your network or data (e.g., raw material suppliers, billing and payment vendors, electronic health record platforms, website host servers, cloud service providers, etc.). Understanding five common attack vectors will allow you to know where to amplify detection efforts and prepare response plans.
1. Conducting Business Email Compromise (BEC) campaigns:
Commonly, BEC is often associated with financial transfers, where criminals leverage the fact that business is often conducted via email. They will pose as an authoritative source (e.g., often a company executive, buyer, or financial administrator) and leverage fear or immediate actions to convince the target to take actions. Attackers recently have shifted their strategies, however; now they attempt to intercept email official correspondence and inject their objectives into this conversation. Using this approach, the adversary could attach a malicious document, change an account number, or request remote access to systems.
HOW TO DEFEND:
• It is important that your employees know never to reuse passwords, and that a compromise in
a service that is completely unrelated to your business may have direct impacts.
• A best practice is to enable multi-factor authentication for any business critical system, with priority on any systems or applications that are externally facing.
• Ensure everyone who may be involved with a “critical and urgent” financial transfer (often
CEO and CFO) has established a process that does not use email.
2. Using vulnerability information gleaned from OSINT tools:
Open Source Intelligence (or OSINT) tools have significantly matured in the past few years, sometimes allowing attackers to identify your suppliers, vendors, or other associated third parties. Using this information, they will target these companies — often leveraging known vulnerabilities in remote services to gain access. Once inside, they will use this access to steal data or source code, implant backdoors, or move to aforementioned BEC attacks.
HOW TO DEFEND:
• When it comes to defending against publicly available vulnerabilities, it all comes back to an intense focus on continual patch management and increasing visibility into the enterprise’s attack surface for your security team.
• Having visibility only into the endpoint is not sufficient; visibility of what’s happening on your network using an advanced network detection and response (NDR) tool is imperative.
• Security organizations must have experienced hunting capability, expert insights into context, and the backing of advanced analytics to sort through the noise and gain this visibility into the network where the traffic is visible when bypassing signature based solutions.
3. Unleashing “living off the land” or fileless attacks:
This is another popular tactic, which can best be described as gaining additional access using the tools that already exist in the computing environment. This makes detection and reconstruction of the compromise timeline increasingly difficult. Systems that are often targeted are IT/helpdesk tools, system patching infrastructure, security vulnerability scanners, and “system accounts” with global administrative permissions. Once the attacker has compromised these environments, they often have the access required to compromise the targeted systems and/or data undetected.
HOW TO DEFEND:
• Creating an application safe list, logging, and behavioral detection are needed to stop these kinds of attacks.
• Common techniques are well documented at https://lolbas-project.github.io/ and https://attack.mitre.org/.
4. Leveraging embedded systems to wreak havoc:
Not all supply chain risks require active targeting or hijacking of email conversations. The systems and applications used to run our businesses have their own supply chain ecosystem. The closer you look, the more complex (and perhaps hidden) things become. Network-aware embedded systems, Operational Technology (OT), and IoT devices may include libraries or other software that may have vulnerabilities, and often do not have a clear upgrade or patching schedule.
HOW TO DEFEND:
• Any such flawed device typically is indexed by sites such as shodan.io and binaryedge.io and easily discoverable.
• You may become a target simply due to vulnerabilities that exist in deployed systems, so proper recognition of this risk, segmentation, and monitoring should be considered an essential part of your security plan.
• These vulnerabilities should be reviewed regularly with the purpose of adding compensating controls if available to reduce further exposure.
5. Targeting service providers to gain a foothold in the network:
Similar to embedded systems, the usage of third-party service providers could introduce risk to your business. Third-party developers, for example, might leave source code on public repositories, “development” or “test” data that was not properly sanitized may exist on unprotected database servers, or a security issue that occurs in their environment may have
catastrophic downstream impacts to your ability to conduct business.
HOW TO DEFEND:
• Reliance on a service provider of any type requires a company to be very diligent in ensuring that the provider has a well-defined Security Program that includes periodic penetration testing using attack scenarios that include simulated access to a customer environment.
• For your own company, you should be doing the same and make sure the scope includes the simulated access to your service provider’s connection.
Where do we go from here?
Consider that today’s supply chain is now less of a linear chain moving parts from manufacturing to market and more of a web that extends and branches in every direction. With digital services such as cloud providers in the mix, we’re now talking about a multi-faceted ecosystem to run your core business. Accenture Security perhaps sums up the situation best: “In the shape-shifting world of cybersecurity, attackers have already moved on to indirect targets, such as vendors and other third parties in the supply chain. It is a situation that creates new battlegrounds even before they have mastered the fight in their own backyard.” (State of Cybersecurity Report 2020).
As cyber adversaries focus their efforts on supply chain security gaps as an easier way to get past a cybersecurity-mature organization’s controls and/or strike many entities at once (as was the case with the SolarWinds software supply chain attack), it is worth considering a collective defense approach to security.
A real-time collective defense platform — which creates a radar-like view of the threat landscape based on the NDR tool — allows collaborators from across the same sector to see the same threats, with the same context, at the same time. This shared visibility means that participants can pool resources to triage the same threat facing all, creating a multiplier effect and raising the security posture of all in your company’s supply chain ecosystem, as well as that of the sector at large.
