What is a supply chain attack?
Supply chain attacks have come into sharp focus for enterprise security teams over the last few months, due in no small part to the fallout from SolarWinds.
In an attack unprecedented in both depth and breadth, the Russian state-backed actor group APT29, otherwise known as Cozy Bear, is suspected of compromising the software company SolarWinds and using that access to infiltrate everything from the US Treasury Department to NATO and numerous other organisations.
The compromise represents one of the largest discovered breaches to date, with experts saying it will take years to fully understand and remediate.
Supply chain attacks explained
A supply-chain attack is, in essence, when a threat actor uses a compromised technical asset of a third party, either software or hardware, to move laterally into another organisation’s infrastructure.
Typically, this is a targeted act to infiltrate a larger company. However, it’s not unheard of for the payload of an opportunistic attacker to unexpectedly gain access to additional environments.
Such attacks are multi-phased: after the initial foothold in a supplier is gained, attackers exploit weaknesses in a variety of different assets to gradually get closer to the target system. That target could be anything from a specific database to steal to a particular set of controls to hijack.
Given today’s ever-increasing attack surface and the number of suppliers used by large companies, the determined attacker has a huge range of potential points of incursion to choose from. MITRE has mapped these potential risk points as part of its Supply Chain Attack Framework, which aims to give organisations some structure for an otherwise complex issue.
What can I do about supply-chain attacks?
Supply-chain attacks are successful because they give an attacker a relatively straightforward and persistent presence on a target system that would otherwise have been hard to access. The assumed trust enjoyed by suppliers comes with privileges, including entry to systems which are otherwise protected with layers of security countermeasures.
This transfers a burden of responsibility for the cyber risk of highly targeted companies onto their suppliers, who are often smaller and have fewer security resources.
To mitigate this risk, large organisations can do a few things.
First, they need to ensure the gravity of supply chain risk is effectively communicated to their suppliers and that compliance with standards is enforced. Government-backed certifications such as Cyber Essentials, developed by the NCSC, remove a high proportion of risk for little outlay.
Second, organisations need visibility of the cyber risk presented by each individual company in their supply chain so they can highlight issues.
For this reason, large companies should consider carrying out regular audits of the security posture of their suppliers. Because cyber risk changes continually, these audits need to be repeated rather than treated as a one-off exercise.
Traditionally this might have been difficult, requiring security analysts to specifically test the infrastructure of each supplier.
However, nowadays this can be achieved by using a platform that automates a continuous view of the digital exposure posed by third parties. This is done by analysing the mass of publicly available information that constitutes modern cyber risk, everything from compromised internal email addresses to exposed technical infrastructure.
Such solutions essentially take an attacker’s view of suppliers. This is valuable because, if organisations don’t benefit from looking at suppliers this way, they can be sure threat actors certainly will.