A strong and successful supply chain is a fundamental need in any business. This core process is what allows businesses to deliver their goods and services to their customers or clients. Businesses put a lot of work into building their supply chain and gaining trust with the partners they interact with.
On an IT level, businesses rely on third-party software to get their work done. There are cyber criminals out there who want to take advantage of supply chain trust. This is where supply chain attacks come into play.
The fundamentals of supply chain attacks
Large corporations invest a lot of resources into cyber security and prevention of cyber-attacks. This makes it harder and more time-consuming for threat actors to make their way through. These days, supply chain attacks make more sense to cyber criminals. By successfully infiltrating and planting malicious code into third-party vendor software, and going undetected, they can potentially infect the IT system of every single user of that software.
The cyber security of vendor software pales in comparison to that of a much larger organisation, such as a government agency or a bank. Threat actors know this and exploit it. They also exploit the trust between the vendor and their clients.
If a business regularly uses a piece of software to get its job done, and it has trust in that software, it often won’t think twice about whether there is a virus embedded within it. Malicious actors will embed their code in a release, a software update or even a security patch. They may even embed it in open-source code that the vendor uses in their software development lifecycle.
This is how the attack vector is established. Trusted vendor software is given a green light and is installed as per normal on IT systems. The cyber criminals can then remotely activate the malicious code they have embedded. By that time, the code is already within the IT system and has access to the digital assets within it, including any sensitive data. It may work silently, stealing information in the background. It may launch ransomware attacks. It depends on the intentions of the cyber criminals.
These sophisticated attacks are often meticulously planned and are on the rise. The European Union Agency for Cybersecurity this year predicted a four-fold increase over the next year.
The SolarWinds example
The SolarWinds supply chain attack illustrates clearly how cyber criminals can infect many organisations in a single attack. Last year, Russian hackers (later revealed to be working for Russia’s foreign intelligence agency) hacked into the software company SolarWinds. By embedding code into the company's project management tool Orion, which 18,000 networks use, the cyber criminals were able to make their way into US federal agencies including NASA, the State Department, the Department of Defense, and the Department of Justice.
According to security experts, it may be decades before the true damage of this attack is known. It’s hard to tell what information was stolen, and they believe that there is malicious code still lying dormant which can be used to launch future attacks.
Mitigating supply chain risk
Real damage can be done to business confidence and business brand when sensitive data has been compromised by a cyber-attack. Some businesses never recover from this damage. The risk introduced by the pandemic hasn’t helped. Therefore, supply chain risk must be taken seriously and preventative measures put in place to armour businesses.
While cyber security tactics such as endpoint security are helpful, they are not enough to protect an organisation from a supply chain attack.
Implementing strong supply chain security with cyber security experts and managing supply chain risk on an ongoing basis is essential. This involves investigating every third-party software vendor an organisation has in its supply chain.
Compliance with strict cyber security standards before software vendors are approved is essential. Skilled security experts know what to look for and will tailor their assessments and questionnaires to each vendor depending on the level of access its software requires on the organisation's IT systems.
Once a software vendor is approved, its software should still be monitored on an ongoing basis by security experts. Testing of whitelisted application installations should be undertaken to confirm that everything is running as expected and to look for anything peculiar. Unless an application is whitelisted, it should not be allowed to run on an IT network.
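An added example (not from the original article or any vendor's tooling) of the installation testing described above: it hashes every file in a whitelisted application's install directory and compares the result with a baseline recorded when the software was approved, flagging modified, unexpected and missing files. The function names, file names and sample install tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def audit_install(install_dir, approved):
    """Compare an install directory with the approved {path: sha256} baseline."""
    seen = snapshot(install_dir)
    return {
        "modified": sorted(k for k in seen if k in approved and seen[k] != approved[k]),
        "unexpected": sorted(k for k in seen if k not in approved),
        "missing": sorted(k for k in approved if k not in seen),
    }


def demo():
    """Constructed sample: approve an install, change it, then audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"approved build 1.0")
        (root / "bin" / "core.dll").write_bytes(b"approved library 1.0")
        (root / "config.ini").write_text("mode=prod\n")
        baseline = snapshot(root)  # recorded at approval time
        # Simulated drift after approval (constructed, harmless content)
        (root / "bin" / "core.dll").write_bytes(b"library 1.0 with extra code")
        (root / "bin" / "helper.dll").write_bytes(b"not in baseline")
        (root / "config.ini").unlink()
        return audit_install(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

A clean result only shows that the installation matches what was approved; it does not show that the approved release itself was free of embedded code, which is why vendor assessment and ongoing monitoring are still needed.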
Supply chain cyber threats are here to stay. Talk to INTELLIWORX today to see how they can help with your security vulnerabilities and risk management of supply chain attacks.