Monday, January 13, 2025

Trusted-relationship cyberattacks and their prevention


The old saying, "A chain is only as strong as its weakest link", applies directly to enterprise cybersecurity. Companies today typically rely on dozens or even hundreds of suppliers and contractors, who in turn use the services and products of yet more contractors and suppliers. And when these chains involve not raw materials but complex IT products, ensuring their security becomes considerably harder. Attackers exploit this: they compromise one link in the chain in order to reach its end, which is their real target. Accordingly, business leaders and the heads of IT and information security need to understand the risks of supply-chain attacks in order to manage them effectively.

What is a supply-chain attack?

A supply-chain attack is one in which a malicious actor infiltrates an organization's systems by compromising a trusted third-party software vendor or service provider. Forms of this attack include the following:

  • Compromising well-known software developed by a supplier and used by the target organization (or by many organizations). The software is modified to perform malicious tasks for the attacker; once the next update is installed, it contains undeclared functionality that allows the organization to be compromised. Well-known examples include the compromises of SolarWinds Orion and 3CX. Last year the largest attempt of this kind to date was discovered, in XZ Utils; fortunately, it was caught before it succeeded.
  • Attackers obtain corporate accounts issued to a service provider for work within the target organization's systems, and use those accounts to get in and carry out the attack. For example, the American retail giant Target was breached through an account issued to an HVAC supplier.
  • Attackers compromise a cloud provider, or exploit features of a cloud provider's infrastructure, to access the targeted organization's data. The most high-profile case last year involved more than 150 customers of the Snowflake cloud service, leading to the leak of data on hundreds of millions of users of Ticketmaster, Santander Bank, AT&T, and others (the attackers used stolen customer credentials on accounts without MFA rather than a flaw in Snowflake itself). Another large-scale, high-impact attack was the breach of the authentication service provider Okta.
  • Attackers exploit permissions delegated to a contractor in cloud systems such as Office 365 to gain control over the target organization's documents and correspondence.
  • Attackers compromise specialized devices that belong to or are administered by a contractor but are connected to the target organization's network, such as smart-office air-conditioning systems or video surveillance systems. Building automation systems, for example, became the foothold for a cyberattack on telecom providers in Pakistan.
  • Attackers tamper with IT equipment purchased by the target organization, either by infecting pre-installed software or by embedding hidden functionality in the devices' firmware. Despite their complexity, such attacks have occurred in practice: confirmed cases include Android device infections, alongside widely discussed (though disputed) reports of chip-level server implants.

In the MITRE ATT&CK framework, access obtained through a third party's legitimate accounts or connections is covered by the technique "Trusted Relationship" (T1199), while tampering with software or hardware before it reaches the victim falls under "Supply Chain Compromise" (T1195).

Advantages of supply-chain attacks for criminals

Supply-chain attacks offer attackers several advantages. First, compromising a supplier creates an unusually stealthy and effective entry channel, as demonstrated by the attack on SolarWinds Orion, software widely used in major U.S. agencies, and by the compromise of Microsoft cloud systems, which led to email leaks from several U.S. government departments. For this reason, this type of attack is especially favored by groups hunting for information. Second, the successful compromise of a single popular application or service immediately provides access to dozens, hundreds, or even thousands of organizations. This kind of attack therefore also appeals to financially motivated actors such as ransomware groups; one of the most high-profile breaches of this kind was the attack on the IT supplier Kaseya by the REvil group.

A tactical advantage (for criminals) of attacks that exploit trusted relationships lies in the practical consequences of that trust: the applications and IP addresses of the compromised supplier are more likely to be on allowlists, actions performed with accounts issued to the supplier are less often flagged as suspicious by monitoring teams, and so on.

Damage from supply-chain attacks

Contractors are usually compromised in targeted attacks carried out by highly motivated and skilled adversaries. Such attackers typically aim to obtain either a large ransom or valuable information, and in either case the victim will face long-term negative consequences.

These include the direct costs of investigating the incident and mitigating its impact, fines and expenses related to dealing with regulators, reputational damage, and potential compensation to clients. Operational disruptions caused by such attacks can also result in significant productivity losses and threaten business continuity.

There are also cases that don't technically qualify as supply-chain attacks (attacks on key technology providers within a specific industry) but nevertheless disrupt the supply chain. There were several examples in 2024 alone, the most striking being the cyberattack on Change Healthcare, a major company responsible for processing financial and insurance documents in the U.S. healthcare industry. Change Healthcare's clients weren't hacked, but while the compromised company spent a month restoring its systems, medical services in the U.S. were partially paralyzed, and it was recently revealed that confidential medical data of 100 million patients was exposed as a result of the attack. In this case, mass client dissatisfaction became a factor pressuring the company to pay the ransom.

Returning to the examples mentioned earlier: Ticketmaster, which suffered a major data breach, faces several multi-billion-dollar lawsuits; criminals demanded $70 million to decrypt the data of victims of the Kaseya attack; and damage estimates for the SolarWinds attack range from $12 million per affected company to $100 billion in total.

Which teams and departments should be responsible for supply-chain-attack prevention?

While all of the above may suggest that dealing with supply-chain attacks is entirely the responsibility of information security teams, in practice minimizing these risks requires the coordinated efforts of several teams across the organization. Key departments that should be involved include:

  • Information security: responsible for implementing security measures and monitoring compliance with them, conducting vulnerability assessments, and responding to incidents.
  • IT: ensures that the procedures and measures required by information security are followed when contractors' access to the organization's infrastructure is set up, uses monitoring tools to oversee compliance with those measures, and prevents the emergence of shadow or abandoned accounts and IT services.
  • Procurement and vendor management: should work with information security and other departments to include trust and corporate information-security compliance criteria in supplier selection. Should also regularly check that supplier assessments meet these criteria and ensure ongoing compliance with security standards throughout the contract period.
  • Legal and risk management: ensure regulatory compliance and manage contractual obligations related to cybersecurity.
  • Board of directors: should promote a security culture within the organization and allocate resources for implementing the above measures.

Measures for minimizing the risk of supply-chain attacks

Organizations should take comprehensive measures to reduce the risks associated with supply-chain attacks:

  • Thoroughly evaluate suppliers. Assess the security level of potential suppliers before beginning collaboration. This includes requesting a review of their cybersecurity policies, information about past incidents, and their compliance with industry security standards. For software products and cloud services it is also advisable to collect data on known vulnerabilities and penetration tests, and in some cases to conduct dynamic application security testing (DAST).
  • Implement contractual security requirements. Contracts with suppliers should include specific information security requirements, such as regular security audits, compliance with your organization's relevant security policies, and incident notification protocols.
  • Adopt preventive technological measures. The risk of serious damage from a supplier compromise is significantly reduced if your organization implements practices such as the principle of least privilege, zero trust, and mature identity management. In practice this means dedicated, individually issued accounts for each contractor, protected by MFA, scoped to the systems and networks the contract actually covers, and expiring when the engagement ends.
  • Organize monitoring. We recommend using XDR or MDR solutions for real-time infrastructure monitoring and for detecting anomalies in software behavior and network traffic. Supplier accounts and source addresses belong in scope of this monitoring: an allowlisted contractor connection is exactly the one an attacker prefers to use.
  • Develop an incident response plan. Create a response plan that explicitly covers supply-chain attacks. The plan should ensure that breaches are quickly identified and contained, for example by disconnecting the supplier from company systems.
  • Collaborate with suppliers on security. Work closely with suppliers to improve their security measures; such collaboration strengthens mutual trust and makes shared security a common priority.
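The following script is an added example, not code from the original article or from any product it mentions. It shows what "monitoring contractor access" looks like once least privilege has been written down as a per-vendor scope: each contractor account is audited against the networks, hosts, service window and contract end date it was granted, and accounts that nobody owns or that are no longer used are flagged as shadow or abandoned. The policy record, the "ext-" naming convention for contractor accounts and the log format are assumptions made for the example, and the log lines are constructed.

```python
"""Audit contractor account activity against the access each vendor was granted.
Added example: VendorScope, the "ext-" naming convention and the log format are
assumptions for illustration, not taken from any real product."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Finding codes returned by the audit.
OUTSIDE_ALLOWLIST = "OUTSIDE_ALLOWLIST"        # not from the vendor's declared networks
HOST_OUT_OF_SCOPE = "HOST_OUT_OF_SCOPE"        # host not covered by the contract
OUT_OF_HOURS = "OUT_OF_HOURS"                  # outside the agreed service window
AFTER_CONTRACT_END = "AFTER_CONTRACT_END"      # still working after the engagement ended
UNREGISTERED_ACCOUNT = "UNREGISTERED_ACCOUNT"  # contractor-style account no vendor owns (shadow)
DORMANT_ACCOUNT = "DORMANT_ACCOUNT"            # issued but unused (abandoned)


@dataclass(frozen=True)
class VendorScope:
    """What one contractor is allowed to do (hypothetical policy record)."""
    vendor: str
    accounts: frozenset
    allowed_networks: tuple   # ip_network objects
    allowed_hosts: frozenset
    work_hours: tuple         # (start_hour, end_hour): start inclusive, end exclusive
    contract_end: datetime


# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_event(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "src": ip_address(m["src"]), "host": m["host"], "result": m["result"]}


def audit_vendor_access(lines, scopes, now, dormant_days=30, ext_prefix="ext-"):
    """Return a list of (account, code, detail) findings for the given log lines."""
    by_account = {acct: scope for scope in scopes for acct in scope.accounts}
    last_success = {acct: None for acct in by_account}
    findings = []

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        scope = by_account.get(ev["user"])
        if scope is None:
            # A contractor-style name that no vendor record claims is a shadow account.
            if ev["user"].startswith(ext_prefix):
                findings.append((ev["user"], UNREGISTERED_ACCOUNT, f"seen on {ev['host']}"))
            continue
        if ev["result"] == "success":
            prev = last_success[ev["user"]]
            if prev is None or ev["ts"] > prev:
                last_success[ev["user"]] = ev["ts"]
            if ev["ts"] > scope.contract_end:
                findings.append((ev["user"], AFTER_CONTRACT_END,
                                 f"contract ended {scope.contract_end:%Y-%m-%d}"))
        # Trust is scoped: the same credentials from an unexpected place, host or time are not trusted.
        if not any(ev["src"] in net for net in scope.allowed_networks):
            findings.append((ev["user"], OUTSIDE_ALLOWLIST, f"src {ev['src']}"))
        if ev["host"] not in scope.allowed_hosts:
            findings.append((ev["user"], HOST_OUT_OF_SCOPE, f"host {ev['host']}"))
        start, end = scope.work_hours
        if not (start <= ev["ts"].hour < end):
            findings.append((ev["user"], OUT_OF_HOURS, f"at {ev['ts']:%H:%M}"))

    # Abandoned accounts: issued to a vendor but not used recently.
    for acct, ts in last_success.items():
        if ts is None or now - ts > timedelta(days=dormant_days):
            findings.append((acct, DORMANT_ACCOUNT, f"no successful login in {dormant_days} days"))
    return findings


# Constructed sample policy and log (documentation-range addresses, invented hosts).
SCOPES = [
    VendorScope("hvac-co", frozenset({"ext-hvac-svc", "ext-hvac-tech"}),
                (ip_network("203.0.113.0/24"),), frozenset({"bms-gw-01", "bms-gw-02"}),
                (8, 18), datetime(2025, 12, 31)),
    VendorScope("msp-inc", frozenset({"ext-msp-admin"}),
                (ip_network("192.0.2.0/24"),), frozenset({"dc-01"}),
                (0, 24), datetime(2024, 12, 31)),
]
SAMPLE_LOG = """\
2025-01-06T09:12:00 user=ext-hvac-svc src=203.0.113.10 host=bms-gw-01 result=success
2025-01-07T02:41:00 user=ext-hvac-svc src=198.51.100.77 host=bms-gw-01 result=success
2025-01-08T10:05:00 user=ext-hvac-svc src=203.0.113.10 host=fileserver-fin result=success
2025-01-09T11:00:00 user=ext-audit-bot src=203.0.113.10 host=erp-01 result=success
2025-01-13T10:30:00 user=ext-msp-admin src=192.0.2.5 host=dc-01 result=success
garbage line that the parser must ignore
"""


def run_sample():
    """Audit the constructed log as of 2025-01-13 12:00."""
    return audit_vendor_access(SAMPLE_LOG.splitlines(), SCOPES, now=datetime(2025, 1, 13, 12, 0))


if __name__ == "__main__":
    for account, code, detail in run_sample():
        print(f"{code:<22} {account:<16} {detail}")
```

On the sample data the audit produces six findings: the HVAC service account connecting from outside its allowlisted network at 02:41 (two findings, one per violated condition), the same account reaching a finance file server outside its scope, an unregistered "ext-audit-bot" account, the MSP administrator still logging in two weeks after its contract ended, and an issued but never-used HVAC technician account. Each of these is a condition a trusted-relationship attacker relies on going unnoticed, and each is a check a SIEM or XDR rule can express once the vendor scope exists as data rather than as a line in a contract.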

Deep technological integration throughout the supply chain gives companies real competitive advantages, but at the same time creates systemic risks. Understanding those risks is critically important for business leaders: attacks on trusted relationships and supply chains are a growing threat that causes significant damage. Only by implementing preventive measures across the organization and approaching partnerships with suppliers and contractors strategically can companies reduce these risks and ensure the resilience of their business.
