Last year, the European Union Agency for Cybersecurity analyzed 24 cyberattacks and concluded that "strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers." The report also shows the concrete impact these attacks had: disrupted operations, system downtime, reputational damage, and monetary loss.
How supply chain attacks work
Just like any cyberattack, a supply chain attack aims to compromise a network's components or protocols, for example by injecting malicious code into software or planting malware on devices that will later connect to the network. What sets supply chain attacks apart is that the resulting data breach or malware infection arrives through a trusted vendor.
This often happens when a vendor ships a software update that is meant to patch security loopholes but turns out to be counterproductive, introducing new vulnerabilities that attackers can target. An organization's network can also be compromised through a third party that failed to follow basic cyberhygiene practices.
Here are four ways a supply chain attack can happen:
- Compromised certificates: Attackers can abuse the trust placed in the certificates that third-party vendors ship with their products: malicious code that appears to carry the vendor's certificate is accepted into the network as if it were legitimate.
- Compromised software or infrastructure: Attackers break into the tools and infrastructure used to build software and introduce vulnerabilities while the application is being developed.
- Compromised devices: Attackers infect devices with malware so that it is carried into the network when the device connects.
- Compromised firmware: Hardware depends on firmware to boot and initialize its components smoothly, so firmware is another route through which attackers introduce malware into the network.
How to combat supply chain attacks:
- Implement least privilege: A common mistake organizations make is to give all employees, third parties, and partners uniform access to network resources, including sensitive ones. As a result, supply chain attacks are easier to execute than they should be. Implementing a least privilege strategy and granting people and software only the permissions they need will help mitigate risks to your organization.
- Audit shadow IT: Your employees might be using shadow IT services that attackers can easily leverage to compromise your network, so thoroughly audit the shadow IT services in use.
- Implement network segmentation: We recommend dividing your network into zones or segments based on business functions. This will separate sensitive resources from each other and will help contain any malware that has managed to enter your network.
- Know your vendors and fourth parties: Your organization should be aware of each service provider who is a part of your supply chain. And the buck does not stop there. You need to be aware of the contractors and vendors who are partners with your third-party connections, since a vulnerability anywhere in the supply chain can affect you as well.
- Use honeytokens: Honeytokens are effective decoys that lure attackers away from the real assets. Misleading an attacker this way buys your IT team time to find and close the loophole through which the attacker entered the network and to protect the other assets in it.
- Practice DevSecOps: A good regimen of security practices starting at the development phase of an application can keep your entire network safe:
  - Make SSL encryption mandatory.
  - Ensure all scripts, files, packages, and XML files carry a digital signature.
  - Configure software to reject unsigned input or commands.
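The two signing items above, as an added example that is not from the original article: a consumer pins a vendor's public key at install time and refuses any artifact that is unsigned, altered after signing, or signed by a different key. The Artifact type, the file name, the contents and the choice of Ed25519 (Go's standard library) are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Artifact is a constructed stand-in for a script, package or config file received
// from a vendor; Signature is a detached Ed25519 signature, nil when unsigned.
type Artifact struct {
	Name      string
	Content   []byte
	Signature []byte
}

var ErrUnsigned = errors.New("rejected: artifact carries no signature")
var ErrBadSignature = errors.New("rejected: signature does not verify under the pinned publisher key")

// digest binds name and content (0 separator) so a signed payload cannot be reused under another name.
func digest(a Artifact) []byte {
	sum := sha256.Sum256(append(append([]byte(a.Name), 0), a.Content...))
	return sum[:]
}

// Sign is the publisher side: the vendor's release pipeline signs each artifact.
func Sign(priv ed25519.PrivateKey, a Artifact) Artifact {
	a.Signature = ed25519.Sign(priv, digest(a))
	return a
}

// Verify is the consuming side: accept only artifacts whose signature verifies under the
// publisher key pinned at install time; everything else is refused before it is used.
func Verify(pinned ed25519.PublicKey, a Artifact) error {
	if len(a.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pinned, digest(a), a.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is the key the consumer pins
	signed := Sign(priv, Artifact{Name: "deploy.sh", Content: []byte("echo deploy")})
	fmt.Println(Verify(pub, signed), "|", Verify(pub, Artifact{Name: "deploy.sh"}))
}
```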
- Other cyberhygiene practices that can help you defend against supply chain attacks:
  - Conduct periodic risk assessments of all vendors.
  - Conduct risk awareness training for all employees.
  - If your budget allows it, invest in automated threat hunting and incident response plans that can detect and ward off threats quickly.
  - Classify the assets and information shared with third parties, and define procedures for accessing and handling them.