Every organization interacts with other organizations: suppliers, partners, customers, government agencies and more. As a result, you can suffer a breach even though your organization was not directly targeted. For example, adversaries were able to release the infamous NotPetya malware to thousands of companies worldwide by compromising the supplier of a popular accounting software solution.
These supply chain attacks (also known as island-hopping attacks) are increasing because by breaching one organization in a supply chain, cybercriminals gain a path into multiple partners and customers. Indeed, among organizations that experienced cyberattacks in the cloud in 2022, 15% discovered incidents in their supply chain, up from only 6% in 2020.
This article explores the two primary vectors for supply chain attacks, reveals experts’ predictions for what to expect in 2023 and offers strategies for protecting against these attacks.
The Two Main Attack Vectors
Analysis of recent supply chain attacks reveals two primary attack vectors. The first involves infiltrating the comparatively weaker IT infrastructure of a small or medium business (SMB) or managed service provider (MSP) and using that breach as an entry point to larger organizations. For instance, hackers got access to data of the Centers for Medicare and Medicaid Services (CMS) through an attack on CMS’s subcontractor, Healthcare Management Solutions, which was responsible for processing Medicare eligibility and entitlement records. As a result, the personally identifiable and protected health information of 254,000 Medicare beneficiaries may have been compromised.
The second main attack vector in supply chain attacks is based on the use of third-party software, including libraries, packages and full solutions. The impact can be devastating; for instance, in 2020, the software provider SolarWinds was hacked, enabling the cybercriminals to deploy malicious code into its IT management products, which are used by thousands of organizations and government agencies worldwide.
What to Expect
Cyber experts’ predictions for 2023 include a clear expectation that supply chain attacks will keep increasing. One key reason is that many organizations today simply do not have sufficient skilled IT pros and cybersecurity capabilities internally, and therefore more and more of them are turning to MSPs and other partners for help, expanding their supply chains. Another reason is that the elements of supply chains are often connected through long-standing personal relationships. Because of the implicit trust, organizations often fail to require regular risk assessments, reviews of access rights and modern security protocols, increasing the risk of adversaries gaining access to partner organizations and avoiding detection for a long period of time.
How to Protect Your Organization
To defend against supply chain attacks, organizations need to focus on threat prevention and detection measures across all three layers of the attack surface: data, identities and infrastructure.
The first attack vector, in which adversaries compromise an SMB or MSP to infiltrate its larger partners and customers, is best mitigated in the identity layer. Organizations should strictly limit the access they grant to external personnel and closely monitor their activity for any suspicious behavior. Ideally, organizations should adopt a zero standing privilege (ZSP) approach in which users are granted the minimum access required to complete the task at hand, and for only as long as needed.
Meanwhile, the managed service providers (MSPs) being targeted need to strengthen their security practices with a defense-in-depth strategy. In particular, data from different customers needs to be segregated and encrypted with a different key per customer. In addition, the credentials used by customers must be stored separately, so MSPs should eschew the idea of a central password vault and adopt a ZSP approach as well.
Defense against the second attack vector, the software supply chain, occurs mainly at the infrastructure layer. Organizations need a comprehensive change management process that includes file integrity monitoring (FIM) to spot altered software. In addition, they should closely monitor all IP connections to the outside world.
More broadly, organizations need to be fastidious about risk management. They should run regular risk assessments of their own IT systems and mitigate the security vulnerabilities they find, and require their partners and suppliers to do the same.
In addition, all organizations should develop effective communications across their supply chains. This includes information about not just the outcomes of risk assessments, but plans for sharing information about threats and breaches. Be sure to include all the key W’s: who is going to communicate what information to whom and when.
Conclusion
Supply chain attacks are increasing. The good news is that the security measures for protecting against those attacks are also effective against a wide range of threats. Indeed, the foundation of any strong security strategy is attending to all three layers of the attack surface — data, identities, and infrastructure — through measures like risk assessment and mitigation, change management, threat detection and response, and strict enforcement of least privilege through approaches like ZSP.
_________________________________________________________________________________
Dirk Schrader is Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. As the VP of Security Research, Dirk is working on focused research for specific industries like Healthcare, Energy or Finance. As the Field CISO EMEA he ‘speaks the language’ of Netwrix’ customers & prospects to facilitate a fit for purpose solution delivery. Dirk has published numerous articles addressing cyber risk management, IT security tactics and operations, and reported hundreds of unprotected, vulnerable critical medical devices to authorities and health providers around the globe.