
SecurityWeek

Malware & Threats

Mitigating Risk of Supply Chain Attacks

As I’ve written before, sophisticated adversaries are finding vulnerabilities wherever they can, and often that means looking to an organization’s supply chain for weaknesses in defenses. They’ll use an organization’s partner or supplier as a ‘stepping stone’ to gain access to their ultimate target.


Several supply chain attacks have made headlines in recent months, including:

• The CCleaner malware campaign, which began with a compromise of a build server and went on to infiltrate more than two million machines.

• The NotPetya campaign, launched through a compromised software update delivered via MeDoc (Ukrainian accounting software).

• Operation Cloud Hopper, which used IT managed service providers (MSPs) as a point of access to target organizations across a wide range of industries around the world.

By analyzing these attacks and others that were reported in 2016 and 2017, we can identify three notable trends.

1. The most common motives are data and intellectual property (IP) theft. Cases such as the theft of IP from technology companies in the CCleaner malware campaign, the theft of medication procurement information in the ePrica pharmaceutical software breach and the targeting of Israeli companies in the OilRig campaign (believed to have been conducted by Iranian threat actors, though unconfirmed) indicate that threat actors are likely using supply chain attacks for competitive, political and geostrategic intelligence reasons. The fact that such attacks often involved the delivery of backdoor trojan malware that allowed for data harvesting, exfiltration or privilege escalation on victim systems reinforces this finding. Actors were able to maintain a presence on target networks, gather valuable user credentials and exfiltrate data to attacker-controlled servers.

2. Supply chain attacks are typically targeted. In contrast to mass, indiscriminate campaigns, supply chain attacks tend to be highly focused operations with predetermined targets of interest. This trend likely reflects the motives of these campaigns, which were largely conducted for intelligence gathering or cyber espionage purposes. However, the NotPetya campaign shows that in a handful of cases, where the motives were financial gain or disruption rather than espionage, the attacks were wider reaching.


3. Technology suppliers are the most popular targets for initial compromise. As demonstrated by the use of CCleaner, MeDoc and MSPs, most of the supply chain attacks over the last two years involved the compromise of a technology or software supplier. Adversaries realize that such suppliers are attractive initial targets: they either have privileged access to customer networks, or they provide regular software updates to customers, which means that compromised software versions (containing malware) will be whitelisted or overlooked by customer security teams and systems.

With these trends in mind, there are several mitigation measures and best practices that you can adopt to improve your organization’s security posture and reduce the risk of supply chain infections.

1. Understand, manage and monitor the digital risk your suppliers present. Many suppliers don’t have adequate security maturity levels so you need to be proactive. The SANS Institute recommends a range of measures that include: due diligence and external auditing of potential suppliers; defining a supplier management policy that classifies vendors and identifies appropriate controls based on access granted to sensitive data; and integrating suppliers with your assessment and audit practices to outline both internal best practices and those required from vendors and partners. Each of these measures should be reviewed regularly throughout the year.

2. Use technology to limit suppliers’ unnecessary access to company systems. Suppliers are often given much broader access to company networks than internal users are offered. Instead, organizations should apply privilege management measures. For example, separation of duties ensures no single individual can perform all privileged actions for a system, and least privilege grants users only the bare minimum level of access they need to perform their jobs. In addition, network isolation and segmentation can keep supply chain traffic separate from other internal traffic and prevent attacks, like NotPetya and Cloud Hopper, from moving laterally across the network to reach their intended target.

3. Prepare for unintended targeting. The NotPetya attack showed that not all supply chain attacks are targeted. Implementing foundational security principles can mitigate risk from bad actors that prey on the weaknesses that result from the interconnectivity of systems and the ubiquity of applications. Best practices include backing up critical data and systems on a regular basis and implementing a ‘defense in depth’ strategy that includes: host-based firewalls and IP whitelisting; network segmentation and restricting workstation-to-workstation communication; patching, monitoring for known security vulnerabilities, and disabling unneeded legacy features; and access control.
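To make the segmentation and workstation-to-workstation restriction in measures 2 and 3 concrete, here is an added example (not from the article or any vendor) that evaluates constructed flow records against an explicit zone allow list and flags the kinds of flows that NotPetya-style lateral movement or over-broad supplier access would produce. The zone address ranges, ports and the one-line flow record format are assumptions made for the example.

```python
import ipaddress
# Zones and allow list are constructed assumptions for this example, not the
# article's or any vendor's policy. Anything not listed in ALLOWED is denied:
# workstations never talk to each other; supplier VPN users reach only servers.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "supplier_vpn": ipaddress.ip_network("10.30.0.0/24"),
}
ALLOWED = {  # (source zone, destination zone, destination port)
    ("workstations", "servers", 443),
    ("workstations", "servers", 445),
    ("supplier_vpn", "servers", 22),
}

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src, dst, port):
    return (zone_of(src), zone_of(dst), port) in ALLOWED
def reason(src_zone, dst_zone):
    """Label a denied flow in supply chain terms so analysts can triage it."""
    if src_zone == dst_zone == "workstations":
        return "workstation-to-workstation"
    if src_zone == "supplier_vpn":
        return "supplier traffic outside its allowed scope"
    return "not in allow list"
def violations(flow_lines):
    """Evaluate 'src dst port' flow records; return the denied ones with a reason."""
    denied = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            denied.append((src, dst, int(port), reason(zone_of(src), zone_of(dst))))
    return denied

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.1.5 10.20.0.10 443",  # workstation -> server HTTPS: allowed
    "10.10.1.5 10.10.1.9 445",   # workstation -> workstation SMB: denied
    "10.30.0.4 10.20.0.10 22",   # supplier -> server SSH: allowed
    "10.30.0.4 10.10.1.5 3389",  # supplier -> workstation RDP: denied
    "10.20.0.10 10.10.1.5 445",  # server -> workstation SMB: denied
]
```

Running `violations(SAMPLE_FLOWS)` returns the three denied records; the same allow-list shape can be fed to a host firewall or segmentation gateway so the policy is enforced rather than only audited.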

Activity over the last two years shows that no industry is safe from what has become a steady stream of supply chain attacks. But by analyzing the motives of these bad actors and the tactics, techniques and procedures they use, there’s a lot we can learn to mitigate our digital risk.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
