Gaining access to a company that provides products or services for other organizations is an effective way for hackers to attack many targets at once. As a result, businesses that are part of a supply chain are becoming an increasingly attractive target for cyber attackers, especially those acting under the direction of foreign governments.
Several major cyber security incidents during the past year demonstrate the large-scale effect of an attack on an entire supply chain. The attack against IT services provider SolarWinds was one of the largest and most effective, as it was conducted by hackers working for the Russian intelligence service. This attack compromised SolarWinds’ updates, which 18,000 customers subsequently downloaded. The attackers then targeted about 100 of those customers, some of which were US government agencies.
Another recent major attack against US supply chains exploited a vulnerability in Kaseya’s software, which attackers used to conduct a ransomware attack affecting thousands of this company’s customers throughout the world. This attack included threats of future attacks if the victims disclosed the attack to law enforcement agencies or other third parties. These threats are a recent development in ransomware that demonstrate the attackers’ strong desire for secrecy.
Other attacks against supply chains are much less likely to draw attention than these major incidents, but they can still be very effective. Furthermore, an attack that’s tightly focused on a limited number of targets can also be harder to detect. These factors create a trade-off between casting a wider net to compromise more systems and minimizing the risk of detection. As a result, malicious actors are using more care in designing their campaigns, often choosing a more targeted strategy.
Bigger attacks certainly get more attention, but some supply chain compromises warrant closer examination due to their potential impact on the supply chain. These small-scale attacks can be just as effective in creating discrete pathways into a network, especially through developer and mobile environments. Many supply chain compromises are currently focusing on developer environments due to the high privileges these users often have. Mobile environments also provide attractive attack vectors due to the difficulty in tracing the source of these attacks. The high probability of success for these attacks makes it likely that they’ll remain a threat to supply chains for the foreseeable future.
The expected growth in the frequency and sophistication of supply chain attacks increases the need to detect these attractive vectors. Rapid advances in the technology that supply chains use will increase their complexity, thus making it more difficult to defeat these attacks. Organizations should therefore examine strategies for protecting themselves against the likelihood that one of their suppliers will eventually fall victim to a cyber attack.
The first step in this process is to establish a clear security pathway between an organization and its suppliers, ensuring strong defenses at all links in the supply chain. These defenses largely consist of managing access control, which is relatively straightforward in modern security systems. The next step is to use a design that offers resiliency in the event a supplier is compromised, meaning that the effects of an attack tend to be limited to the initial target.
Information security teams can also increase their network protection by understanding what’s on their networks and how they connect to the internet. For example, the SolarWinds attacks succeeded only because those installations had direct access to the internet. Ensuring that supply chain systems don’t have direct internet access creates a major barrier to ransomware and similar attacks.
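One way to check the point above about direct internet access, as an added example that is not part of the original article: the script audits a firewall flow log for supply chain systems contacting external addresses. The host names, addresses, internal ranges and log format are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed inventory: hosts running supplier-provided software (hypothetical names).
SUPPLIER_HOSTS = {"10.20.0.5": "monitoring-server", "10.20.0.6": "patch-server"}

# Assumed internal ranges; the approved egress proxy (10.20.9.9) sits inside them.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log, not real traffic. External addresses are documentation ranges.
SAMPLE_FLOWS = """src,dst,dport,action
10.20.0.5,10.20.9.9,3128,allow
10.20.0.5,203.0.113.10,443,allow
10.20.0.6,198.51.100.7,443,deny
10.20.0.6,10.30.1.4,5432,allow
10.40.0.8,203.0.113.10,443,allow
10.20.0.6,203.0.113.44,53,allow
"""

def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_supplier_egress(flow_csv):
    """Return (host, dst, port, status) for supplier hosts contacting external IPs.

    status is "policy-gap" when the firewall allowed the flow, and
    "blocked-attempt" when it was denied (the control held, but the
    host still tried to leave the network and deserves a look).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        name = SUPPLIER_HOSTS.get(row["src"])
        if name is None or is_internal(row["dst"]):
            continue  # out of scope, or traffic that stays inside (proxy included)
        status = "policy-gap" if row["action"] == "allow" else "blocked-attempt"
        findings.append((name, row["dst"], int(row["dport"]), status))
    return findings

if __name__ == "__main__":
    for host, dst, port, status in audit_supplier_egress(SAMPLE_FLOWS):
        print(f"{status}: {host} -> {dst}:{port}")
```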