On July 25 this year, the FBI warned that supply chains are “increasingly a point of vulnerability for computer intrusions.” The warning comes at a time when supply chain attacks are on the rise. Security Intelligence reported that 62% of organizations surveyed experienced a supply chain attack in 2021. While many of those attacks were minor, more than half of the organizations surveyed claimed to have faced a significant or moderately impactful attack.
Third-party risk, otherwise known as supply chain cybersecurity risk, first surfaced in 2008, when the SANS Institute warned that digital picture frames sold at Walmart had been infected with a virus. That same year, Bloomberg Businessweek reported concerns that counterfeit, defective chips from China had been installed in U.S. warplanes and ships.
In 2013, Target’s air conditioning supplier inadvertently opened the door to a data breach that resulted in the theft of 40 million people’s credit card details. Over the last decade, we have seen an increasing number of supply chain cyberattacks. SolarWinds, CodeCov, Log4Shell, and Mimecast are just a few that have grabbed the headlines and shown enterprises just how vulnerable they are to nation-state-grade third-party attacks.
For businesses that rely on supply chains, these numbers are unsettling. No business can survive in a vacuum, but it sometimes seems to be the only choice to avoid damaging cyberattacks.
The Nature of Supply Chain Attacks
There are several different types of supply chain cyberattacks, each of which can compromise security and expose a company’s assets and network to nation-state-grade threat actors.
One frequent type of attack occurs when the threat actor uses access to one company’s network as a corridor into the target company’s network. The threat actor first compromises a vendor’s network, for example through phishing. Using the stolen credentials, the threat actor then abuses the trusted access extended to that vendor to enter the target network, where they can install malware or ransomware, breach data, or steal corporate secrets.
In the second type of attack, threat actors implant malicious code in the firmware of hardware components. Once the hardware is integrated and interfacing with other systems, the threat actor uses the malicious code to attack the network.
In other cases, hackers compromise software tools by embedding code in third-party software. This type of attack, made famous by the SolarWinds incident, is particularly far-reaching when it is carried out through popular software and plug-ins.
Advanced nation-state-grade attackers may also be able to pre-install malware on devices. In this case, hackers put malware on phones, USB drives, cameras, or other devices. When the device is connected to a computer or network, the malicious code moves into place, where it is poised to attack.
Sources of Third-Party Attack
Software-based third-party attacks usually come from one of three places.
Commercial software is tempting to threat actors. By installing their malware into a software solution that thousands of users will download, they have the opportunity to reach deep into a wide range of companies.
Open-source software can be another dangerous area. Anyone can contribute to the development of the software, making it easy for hackers to move in and introduce malicious code or vulnerabilities.
Both these types of attacks are highly effective. If no one notices the malicious code, threat actors gain access to thousands of potential victims without the need to infiltrate each one of their systems individually.
Foreign-sourced threats are another third-party risk. In countries like China, the government has access to and control over the software being produced. It can embed malicious code in that software, giving a foreign government access to sensitive systems.
Protecting Against Nation-State-Grade Supply Chain Attacks
Protection against supply chain attacks begins with a third-party risk assessment. The assessment should point to any vulnerabilities stemming from third-party activities. When possible, it’s worthwhile to review the software bill of materials (SBOM) of any software that’s been installed or is about to be installed in your system. It could point to components with known vulnerabilities.
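As an added illustration of the SBOM review step (example code written for this edit, not part of the original article or HolistiCyber’s own tooling): it parses a constructed CycloneDX JSON SBOM and flags components whose version falls inside a constructed advisory range. The advisory ids are placeholders, and the component list is illustrative.

```python
import json
import re

# Constructed CycloneDX-style SBOM (not a real system's BOM); advisory ids
# below are placeholders, not real CVE numbers.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "name": "log4j-api", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
]})

# Constructed advisory list: (purl without version, first affected, first fixed, id).
# A real review would load these ranges from an advisory feed.
ADVISORIES = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.0", "2.17.1", "ADVISORY-PLACEHOLDER-1"),
    ("pkg:pypi/requests", "0", "2.20.0", "ADVISORY-PLACEHOLDER-2"),
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so tuple comparison orders versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = re.split(r"[?#]", rest, maxsplit=1)[0]  # drop qualifiers/subpath
    return base, version

def load_components(sbom_json):
    """Yield (purl base, version) for every SBOM component that carries a purl."""
    for comp in json.loads(sbom_json).get("components", []):
        if "purl" in comp:
            yield split_purl(comp["purl"])

def find_vulnerable(sbom_json, advisories=ADVISORIES):
    """Return [(base, version, advisory id)] for components inside an affected range."""
    hits = []
    for base, version in load_components(sbom_json):
        ver = parse_version(version)
        for adv_base, introduced, fixed, adv_id in advisories:
            if base == adv_base and parse_version(introduced) <= ver < parse_version(fixed):
                hits.append((base, version, adv_id))
    return hits

if __name__ == "__main__":
    for base, version, adv_id in find_vulnerable(SAMPLE_SBOM):
        print(f"{base}@{version} is affected by {adv_id}")
```

Only the log4j-core entry is reported, because log4j-api has no advisory and the requests version is past the fixed release.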
Next, companies should encrypt sensitive data, particularly data that flows through third-party integrations. Even if the network is compromised, strong encryption such as the Advanced Encryption Standard (AES) is difficult to break, so the information stays protected.
Attack surface monitoring is another way to identify any supply chain risks. It monitors potential attack points continuously, letting your security team know if something is amiss.
Create a comprehensive incident response plan. If a third-party attack is successful, a well-designed plan should limit exposure to the attack and ensure there is minimal impact on business continuity.
Having a Security Operations Center (SOC) in place with a holistic view of the entire network infrastructure helps the team feel more prepared for any threats.
Our team at HolistiCyber has developed a third-party risk management program, which takes a proactive, offensive approach to protection against supply chain attacks. Our team views your network the same way a threat actor would and then finds ways to close any vulnerabilities.
We begin by assessing the current third-party risk management policy and threat map. From there, we create an updated policy and manage the integrations needed to implement the new policy.
Once the infrastructure is in place, we support onboarding new third-party suppliers. From there, we provide ongoing reporting and follow-up on changing risk levels of third-party vendors, adjusting the program as needed.
If you’re concerned about supply chain threats of any kind, outsourcing to the experts at HolistiCyber can keep your enterprise safe.
Are you looking to close any third-party vulnerabilities? Get in touch today!