The worst thing about supply chain attacks is that the breach is not entirely your fault. Simply by trusting software and services provided by a third party, organizations open the door to attack. Attackers look for a softer target in the supplier, gaining access they hope to leverage into more significant attacks.
According to research, supply chain attacks have been highly successful, growing by more than 300% from 2020 to 2021. Attackers have become emboldened because of successful attacks targeting major suppliers such as SolarWinds and Kaseya that affected thousands of their customers downstream.
Even though attackers are targeting vulnerable suppliers, your organization shouldn’t have to pay the price. In this blog, we’ll explore what puts these suppliers at risk and how to protect your organization.
Why Target Supply Chains?
Organizations rely on software and services provided by third parties to help operate multiple aspects of their business. There needs to be a great deal of trust in these providers, as they have to be granted access to organizational systems and data. Compromises to the trust granted to these organizations and software solutions can lead to massive data security breaches. If these vendors experience a cyber attack, all of the organizations they serve are subsequently at risk of a data breach.
Supply chain attacks exploit the trust relationship between vendor and customer, giving attackers elevated privileges and access to internal resources, at times even allowing them to gain access to organizational root or administrator credentials. With this level of access, attackers can ruthlessly pivot throughout the organization to find sensitive data or perform unauthorized actions.
Attackers traveling through the supply chain into different systems may not be solely focused on stealing data. Sometimes, they may be taking measures to engage in repeat attacks. Embedding rootkits and backdoors throughout the organization creates persistent access, providing pathways in for an extended period in the future.
How Is My Organization Susceptible?
Organizations become susceptible to an attack of this nature if they are part of a supply chain, granting a level of trust to external software and services. However, there are ways that organizations can increase the risk of an attack, including:
- Excessive Trust – Attackers slide in through trusted systems receiving patches and updates that are not thoroughly vetted because they are “trusted.”
- Insufficient Testing – Similar to granting excessive trust, with the abundance of patches and updates that come out, many organizations lack the time and resources to evaluate and assess everything on a regular basis, or they don’t include third party assets in their testing scope.
- Lack of Code Assessment – For organizations developing code, scanning and analyzing changes in external libraries could detect malicious code before it is included in a build.
- No Intrusion Detection – An attacker may slip in even when an organization follows best practices. Without the ability to detect the intrusion, the attacker can operate and conduct deeper attacks without being stopped.
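The "Excessive Trust" and "Lack of Code Assessment" points can be turned into a build gate. The following is an added example, not code from the original post: it hashes vendored third-party files and compares them against digests recorded when the files were last reviewed, reporting anything changed, new or missing. The file names, manifest layout and function names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large artifacts are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vet_artifacts(vendor_dir: Path, reviewed: dict[str, str]) -> dict[str, list[str]]:
    """Classify files under vendor_dir against {relative path: reviewed SHA-256}."""
    report = {"ok": [], "changed": [], "unreviewed": [], "missing": []}
    for path in sorted(p for p in vendor_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(vendor_dir).as_posix()
        if rel not in reviewed:
            report["unreviewed"].append(rel)  # new code nobody has looked at
        elif sha256_file(path) != reviewed[rel]:
            report["changed"].append(rel)     # differs from the reviewed copy
        else:
            report["ok"].append(rel)
    present = set(report["ok"]) | set(report["changed"])
    report["missing"] = sorted(set(reviewed) - present)
    return report


def build_allowed(report: dict[str, list[str]]) -> bool:
    """Fail closed: any unexplained difference blocks the build."""
    return not (report["changed"] or report["unreviewed"] or report["missing"])


def demo() -> dict[str, list[str]]:
    """Constructed sample: one library changed after review, one file added."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp)
        (vendor / "libfoo.py").write_bytes(b"def f(): return 1\n")
        (vendor / "libbar.py").write_bytes(b"def g(): return 2\n")
        reviewed = {n: sha256_file(vendor / n) for n in ("libfoo.py", "libbar.py")}
        reviewed["libgone.py"] = "0" * 64  # reviewed earlier, no longer shipped
        # Simulated vendor update arriving after the review was recorded.
        (vendor / "libbar.py").write_bytes(b"def g(): return 2\nimport os\n")
        (vendor / "postinstall.py").write_bytes(b"print('hi')\n")
        return vet_artifacts(vendor, reviewed)


if __name__ == "__main__":
    print(demo())
```

The reviewed-digest manifest only adds protection if it is stored and updated separately from the update channel it is checking.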
How to Prevent Supply Chain Attacks
Though no single tool or process will completely prevent supply chain attacks, a multi-layered approach will greatly reduce your risk. Taking the following proactive steps to harden your infrastructure will make it harder for attackers to gain a foothold and help prevent them from gaining traction if they get past the first lines of your defenses.
Decrease Trust Between Systems
Reducing the amount of trust granted between internal systems is vital to limiting attackers' ability to use a supply chain attack to drive deeper into an organization. Patches should be installed using local administrative/root accounts rather than global ones, which reduces the ability to carry permissions between systems.
Access levels on an endpoint should be defined using the principle of least privilege, so users only have the access necessary to do their job. A least privilege approach to permissions ensures that even if the attack allows attackers to steal credentials, the ability to gain access to other systems and resources is limited, decreasing the impact.
Organizations today typically enforce the principle of least privilege with a combination of identity governance solutions and privileged access management tools. Identity governance tools manage accounts across an organization, securely managing user access by assigning and restricting access based on established roles. Privileged access management (PAM) solutions streamline the administration of privileged access across an organization's IT systems, applications, and infrastructure.
Organizations can also reduce their risk by testing their IT environment and security processes. Vulnerability management solutions can prevent a business from becoming the weak link in the supply chain by identifying security weaknesses that could potentially serve as attack vectors.
Penetration testing can assess whether an organization is granting too much trust and how vigilant it is. For example, testers can run a social engineering test, simulating a compromised update to see if it’s automatically applied widely. Additionally, red team engagements can run a full attack scenario, testing the organizational defenses to see how well they could prevent, detect, or limit the damage of a supply chain attack.
By adopting a layered, proactive security strategy, businesses can make it significantly more challenging for attackers to pull off an attack, even if they manage to make it past the security perimeter. Fortra offers offensive security bundles to help organizations swiftly mature their security programs with multiple solutions that can identify security weaknesses before a supply chain attack ever occurs.