A major cybersecurity milestone was reached when the European Parliament approved the NIS2 directive. Cyberattacks have been of increasing concern in the last few years. According to Deloitte, cyberattacks have increased by 45% and up to +220% across the European Union. The EU Commission's proposal aims to strengthen the organizations' cybersecurity capabilities to address these threats through increased training and cyber awareness, better incident handling and cyber resilience, and more funding.
The NIS2 directive also classifies any entity that provides services essential to maintaining critical societal/economic activities as "operators of essential services, " placing additional pressure on these organizations to improve their security controls. Non-compliance with the directive may result in hefty fines (up to €10 million or 2% of global annual turnover), temporary bans against management, and the designation of a monitoring officer.
Supply chain software networks operating in the EU were just one of the sectors mentioned in the directive, creating an urgent impetus to implement cybersecurity risk management measures. In this article, we'll explore the risks that companies face and the steps they must take to protect their business from software supply chain attacks.
What Are Supply Chain Attacks?
A supply chain attack (also called a value chain attack or third-party attack) occurs when an outside party infiltrates a company's system through third-party software providers or partners with access to its network and information systems. Many companies use third-party providers that have access to their most sensitive data, which has increased the potential attack surface for most enterprise companies. As a result, the risks associated with a supply chain attack have never been higher.
Hackers have more resources and tools at their disposal and can launch devastating cyber attacks, as seen in the SolarWinds attack of 2020.
Examples Of Supply Chain Attacks
The SolarWinds attack was one of the most devastating and widespread cyber attacks in recent years. A group of hackers believed to be affiliated with the Russian government accessed computer systems belonging to multiple US government departments, including the Treasury and Commerce Departments, in a long campaign that is believed to have started in March 2020.
The attack involved hackers compromising the infrastructure of SolarWinds, a company that produces a network and application performance monitoring platform called Orion, and then using that access to produce and distribute trojanized updates to the software's users.
More than 18,000 customers were impacted, affecting 250 organizations across multiple supply chain layers. This attack highlights the severe impact software supply chain attacks can have and the unfortunate fact that most organizations are unprepared to prevent and detect such threats. Software supply-chain attacks are some of the hardest types of threats to prevent because they take advantage of trust relationships between vendors and customers and machine-to-machine communication channels.
Another supply chain attack in 2017, known as the NotPetya attack, targeted Ukrainian accounting software but quickly spread to other countries, resulting in $10 billion in damage and disrupting operations for several major corporations, including Maersk, FedEx, and Merck.
Similarly, in 2013, Target suffered a major supply chain attack when attackers compromised a third-party HVAC vendor. The attackers were able to gain access to Target's payment system, resulting in the theft of millions of customers' credit card records.
Mechanism of a Supply Chain Attack
Supply chain attacks require skill to execute, but the rewards are worth it, as they are very difficult to defend against. When commonly used software is compromised, attackers can gain access to all of the enterprises that use the software. Even supply chain security companies are at risk. In the case of SolarWinds, FireEye, a cybersecurity vendor, was breached. Businesses must assume that any and all of their vendors could be compromised at any time.
Supply chain attacks usually operate by delivering malicious software through a vendor or supplier. The attacker identifies a software vendor that is part of the target company's supply chain, and determines that they distribute software updates to their customers.
The attacker then gains unauthorized access to the vendor's systems, either through exploiting vulnerabilities or compromising credentials, and inserts malicious code into a legitimate software update through backdoors or malware.
The vendor unknowingly distributes the compromised software update to its customers as part of their regular update process, since it appears to be a legitimate update. The victim company, which trusts the software vendor, installs the compromised update as part of their routine software maintenance, thinking it is a legitimate and trusted update.
The malicious code in the update is then executed within the victim company's systems, giving the attacker unauthorized access to their networks, data, or systems. The attacker can now carry out a range of damaging activities, such as stealing sensitive data, gaining control over the victim's systems, or disrupting their operations.
Supply chain attacks are particularly dangerous because they can go undetected for a long time, and the victim may have no reason to suspect that the product or update they received is compromised.
Different Forms of Supply Chain Attack
Supply chain attacks come in different forms, including software, hardware and firmware attacks.
Software Supply Chain Attack
Software supply chain attacks require just one compromised application to deliver malware across the entire supply chain network. Attacks will target an app's source code and deliver malicious code throughout the entire system, often using updates as entry points. These software attacks are extremely difficult to trace as cyber attackers may use stolen certificates to "sign" the code and give it an appearance of legitimacy.
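The mechanism described above (a trojanized update delivered through the vendor's own channel, possibly signed with a stolen certificate) is defeated only if the consumer checks more than "the update arrived from the vendor". This added example, not code from the original article or from any vendor, shows the two checks a defender wants in an update verifier: the manifest must be signed by the one vendor key the operator pinned out of band, and the artifact's digest must match the digest in that signed manifest. The `Manifest` format, the product name and the update payload are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Manifest struct { // hypothetical vendor-published description of one update
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// VerifyUpdate accepts an update only if the manifest's signature verifies under the
// vendor key the operator pinned out of band AND the artifact's SHA-256 equals the
// digest in that signed manifest. A valid signature from any other key is rejected.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, artifact []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinned, manifest, sig) {
		return m, fmt.Errorf("manifest not signed by the pinned vendor key")
	}
	if err := json.Unmarshal(manifest, &m); err != nil {
		return m, fmt.Errorf("malformed manifest: %w", err)
	}
	sum := sha256.Sum256(artifact)
	if got := hex.EncodeToString(sum[:]); got != m.SHA256 {
		return m, fmt.Errorf("artifact digest %s differs from signed digest %s", got, m.SHA256)
	}
	return m, nil
}

// SignManifest is the vendor-side step, included only so the example runs end to end.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte) {
	manifest, _ = json.Marshal(m)
	return manifest, ed25519.Sign(priv, manifest)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // pinned key, constructed for the demo
	artifact := []byte("constructed update payload v2.1.0")
	sum := sha256.Sum256(artifact)
	manifest, sig := SignManifest(vendorPriv, Manifest{"example-agent", "2.1.0", hex.EncodeToString(sum[:])})
	_, err := VerifyUpdate(vendorPub, manifest, sig, artifact)
	fmt.Println("genuine update:", err)
	_, err = VerifyUpdate(vendorPub, manifest, sig, []byte("constructed update payload v2.1.0+backdoor"))
	fmt.Println("trojanized artifact:", err)
}
```

Pinning the key is what makes a stolen or rogue signing certificate fail: its signature is cryptographically valid, but not under the key the operator trusts.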
Hardware Supply Chain Attack
A hardware supply chain attack refers to a type of cyber attack where malicious actors compromise hardware in a supply chain to gain unauthorized access, control, or manipulation of the targeted system or device. This can involve tampering with hardware components, such as processors, routers, or other electronic devices, at various stages of the supply chain, from manufacturing to distribution. The compromised hardware can be delivered to the victim as a legitimate-looking product, but may contain hidden malicious functionalities and other types of malware. Once the compromised hardware is integrated into the victim's system, the attacker can exploit it to gain unauthorized access, steal data, manipulate operations, or disrupt critical functions.
Hardware supply chain attacks highlight the importance of robust security measures at every stage of the supply chain to ensure that your entire system is protected.
Firmware Supply Chain Attack
A firmware supply chain attack targets the firmware in your organization’s hardware, which is the low-level software that controls the functionality of hardware devices. In a firmware supply chain attack, malicious actors compromise the firmware during its manufacturing, distribution, or update process, injecting malicious code or tampering with its integrity.
Just like other supply chain attacks, this results in compromised firmware being installed on the victim's devices as legitimate-looking updates or products. Once the compromised firmware is installed, the attacker can gain unauthorized access or control of the targeted device.
What Businesses Are Under Threat From Supply Chain Attacks?
Any business that uses third-party vendors or suppliers is potentially vulnerable to supply chain attacks. This can include software vendors, cloud service providers, shipping companies, and more. However, certain industries are particularly at risk, including government agencies, financial institutions, and healthcare organizations.
According to a recent survey by Anchore, three out of five companies experienced software supply chain attacks in 2021, with only 38% reporting no impact. Over half of the surveyed organizations (55%) faced a significant or moderately impactful attack. It's clear that no one - including SMBs and private sector companies - is completely safe from attack.
How To Defend Against Supply Chain Attacks?
Supply chain attacks are becoming more frequent, and organizations are finding it challenging to secure their digital supply chain. However, there are still some strategies that organizations can implement to prevent supply chain attacks:
Deploy Honeytokens
Honeytokens are fake resources that pose as sensitive data. When attackers target these decoy resources, they act like tripwires that alert the organization of the attack attempt. Honeytokens not only provide advanced warning but insight into the attack.
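The tripwire behaviour described above reduces to a simple rule: a decoy credential has no legitimate user, so any appearance of it in a log is an incident. This added example (not code from the original article) scans constructed log lines for two planted decoys and reports which decoy fired and from which source address. The decoy values, log format and `src=` field are assumptions for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alert is raised whenever a planted decoy credential shows up in a log line.
type Alert struct {
	Token  string // description of the decoy that fired
	Source string // client IP parsed from the line, or "unknown"
	Line   string
}

// honeytokens are constructed decoys planted in config files, wikis and repositories.
// Nothing legitimate ever uses them, so any appearance is a hit, not a false positive.
var honeytokens = map[string]string{
	"AKIAHONEY0000EXAMPLE": "fake cloud access key in build config",
	"svc_backup_ro":        "fake service account in the password vault",
}

var srcRe = regexp.MustCompile(`src=(\d+\.\d+\.\d+\.\d+)`)

// ScanLogs returns one Alert per (line, decoy) pair found, in log order.
func ScanLogs(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		for tok, desc := range honeytokens {
			if !strings.Contains(line, tok) {
				continue
			}
			src := "unknown"
			if m := srcRe.FindStringSubmatch(line); m != nil {
				src = m[1]
			}
			alerts = append(alerts, Alert{Token: desc, Source: src, Line: line})
		}
	}
	return alerts
}

func main() {
	// Constructed sample log lines; only the first is legitimate activity.
	logs := []string{
		`2024-05-02T10:14:03Z auth ok user=alice src=10.0.0.7`,
		`2024-05-02T10:15:41Z storage GetObject key_id=AKIAHONEY0000EXAMPLE src=203.0.113.9`,
		`2024-05-02T10:16:02Z vault login user=svc_backup_ro`,
	}
	for _, a := range ScanLogs(logs) {
		fmt.Printf("ALERT %s from %s: %s\n", a.Token, a.Source, a.Line)
	}
}
```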
Secure Privileged Access Management
Secure Privileged Access Management (PAM) is a cybersecurity strategy that aims to protect critical systems and data from cyberattacks by controlling and monitoring privileged access to these resources. Privileged access refers to access granted to users who have administrative or superuser-level permissions, allowing them to perform sensitive tasks and access sensitive information.
In a cyberattack, attackers often target privileged accounts and credentials as a means of gaining unauthorized access to sensitive data or systems. Secure PAM helps prevent these attacks by enforcing strong authentication and authorisation controls, limiting the number of users with privileged access, and monitoring and logging all privileged activity.
Implement a Zero Trust Architecture (ZTA)
A Zero Trust Architecture assumes all network activity is malicious by default and only permits access to the intellectual property after passing a strict list of policies. The architecture is powered by a Policy Engine, Policy Administrator, and Policy Enforcement Point, which work together to decide whether network traffic should be permitted. The ZTA framework can be adapted to any ecosystem setup requirements, including securing remote endpoints.
Make Cybersecurity Part of Organizational Culture
It's important for staff to always assume that a data breach will occur instead of hoping that it won't. Cybersecurity must become part of an organization's culture, including:
People are a common entry point for cyberattacks because they are vulnerable to phishing scams and other social engineering tactics. The best way to prevent this is through cybercrime awareness training. This training educates employees about the latest phishing techniques, how to recognise and avoid them, and how to report them. By educating employees, organizations can reduce the risk of cyberattacks caused by human error.
All internal processes can be controlled and protected by instituting Information Security Policies (ISPs). ISPs set the boundaries of all approved internal processes and provide a framework for how data should be accessed, processed, and shared. By enforcing ISPs, organizations can protect their internal processes and reduce the risk of a data breach.
Additionally, access to sensitive resources should be restricted to a specific number of trustworthy staff, which can be achieved through the Principle of Least Privilege. Least privilege limits access to only what is necessary for an employee to perform their job duties, reducing the risk of privilege abuse.
Protecting Technology From Compromise
Technology is one of the most vulnerable attack surfaces and requires multiple layers of defense to be fully protected; companies should implement measures including:
- Antivirus software: Antivirus software is a critical defense against malware, viruses, and other types of malicious software. To ensure that antivirus software is effective, it should be kept updated with the latest threat intelligence.
- Multi-factor authentication: Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more forms of authentication before gaining access to a system or application. MFA can block up to 99.9% of automated cybercrime and can also identify unauthorized access attempts.
- Implement attack surface monitoring solutions: Organizations should also protect external vendor technologies as they are the first targets in a supply chain attack. Specialized solutions, like VendorRisk by UpGuard, identify all security vulnerabilities in vendor technologies that could be exploited in a supply chain attack.
- Deploy an intrusion detection system: Intrusion detection systems (IDS) work by detecting indicators of compromise (IoC) that correspond to a pattern characteristic for a particular cyber threat.
All companies must make every effort to protect their systems from cyber attacks. A cyber attack can not only severely impact the company's reputation and ability to function; it could also lead to hefty regulatory penalties and fines if the company is unable to prove that it has taken every measure possible to protect its data (and that of its customers).