+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

What is a supply chain attack?

The last 12 months has seen a notable increase in the number and scale of supply chain attacks.  The global interconnected market has opened unexpected access to many organisations through the suppliers they trust. Headline grabbing attacks at organisations like SolarWinds, Kaseya and Mimecast are just the tip of the iceberg – the number of significant supply chain attacks is expected to increase.  What are Supply Chain Attacks and how can you defend against them?

 

What is a Supply Chain Attack?

According to a new report from the European Union Agency for Cybersecurity, ENISA, a supply chain attack is actually a combination of at least two other attacks.  The first is an attack against a supplier which is then leveraged to attack either the end target customer or another intermediate supplier in order to move up the chain and eventually access the systems and assets of the end customer target.

When considering the risks posed by a potential supply chain attack, we need to consider not just being the final victim, but also the risk that we could be the supplier in the chain who is used to gain access to one of our customers – and the resulting reputational damage and costs that could result from that.  This is especially relevant for small businesses that enjoy having larger higher profile customers that could be a target for cyber criminals and for any business that supports or works for critical national infrastructure projects.

How do supply chain attacks work?

ENISA suggests supply chain attacks should be broken down by considering first the attack against the supplier and how that is achieved and then the attack against the customer and how that is perpetrated.  This is shown below in the table:

Supplier

 

Customer

 

How the supply chain is compromised

Supplier assets targeted

Techniques used to compromise the customer

Customer assets targeted

Malware infection [T1587] Pre-existing software Trusted Relationship [T1199] Data
Social Engineering Software Libraries Drive-by Compromise [T1189] Personal Data
Brute Force attack [T1110] Code [T1195.2] Phishing [T1566] Intellectual Property
Exploiting software vulnerability Configurations Malware Infection Software
Exploiting Configuration Vulnerability Data Physical Attack or Modification Processes
Open Source Intelligence (OSINT) Processes Counterfeiting Bandwidth
Hardware [T1195.3] Financial
People People
Supplier

(Source: EINSA and Mitre Attack)

The Lifecycle of a Supply Chain Attack

Supply Chain Attacks, by their very nature, are some of the most sophisticated and well-planned of all cyber-attacks.  They often take place over a long period of time as the criminals identify the supplier they need to compromise and then gain some form of persistent access before leveraging that access to target the end customer.  Because the attackers benefit from the trust given by the victim to their supplier, supply chain attacks can be extremely effective if a highly trusted supplier is compromised.  This was seen in the attack which used SolarWinds software as an attack vector against their clients.

A supply chain attack has two phases, first the attack against the supply chain and secondly the attack against the ultimate target.  The first phase may include the compromise of several organisations as the attackers work their way up the supply chain through each supplier’s supplier until the final supplier is reached who interfaces in some way with the ultimate target.

 

How to defend against supply chain attacks?

According to ENISA, many if not most supply chain attack are carried out by established APT groups who are often nation state actors.  This is not surprising given the planning and logistical complexity of these attacks.  And so, for organisations not running hospitals or nuclear power stations, it may be tempting to think that they will never be on the target list of a Russian APT group.  However true that may be – the risk is greater than you might expect- for two reasons.  Firstly, you may be part of the supply chain for a high-risk target without being aware and so may still be targeted.  Secondly, you could simply be collateral damage.  There are many organisations that use SolarWinds Orion that were not targeted by the APT group focussed on government and military targets, for example. However, once news of the attack broke, many other criminals attempted to use the SolarWinds vulnerabilities to attack their other customers in a gold-rush of cybercrime before SolarWinds was able to roll out security patches to shut down the vulnerabilities.

The interconnected nature of today’s global markets are leveraged to perform supply chain attacks.  Because many customers rely on the same supplier, an attack against one suppler has a multiplier effect as it can be used to access several of their customers.  Paradoxically, the better protected organisations become, the more focus shifts to their supply chain in order to try to find a weak link that can be exploited.

EINSA recommends several steps you can take to help mitigate risks from your supply chain:

  • Know who your suppliers are – document who they are and what products and services they provide
  • Define a risk criteria for each supplier and service to help you focus limited resources on the biggest risks (eg. A single point of failure or the trust given to the supplier’s product within your network)
  • Use your business continuity impact assessment to help assess the criticality of a supplier or service
  • Brief and train your team to be aware of supply chain risks
  • Conduct due diligence assessments of suppliers to ensure their own cyber security practices are at least as robust as your own
  • Define the security requirements for products and services clearly and monitor for compliance
  • Follow Cyber Supply Chain Risk Management principles for all technology suppliers
  • Ensure all supplier provided software patches are promptly applied
  • Adopt zero-trust security models to limit the impact of a compromised third party software in your network.

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.