The last 12 months have seen a notable increase in the number and scale of supply chain attacks. The globally interconnected market has opened unexpected routes into many organisations through the suppliers they trust. Headline-grabbing attacks involving SolarWinds, Kaseya and Mimecast are just the tip of the iceberg, and the number of significant supply chain attacks is expected to keep rising. What are supply chain attacks, and how can you defend against them?
What is a Supply Chain Attack?
According to a recent report from the European Union Agency for Cybersecurity (ENISA), a supply chain attack is a combination of at least two attacks. The first is an attack against a supplier; that foothold is then leveraged to attack either the end customer or another intermediate supplier, moving along the chain until the attackers reach the systems and assets of the end target.
When considering the risks posed by a potential supply chain attack, we need to consider not just being the final victim, but also the risk that we could be the supplier in the chain who is used to gain access to one of our customers, together with the reputational damage and costs that would result. This is especially relevant for small businesses with larger, higher-profile customers that could be a target for cyber criminals, and for any business that supports or works on critical national infrastructure projects.
How do supply chain attacks work?
ENISA suggests that supply chain attacks should be analysed by considering first the attack against the supplier and how it is achieved, and then the attack against the customer and how it is perpetrated. This is shown in the table below:

| Supplier: how the supply chain is compromised | Supplier: assets targeted | Customer: techniques used to compromise the customer | Customer: assets targeted |
|---|---|---|---|
| Malware infection [T1587] | Pre-existing software | Trusted Relationship [T1199] | Data |
| Social Engineering | Software Libraries | Drive-by Compromise [T1189] | Personal Data |
| Brute Force attack [T1110] | Code [T1195.002] | Phishing [T1566] | Intellectual Property |
| Exploiting software vulnerability | Configurations | Malware Infection | Software |
| Exploiting Configuration Vulnerability | Data | Physical Attack or Modification | Processes |
| Open Source Intelligence (OSINT) | Processes | Counterfeiting | Bandwidth |
| | Hardware [T1195.003] | | Financial |
| | People | | People |

(Source: ENISA and MITRE ATT&CK)
The Lifecycle of a Supply Chain Attack
Supply chain attacks, by their very nature, are some of the most sophisticated and well-planned of all cyber-attacks. They often unfold over a long period as the attackers identify the supplier they need to compromise, gain some form of persistent access, and then leverage that access to target the end customer. Because the attackers inherit the trust the victim places in its supplier, a supply chain attack can be extremely effective when a highly trusted supplier is compromised. This was seen in the attack that used SolarWinds software as a vector against SolarWinds' own customers.
A supply chain attack has two phases: first the attack against the supply chain, and second the attack against the ultimate target. The first phase may involve compromising several organisations as the attackers work their way along the chain, through each supplier's supplier, until they reach the supplier that interfaces in some way with the ultimate target.
How to defend against supply chain attacks?
According to ENISA, many if not most supply chain attacks are carried out by established APT groups, often nation state actors. This is not surprising given the planning and logistical complexity of these attacks. So, for organisations not running hospitals or nuclear power stations, it may be tempting to think that they will never be on the target list of a Russian APT group. However true that may be, the risk is greater than you might expect, for two reasons. Firstly, you may be part of the supply chain for a high-risk target without being aware of it, and so may still be targeted. Secondly, you could simply be collateral damage. Many organisations that use SolarWinds Orion were not targeted by the APT group, which focused on government and military targets. However, once news of the attack broke, other criminals attempted to use the SolarWinds vulnerabilities against its other customers in a gold rush of cybercrime before SolarWinds was able to roll out security patches to close them.
The interconnected nature of today's global markets is what supply chain attacks exploit. Because many customers rely on the same supplier, an attack against one supplier has a multiplier effect: it can be used to access several of that supplier's customers. Paradoxically, the better protected organisations become, the more attackers shift their focus to the supply chain in search of a weak link.
ENISA recommends several steps you can take to help mitigate risks from your supply chain:
- Know who your suppliers are: document who they are and what products and services they provide
- Define risk criteria for each supplier and service to help you focus limited resources on the biggest risks (e.g. a single point of failure, or the level of trust the supplier's product is given within your network)
- Use your business continuity impact assessment to help assess the criticality of a supplier or service
- Brief and train your team to be aware of supply chain risks
- Conduct due diligence assessments of suppliers to ensure their own cyber security practices are at least as robust as your own
- Define the security requirements for products and services clearly and monitor for compliance
- Follow cyber supply chain risk management principles for all technology suppliers
- Ensure all supplier-provided software patches are promptly applied
- Adopt zero-trust security models to limit the impact of compromised third-party software in your network
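One concrete control that sits between "apply supplier patches promptly" and "do not extend unconditional trust to third-party software" is an integrity gate: before any supplier-delivered artifact is installed, its digest is compared against a value pinned from a channel independent of the download. The following is an added example, not code from the page or from ENISA. The vendor artifacts, file names and manifest entries are constructed for the example; the digests are computed from the constructed bytes so it runs offline.

```python
"""Integrity gate for supplier-provided software: check each delivered
artifact against a manifest of digests pinned out-of-band before it is
installed. Standard library only."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample artifacts standing in for files a vendor delivers.
# Neither is a real release; the "tampered" copy simply has bytes appended.
GENUINE_UPDATE = b"vendor-agent 2.1.4 release build\n"
TAMPERED_UPDATE = GENUINE_UPDATE + b"# extra payload appended in transit\n"
UNLISTED_PLUGIN = b"optional-plugin 0.9 build\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


# Digests the customer records from an independent channel (for example the
# vendor's signed release notes), never from the download location itself.
# Here they are computed from the constructed sample so the example is
# self-contained; in practice they are copied in, not derived from the file.
PINNED_MANIFEST: Dict[str, str] = {
    "vendor-agent-2.1.4.tar.gz": sha256_hex(GENUINE_UPDATE),
}


def verify_artifact(name: str, data: bytes,
                    manifest: Dict[str, str] = PINNED_MANIFEST) -> Tuple[bool, str]:
    """Return (accepted, reason). Anything not pinned, or whose digest differs
    from the pinned value, is rejected rather than installed."""
    expected = manifest.get(name)
    if expected is None:
        return False, "not in pinned manifest"
    actual = sha256_hex(data)
    # Constant-time comparison: not strictly required for a public digest,
    # but it is the habit to keep whenever comparing an authenticator.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch (expected %s..., got %s...)" % (
            expected[:12], actual[:12])
    return True, "ok"


def audit_delivery(delivery: Dict[str, bytes],
                   manifest: Dict[str, str] = PINNED_MANIFEST) -> List[str]:
    """Check a whole delivery and return the names of artifacts that must not
    be installed. An empty list means every artifact matched its pin."""
    rejected = []
    for name, data in delivery.items():
        ok, _ = verify_artifact(name, data, manifest)
        if not ok:
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    delivery = {
        "vendor-agent-2.1.4.tar.gz": TAMPERED_UPDATE,
        "optional-plugin-0.9.tar.gz": UNLISTED_PLUGIN,
    }
    for name, data in delivery.items():
        print(name, verify_artifact(name, data))
    print("rejected:", audit_delivery(delivery))
```

The gate rejects two classes of artifact: anything modified between the vendor's publication and your install (a poisoned mirror, CDN or download path), and anything that turns up in a delivery without a pinned entry. It does not catch a compromise of the vendor's own build pipeline, where the supplier ships a validly built and signed artifact that is already malicious, as in the SolarWinds case; that is why the list above also calls for supplier due diligence and a zero-trust model that limits what the installed software can reach.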