Or for more information:

01488 648468 Have a chat with one of our team.
Need more information? Please get in touch.
Free Demo

How to protect your organisation against supply chain attacks


Modern companies work with subcontractors and third-party providers in so many ways: from secure cloud collaboration to monitoring corporate security and infrastructure health 24/7.

While these partnerships are beneficial to all parties, there are certain supply chain risks to consider.

Hackers are looking for ways to compromise supply chain networks and cause severe damage to large companies and organisations without attacking them directly.

These indirect yet devastating attacks are called supply chain attacks.

What’s the danger of supply chain attacks?

danger of supply chain attacks

So what is a supply chain attack? Basically, it’s a type of attack where hackers don’t target their initial goal directly.

Instead, they focus on finding and compromising the most vulnerable elements in their victim’s supply chain network: subcontractors and third-party providers an intended victim works with.

There are several ways of compromising a supply chain: from sending phishing emails in order to steal a supplier’s identity to injecting malicious code into a third-party software.

Software supply chain attacks pose the most danger since they are harder to detect. These attacks don’t target third-party provider accounts or corporate networks, but the third-party software used by a victim.

Such an attack can be performed by exploiting existent vulnerabilities in this software or by modifying this software with malicious code insertion.

The main focus for the attackers are:

  • Website builders
  • Third-party software providers
  • Third-party data storage vendors

For instance, hackers may target a software vendor and try to modify one of its products and inject their malicious code into it.

As the compromised software spreads among the clients of this provider, so does the malware.

As a result, hackers get a chance to cause damage to numerous companies and organisations by compromising just one supplier.

However, cyber supply chain attacks aren’t limited to compromising third-party software solutions. Attackers may also try to hack a supplier’s system and steal their credentials to get access to the main target’s network.

The supply chain silent threat hides in the difficulty of making sure that all your third parties take their cybersecurity seriously and responsibly enough. Especially, considering the fact that supply chain attacks are currently on the rise.

The rising threat of supply chain attacks

security standards

The practice of using suppliers and subcontractors to indirectly hit a larger target is becoming more common.

According to a recent report, by Vanson Bourne and CrowdStrike, two-thirds of surveyed companies suffered from a software supply chain attack in the past year. And the average cost of such attacks is estimated to be as high as $1.1 million.

However, what’s even more concerning is 71% of respondents admitted not holding their subcontractors to the same security standards they use. Also, the vast majority of surveyed experts and decision makers — nearly 80% — believe software supply chain attacks to be dangerous enough to consider it their biggest cyber threat.

Here are some examples of recent software supply chain attacks:

CCleaner — Hackers managed to compromise a legitimate application, using it to perform a backdoor attack, infecting over 2 million CCleaner customers worldwide. It’s noteworthy that hackers specifically targeted 18 large companies, including Sony, Intel, Asus, and VMWare. They modified one of the application functions to make it decode and load the malware.

M.E.Doc — Hackers compromised the update server used by the tax-accounting application M.E.Doc. Being used for spreading NotPetya ransomware, the supply chain attack affected operations of banks and companies worldwide, literally paralyzing entire networks. Companies such as FedEx and Maersk reported losing around $300 million each as a result of the attack.

PyPi — Hackers targeted the popular programming language — Python — by compromising PyPi servers and replacing original libraries with altered packages that included a check-in beacon.

Kingslayer — Hackers created a backdoor by targeting administrator accounts and replacing the legitimate application with its malware-containing version. As a result of this attack, at least one US defence contractor was compromised. Although, the exact number of infected companies remains unknown.

Transmission — Hackers compromised legitimate servers used for distributing the popular BitTorrent client. They injected a client’s installer with macOS ransomware.

In each of these cases, attackers picked a trusted, legitimate product or service and exploited it to harm a larger target.

In addition, there are numerous examples of large companies not taking third-party access management seriously enough:

Amazon — In 2017, hackers attacked several third-party vendors working with Amazon and used their credentials for posting fake deals on the platform.

Target — One of Target’s third-party vendors was hacked via phishing. Using the stolen credentials of that vendor, hackers get access to the Target’s billing network.

All these examples lead us to the main question: is it possible to mitigate the risks of supply chain attacks?

How to protect your organisation against supply chain attacks

How to protect your organisation against supply chain attacks

The lack of control over third parties is one of the main reasons supply chain attacks are even possible. Therefore, adapting your standard security procedures to include all of your vendors, suppliers, and third-party providers is advisable.

Here are some of the best practices for managing supply chain risks:

Vet your subcontractors — Don’t grant third parties access to your network until you vet their current security practices. Request and examine their cybersecurity policy and ensure they follow the same security and compliance standards that you do. Also, when deploying a new product from a third-party software provider, check if the developers used the security development lifecycle process.

Set protocols and SLA — Set specific rules for every aspect of cooperating with vendors: from accessing data to sending emails. Keep your cybersecurity standards consistent along the entire supply chain to make it harder for attackers to find a weak spot.

Deploy access management solutions — Use advanced identity and access management solutions for making sure that only legitimate users have access to your organisations’s critical assets and sensitive information. Also, consider using a one-time password scheme or integrating your access management solution with a ticketing platform.

Monitor your network — Having full visibility of vendor actions within your organisations’s network is crucial for ensuring a high level of cybersecurity. You can look for a specific third-party vendor monitoring solution or use a universal toolset for monitoring user activity and managing access.

Perform regular audits — Auditing third-party vendors’ activity on a regular basis is just as important as auditing your network. You can not only detect suspicious actions but also see if people are following security practices and uncover any new weak spots and vulnerabilities in your supply chain.

Conclusion

Understanding the difficulty of attacking large companies directly, hackers take advantage of indirect attacks by targeting their victim’s supply chain. They use various tactics: steal identities, compromise admin accounts, infect legitimate software and applications with malicious code, and so on.

In order to mitigate the risks of supply chain attacks, companies should reconsider their current security policies. Third-party vendors and suppliers are insiders as well and need to be included in the corporate Insider Threat Program and follow the same security practices and standards.

————————————————

Guest post: Marcell Gogan is a specialist within digital security solution business design and development, virtualization and cloud computing R&D projects, establishment and management of software research direction – working with Ekran System. He also loves writing about data management and cybersecurity.

———————————————–

Kahootz was one of the first cloud collaboration tools to receive pan-Government (UK) security accreditation and is used by government bodies such the UK’s Ministry of Defence and Department of Health and Social Care.

To discover how Kahootz meets the 14 Cloud Security Principles as defined by the UK Government, download our guide below.

Start your FREE 30-day trial.

Join hundreds of thousands of people across public sector organisations, enterprises and not-for-profits
who are using Kahootz to collaborate anytime, anywhere. No upfront commitment required.