Supply Chain Attack: What It Is & How To Detect It


A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in its supply chain. It can occur in any industry, from the financial sector and the oil industry to the government sector, and it can target software or hardware.

Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec’s 2019 Internet Security Threat Report states that supply chain attacks increased by 78% in 2018. 

What is a supply chain?

A supply chain is a network of individuals and companies involved in creating a product and delivering it to the consumer. Links in the chain begin with the producers of the raw materials and end when the van delivers the finished product to the end user. It includes every step involved in getting a finished product or service to the customer.

The steps may include sourcing raw materials, moving them to production, then transporting the finished products to a distribution center or retail store where they may be delivered to the consumer. Entities involved in the supply chain include producers, vendors, warehouses, transportation companies, distribution centers, and retailers.

The supply chain begins operating when a business receives an order from a customer. Thus, its essential functions include product development, marketing, operations, distribution networks, finance, and customer service.

When supply chain management is effective, it can lower a company’s overall costs and boost its profitability. If one link breaks, it can affect the rest of the chain and can be costly.

Supply chain management is a crucial process because an optimized supply chain results in lower costs and a more efficient production cycle. Companies seek to improve their supply chains so they can reduce their costs and remain competitive.

Understanding supply chain attack

A supply chain attack is a type of cyber attack that targets organizations by focusing on the weaker links in their supply chain. By going after a weak point in the supply chain, an attack is more likely to succeed, because attackers exploit the trust that organizations place in their third-party vendors.

Supply chain attacks can occur in any industry that contracts with third-party vendors, such as the financial or government sectors. They have grown in relevance because of new attack types and the high profile of the targets hit. Because weak links in a supply chain are an easier target for cybercriminals, organizations should pay closer attention to the security implemented at each step of their supply chain.

Cybercriminals use supply chain attacks to tamper with a company's manufacturing processes through either hardware or software. Malware can be installed at any stage of the supply chain, and the attack can also cause disruptions or outages of an organization's services.

Supply chain attacks allow for specific targeting, and the number of victims can grow quickly if the compromised vendor has many customers. They are difficult to detect, as they rely on software that is already trusted and can be widely distributed. In addition, there is often no single team within an organization that owns third-party vendor management, so a risk reported to one team tends to get pushed from one team to another.

What do supply chain attacks do?

The goal is to infiltrate and disrupt a weak point of a system within an organization’s supply chain with the intent to cause harm. One typical way of doing this is by attacking a third-party supplier or vendor connected to the actual target. Attacks are typically made on third parties that are considered to have the weakest cybersecurity measures by the attacker.

When the weakest point in the supply chain is identified, the hackers can focus on attacking the main target.

Supply chain attack vectors

Supply chain attacks can be either hardware- or software-based. More specifically, they can occur by compromising software build tools, stealing code-signing certificates, shipping specialized code inside hardware components, or installing malware on a third party's devices.

A supply chain attack may begin with an advanced persistent threat (APT) that is used to determine the weakest point in an organization's supply chain, generally a third-party vendor or application. Once that weak point is discovered (in a software supply chain attack, for example), malware in the form of worms, viruses, spyware or a Trojan horse is injected into the system.

The malware can then be used to modify the source code the third party uses and, from there, to gain access to the target's data.

These cyber-attacks could occur at any location in the supply chain.

Supply chain risks

Supply chain attacks can pose a large risk to organizations today. Organizations affected can include financial and government systems, as well as other industries, such as retail, pharmaceutical, and information technology (IT) systems.

A major risk that opens an organization up to supply chain attacks is sharing data with third parties, vendors or suppliers. Even though sharing that data may be essential to operations, it carries an inherent risk. Likewise, every additional vendor an organization adds to its supply chain increases the number of attack vectors.

How to detect a supply chain attack

To detect supply chain attacks effectively, an organization should first have a systematic verification process in place for every possible pathway into a system. An inventory of all assets and data pathways within the supply chain should be built; this helps reveal potential security gaps.

The next step is to create a threat model of the organization's environment. The threat model can map assets to adversary categories, and those categories can then be rated to gauge how severe an attack could be. These scores should be updated continually, and assets should be ranked from most at risk to least at risk.

All new updates should be tested as they are released. Tests to detect supply chain attacks should be able to find malicious file activity, registry keys, and mutual exclusion (mutex) objects that malware creates. This process should also be automated.
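The following script is an added example, not code from the original article: it applies the automated update test described above by diffing constructed sandbox events from a new vendor update against a baseline run of the previous version, flagging file drops outside the install directory, Run-key writes and new mutexes for analyst review. The event format, vendor name and paths are assumed.

```python
import re
from collections import Counter

# Constructed sample events from an automated sandbox run (assumed
# format: "<event_type> <detail>"); not real telemetry.
BASELINE_EVENTS = """\
file_write C:\\Program Files\\AcmeUpdater\\acme.exe
file_write C:\\Program Files\\AcmeUpdater\\acme.dll
registry_set HKLM\\SOFTWARE\\Acme\\Version
"""

NEW_UPDATE_EVENTS = """\
file_write C:\\Program Files\\AcmeUpdater\\acme.exe
file_write C:\\Program Files\\AcmeUpdater\\acme.dll
registry_set HKLM\\SOFTWARE\\Acme\\Version
file_write C:\\Users\\Public\\svc.dll
registry_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
mutex_create Global\\svc_lock
"""

# Behaviours that merit review in a vendor update even when they are new.
SUSPICIOUS = [
    ("registry_set", re.compile(r"\\CurrentVersion\\Run\\", re.I), "persistence via Run key"),
    ("file_write", re.compile(r"\\Users\\Public\\|\\Temp\\", re.I), "file dropped outside install dir"),
    ("mutex_create", re.compile(r".*"), "new named mutex"),
]

def parse_events(text):
    """Parse 'type detail' lines into (type, detail) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        etype, _, detail = line.partition(" ")
        events.append((etype, detail))
    return events

def diff_update(baseline_text, update_text):
    """Return events seen in the update but not in the baseline, with reasons."""
    baseline = set(parse_events(baseline_text))
    findings = []
    for etype, detail in parse_events(update_text):
        if (etype, detail) in baseline:
            continue
        reasons = [why for t, pat, why in SUSPICIOUS if t == etype and pat.search(detail)]
        findings.append({"event": etype, "detail": detail, "reasons": reasons})
    return findings

def summarize(findings):
    """Count how many findings carry each review reason."""
    return Counter(r for f in findings for r in f["reasons"])
```

In practice the baseline comes from the vendor's previously vetted release, so any new behaviour is reviewed before the update is rolled out.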

Example of supply chain attacks

There are several ways a supply chain can be attacked. Theft of a vendor's credentials, for instance, can lead to the infiltration of the companies affiliated with that vendor.

For example, Target was the victim of such an attack in 2013. Its security measures were breached when one of its third-party vendors' credentials was compromised. Those credentials included logins, passwords, and network access to Target's systems. The vendor's questionable security practices allowed hackers to gain entry into Target's systems, resulting in the theft of 70 million customers' personally identifiable information.

The aftermath of the breach led to the CEO's resignation and enormous costs for the company, which topped $200 million.

How to prevent a supply chain attack

The U.S. passed the Comprehensive National Cybersecurity Initiative (CNCI) and the Cyberspace Policy Review, which provide federal funding for the development of multipronged approaches to supply chain risk management (SCRM). Likewise, the U.K. Department for Business, Innovation & Skills (BIS) outlined an effort to protect small and medium-sized enterprises (SMEs) from cyber attacks such as supply chain attacks.

There are also several practices that help prevent supply chain attacks, including the following:

  • Evaluating the risks of third parties. An organization can ask vendors to perform self-assessments to help confirm that they are secure enough to work with.
  • Reducing the number of individuals within the organization who have the authority to install third-party software, which shrinks the attack surface.
  • Including supply chains in incident response and remediation plans to enable a fast response and minimize damage if an attack does occur.
  • Reviewing who has access to which sensitive data, and limiting that access to only those who need it.
  • Making sure the organization's data is deleted from the vendor's systems once a contract with that vendor ends.
  • Investing in tools from security firms that provide automated threat forensics and malware protection against advanced cyber threats.

In addition, organizations can use the MITRE ATT&CK framework, which provides up-to-date cyber threat information to organizations that want stronger cybersecurity strategies.
