
What Is a Supply Chain Attack?

October 27, 2025

Like experienced anglers, cybercriminals carry a tackle box full of techniques to exploit. When one lure stops working, they switch to a different kind of bait. In recent years, supply chain attacks have become a rising threat, increasing by over 425% in just a few years. What are supply chain attacks, and how can your organization protect itself?

How Supply Chain Attacks Work

What is a supply chain attack?

Supply chain attacks are cyberattacks that use third-party vendors as the way into a target organization’s systems. This can include service disruptions, such as taking down a company’s network by attacking its ISP. Most of the time, though, the term refers to software supply chain attacks, where bad actors take advantage of a product’s vulnerabilities to attack the computer systems of that product’s customers.

Software Dependencies and Open Source Libraries

When software developers create programs, they rarely write all the code from scratch. Many pull from code libraries for specific functions. These external references are called dependencies. They’re like time-saving templates.

If a cybercriminal finds a vulnerability in one of those dependencies, every application that includes that code is now vulnerable.

Compromised Updates

If hackers can somehow modify an application’s source code, they can introduce malware or create openings to exploit later. When the vendor’s customers download the latest update, the malware can spread onto their networks. Ransomware attacks or data breaches then happen quietly from the inside, where they’re much harder to detect and contain.
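The two mechanisms above (a tampered dependency and a tampered update) share one defensive check: record the hash of each artifact when it is reviewed, and refuse to deploy anything whose content no longer matches, or that was never reviewed at all. The following is an added example, not code from the original post; the artifact names and contents are constructed, and the pin file is a minimal stand-in for a real lock file or signed manifest.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample: the artifacts an organization reviewed and approved.
# The names are hypothetical, not real packages or products.
APPROVED_ARTIFACTS: Dict[str, bytes] = {
    "libparse-1.4.2.tar.gz": b"libparse source, reviewed release 1.4.2",
    "monitor-agent-3.0.1.msi": b"monitor agent installer, reviewed 3.0.1",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_pins(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 of each reviewed artifact (a minimal lock file)."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}

def verify_artifacts(incoming: Dict[str, bytes], pins: Dict[str, str]) -> Dict[str, str]:
    """Classify each incoming artifact: 'ok', 'tampered' (content changed under
    a pinned name) or 'unpinned' (never reviewed). Pinned artifacts that did
    not arrive at all are reported as 'missing'."""
    verdicts: Dict[str, str] = {}
    for name, data in incoming.items():
        expected = pins.get(name)
        if expected is None:
            verdicts[name] = "unpinned"
        elif hmac.compare_digest(sha256_hex(data), expected):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "tampered"
    for name in pins:
        verdicts.setdefault(name, "missing")
    return verdicts

def safe_to_deploy(verdicts: Dict[str, str]) -> bool:
    """Block the rollout unless every artifact verified cleanly."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())

def simulate_compromised_update() -> Dict[str, str]:
    """Constructed scenario: the vendor's installer is altered upstream and a
    new, never-reviewed dependency shows up in the download set."""
    pins = build_pins(APPROVED_ARTIFACTS)
    incoming = dict(APPROVED_ARTIFACTS)
    incoming["monitor-agent-3.0.1.msi"] += b" (altered after review)"
    incoming["helper-0.1.0.whl"] = b"unreviewed transitive dependency"
    return verify_artifacts(incoming, pins)

if __name__ == "__main__":
    result = simulate_compromised_update()
    for name, verdict in sorted(result.items()):
        print(f"{verdict:9s} {name}")
    print("deploy:", safe_to_deploy(result))
```

In practice the pins come from a signed manifest or lock file committed alongside the code, so an attacker who replaces the download cannot also silently replace the expected hash.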

Direct Cyberattacks and Third-Party Data Breaches

Sometimes, hackers target software vendors directly. The cybercriminals may use a phishing attack to trick their way into the vendor’s database, where they steal sensitive customer data.

That data often includes usernames, passwords, email addresses, and potentially payment card details. Armed with it, attackers can craft far more persuasive phishing emails, because messages that appear to come from someone in your organization, like the CIO or an IT manager, are much harder to dismiss.

Platform Vulnerabilities

The third way that software supply chain attacks work is by compromising the vendor’s platform. This can impact SaaS (software), PaaS (platform), and IaaS (infrastructure) providers.

Say a bad actor wants to get access to Enterprise A’s secure files, which are stored in the cloud. Instead of stealing the login credentials of a high-ranking Enterprise A executive, the attacker could target the cloud-storage vendor instead.

Some supply chain attacks succeed because of underlying vulnerabilities or faulty software updates. Other times, customers misconfigure the software, failing to enable important access controls.

Why Supply Chain Attacks Are a Threat to Enterprises

Risk management is important in supply chain attack prevention.

Effective enterprise risk management depends on being able to identify, categorize, and minimize threats. Normally, your organization can pull from a lot of internal data for risk assessments. You can design controls and implement changes to make your policies, processes, and systems more secure. But how can you do the same for a third-party vendor?

Supply chain attacks add risk to enterprise organizations that is harder to quantify or control. Unlike your own team, you can’t usually see the day-to-day operations of third-party companies. You have to rely on independent audits, which don’t always tell the whole story.

What Supply Chain Attacks Look Like: Recent Examples

Supply chain attacks don’t just involve small IT service providers. They can hit well-known software developers, potentially impacting thousands of enterprise customers. 

Okta Data Breach

You wouldn’t expect a firm dedicated to identity and access management to be involved in a data breach, but its services are exactly why it’s such a tempting target for cybercriminals. The breach exposed Okta’s entire customer support database, giving hackers access to email addresses, names, and session tokens from countless clients. Affected Okta customers included 1Password, T-Mobile, OpenAI, Cloudflare, FedEx, Zoom, and many other brands.

MOVEit Vulnerability

Taking advantage of a vulnerability in the widely used MOVEit file transfer application, bad actors were able to infiltrate more than 11,000 organizations. These include some of the largest and most secure entities in the world:

  • British Airways
  • Medibank
  • Deloitte
  • PwC
  • U.S. Department of Energy
  • Honeywell

Some businesses faced massive data breaches. Others were the victims of ransomware attacks. Colorado State University faced multiple attacks after the exposure.

SolarWinds Malicious Software Update

During a months-long precision attack, state-backed cybercriminals inserted malicious code into an Orion security update. The infected update installed a backdoor into the systems of SolarWinds’ 18,000 customers. Hackers went undetected for months, compromising Cisco, Intel, Microsoft, the NSA, the US State Department, Visa, Mastercard, and other organizations.

How To Protect Your Organization Against Supply Chain Attacks

Good cybersecurity can protect enterprises from supply chain attacks.

Third-party attacks have forced enterprises to rethink their cybersecurity strategies. The right question isn’t how to prevent supply chain attacks. Instead, staying secure means learning to monitor, manage, and mitigate vendor risk.

1. Zero Trust Security

Change how your organization treats vendor authentication and relationships. Don’t give any software, app, or tool trusted status. Require all users to provide authentication (with MFA) for access, every time.

2. Threat Intelligence and Real-Time Monitoring

Treat your network as if a data breach is always possible. Monitor system resources, user log-ins, access logs, and program activity for suspicious patterns. Real-time defenses require a combination of advanced anti-malware software and responsive IT teams.

3. Vendor Compliance Monitoring

Don’t take vendor promises at face value. For high-risk systems, require software providers to use a real-time third-party compliance tracking platform.

Verify vendor controls with detailed reporting. Periodic network security scans are also essential. 

4. Software Supply Chain Management

It’s not enough for vendors to have SOC 2 compliance or ISO 27001 certification when you sign the agreement. You need to make sure vendors remain compliant while you’re using their services. Supply chain management involves creating a comprehensive vendor inventory and acting quickly to address compliance failures or announced breaches.

5. Incident Response Practice Sessions

Data breaches should never catch enterprises unprepared. Create incident response policies and practice relevant scenarios periodically. Know what to do in a ransomware situation to minimize the damage to your systems and data.

Strengthen Your Defenses Against Supply Chain Attacks

The more vendors your organization has, the greater the risk of supply chain attacks affecting your data or operations. Comprehensive third-party management is more important than ever. 

Compyl streamlines supply chain security by centralizing vendor information, automating risk prioritization, and enhancing the quality of assessments and mitigation strategies. See how this cutting-edge vendor risk management solution can strengthen your cybersecurity today.
