The supply chain is a vital enabler of business across the globe. Third-party vendors add functionality, move goods, and generally support manufacturing and business processes. But the supply chain is also an Achilles heel: attackers look for weaknesses in the chain so that they can exploit these trusted relationships.
A recent survey from BlueVoyant on supply chain dynamics and visibility highlights the part that the vendor ecosystem plays in cybersecurity risk, finding that a staggering 97% of firms had been "negatively impacted" by a cybersecurity breach at a supplier. The report attributes this to a lack of visibility across the chain, which in turn leads to weak enforcement of security measures at suppliers.
Vendors are essential to making modern business work well, so how does an organization manage and secure this most vital resource?
Supply chain attacks are insidious and far-reaching. This was nowhere better illustrated than in the recent SolarWinds attack. SolarWinds is a software supplier to many corporate and government clients. The attackers compromised the company's build environment and inserted a backdoor into the Orion software itself, so that it was included in signed updates. When clients installed the next Orion update, they installed the backdoor along with the legitimate software, and the vendor's own trusted update channel became the delivery mechanism.
Supply chain attacks are all too common. Back in 2013, the Target breach made global waves: the attackers entered Target's network using credentials stolen from a third-party HVAC vendor, and the incident reportedly cost the company $202 million in customer claims, legal, and other costs.
In the first quarter of 2021, supply chain attacks on U.S.-based organizations increased by 42%. A report from ENISA into supply chain attacks found that in 58% of cases, access to data was the main focus, and that 62% of attacks on customers relied on exploiting their trust in the supplier.
As supply chains come under increasing threat, how can an organization reach out across this disparate web and tighten security? To understand how to fix this we need to understand how supply chains are being abused by hackers.
There are several reasons behind the exploitation of supply chains by cybercriminals, each builds upon the previous to create a perfect storm:
Supply chains are by their nature made up of entities separate from the lead organization, and this leads to visibility issues. The BlueVoyant study's main finding was that a lack of visibility across the supply chain is a fundamental vulnerability in data governance and management. The study concluded:
“Vendor risk visibility and continuous third-party monitoring remains concerningly low despite heightened awareness of the risk and substantial budget increases to tackle the problem.”
Many modern supply chains are highly complex, typically having multiple tiers, which makes visibility even more difficult and fragments security measures. Controls applied by one organization rarely extend to the next tier, so they have little effect across the chain as a whole. This complexity creates a large attack surface with many touchpoints. If an attacker can circumvent security at one point in the chain, for example by social engineering or phishing a smaller supplier, the effects can cascade through the chain to the root organization.
A further ENISA report points out that 95% of phishing emails need human intervention to begin the process that leads to a malware infection. The relationship with a supply chain vendor is a trusted one, and this is not lost on cybercriminals: they abuse that trust by compromising third-party vendor email accounts, or imitating vendor brands and domains, and then use them to send convincing phishing emails to other organizations in the chain. An email that appears to come from a known supplier, about an expected invoice or shipment, is far more likely to be acted on than one from a stranger.
Social engineering is used within supply chains to target the email accounts of employees in accounts payable and finance. Vendor Email Compromise (VEC) uses stolen login credentials to take over a genuine vendor mailbox, so the fraudulent mail comes from the real vendor domain and passes email authentication. The Agari Cyber Intelligence Division (ACID) found that the group "Silent Starling" was infiltrating vendor email accounts to trick customers into paying fake supplier invoices, typically by asking for payment to "updated" bank details. This type of compromise is proving lucrative for cybercriminals, so it is likely to become a favored tactic.
Managed service providers (MSPs) are attractive to cybercriminals because one compromised MSP gives access to many clients. The 2020 Datto "Global State of the Channel Ransomware Report" describes an attack on Universal Health Services (UHS) that started with a phishing campaign against an MSP to steal credentials. The stolen credentials were then used to reach client networks and deploy ransomware.
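The patterns in the two preceding sections (imitated vendor domains, direct spoofing of a vendor domain, and VEC from a compromised real mailbox) can be triaged mechanically. The script below is an added example written for this page, not code from the original article or from SpamTitan. It parses a few constructed supplier emails and flags four indicators, each aimed at a different abuse of vendor trust: a lookalike sender domain (which, being attacker-registered, passes SPF/DKIM/DMARC for itself), failed sender authentication (a direct spoof), a Reply-To outside the sender's domain, and payment-change language. The vendor list, domains and messages are all hypothetical.

```python
"""Triage supplier e-mail for supply chain phishing indicators.

Added example, not from the original article or SpamTitan. The vendor list,
domains and sample messages are constructed for illustration only.
"""
import difflib
import email
import email.utils
import re
from email import policy

# Hypothetical approved supplier domains (constructed).
KNOWN_VENDORS = {"acme-supply.com", "northwind-logistics.net"}

# Substitutions attackers use so a registered lookalike reads like the real domain.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Wording typical of fake-invoice VEC fraud ("please use our updated bank details").
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\s+(bank|account|wire|payment|remittance)\s+"
    r"(details|account|number|instructions|information)\b", re.I)


def normalize(domain):
    """Undo common homoglyph substitutions so a lookalike compares equal to its target."""
    d = domain.lower()
    for bad, good in HOMOGLYPH_PAIRS:
        d = d.replace(bad, good)
    return d


def domain_of(header_value):
    """Domain part of the first mailbox in a From/Reply-To header ('' if none)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain):
    """Known vendor domain that `domain` imitates, or None if it is genuine/unrelated."""
    if not domain or domain in KNOWN_VENDORS:
        return None
    norm = normalize(domain)
    for vendor in sorted(KNOWN_VENDORS):
        if norm == vendor or difflib.SequenceMatcher(None, norm, vendor).ratio() >= 0.9:
            return vendor
    return None


def auth_failures(msg):
    """Non-passing SPF/DKIM/DMARC verdicts from Authentication-Results headers (RFC 8601)."""
    return [f"{m.group(1)}={m.group(2)}"
            for hdr in msg.get_all("Authentication-Results") or []
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(?!pass\b)(\w+)", str(hdr))]


def triage(raw):
    """Return the list of indicators found in one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    findings = []
    vendor = lookalike_of(from_domain)
    if vendor:
        findings.append(f"lookalike-domain:{from_domain}->{vendor}")
    findings += [f"auth:{f}" for f in auth_failures(msg)]
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PAYMENT_CHANGE.search(body.get_content()):
        findings.append("payment-change-request")
    return findings


# Constructed sample messages, one per technique discussed above.
SAMPLES = {
    "legitimate": b"""From: Acme Billing <billing@acme-supply.com>
To: ap@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supply.com; dkim=pass header.d=acme-supply.com; dmarc=pass header.from=acme-supply.com

Invoice 4471 is attached. Payment terms are unchanged.
""",
    # Attacker-registered lookalike: authentication passes for *its own* domain.
    "lookalike": b"""From: Acme Billing <billing@acme-supp1y.com>
To: ap@example.com
Subject: Invoice 4471 - overdue
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supp1y.com; dkim=pass header.d=acme-supp1y.com; dmarc=pass header.from=acme-supp1y.com

Invoice 4471 is overdue. Please settle today.
""",
    # Direct spoof of the real vendor domain from an unauthorised server.
    "spoofed": b"""From: Acme Billing <billing@acme-supply.com>
To: ap@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=acme-supply.com; dkim=none; dmarc=fail header.from=acme-supply.com

Invoice 4471 is attached.
""",
    # VEC from a compromised genuine mailbox: only Reply-To and content give it away.
    "vec": b"""From: Acme Billing <billing@acme-supply.com>
Reply-To: Acme Billing <billing@acme-supply-remit.com>
To: ap@example.com
Subject: Invoice 4471 - updated remittance
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supply.com; dkim=pass header.d=acme-supply.com; dmarc=pass header.from=acme-supply.com

Please use our updated bank details below for invoice 4471 and all future payments.
""",
}


def triage_all():
    """Triage every constructed sample; returns {name: findings}."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name:>10}: {findings or ['clean']}")
```

The four samples show why no single control is enough: the spoofed message is caught only by authentication results, the lookalike passes authentication and is caught only by domain comparison, and the VEC message from a genuinely compromised vendor mailbox passes both and is caught only by the Reply-To redirection and the request to change payment details. In practice the last category should route to a human verification step (a phone call to a known contact) rather than an automated block.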
All these pieces come together to build an ideal playground for cybercriminals to attack.
One of the most illuminating findings of the BlueVoyant report was that supply chain security failures continue even as cybersecurity budgets grow. The likely explanation is that the controls being deployed do not extend across a disparate, but internet-connected, supply chain: any link in the chain can be compromised and used as a trusted foothold into the rest of the vendor network. Because phishing is behind so many of these attacks, email security deserves particular attention. Every email across a supply chain should be treated with a zero-trust lens, including mail that appears to come from a known supplier, since a compromised vendor mailbox will pass sender authentication. To keep email secure across the entire chain, and to stop malware such as ransomware propagating from one organization to the next, a cloud-based email security platform that can be applied consistently across all participants should be deployed. SpamTitan uses a defense-in-depth approach to protect against supply chain phishing, including machine learning to identify previously unseen phishing campaigns. Deploying such protection hardens the chain against phishing and social engineering so that all vendors benefit.