A little over 50 years ago, on July 20, 1969, humans first landed on the moon. Among the many amazing feats involved, it took just over eight years from the time President John F. Kennedy issued his famous challenge for the American space program to Neil Armstrong coming down the ladder with a small step and a giant leap. Critical to that success was a strong supply chain that could stand up to global scrutiny and extreme time pressure. Today, you can apply the same attitude to supply chain cybersecurity.

And, you can manage supply chain disruptions by putting supply chain cybersecurity best practices in place. But, planning ahead is key. And, working ahead to find out who are company decision-makers and how to get approval up the chain saves precious time and helps you remain calm under pressure.

How to Cut Down on Cybersecurity Supply Chain Risks

Whether your supply chain is directly targeted or a link in your chain is the target, the impact is usually the same. In both cases, resisting the attack is your shared goal. So, taking these prudent steps will give you confidence that your supply chain cybersecurity is solid, and you’ll know how to recover from a hit to one or more critical suppliers. 

1. Select Vendors With Care

The first step is selection and inventory. Inserting the supply chain cybersecurity function into the vendor selection process provides value in two ways. First, the security team can help surface critical issues as selection criteria. Second, the security team is aware of that vendor’s role from the beginning of the partnership. You need to extend the same awareness to your existing vendors. Therefore, building an inventory of your current vendors completes this essential first step.

2. Assess Your Own Readiness

Equipped with your inventory, it’s time to move on to assessment. In this step, apply the same cyber resilience criteria you use to evaluate your own readiness to evaluate your critical vendors’ readiness.

To do this well, or even to do this at all, requires establishing a collaborative relationship with your counterparts. Both groups need to establish mutual respect and leverage the strength of the business partnership. Don’t let your team be boxed into the ‘security cop’ role; build on the partnership that the business units should be fostering.

This partnership will help in the next step, too — remediation. The other reason you want to be a partner and not the security cop is that security cops are often relegated to conducting an assessment that mirrors a compliance framework or questionnaire. While these are essential tools, we all know being compliant does not mean being secure. Compliance on paper is only slightly effective in reducing the impact of supply chain cyber attacks. A true team effort will hopefully lead to frank discussions about strengths and weaknesses.

Ransomware, for instance, continues to run rampant. You can help suppliers emphasize encryption for private data crucial to your operation or might invest in a solid backup scheme. This will both improve their supply chain cybersecurity posture and blunt the impact of a ransomware attack.

Going further up the value chain with your supplier, you might need to help them with their software development life cycle (SDLC). You should know their SDLC is not vulnerable to known attacks targeting code sharing repositories, such as the Octopus Scanner malware. Octopus Scanner is open source supply chain malware that targets Apache NetBeans and infected multiple GitHub projects earlier this year.

3. Boost Cyber Resilience 

Having completed your assessment, the next step is remediation. In this step, it is vital to build on the frank discussions you had about strengths and weaknesses and use them to bolster security on both sides. Use the strengths of both organizations to shore up both sets of weaknesses. Don’t assume it’s a one-way street where you dictate a solution. This way, you increase cyber resilience. Together, you are stronger than each of you are alone. After all, that’s the premise for your companies working together in the first place.

4. Have a Run Book Handy

The fourth and final step is to create a run book for incident response. A run book is more than just a phone number to call when work with this supplier is disrupted. The best practice would be to run through tabletop exercises with examples of supply chain attacks and practice responding together. This way, both of your teams know what to do when real incidents occur.

Another approach, for the really deep partnerships, would be to red team each other. Fair warning, though, even if your contract with the supplier includes the right to perform vulnerability scanning or penetration testing, do not do this without defining the test parameters in advance. This could create a problem that could damage your partnership.

Now that you have done the hard work in your four-step supply chain cybersecurity process, stay calm. The incident response plan for your supply chain is ready.

More from Incident Response

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Breaking Down a Cyberattack, One Kill Chain Step at a Time

In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). Organizations…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…

What is a Red Teamer? All You Need to Know

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice. The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team…