The past two years have delivered major disruptions for supply chains. The pandemic pushed supply chain attack issues front-and-center, with disruptions up 67% in 2020 and problems expected to persist as global markets adjust to ‘new normal’ operations.

Increasing reliance on digital supply solutions, however, has also set the stage for increasing supply chain attacks. These attacks are expected to increase four-fold in 2021.

Here’s what enterprises need to know about supply chain threats. Check out the current state of supply chain security, plus what steps you can take to reduce total risk.

What Is a Supply Chain Attack?

A supply chain attack occurs when threat actors compromise enterprise networks using connected applications or services owned or used by outside partners, such as suppliers. Sometimes, experts also refer to these as third-party or value-chain attacks.

For threat actors, the appeal of supply chain attacks is trust. Applications and services used by enterprises have usually been vetted and trusted by security teams, so they often have access to sensitive or valuable internal data. If attackers can move laterally from a connected supply chain app into the larger enterprise network itself, they can steal, encrypt or destroy critical data and cost companies millions in both repair costs and reputation damage.

As networks grow, this problem compounds. Third-party suppliers are often using software from other business partners, who in turn have their own outside app connections. Therefore, a supply chain attack may start several companies removed from the intended target, making it harder to spot.

A successful supply chain attack can be a major blow. When networking tools supplier SolarWinds was compromised in late 2020, more than 18,000 companies worldwide were affected.

The State of Supply Chain Cybersecurity in 2021

As noted above, supply chain attacks will increase in 2021. Part of this expansion comes from increased application environment complexity: companies embrace the need for agile and adaptable supply chains that are resistant to future disruptions. After all, broadening the number of connected apps and services helps enterprises better navigate changing market conditions. That same breadth also creates a larger attack surface for threat actors, and when a vulnerability does crop up, the added complexity makes it harder to find and remove supply chain threats before they become bigger issues.

Notable 2021 Supply Chain Attacks

Supply chain attacks are off to a strong start in 2021. For example, in April 2021 DevOps tool provider Codecov disclosed that its Bash Uploader script had been compromised by malicious actors. This allowed the attackers to capture information stored by Codecov customers in continuous integration (CI) environments. Third-party investigators also found that attackers might have been able to “raid additional resources” and gain access to user credentials, which could, in turn, lead to even larger breaches.
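The Codecov incident is an instance of a general failure mode: a CI pipeline fetches a vendor-supplied script and executes it without checking that it is the script the vendor actually published. One defensive control is to pin the SHA-256 of the artifact in the pipeline configuration and refuse to run anything that does not match. The following shell script is an added example written for this article; it is not code from Codecov or from the original post. The file paths, the "uploader" script content and the tampered copy are all constructed for the demonstration, and the pinned hash would in real use be a reviewed constant in source control rather than computed at run time.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): gate execution of a
# third-party script on a pinned SHA-256. Everything below that names a file
# or a hash is constructed for demonstration purposes.

# sha256_of FILE -> prints the hex SHA-256 of FILE (portable across
# GNU coreutils sha256sum and BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise.
# It never executes FILE; it only reads it.
verify_artifact() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'integrity check failed for %s\n  expected: %s\n  actual:   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE with sh only after verify_artifact succeeds. A mismatch is a
# hard failure: the pipeline stops instead of running the modified script.
run_verified() {
    verify_artifact "$1" "$2" || return 1
    sh "$1"
}

# --- constructed demonstration data -------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# A stand-in for a vendor uploader script as it was originally published.
trusted="$demo_dir/uploader.sh"
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$trusted"

# In a real pipeline this value is a constant committed alongside the CI
# configuration; it is computed here only so the example is self-contained.
PINNED_SHA256=$(sha256_of "$trusted")

# A stand-in for a tampered copy served in place of the original. The extra
# line is deliberately harmless; what matters is that the bytes differ.
tampered="$demo_dir/uploader-tampered.sh"
cp "$trusted" "$tampered"
printf 'echo "extra line added after publication"\n' >> "$tampered"

# Stand-alone run: the genuine script executes, the tampered one is refused.
run_verified "$trusted" "$PINNED_SHA256"
if run_verified "$tampered" "$PINNED_SHA256" 2>/dev/null; then
    echo "UNEXPECTED: tampered script was executed"
else
    echo "tampered script was blocked before execution"
fi
```

The check is deliberately performed on a local copy rather than on a stream piped straight into `sh`, because a script that is piped cannot be hashed before it starts executing. Pinning also means a legitimate vendor update fails the check until someone reviews the new script and updates the pinned value, which is the intended behaviour for a trust boundary of this kind.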

In July 2021, the REvil gang compromised software supplier Kaseya’s network management package and used this software as a way to spread ransomware across Kaseya’s customers. According to NPR, more than 200 U.S. companies found their networks paralyzed by ransomware attacks after the Kaseya compromise.

Worth noting? Recent research from the European Union Agency for Cybersecurity found that 66% of attacks focused on supplier code. This means even strong internal defenses may not be enough to mitigate the impact of supply chain attacks.

Common Supply Chain Attack Methods

The goal of supply chain attackers is to compromise trusted services. From there, they can gain access to more valuable corporate resources. One common compromise approach is phishing. Successful phishing attacks can reveal account and password data, in turn allowing attackers to examine source code without triggering network defenses. Malware is also commonly used to infiltrate networks and exfiltrate key source code, which attackers can then modify and re-insert.

Some of the most common supply chain threat vectors include:

  • Third-party software providers
  • Data storage solutions
  • Development or testing platforms
  • Website building services

In each case, these software solutions and services require access to critical aspects of enterprise infrastructure. That opens up a potential pathway for malicious actors.

Best Practices for Supply Chain Security

When it comes to supply chain attacks, attackers are always looking for the weakest link. As a result, even robust enterprise defenses may not be enough to protect key assets. After all, the trusted nature of these third-party apps means they’re often not subject to the same scrutiny. This creates an opening for attackers: If they go far enough back along the supply chain, chances are they’ll find a vulnerability they can exploit and start moving upward toward critical apps.

To help reduce the risk of supply chain threats, security best practices are critical. These include:

1) Assessing current strategies – Better supply chain security starts with current strategies: Are they effective at mitigating supply chain threats? Do they align with compliance requirements? Can they adapt to evolving risk realities?

2) Testing, testing, testing – Regular penetration testing and vulnerability scans can help identify potential supply chain security weak points. From there, you can close down potential compromise pathways.

3) Identification and encryption – By identifying and encrypting highly sensitive data in their environment, enterprises can reduce the reach of supply chain attacks that do occur. Even if malicious actors gain access, they won’t be able to leverage protected assets.

4) Third-party risk management – The supply chain software landscape is more complex today than ever before. Therefore, companies must conduct an in-depth analysis of supplier security practices. They need to break down internal operational silos to ensure all departments are on the same page when it comes to protection.

5) Zero trust frameworks – By moving to an ‘always verify, never trust’ framework, enterprises can create a functional front line of defense. Zero trust requires even familiar apps and services to pass authentication checks before gaining network access.

The right security tools also play a role in reducing supply chain attack risk. Here, enterprises are often best-served by solutions that leverage blockchain for secure transactions, artificial intelligence for improved threat detection and cloud-based threat analysis for rapid risk assessment.

Solving for Supply Chain Attacks

Bottom line? It all comes down to trust.

Supply chain applications are necessary for enterprises to deliver services at scale. However, the same trust that reduces complexity also increases total risk. To mitigate the impact of supply chain attacks, enterprises must take control of third-party connections using both tools and tactics designed to detect unexpected actions, discover malicious code and deny access to potential threats.
