Cyber Talk: Supply Chain Attack

Stephane Nappo, VP Global Chief Information Security Officer at Société Générale posted: "Even the bravest cyber defense will experience defeat when weaknesses are neglected."

What is a supply chain attack?

A supply chain attack takes advantage of these weak points, as malicious actors aim to infiltrate businesses where they least expect it. It occurs when a malicious actor compromises an external provider or trusted vendor that has access to a business's internal data, and uses that foothold to infiltrate the digital infrastructure and commit cyberattacks across the supply chain. Attackers exploit the fact that the same software is used across a multitude of organisations to inject malicious code on a wide scale and contaminate assets.

How to detect a Supply Chain Attack?

Supply chain attacks are difficult to detect as they can be introduced through software vulnerabilities, malware via a USB-connected device such as a camera or phone, firmware, a vulnerability in a network device, insecure network protocols, unprotected server infrastructure, or unsafe software practices. The following steps can help set up a foundation for detection:

  1. The first step to successfully detecting a supply chain attack is to create an inventory of all assets within the network. This helps establish an understanding of the organisation's workflow and data pathways.
  2. Assign a threat actor and a risk score to every asset. This creates a priority order for attack detection.
  3. Adjust the risk scores accordingly, ordering assets from least-at-risk to most-at-risk. This helps in developing security controls.
  4. Stay up to date with vendor updates and reported vulnerabilities. Not installing firmware and software updates means that known vulnerabilities remain unprotected against.
  5. Deploy firewalls and intrusion detection/prevention systems to detect unexpected behaviour.
  6. Monitor and log all activity from suppliers and analyse these logs regularly.
  7. Finally, fully understand the level of access each supplier has to the environment. If a system has a backdoor, is the principle of zero trust being applied?
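Steps 1, 2, 3, 6 and 7 fit together naturally: once every asset has a risk score and a known set of suppliers allowed to touch it, the supplier activity logs can be checked against that inventory and the findings reviewed highest-risk first. The script below is an added example written for this article, not code from the original page; the asset names, supplier account names, risk scores and log lines are all constructed, and the log format (one JSON object per line, as a vendor jump host might record sessions) is an assumption.

```python
import json

# Constructed asset inventory (step 1). Each asset carries a risk score (steps 2-3)
# and the set of supplier accounts allowed to touch it (step 7). Names are made up.
ASSET_INVENTORY = {
    "erp-db-01":    {"risk_score": 9, "allowed_suppliers": {"vendor-erp"}},
    "build-srv-01": {"risk_score": 8, "allowed_suppliers": {"vendor-ci"}},
    "cam-lobby-02": {"risk_score": 3, "allowed_suppliers": {"vendor-cctv"}},
}

# Constructed supplier activity log (step 6): one JSON object per line, as a
# gateway or jump host might record vendor sessions. Format is assumed.
SUPPLIER_LOG = """\
{"ts": "2024-03-01T02:10:00Z", "supplier": "vendor-erp",  "asset": "erp-db-01",      "action": "login"}
{"ts": "2024-03-01T02:12:00Z", "supplier": "vendor-erp",  "asset": "build-srv-01",   "action": "login"}
{"ts": "2024-03-01T03:00:00Z", "supplier": "vendor-cctv", "asset": "cam-lobby-02",   "action": "firmware_push"}
{"ts": "2024-03-01T03:05:00Z", "supplier": "vendor-cctv", "asset": "erp-db-01",      "action": "login"}
{"ts": "2024-03-01T04:00:00Z", "supplier": "vendor-ci",   "asset": "unknown-host-7", "action": "login"}
"""

# An asset missing from the inventory escaped step 1, so it is treated as top risk.
UNKNOWN_ASSET_SCORE = 10


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_violations(events, inventory):
    """Flag events where a supplier touched an asset outside its allowed scope,
    or an asset that is not in the inventory at all."""
    findings = []
    for event in events:
        asset = inventory.get(event["asset"])
        if asset is None:
            findings.append({**event, "reason": "asset not in inventory",
                             "risk_score": UNKNOWN_ASSET_SCORE})
        elif event["supplier"] not in asset["allowed_suppliers"]:
            findings.append({**event, "reason": "supplier outside allowed scope",
                             "risk_score": asset["risk_score"]})
    return findings


def prioritise(findings):
    """Order findings so the highest-risk assets are reviewed first (stable sort)."""
    return sorted(findings, key=lambda f: f["risk_score"], reverse=True)


def review(log_text=SUPPLIER_LOG, inventory=ASSET_INVENTORY):
    """Run the whole check over a log and return the prioritised findings."""
    return prioritise(find_violations(parse_log(log_text), inventory))


if __name__ == "__main__":
    for finding in review():
        print(f"[risk {finding['risk_score']:>2}] {finding['ts']} {finding['supplier']} -> "
              f"{finding['asset']} ({finding['action']}): {finding['reason']}")
```

On the sample log this reports three findings: the login to a host that is not in the inventory, the CCTV vendor reaching the ERP database, and the ERP vendor reaching the build server. Legitimate supplier sessions that stay within their allowed scope produce no output, which is what makes the remaining lines worth an analyst's time.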

How to respond to a Supply Chain Attack?

The ideal way to respond to a supply chain attack is to formulate a response plan in preparation for any cyber incident. Incident management covers all proactive and reactive aspects of an attack, including readiness, response, and recovery. The plan should include the potential real-world damage that could be incurred by the business, and it should be updated and followed regularly throughout the organisation. The two most crucial aspects of a successful response plan are structure and communication.

Almost all supply chain attacks should be treated as urgent, as the attack can very easily spread to every part of a network that uses the affected system. Supply chain attacks require:

  • Quick response
  • Rapid containment
  • Swift eradication of the threat
  • Assessment of impact and risk
  • Appropriate recovery

How to protect against a Supply Chain Attack?

There are a variety of measures that can be taken to protect against supply chain attacks:

  1. Refrain from keeping any crucial data in the less secure parts of your network infrastructure.
  2. Ensure that assets deemed low priority are still monitored, as they are less secure than higher-priority assets. Supply chain attacks are carried out through less secure systems, whether hardware or software.
  3. Use a robust integrity policy that only allows authorised applications to run.
  4. Deploy endpoint detection and prevention solutions that automatically identify and remove any unwanted activity.
  5. Invest in a security operations centre (SOC) analyst who will identify problems and react to threats.
  6. Implement vendor access control by restricting a vendor's access to the system. This helps mitigate potential risk because the least-privilege model is applied.
  7. Assess each vendor's security posture.
  8. Ensure that the builds and updates of the system are secure.
  9. Have a system in place for regularly installing security patches for the operating system and any software that is run.
  10. Ensure that only trusted tools can be run on the network.
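Measures 3, 8 and 10 all come down to the same control: nothing gets installed or run unless it matches something the organisation has explicitly approved. The simplest concrete form is an allowlist of release artifacts keyed by their SHA-256 digest, checked before any update is installed, so that a tampered bundle or an unapproved tool is rejected before it reaches a host. The script below is an added example written for this article, not code from the original page or from any vendor; the sample release bytes, the artifact filename and the allowlist are constructed, and the process of obtaining the expected digest from the vendor through a separate channel is an assumption.

```python
import hashlib
import hmac

# Constructed sample of a vendor release bundle. In practice this would be the
# downloaded update file; these bytes exist only so the example runs offline.
SAMPLE_RELEASE = b"example-agent v1.2.3 release bundle (constructed sample bytes)\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


# Allowlist of approved release artifacts: filename -> SHA-256 digest obtained
# from the vendor through a separate channel (assumed process). The digest is
# computed from the constructed sample above so the example is self-contained.
APPROVED_ARTIFACTS = {
    "example-agent-1.2.3.tar.gz": sha256_hex(SAMPLE_RELEASE),
}


def check_update(filename: str, data: bytes, approved=APPROVED_ARTIFACTS):
    """Decide whether an update may be installed. Returns (allowed, reason)."""
    expected = approved.get(filename)
    if expected is None:
        return False, "artifact is not on the approved list"
    actual = sha256_hex(data)
    # Constant-time comparison; the digest match is a security decision.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, "digest matches the approved release"


def vet_updates(candidates, approved=APPROVED_ARTIFACTS):
    """Vet a batch of (filename, bytes) pairs and return audit records. Only
    records with allowed=True should be handed to the deployment step."""
    records = []
    for filename, data in candidates:
        allowed, reason = check_update(filename, data, approved)
        records.append({"artifact": filename, "sha256": sha256_hex(data),
                        "allowed": allowed, "reason": reason})
    return records


if __name__ == "__main__":
    batch = [
        ("example-agent-1.2.3.tar.gz", SAMPLE_RELEASE),            # genuine
        ("example-agent-1.2.3.tar.gz", SAMPLE_RELEASE + b"\x00"),  # altered in transit
        ("unknown-tool-0.1.zip", b"not on the allowlist"),          # never approved
    ]
    for record in vet_updates(batch):
        status = "INSTALL" if record["allowed"] else "REJECT "
        print(f"{status} {record['artifact']}: {record['reason']}")
```

The audit record kept for every decision, including rejections, is what later lets the incident response plan answer "which hosts received which build", and the allowlist is the place a vendor's security posture review (measure 7) should feed into: an artifact only appears there once the vendor and the build it came from have been vetted.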