Stephane Nappo, VP Global Chief Information Security Officer at Société Générale posted: "Even the bravest cyber defense will experience defeat when weaknesses are neglected."
What is a supply chain attack?
A supply chain attack takes advantage of these weak points, as malicious hackers aim to infiltrate businesses where they least expect it. It occurs when a malicious actor compromises an external provider or trusted vendor that has access to a business's internal data, using that foothold to infiltrate the digital infrastructure and carry out cyberattacks across the supply chain. Attackers exploit the fact that the same software is used across many organisations: injecting malicious code into it contaminates assets on a wide scale.
How to detect a Supply Chain Attack?
Supply chain attacks are difficult to detect because they can be introduced through many routes: software vulnerabilities, malware delivered over a USB connection (for example from a camera or phone), firmware, a vulnerability in a network device, insecure network protocols, unprotected server infrastructure, or unsafe software practices. The following steps help set up a foundation for detection:
- The first step to successfully detecting a supply chain attack is to create an inventory of all assets within the network. This would help establish an understanding of the organisation’s workflow and data pathways.
- Assign each asset a risk score, together with the threat actor likely to target it; this creates a priority system for attack detection.
- Order the assets by risk score, from least-at-risk to most-at-risk. This ranking guides the development of security controls.
- Stay up to date with vendor updates and reported vulnerabilities. Leaving firmware and software updates uninstalled means known vulnerabilities remain unprotected against.
- Deploy firewalls and intrusion detection/prevention systems to detect unexpected behaviours.
- Monitor and log any activity from suppliers and analyse these logs regularly.
- Finally, fully understand the level of access each supplier has to the environment. If a supplied system contains a backdoor, is the principle of zero trust applied to limit what it can reach?
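As an added example (not from the original post) of the supplier monitoring and least-privilege checks above, the script below reads supplier-account log lines, compares each access against an approved per-account resource scope, and reports unknown accounts, out-of-scope access and repeated failed attempts. The account names, resource names, log format and log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed scope: the resources each supplier account is authorised to touch
VENDOR_SCOPE = {
    "svc_hvacvendor": {"bms-controller-01", "bms-controller-02"},
    "svc_backupvendor": {"backup-nas-01"},
}

# Constructed log lines in an assumed key=value format (not a specific product's format)
SAMPLE_LOG = """\
2024-03-04T02:13:07Z user=svc_hvacvendor action=login src=203.0.113.10 resource=bms-controller-01 result=success
2024-03-04T02:16:03Z user=svc_hvacvendor action=read src=203.0.113.10 resource=hr-fileserver-01 result=success
2024-03-04T02:16:20Z user=svc_hvacvendor action=login src=203.0.113.10 resource=dc-01 result=failure
2024-03-04T02:16:21Z user=svc_hvacvendor action=login src=203.0.113.10 resource=dc-01 result=failure
2024-03-04T02:16:22Z user=svc_hvacvendor action=login src=203.0.113.10 resource=dc-01 result=failure
2024-03-04T09:00:00Z user=svc_backupvendor action=write src=198.51.100.7 resource=backup-nas-01 result=success
2024-03-04T09:05:00Z user=svc_unknownvendor action=login src=198.51.100.9 resource=backup-nas-01 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for kv in m.group("kv").split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event

def analyse(log_text, scope, failure_threshold=3):
    """Return (kind, timestamp, user, resource) findings for supplier activity that breaks
    the approved scope: unknown accounts, out-of-scope resources, repeated failures."""
    findings, failures = [], Counter()
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        user, resource = ev.get("user"), ev.get("resource")
        if user not in scope:
            findings.append(("UNKNOWN_ACCOUNT", ev["ts"], user, resource))
            continue
        if resource not in scope[user]:
            findings.append(("OUT_OF_SCOPE", ev["ts"], user, resource))
        if ev.get("result") == "failure":
            failures[(user, resource)] += 1
            if failures[(user, resource)] == failure_threshold:
                findings.append(("REPEATED_FAILURE", ev["ts"], user, resource))
    return findings
```

Running `analyse(SAMPLE_LOG, VENDOR_SCOPE)` on the constructed log yields six findings: the HVAC account reading an HR file server, three out-of-scope attempts against a domain controller (the third also raising a repeated-failure finding), and a login from an account with no approved scope at all.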
How to respond to a Supply Chain Attack?
The ideal way to respond to a supply chain attack is to formulate a response plan in preparation for any cyber incident. Incident management covers all proactive and reactive aspects of an attack, including readiness, response, and recovery. The plan should account for the real-world damage the business could incur, and should be updated regularly and followed throughout the organisation. The two most crucial aspects of a successful response plan are structure and communication.
Almost all supply chain attacks should be treated as urgent, because the attack can very easily spread to every part of the network that uses the affected system. Supply chain attacks require:
- Quick response
- Rapid containment
- Swift eradication of the threat
- Assessment of impact and risk
- Appropriate recovery
How to protect against a Supply Chain Attack?
There are a variety of measures that can be taken to protect against supply chain attacks:
- Refrain from carrying any crucial data in less secure elements of your network infrastructure.
- Ensure that assets deemed low priority are still monitored, as they are typically less secure than higher-priority assets. Supply chain attacks are carried out against the less secure systems, whether hardware or software.
- Use a robust integrity policy that will only allow authorised apps to run.
- Deploy endpoint detection and prevention solutions that will automatically identify and remove any unwanted activity.
- Invest in security operations centre (SOC) analysts who will identify problems and react to threats.
- Implement vendor access control by restricting each vendor's access to the system. Applying the least-privilege model in this way helps mitigate the potential risks.
- Assess a vendor's security posture.
- Ensure the builds and updates of the system are secure.
- Have a system in place for regularly installing security patches for the operating system and any software that is run.
- Ensure that only trusted tools can be run on the network.