Supply chain attacks are nothing new. However, these attacks have become more organized since early 2020. Cybercriminals now target suppliers rather than individual organizations, because a single compromised supplier gives them reach into many customers and a far greater impact in damages.
The European Union Agency for Cybersecurity (ENISA) released its “Threat Landscape for Supply Chain Attacks” in July 2021. The report maps and studies 24 supply chain attacks that took place between January 2020 and July 2021. In this two-part article we discuss what you need to know about supply chain attacks and how you can protect your supply chain from an attack.
Supply Chain Attacks - Part One: What You Need to Know
First, for those unfamiliar with the term, let’s begin with an understanding of what a “supply chain” is. A supply chain is an ecosystem of processes, people, organizations, and distributors involved in creating and then delivering a final product.
In a broader sense, when the supply chain is defined from a cybersecurity stance, it also involves resources such as hardware and software; data storage, whether on-premises or in the cloud; distribution mechanisms such as online stores and web applications; and lastly, the management software that brings everything together.
There are four major components to a supply chain:
- Supplier, the entity supplying a product or service to another entity
- Supplier assets, which are the valuable elements used by the supplier in producing their product or service
- Customer, the entity consuming the supplier’s product or service
- Customer assets, the valuable elements owned by the target
Entities could be individuals, groups of individuals or organizations. Assets may refer to finances, documents, people, hardware, software or other things of value.
What is a Supply Chain Attack?
For an incident to be considered a supply chain attack, it must combine at least two attacks. The first attack is carried out on the supplier. The second attack stems from the first: the compromised supplier is used to attack the target and gain access to its assets. The target could be the final customer or another supplier.
Let’s consider the taxonomy of supply chain attacks. The supplier may be attacked by one or more of the following techniques in an attacker’s effort to compromise the supply chain:
- Malware infection, e.g., spyware that steals employees’ credentials
- Social engineering, e.g., used to trick the supplier into doing something that initiates the attack, such as phishing, typo-squatting, fake applications, or Wi-Fi impersonation
- Brute-force attack, e.g., guessing web logins
- Exploiting software vulnerability, e.g., buffer overflow exploit or SQL injection in an application
- Exploiting configuration vulnerability, e.g., taking advantage of an existing configuration issue
- Open-source intelligence (OSINT), e.g., online searches for usernames, credentials, API keys
The supplier assets that may be targeted by the supply chain attack may include:
- Data, e.g., supplier information, customer/supplier personal data, certificates
- Processes, e.g., updates, backups, certificate signing, validation processes
- Configurations, e.g., firewall rules, URLs, API keys
- Pre-existing software, e.g., software used by supplier, including applications, databases, web servers, firmware, cloud applications, monitoring systems
- Software libraries, e.g., third-party libraries, software packages installed by third parties
- Code, e.g., supplier produced source code or software
- Hardware, e.g., supplier produced hardware like USBs, chips, valves
- People, e.g., targeted individuals that have access to data, infrastructure or other people
On the customer side of the attack, the following techniques may be used to compromise the customer:
- Phishing, e.g., fake messages that impersonate the supplier
- Malware infection, e.g., ransomware, backdoor, remote access trojan
- Trusted relationship, e.g., trust a certificate, trust an automatic backup, trust an automatic update
- Drive-by compromise, e.g., users infected with malware by malicious website scripts
- Counterfeiting, e.g., impersonating the supplier’s personnel, creating a fake USB, modifying a motherboard
- Physical attack or modification, e.g., physical intrusion, modify hardware
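The “trusted relationship” technique above works because the customer applies whatever the supplier’s update channel delivers. The defensive counterpart is to verify an update against integrity values recorded out-of-band before installing it. The following is an added example, not code from the article or from ENISA: it checks a hypothetical update’s files against a pinned SHA-256 manifest and refuses to apply the update when any file is altered, unexpected, or missing. All file names, contents and the manifest are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: the files of a hypothetical supplier update, and the
# SHA-256 digests the customer pinned when the release was first reviewed. In
# practice the manifest is stored separately from the download path (or carried
# in a verified signature), so a tampered download cannot supply its own
# "correct" digests.
GENUINE_FILES = {
    "agent.bin": b"vendor-agent v2.3.1 binary (constructed sample)",
    "config.yml": b"update_channel: stable\n",
}
PINNED_MANIFEST = {
    name: hashlib.sha256(data).hexdigest() for name, data in GENUINE_FILES.items()
}

# The same release with one byte changed in the binary and an extra file added,
# standing in for an update altered somewhere between supplier and customer.
TAMPERED_FILES = dict(GENUINE_FILES)
TAMPERED_FILES["agent.bin"] = GENUINE_FILES["agent.bin"].replace(b"v2.3.1", b"v2.3.2")
TAMPERED_FILES["helper.dll"] = b"unexpected extra file"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_manifest(files: dict, manifest: dict) -> list:
    """Return the names that fail verification (an empty list means clean).

    A file fails if its digest differs from the pinned one or if it is not
    listed in the manifest at all. A pinned file that is absent from the
    download also fails, so a truncated package is rejected as well.
    compare_digest avoids leaking, through timing, how much of a digest matched.
    """
    failures = []
    for name, data in files.items():
        pinned = manifest.get(name)
        if pinned is None or not hmac.compare_digest(sha256_hex(data), pinned):
            failures.append(name)
    for name in manifest:
        if name not in files:
            failures.append(name)
    return sorted(failures)


def apply_update(files: dict, manifest: dict) -> str:
    """Gate installation on verification; returns a short status string.

    In a real update agent the 'applied' branch is where the files would be
    unpacked and installed; nothing is written here.
    """
    failures = verify_manifest(files, manifest)
    if failures:
        return "rejected: " + ", ".join(failures)
    return "applied"


if __name__ == "__main__":
    print(apply_update(GENUINE_FILES, PINNED_MANIFEST))
    print(apply_update(TAMPERED_FILES, PINNED_MANIFEST))
```

The check rejects the tampered release on two counts, the modified binary and the unlisted extra file, and a download missing a pinned file is rejected too. A pinned manifest only helps if it was obtained through a channel separate from the download itself; a digest file sitting next to the package on the same server is altered as easily as the package.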
The customer assets that are typically targeted in a supply chain attack include:
- Data, e.g., sales and financial data, payment data, documents, emails, intellectual property, flight plans
- Personal data, e.g., credentials, customer data, employee records
- Financial, e.g., money transfers, stolen cryptocurrency, hijacked bank accounts
- Processes, e.g., insertion of new malicious processes, documentation of internal operation
- People, e.g., individuals targeted for their knowledge or position
- Software, e.g., access to customer’s source code, modification of customer’s software
- Bandwidth, e.g., using bandwidth for sending SPAM or malware, Distributed Denial of Service (DDoS)
How to Protect your Supply Chain
To be protected against supply chain risk, companies need to focus on the following areas:
- Managing supply chain cybersecurity risk
- Managing the relationship to suppliers
- Defining and delegating responsibilities to suppliers, backed by defined and verified good practices for vulnerability management on the supplier’s side
Read the details on supply chain protection in the second part:
Supply Chain Attacks - Part Two: How to Protect Your Supply Chain
References
ENISA, “Threat Landscape for Supply Chain Attacks”, July 2021.