Supply chain attacks are an increasingly common form of cyberattack.
According to cybersecurity firm CrowdStrike’s 2021 Global Security Attitude Survey, 45% of respondents suffered a supply chain attack within the prior 12 months. This was up from 32% of respondents in 2018. Sonatype’s 2021 State of the Software Supply Chain report found that software supply chain attacks had a 650% year-over-year increase from 2020 to 2021. This followed a 430% increase from 2019 to 2020.
This poses a significant challenge for companies that rely on third-party vendors and suppliers to deliver their products or services. In this post, we'll give you an overview of what a supply chain attack involves, how these attacks are growing, and the types seen today, with examples. We'll also walk you through the steps to mitigate them and what to do if you're a victim of a supply chain attack.
What Is a Supply Chain Attack?
Our partner Fortinet defines a supply chain attack as one in which an attacker uses an outside provider (such as a trusted software partner) to access your systems. Because that provider has access to your data and systems, compromising it lets the attacker infiltrate your digital infrastructure.
Because the trusted third party has been granted the rights to use and manipulate areas of your network, your applications, or sensitive data, the attacker only has to penetrate the third party’s defenses or program a loophole into a solution offered by a vendor to infiltrate your system. It takes only one “weak link” in a supply chain to cause extensive damage to your company and your customers.
Supply chain attacks are diverse: they affect companies of every size and can compromise normally dependable systems, as when automated teller machine (ATM) malware is used to steal cash.
The newest trend: One software supply chain attack leading to another software supply chain attack
There was a recent massive breach that hit a well-known provider of internet-enabled voice calls. The compromise of that provider originated with another, prior supply-chain attack.
To have a supply-chain cyberattack that is the result of a separate supply-chain hack is “a very novel and interesting and quite scary threat,” Charles Carmakal, chief technology officer at Mandiant, told reporters in a recent briefing.
7 Best Practices to Guard Against Supply Chain Attacks
To fight supply chain attacks, companies can combine a number of techniques, ranging from addressing issues with their general cybersecurity infrastructure to ensuring endpoints are secured against infiltration. Here are seven best practices suggested by the National Institute of Standards and Technology (NIST) to protect against supply chain attacks.
- Integrate a Cybersecurity Supply Chain Risk Management (C-SCRM) process to manage exposure to cybersecurity risks throughout the supply chain. The process should include executives and managers within operations and personnel across supporting roles, such as IT, acquisitions, legal, risk management, and security.
- Document how you would address any potential vulnerabilities in your organization's supply chain.
- Closely collaborate with key suppliers and include them in resilience and improvement efforts.
- Assess and monitor suppliers throughout the supplier relationship.
- Ask your cybersecurity partner how they will defend against supply chain attacks. For example, do they:
  - Maintain a product vulnerability response program?
  - Use a software development lifecycle that incorporates secure software practices?
  - Look for known weaknesses, and vulnerabilities introduced by development practices, in their source code and compiled code?
  - Actively identify and disclose vulnerabilities while maintaining a vulnerability response program?
  - Utilize patch management?
  - Develop, maintain and use approved supplier lists for their products?
- Request a software component inventory with each software purchase that identifies and discloses all known vulnerabilities. If a vendor cannot provide a component inventory, consider using that as a differentiator when selecting among competing products.
- Implement an Endpoint Detection and Response (EDR) system. Supply chain attacks frequently take advantage of unsecured endpoints, but an EDR system can protect those endpoints and identify suspicious behavior. It can also block or alert on that activity even when it comes from a compromised but properly signed application. Learn more in How EDR and MDR can help in the war against data breaches.
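The software component inventory NIST recommends is, in practice, an SBOM. The following added example (not code from the original post, Fortinet, or NIST) shows what a buyer can do with one: parse a CycloneDX-style JSON inventory, compare each component's version against an advisory list, and flag components that the vendor listed without a version, since an inventory that cannot be checked is only slightly better than none. The SBOM document, the advisory entries and their identifiers are all constructed placeholders for illustration.

```python
import json

# Constructed CycloneDX-style SBOM; not a real vendor document.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-helper@2.14.1"},
    {"type": "library", "name": "http-client", "version": "4.5.13",
     "purl": "pkg:maven/org.example/http-client@4.5.13"},
    {"type": "library", "name": "yaml-parse",
     "purl": "pkg:pypi/yaml-parse"}
  ]
}
"""

# Constructed advisory feed: component name -> advisories, each giving the first
# fixed version. The advisory ids are placeholders, not real identifiers.
ADVISORIES = {
    "log-helper": [{"id": "ADV-PLACEHOLDER-001", "fixed_in": "2.15.0"}],
    "http-client": [{"id": "ADV-PLACEHOLDER-002", "fixed_in": "4.5.0"}],
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so tuples compare numerically.
    Non-numeric fragments (e.g. '1.0rc1') fall back to their leading digits."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_text):
    """Return the component list from a CycloneDX JSON document."""
    return json.loads(sbom_text).get("components", [])


def check_sbom(sbom_text, advisories):
    """Classify every component as 'ok', 'vulnerable', or 'incomplete'.

    'incomplete' marks entries the vendor shipped without a version string;
    those cannot be matched against any advisory and should be sent back to
    the supplier rather than silently treated as safe."""
    findings = []
    for component in load_components(sbom_text):
        name = component.get("name")
        version = component.get("version")
        if not version:
            findings.append({"component": name, "status": "incomplete",
                             "reason": "no version in inventory"})
            continue
        affected = [adv["id"] for adv in advisories.get(name, [])
                    if parse_version(version) < parse_version(adv["fixed_in"])]
        findings.append({"component": name, "version": version,
                         "status": "vulnerable" if affected else "ok",
                         "advisories": affected})
    return findings


def summarize(findings):
    """Count findings per status; useful as a pass/fail gate in procurement."""
    counts = {"ok": 0, "vulnerable": 0, "incomplete": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


if __name__ == "__main__":
    results = check_sbom(SBOM_JSON, ADVISORIES)
    for r in results:
        print(r)
    print(summarize(results))
```

Run against the constructed inventory, the script reports log-helper as vulnerable, http-client as ok, and yaml-parse as incomplete. A real advisory feed also carries affected-range lower bounds and ecosystem-specific version schemes, so the version comparison here is a deliberately simple stand-in for a proper package-URL-aware matcher.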
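The EDR point above is that a valid code signature is not an allowlist: a trojanized vendor update is signed by the vendor and still behaves abnormally. This added example (not code from the original post or from any EDR product) runs two behavioral rules over constructed endpoint telemetry: a signed vendor process spawning a script interpreter, and a signed vendor process contacting a destination outside the expected set for that binary. The event lines, image names, publisher names and expected destinations are all constructed for illustration.

```python
import json

# Constructed endpoint telemetry as JSON lines; not output of any real product.
EVENTS = """\
{"ts": "2023-01-01T10:00:00Z", "event": "process_start", "image": "updater.exe", "signer": "Example Vendor Inc", "signature_valid": true, "parent": "services.exe", "cmdline": "updater.exe --check"}
{"ts": "2023-01-01T10:00:05Z", "event": "process_start", "image": "powershell.exe", "signer": "Microsoft Windows", "signature_valid": true, "parent": "updater.exe", "cmdline": "powershell.exe -File task.ps1"}
{"ts": "2023-01-01T10:00:07Z", "event": "network_connect", "image": "updater.exe", "signer": "Example Vendor Inc", "signature_valid": true, "dest": "203.0.113.7", "port": 443}
{"ts": "2023-01-01T10:01:00Z", "event": "network_connect", "image": "updater.exe", "signer": "Example Vendor Inc", "signature_valid": true, "dest": "updates.example.com", "port": 443}
{"ts": "2023-01-01T10:02:00Z", "event": "process_start", "image": "cmd.exe", "signer": "Microsoft Windows", "signature_valid": true, "parent": "explorer.exe", "cmdline": "cmd.exe"}
"""

# Script hosts and shells that an auto-updater has no business launching.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed baseline: where each signed vendor binary is expected to talk.
EXPECTED_DESTINATIONS = {
    "updater.exe": {"updates.example.com"},
}


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, expected_destinations):
    """Apply behavioral rules; a valid signature never suppresses an alert."""
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_start":
            # Rule 1: a monitored vendor binary spawning a script interpreter.
            parent = ev.get("parent")
            if parent in expected_destinations and ev["image"].lower() in INTERPRETERS:
                alerts.append({"rule": "signed_parent_spawns_interpreter",
                               "ts": ev["ts"], "image": ev["image"],
                               "parent": parent, "cmdline": ev.get("cmdline")})
        elif kind == "network_connect":
            # Rule 2: a monitored vendor binary contacting an unexpected destination.
            image = ev.get("image")
            allowed = expected_destinations.get(image)
            if allowed is not None and ev.get("dest") not in allowed:
                alerts.append({"rule": "unexpected_destination",
                               "ts": ev["ts"], "image": image,
                               "dest": ev["dest"], "port": ev.get("port"),
                               "signature_valid": ev.get("signature_valid")})
    return alerts


def run(text=EVENTS, expected=EXPECTED_DESTINATIONS):
    return detect(parse_events(text), expected)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed log this yields two alerts: the PowerShell launch whose parent is the signed updater, and the updater's connection to an address outside its baseline. The cmd.exe start under explorer.exe produces nothing, because the rules key on the behavior of the monitored vendor binary rather than on interpreters in general. The same idea scales to any third-party agent: record its normal parent/child and network relationships, then alert on departures regardless of signature status.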
Have questions or want to learn more?
Get in touch with us for a no-obligation consultation and we’ll give you more details on the growing risks of supply chain attacks and how to better protect yourself.