A sobering reminder for more vigilant supply chain security
This is a guest post by Gaurav Chhiber, vice-president of Asia-Pacific and Japan at IronNet Cybersecurity
The recent and still unfolding news about the SolarWinds breach, attributed to the Russian group APT29 (also known as Cozy Bear), is a sobering reminder of the relentlessness of nation-state cyber attack campaigns, which have turned their attention to vulnerabilities created by supply chain backdoors.
While companies across sectors have been shoring up their cyber security defenses with technologies such as firewalls, endpoint protection, and network detection and response, these recent events call for renewed vigilance for securing the supply chain.
Indirect attacks through the supply chain now account for 40% of security breaches, according to Accenture's State of Cyber Resilience report. Indeed, the days of well-defined data boundaries are gone, and traditional data protections are no longer sufficient to secure these ecosystems.
How can you protect your supply chain from data breaches, including intellectual property theft, while recognising that many of the companies that work in the supply chain have neither the revenue nor the capacity to really run an in-house security operations centre?
We’re no longer talking about just a physical supply chain of moving a product from production to market. Today’s supply chain is an extended, connected web that spreads in every direction. It can be a digital supply chain where risks such as compromised code present a third-party risk.
More recently, Accellion, a provider of enterprise content firewall products, announced that its file sharing system, FTA, had been hacked. Organisations that used Accellion as a third-party vendor, including New Zealand's central bank and Singtel in Singapore, were affected, with customer data potentially compromised.
Separately, in late December 2020, hackers targeted the Vietnam Government Certification Authority (VGCA), a government organisation that issues digital certificates for the digital signing of official documents. This attack compromised users of a legitimate application by modifying two of the software installers available for download to add a backdoor.
As cyber criminals continue to exploit these expanded digital supply chains to circumvent the cyber defences of their targets, nations and enterprises are now looking to protect those ecosystems and future-proof their supply chain.
In Singapore, the Monetary Authority of Singapore (MAS) recently implemented an amended set of technology risk management guidelines to enhance cyber security measures in financial institutions. Notably, the guidelines outline the importance of threat intelligence and information sharing in acting more proactively and strategically in the face of attacks.
Securing the weak spots in your supply chain
While an individual company may have hundreds, even thousands, of third-party entities across its supply chain, it is important to keep in mind that a single company's brand and reputation are on the line. Supply chain vendors often remain behind the scenes, yet they can inadvertently open the so-called back door through which large-scale supply chain attacks are launched.
Sophisticated attackers know where the weak spots are, and they are taking advantage of these backdoor ways to infiltrate a company’s ecosystem. Clearly, it is time to scrutinise third-party risk with vigilance. Here are some techniques they are using to attack:
- Business Email Compromise (BEC): Often associated with financial transfers, where criminals leverage the fact that business is often conducted via email.
- Using vulnerability information gleaned from OSINT tools: Finding weaknesses in suppliers or vendors in your supply chain and exploiting them to gain entry to your networks.
- “Living off the land” (or “fileless”) attacks: Gaining additional access using tools that already exist in the computing environment.
- Embedded systems: Accessing backdoors through network-aware embedded systems, operational technology (OT), and IoT devices.
- Service providers: Taking advantage of the potential risk associated with the usage of third-party service providers.
How to defend against these attacks
The question is how to detect and defend against these attacks. It is no longer about protecting one’s own organisation but the ecosystem that organisations operate in. Organisations need to work together with a collaborative approach through collective defence to detect and share threats in real time. This is the only way to gain complete visibility across the value chain.
One thing is for sure: the inherent nature of collective defence is a defensive posture. It is critical to adopt this approach if we wish to defend against and win this cyberwar together, battle by battle.