Gorodenkoff - stock.adobe.com

Cyber attacks increasingly exploiting supply chain weaknesses

Cyber attacks are increasingly characterised by supply chain attacks, counter incident response and lateral movement, research reveals

Half of today’s cyber attacks use “island hopping” as an approach, which means attackers are after not only the target network, but all those along its supply chain as well, a report warns.

Supply chain attacks are getting more prevalent and dangerous, according to the latest quarterly Global incident response threat report from cyber security firm Carbon Black.

The industries most targeted by island hopping, the report said, are financial (47%), manufacturing (42%) and retail (32%).

Tom Kellermann, Carbon Black’s chief cyber security officer, said attackers are using their victim’s brand against customers and partners of that company. “They’re not just, say, invading your house – they’re setting up shop there, so they can invade your neighbours’ houses too.”

The report is based on a survey of 40 Carbon Black incident response (IR) partners and aims to offer actionable intelligence for business and technology leaders, supported by analysis of the newest threats and advice on how to stop them.

According to the report, the main reason organisations are vulnerable to island hopping is a lack of visibility, which 44% of respondents named as the top barrier to IR, up from 10% the previous quarter.

“More often than not, the adversary is going after the weakest link in the supply chain to get to their actual target,” said Thomas Brittain, who leads Carbon Black’s Global IR Partner Program. “Businesses need to be mindful of companies they’re working closely with and ensure those companies are doing due diligence around cyber security as well.”

Read more about incident response

The data also shows increased use of counter IR, with 56% of respondents encountering instances of counter IR, up from 5% the previous quarter. The data shows that 87% of counter IR is in the form of destruction of logs and 70% in the form of evasion tactics.

Kellerman said the trend towards counter IR signals a cyber crime wave that is continuing to evolve.

“Attackers are fighting back,” he said. “They have no desire to leave the environment. And they don’t just want to rob you and those along your supply chain. In the parlance of the dark web, attackers these days want to ‘own’ your entire system.”

The report also notes that 70% of all attacks now involve attempts at lateral movement, as attackers take advantage of new vulnerabilities and native operating system tools to move around a network.

Nearly a third (31%) of targeted victims now experience destructive attacks, which the report said is and “alarming byproduct” of attackers gaining better and more prolonged access to targets’ environments.

The financial and healthcare industries remain most vulnerable to these attacks, the report said, but the threat to manufacturing companies has grown significantly, with nearly 70% of all respondents seeing attacks on the financial industry in the past 90 days, followed by healthcare (61%) and manufacturing (59%, up from 41% last quarter).

Intellectual property

The steep rise in incidents in the manufacturing industry is tied to the fact that cyber criminals are increasingly targeting valuable intellectual property (IP).  “These motives and methods may very well reflect roiling geopolitical tensions – be it uneasy trade relations with China or what looks to be a new nuclear arms race with Russia – as nation states seek competitive advantage,” the report said.

Going after manufacturing companies for IP purposes reduces R&D, said Ryan Cason, director of partner success at Carbon Black. “It allows them to get to market quicker, at a cheaper price point, to the detriment of their victim.”

Consequently, the report said there was a steep rise in IP theft as an attacker’s end goal this quarter, with 22% of respondents saying this was the case, up from 5% the previous quarter. However, the data shows that financial gain remains the most common end goal, at 61%.

As IR teams and their partners raise the defensive bar, adversaries adapt in kind, the report warns. “They’re developing and sharing new techniques, exploiting new vulnerabilities, and finding new ways to remain invisible in a network to ‘own’ the entire system.

“As our adversaries seek to wreak havoc, businesses and IR teams need to stay on the cutting edge if we want to fight back with success,” the report said.

Carbon Black recommends organisations focus on five best practices in IR:

  1. Have a backup plan for setting up a new operating environment within a few hours.
  2. Do not immediately terminate the attackers’ command and control system to observe lateral movement and isolate targeted systems.
  3. Store data 30 days or more from all endpoints to preserve the environment and combat the destruction of logs that has become so prevalent.
  4. Alert fatigue is real, so to detect attackers, it is crucial that security data is contextualised.
  5. Rebuild the environment from scratch and augment existing capabilities with EDR (enterprise data replication). 

Read more on IT risk management