Cyber attacks that target the supply chain have been grabbing the headlines in recent months because of the widespread and severe damage they have caused organisations, from government agencies to food processing plants.
Though they are still relatively rare compared to other forms of attacks that require less sophistication, they are a big problem because they abuse an existing trust, according to FireEye Mandiant.
The cyber security company, a trusted supplier itself, suffered a data breach in late 2020, after its security tools used to test the client defences were stolen.
However, it redeemed its reputation somewhat by finding the source of the breach – a supply chain attack on a network software company called SolarWinds, which subsequently led to discoveries of widespread breaches across the United States and other countries.
Such a sophisticated attack is not easy to prevent, says Steve Ledzian, the chief technology officer for Asia Pacific at FireEye Mandiant.
However, it also means that IT teams are now more vigilant not just in checking the software they get from suppliers but also the reputation of the suppliers themselves, he argues.
How often do these suppliers conduct a penetration test, for example, he asks, in this month’s Q&A.
NOTE: Responses have been edited for brevity and style.
Q: In a world where software runs everything, from routers to smart buildings, do you see deeper problems arising from supply chain attacks?
A: FireEye has been calling out supply chain risk for years now. It’s mentioned in our 2018, 2019 and 2020 security predictions reports.
As business and organisations continue to digitally transform and as the attack surface continues to grow, supply chain attacks will continue to grow along with them.
One important consideration is that supply chain compromise in and of itself is not a complete end-to-end attack, but rather just one component an attacker users to build out a complete attack chain.
This can be seen on the MITRE ATT&CK Framework. When an attacker breaks into a network, supply chain compromise is one technique that the attacker can use to accomplish the tactic of initial compromise.
There are many other ways to achieve initial compromise, and after achieving initial compromise, there are many other post-exploitation stages of the attack that must be complete before the full attack is successful.
The point here is that while supply chain compromise is difficult to detect, it is just one of many opportunities to break the chain of the attack, and prevent impact to the organisation.
Q: FireEye managed to find what caused its data breach late last year but how well protected is the digital supply chain in general today?
A: Supply chain attacks are comparatively rare compared to other types of cyber attacks, but as they expose multiple victims simultaneously, their impact can be quite high.
A lot of thought and effort have gone into improving security across the supply chain, but as it’s an attack that abuses a pre-existing trust, it’s a challenging problem to solve.
Governments are paying attention to the risk the supply chain poses. The Cyber Security Agency’s (CSA’s) recent Singapore Cyber Landscape 2020 Report highlights supply chain risk a number of times
Meanwhile, the United States Department Of Defense is leveraging the Cybersecurity Maturity Model Certification (CMMC) to address supply chain risk in the defence industrial base.
Q: Do you see criminal gangs, some originating from jurisdictions where they enjoy relative immunity from prosecution, continue to be the main threat actors in supply chain attacks? Or will state actors be involved at some point?
A: Supply chain attacks can be leveraged by threat actors with both financial motivations as well as espionage motivations.
Often, when we think about supply chain attacks, it’s the nation state threat actors that first come to mind as the culprits most likely to able to have the sophistication required to pull off such an attack.
Nation state threat actors have been doing this for some time now. Cyber criminals have been known to use supply chain attacks as well, but more commonly cyber criminals often don’t need to resort to a level of sophistication that requires a supply chain attack.
Cyber criminals have plenty of success in achieving initial access in other less sophisticated ways such as phishing, exploiting public facing applications, or leveraging compromised valid accounts.
Q: Supply chain attacks target the trust between businesses. How do you build trust when even a digital signature and encrypted data can be compromised at source?
A: It’s not an easy problem. Even if IT teams tightly scrutinise the software they deploy, organisations still need to worry about the software and utilities that employees download and use for themselves.
For example, while IT teams might deploy the latest version of stock browsers, users might add their own browser plug-ins or extensions which might silently perform malicious actions.
Technology controls are part of the solution but organisations are augmenting those in other creative ways. For example, before choosing a vendor, business sometimes will consider that vendor’s financials.
“Is this vendor financially viable” or “Will this vendor still be around to support our purchase next year or the year after?”
Procurement teams are now asking potential vendors about their security practices. “Do you do background checks on employees?” or “How often does your organisation do a penetration test or a red team assessment?”
We’ve long heard of how strong cyber security can be a differentiator, and now customers are starting to ask vendors to demonstrate that they take cyber security seriously.