Arming Your Business Against Supply Chain Attacks
While supply chains aren’t new, the digital supply chain is a modern development that injects much more complexity into the basic concept.
Online commerce and communication has introduced networks of linked services, applications, assets, and devices that are connected through networks of vendors and third-party providers. Imagine how many interactions could be points of vulnerability if there are security problems in the chain! In fact, 58% of business owners believe their vendor access has led to a breach.
Given that some vendor software is so widely used (from point-of-purchase to payroll), an opportunistic hacker can disrupt an assortment of companies in one fell swoop with a targeted supply chain attack. Here’s how this type of attack starts, where it can go, and how you can best avoid both the immediate and long-term damage it can bring.
How do cyber attacks affect supply chains?
A supply chain attack aims to insert malicious code or components at the start of a chain — typically into a supplier’s software or hardware. The attacker can then control the supplier’s distribution systems and infiltrate their customers’ networks.
Hardware can be vulnerable, but software supply chain attacks are particularly concerning. Since third-party software is often repurposed and stitched together, it can be difficult to ensure all the code is completely secure. Just because a software product was previously deemed safe and secure doesn’t mean it’s still secure today.
In fact, research has found that over 30% of third-party vendors could cause significant damage to client organizations if they were to be breached.
How malware moves through the chain
What kind of damage can be done during a supply chain attack? When malware’s involved, a large number of companies can be seriously and simultaneously disrupted.
An “upstream” server attack can quickly impact hundreds or thousands of businesses by implanting malware in the target system and leaving it to infect all the users who download the infected update, app, or program (as was the case in the SolarWinds attack of 2020).
When relying on any third parties, your business is vulnerable to a breach, even if you’ve taken strong cybersecurity measures to protect yourself.
Not only can malware travel easily in a supply chain attack, it can also be more difficult to remediate, for a few reasons:
- The delivery mechanism can pass the malware through to systems buried deep inside corporate networks or hidden behind layers of traditional defense.
- Vendors can’t respond as quickly as they would to a zero-day vulnerability. Instead, they must disable the delivery infrastructure to prevent further misuse while they work on securing their own systems.
- Since malicious updates affect large groups of systems simultaneously, they could challenge the capacity of the entire incident response industry. In turn, some affected businesses may not get the support they need to limit the impact.
In order to stay online, secure, and in control of your network, you’ll want to protect against supply chain attacks as best you can. As the saying goes, an ounce of prevention is worth a pound of cure.
4 steps to prevent supply chain attack fallout
Events like the SolarWinds supply chain attack bring up an uncomfortable fact: when relying on any third parties, your business is vulnerable to a breach, even if you’ve taken strong cybersecurity measures to protect yourself.
But all is not lost: there are steps you can take to shore up your defenses and deal with the risks in front of you. Think about your supply chain attack defense as four sequential actions:
- Investigate
- Defend
- Maintain
- Plan
The specific tasks that fall within these four phases will strengthen your first lines of defense, help you better spot and react to risk, and — if the worst should happen — recover as quickly and with as little downtime and damage as possible.
1. Investigate your assets
You’ve got to know where you’re starting from in order to improve and maintain a good security posture. Here’s how you can begin:
- Audit unapproved shadow IT infrastructure. Applications, software, and services that are used without explicit approval from your IT department (like a simple grammar support plugin) can be trouble.
- Update your software asset inventory. Just as you track all your company systems and devices, keep a record of all the software you use in your daily operations.
- Assess vendors' security posture. Do everything in your power to make sure any vendor who could have access to your data will be careful with it, beginning with a security assessment.
2. Actively defend
Once you understand exactly what you have to protect — and just how vulnerable your network may be — you can shift attention to building a solid defense against continuous threats:
- Treat validation of supplier risk as an ongoing process. Risk and threats evolve, so a vendor’s security posture may change. Periodically assess your suppliers’ risk.
- Use client-side protection tools. Your servers might be protected, but how about the web assets that connect to your customers? Look into potentially vulnerable layered web applications and scripts, and limit exposure by splitting frontend applications into smaller components.
- Use endpoint detection and response (EDR) solutions. Managed EDR solutions can work to detect and assess suspicious activity on your network endpoints.
- Deploy strong code integrity policies to allow only authorized apps to run. Whitelist software and applications, and use digital signatures from a trusted entity.
3. Monitor and maintain
Getting the right defense tools and processes in place is only half the battle; you need to make sure your program keeps working for you, and make changes as required. Here are some ways to stay in control of your security:
- Maintain a secure build, and update infrastructure. Apply patches for software and operating systems as soon as they’re available, insist on MFA, and only use trusted tools.
- Build secure software updaters into your software management strategy. Automatic software updaters make it much easier to keep up with patches and updates, but whether you opt for a paid or a free version, be sure it supports all the programs you run.
- Uphold the Principle of Least Privilege. Not everyone in the organization should be able to access all assets or data at all times. By actively managing permissions, you can shrink your attack surface.
4. Plan for the worst
Even the strongest measures can fall short in some circumstances. Regardless of the nature or size of your business, you should gather your IR allies and develop an incident response process:
- Identify problems with hardware and providers. Aside from auditing and updating your own tools to versions that are supported by developers, it's important to ask your vendors key governance and structural questions — you need to understand their approach to information security, cybersecurity controls, and technology.
You can start with standard best practices and security assessment methodologies developed by NIST (National Institute of Standards and Technology) and SANS (System Administration, Networking, and Security Institute). You can use these frameworks to asses your own security, as well.
- Build your business continuity and incident response plans. What would you deem absolutely critical to the survival of your business? What would happen if you lost access to these things? Have an honest discussion with your key stakeholders about how long you would be able to stay open (and consider backup providers to help extend that runway).
- Learn what it takes to operate manually. Contingencies should be in place for manual operations — and employees should be appropriately trained to carry out those tasks.
Going analog may seem like a return to simpler times, but it's critical for all organizations to know how to carry on without digital conveniences. Case in point: The Colonial Pipeline Attack brought older infrastructure workers onto the scene to operate systems the "old fashioned way."
- Practice scenarios. Once you have your plans in place, conduct tabletop exercises to identify weaknesses in your organization’s security practices and develop action plans to address these vulnerabilities. Then, periodically stress-test your security posture.
Redundancies to the rescue
When you’re putting together your security, continuity, and incident response strategies, pay extra attention to your backup plans. If everything rests on a single vendor, a solitary system, or one route to your data, you could be teetering on the edge of disaster.
Small businesses are often strapped for resources, so you may not be able to put all necessary redundancies in place. The best way forward will be to identify the servers, software, operating systems, suppliers, and vendors that are critical to your operations. Then, focus resources in those areas to ensure you can stay resilient during and after a cyber incident.
Trust your backups
Backup plans are only useful if they can be deployed quickly and predictably. In addition to our suite of proactive security tools, we’ve designed our data backup tool to be as simple and straightforward as it is strong and dependable.
By automatically and continuously backing up your files, saving each version, and storing everything offsite, we make sure you can access your backed-up data when you need to, right through your device. That means you’re better able to avoid the repercussions of a malware or ransomware attack.
Want to learn more about how Elpha Secure can elevate your defense AND your incident response? Check out our cybersecurity technology.