A supply chain cyber-attack targets an organization’s third-party supplier rather than attacking its network directly. One of the biggest and most sophisticated supply chain attacks to date was the 2020 SolarWinds attack, where the threat actor gained access to public and private organizations by inserting a backdoor into updates of the SolarWinds IT management software they were all running.
There is one simple reason supply chain attacks are so difficult to identify and prevent: trust. Supply chain attacks take advantage of the fact that we inherently trust our vendors and third parties. We don’t always have visibility into who the weakest link in our business ecosystem might be, and we don’t question an update that arrives with a strategic partner’s digital signature attached, because we have no reason to suspect that a trusted service has been compromised.
Not all supply chain attacks are created equally. Some, like the recent Okta cyber-attack, may not even have been intended as supply chain attacks. However, in our hyper-connected world, an attack on one vendor can easily become an attack on its entire ecosystem – wreaking havoc on partners, third parties, and customers.
We need to retain a high level of trust in our third-party ecosystem, or our businesses would grind to a halt. Whether it’s the remote monitoring software an MSP uses to stay on top of its IT environment, a third-party software solution that automates common processes, or, in the case of Okta, a vendor’s vendor (the attack was actually established through Sitel, a vendor that supports Okta in providing customer support), a business needs its supply chain.
However, while supply chain attacks were traditionally rare, and usually carried out by nation-state attackers with sophisticated tools, the Okta attack is another example of how the tide is turning and how attacks that impact the supply chain now come in many forms. The LAPSUS$ crime group that has taken responsibility for this attack is not a nation-state attacker. This isn’t a cyberattack from the Russian or Chinese governments; it’s a far less sophisticated criminal group looking to compromise customers and data by searching for the easiest way in once it discovers that the front door is firmly locked.
This attack lowers the bar for other attackers and proves that you don’t need to be a sophisticated group with the might of a nation behind it to successfully breach a network or steal valuable data.
It should also come as a wake-up call for businesses of all sizes. While organizations often saw supply chain attacks as “too big to protect against”, the rise in popularity of these attacks, especially among less sophisticated attackers, should be a serious call to action. All kinds of criminal groups are waking up to the fact that by attacking a third-party service they can gain access to hundreds or even thousands of companies, as we saw in the Kaseya attack in 2021 (even though there is debate over whether that attack was intended as a supply chain attack).
Because of the high level of trust we give third parties, these attacks can be very difficult to identify, but that doesn’t mean there is nothing we can do. Every organization should prioritize preventive measures, as part of its risk management process, that both reduce the likelihood of a compromise reaching it through the supply chain and limit the blast radius if one does.
Defensive measures that reduce the likelihood and impact of supply chain attacks at every level of sophistication include:
- Assessment of exposure to third-party risk: Security leaders must map the interfaces with vendors and other third parties (support access, remote management agents, integrations, shared credentials) and the risk each poses to critical processes and business continuity
- Network segmentation: Limiting the reachable attack surface so that if a vendor or its tooling is breached, critical assets and customer data are not impacted
- Least privilege: Giving third-party vendors, their users, and the services themselves minimal reach, with only the access and actions they need and nothing more, so that a compromised support account cannot silently escalate
- Security monitoring: Ensuring that when an attack occurs, alerts are triggered at the first sign of lateral movement, of a third-party account acting outside its expected scope, or of anything else unusual
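The last two measures can be made concrete in code. The following is an added example, not code from the article or from Sygnia: it runs two checks over a handful of constructed audit-log events (the JSON line format, the vendor action allowlist, the account names and the thresholds are all assumptions made for illustration, not a real product's log schema or policy). The first check enforces least privilege by flagging any vendor account that performs an action outside its allowlist, such as an MFA or password reset. The second is a simple lateral-movement heuristic that alerts when one actor touches several distinct targets inside a short window.

```python
"""Added example (not from the original article or Sygnia): least-privilege
and lateral-movement checks over constructed audit-log events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions a third-party support account is allowed to perform. Assumed policy
# for illustration; a real allowlist comes from the vendor contract and review.
VENDOR_ALLOWED_ACTIONS = {
    "user.session.view",
    "ticket.comment",
    "user.lifecycle.unlock",
}

# Lateral-movement heuristic: one actor touching this many distinct targets
# within the window raises an alert. Thresholds are illustrative.
LATERAL_TARGETS = 3
LATERAL_WINDOW = timedelta(minutes=10)

# Constructed sample events (one JSON object per line). Not real Okta or Sitel
# logs; field names and action strings are assumptions for this example.
SAMPLE_LOG = """
{"ts": "2022-01-20T22:01:00Z", "actor": "support-eng@vendor.example", "actor_type": "vendor", "action": "user.session.view", "target": "alice@corp.example"}
{"ts": "2022-01-20T22:02:30Z", "actor": "support-eng@vendor.example", "actor_type": "vendor", "action": "user.mfa.factor.reset_all", "target": "alice@corp.example"}
{"ts": "2022-01-20T22:03:10Z", "actor": "support-eng@vendor.example", "actor_type": "vendor", "action": "user.account.reset_password", "target": "bob@corp.example"}
{"ts": "2022-01-20T22:05:45Z", "actor": "support-eng@vendor.example", "actor_type": "vendor", "action": "user.account.reset_password", "target": "carol@corp.example"}
{"ts": "2022-01-20T09:15:00Z", "actor": "it-admin@corp.example", "actor_type": "employee", "action": "user.account.reset_password", "target": "dave@corp.example"}
{"ts": "2022-01-20T10:00:00Z", "actor": "support-eng@vendor.example", "actor_type": "vendor", "action": "ticket.comment", "target": "ticket-4412"}
"""


def parse_events(raw):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def privilege_violations(events):
    """Least privilege: vendor actors performing actions outside the allowlist.

    Employee actors are not checked here; they fall under a different policy.
    """
    return [
        e for e in events
        if e["actor_type"] == "vendor" and e["action"] not in VENDOR_ALLOWED_ACTIONS
    ]


def lateral_movement(events, max_targets=LATERAL_TARGETS, window=LATERAL_WINDOW):
    """Sliding window per actor over distinct targets touched within `window`.

    Returns one (actor, window_start, window_end, sorted_targets) tuple per
    actor that crosses the threshold.
    """
    alerts = []
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            # Advance the window start until it is within `window` of this event.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {x["target"] for x in evs[start:end + 1]}
            if len(targets) >= max_targets:
                alerts.append((actor, evs[start]["ts"], e["ts"], sorted(targets)))
                break  # one alert per actor is enough for this example
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for v in privilege_violations(evs):
        print(f"PRIVILEGE  {v['ts']:%H:%M:%S} {v['actor']} did {v['action']} on {v['target']}")
    for actor, t0, t1, targets in lateral_movement(evs):
        print(f"LATERAL    {actor} touched {len(targets)} targets between {t0:%H:%M:%S} and {t1:%H:%M:%S}: {targets}")
```

On the sample data the vendor account's session view and ticket comment pass, while its MFA reset and two password resets are flagged as outside the allowlist, and the three distinct user accounts it touched in under five minutes trigger the lateral-movement alert; the employee's single password reset is untouched by either rule. The point is that a compromised support account looks like any other logged-in user unless the monitoring knows what that account is supposed to do and how fast a legitimate support engineer normally moves between accounts.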
Written by Oren Biderman, Incident Response Expert at Sygnia