With the release of the Securing the Supply Chain report it has been shown that supply chain attacks are increasing in popularity. The survey conducted by CrowdStrike further showed that organizations increasingly have to deal with cyber attacks targeting the software supply chain and in many cases, they are not adequately prepared to respond to such incidents. Such an attack can be defined as the illegitimate compromising of software code through cyber attacks, insider threats, and other close access activities at any phase of the supply chain to infect an unsuspecting customer. In the past, they have also been called value-chain or third-party attacks and can commonly occur when someone infiltrates your system through an outside partner or provider with access to your systems and data.
Another common method employed by malicious actors is the targeting of software makers in an effort to modify their products so that they perform malicious actions and provide a backdoor into the targeted environment. Such attacks have drastically changed the attack surface of the typical enterprise in the past few years, mainly because more suppliers and service providers have access to sensitive data than ever before.
There have been some major incidents that have become textbook cases of such attacks over the last few years. In 2014, retail giant Target suffered a major data breach that was proved to be a result of lax security at an HVAC (heating, ventilation, and air conditioning) vendor. The now infamous Equifax breach was blamed on a flaw in outside software it was using; the company then blamed a malicious download link on its website on yet another vendor. Further examples of these attacks include the NotPetya attack, which involved a Ukrainian tax software firm, and the CCleaner incident, which involved the hacking of distribution servers at Piriform.
Important findings of the Report
The main finding of the Securing the Supply Chain report is that roughly one-third of organizations are concerned about supply chain attacks, with 18% and 38% rating the risk as high and moderate, respectively. Approximately two-thirds of respondents have experienced some form of supply chain attack. The biotechnology and pharmaceutical sector takes the lead, with 82% of organizations having encountered such an incident, including 45% hit in the last 12 months. Other sectors more likely to encounter supply chain attacks include hospitality, entertainment and media (74%), IT and technology (74%), engineering (73%), healthcare (70%) and insurance (68%).
The survey also looked to determine how quickly organizations can respond to and remediate such an attack. To that end, organizations believe it would take 10 hours to detect an incident, 13 hours to react, 15 hours to respond, and 25 hours to remediate it. That amounts to a total of 63 hours from infection to remediation. Another important facet of the survey was the potential for financial loss. A vast majority of respondents that have encountered a supply chain incident reported a financial impact, with an average cost of roughly 1.1 million USD. The highest costs were reported by the hospitality, entertainment, and media sectors, averaging 1.44 million USD, and the lowest reported losses were in the government sector, at an average of 329,000 USD.
Such attacks inevitably have a negative impact on trust between organizations and suppliers. The survey results reflect this: only 35% of respondents said they were totally certain they would be informed of a cybersecurity incident at a supplier, and a further 39% said they had lost trust in a supplier over the past year. The levels of trust between suppliers and organizations are further strained by the vetting standards employed. Less than a third of the organizations that took part in the survey vetted all suppliers in the past 12 months, and the high profile attacks that came to light last year made the vetting process more rigorous in 59% of cases. Executives have also started changing their attitude with regard to this threat, with 31% becoming more involved, 49% planning to become more involved, and 13% taking more of an interest.
Can Supply Chain Attacks be mitigated?
The reality of defending against such attacks is that it is very hard to do so. What are perceived as traditional safeguards often do not protect effectively against them. Antivirus packages, in particular, often cannot be used effectively to prevent such an attack. One of the reasons for this is that vendors are typically trusted by the anti-virus companies, and most organizations do not have the resources to reverse engineer each executable that the organization wishes to use.
One of the best methods to defend against such an attack is not to have unnecessary software installed on the organization's many devices. Avoiding the use of software you don't need reduces your attack surface. While the NotPetya attack exploited well known Ukrainian accounting software, the majority of software supply chain attacks tend to happen through widely used "freeware" applications. Avoiding the use of such products, which include web browser extensions and plugins, will greatly reduce your attack surface.
Another method that has been employed to help prevent such attacks is "hardening" the organization's network. This can often be done by employing technologies like VLANs to segregate workstations from each other, by using unique local administrator passwords, which helps prevent privileged movement within your network, and by strictly controlling privileged accounts. All of these measures help prevent the spread of malware within your organization once it has entered your network.
Lastly, Intrusion Detection Systems can be installed. Such systems monitor network traffic for suspicious activity and issue an alert when such activity is discovered. It is important to note that such systems will not prevent the execution or installation of software on your network, but they can certainly assist in threat detection. Although these attacks are difficult to defend against, which is perhaps one of the reasons an increase in them is likely, measures can indeed be taken. It is little wonder that IT security professionals are concerned about their increase.
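As an added example (not from the report), the check below shows the pattern that unique local administrator passwords are meant to break: one shared local account authenticating over the network to many hosts from a single source. The logon records are constructed sample data in a simplified shape (target host, account, domain, logon type, source IP), not real telemetry.

```python
"""Flag local accounts whose network logons from one source reach several hosts.
Added example, not code from the report; the records below are constructed."""
from collections import defaultdict

# Constructed sample logon records: (target host, account, domain, logon type, source IP).
# Logon type 3 is a network logon. A local account is one whose domain field
# equals the target host name (e.g. WS01\Administrator on host WS01).
SAMPLE_LOGONS = [
    ("WS01", "Administrator", "WS01", 3, "10.0.5.12"),
    ("WS02", "Administrator", "WS02", 3, "10.0.5.12"),
    ("WS03", "Administrator", "WS03", 3, "10.0.5.12"),
    ("FS01", "svc_backup", "CORP", 3, "10.0.9.4"),   # domain account: not in scope
    ("WS04", "Administrator", "WS04", 2, "-"),       # console logon: not in scope
]


def local_account_spread(records, threshold=3):
    """Return {(account, source_ip): sorted hosts} for local accounts whose
    network logons (type 3) from one source reached >= threshold distinct hosts.
    Such spread is only possible when the local password is shared across hosts."""
    seen = defaultdict(set)
    for host, account, domain, logon_type, src in records:
        is_local = domain.upper() == host.upper()
        if is_local and logon_type == 3:
            seen[(account.lower(), src)].add(host)
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for (account, src), hosts in local_account_spread(SAMPLE_LOGONS).items():
        print(f"local account {account!r} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```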