From suppliers and service providers to vendors and contractors, third parties deliver many key functions for businesses today. Cloud migration and digital transformation strategies have increased this dependence, particularly for IT operations.
Top these changes off with workforce shifts (such as using more freelancers) and you have a situation where more external parties than ever have access to prized internal company systems and data.
In recent years, opportunistic threat actors actively increased their focus on this complex area of risk by conducting supply chain attacks. The results have been felt all the way to the U.S. federal government level—a 2020 compromise of SolarWinds’ Orion network monitoring tool led to a data breach at the U.S. Treasury and Commerce Departments.
So, what exactly is a supply chain attack and what are the main cybersecurity risks presented by third parties? What are some examples of recent third-party security incidents and their consequences? And, lastly, what can you do to better detect and prevent supply chain attacks?
Let’s dive into the answers to these pressing questions.
What is a supply chain attack?
A supply chain attack is any cyberattack in which an adversary targets a weak link in your supply chain to gain access to your network or data. These attacks exploit the basic sense of trust that exists in the relationships between companies and their vendors, service providers, and other suppliers.
For example, say you provide a software-as-a-service (SaaS) marketing tool to customers. To sell your solution, you use a third-party payment gateway. This payment gateway solution, however, does not encrypt cardholder data when customers pay you their monthly subscription. A hacker snooping online sniffs out this unencrypted traffic and steals valuable payment information. Voila, a supply chain attack.
The supply chain is the entire ecosystem of people, technology, companies, and resources that helps deliver your product or service to end users, and can extend quite far. In fact, supply chain security risks even extend to parties with whom your company lacks any direct contact or relationship.
In other words, not only do you directly trust your third-party vendors and suppliers, but you also inherently trust their vendors and suppliers.
Some third-party security risks worth being aware of include:
- Malicious code being slipped into third-party software and enabling unauthorized backdoor access to your environment or data.
- Regulatory non-compliance and penalties that result from security breaches of vendors, partners, or service providers with whom you share sensitive data.
- Financial losses from social engineering attacks in which hackers masquerade as important business partners, contractors, and vendors to commit fraud.
- Malicious insiders at third parties who intentionally sabotage security and either directly access your data or sell access to it.
Much of the recent analysis of supply chain attacks focuses on software supply chains. Increased reliance on SaaS apps and freely available open-source code partly explains this focus; however, it’s important to bear in mind that there are many ways to exploit trusted supply chain relationships that don’t necessarily involve compromising software vendors or open-source projects.
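The first risk in the list above, malicious code slipped into third-party software, is the one a defender can check for mechanically. The following is an added example (not code from the original post or from any vendor named in it): it pins a hash manifest of a vendor-supplied component at vetting time and later reports files that were modified, added or removed. The plugin name, file names and the "injected" content are constructed for the demo.

```python
"""Verify third-party components against a pinned hash manifest.

Added example, not from the original post. A backdoored theme or plugin
shows up as a file whose hash no longer matches the vetted manifest, or as a
new file dropped beside legitimate code. All paths and contents below are
constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root (POSIX separators) to its SHA-256.

    This is the state you pin when the component is vetted; store it (ideally
    signed) somewhere the vendor's delivery channel cannot alter."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree to the pinned manifest.

    Returns {"modified": [...], "added": [...], "missing": [...]}.
    Added files matter as much as modified ones: a backdoor is often a new
    file rather than an edit to an existing one."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict:
    """Simulate a vetted plugin that is later tampered with (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"  # constructed plugin name
        (plugin / "inc").mkdir(parents=True)
        (plugin / "plugin.php").write_text("<?php // legitimate plugin code\n")
        (plugin / "inc" / "helpers.php").write_text("<?php // helper functions\n")

        manifest = build_manifest(plugin)  # pinned at vetting time

        # Tampering: one file edited, one new file dropped, one file removed.
        (plugin / "plugin.php").write_text(
            "<?php // legitimate plugin code\n// constructed stand-in for injected code\n"
        )
        (plugin / "inc" / "extra.php").write_text("<?php // constructed stand-in for a dropped file\n")
        (plugin / "inc" / "helpers.php").unlink()

        return verify_against_manifest(plugin, manifest)


if __name__ == "__main__":
    print(demo())
```

Run it on a real component by calling build_manifest once after review, storing the result outside the deployment path, and calling verify_against_manifest on every update or on a schedule; a non-empty "modified" or "added" list is the signal to stop the rollout and inspect.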
Examples of recent supply chain attacks
To fully grasp what supply chain attacks look like in the real world and what their potential consequences are, let’s take a look at some examples from the last few years.
U.S. news websites
News websites strive to publish engaging media content in a variety of formats to keep their readers interested. Modern online media platforms gain much of their revenue from viewers clicking on or even simply viewing advertisements.
In a November 2022 breach, hundreds of U.S. news websites unknowingly pushed malware to visitors after threat actors compromised a media partner’s IT infrastructure. The affected U.S. news websites depended on this partner for video content and advertising banners.
This specific malware poses as a legitimate software update, encouraging unsuspecting news readers to update their browser. In total, the malware was pushed to more than 250 U.S. news outlets, including outlets in major U.S. cities such as New York and Chicago.
AccessPress
AccessPress is a popular vendor of website themes and plugins. For small and local companies, having a functional website can be a business-critical element of their operations. Many such companies opt for the easy functionality of a content management system (CMS) to run their sites. In fact, around 58% of all websites online use a CMS.
A 2022 supply chain breach saw the majority of themes and plugins published by AccessPress being compromised by threat actors. The adversaries managed to insert backdoors into the themes and plugins so that any victim who installed a dodgy plugin or theme would unknowingly give an outsider full control of their website.
This attack went somewhat under the radar in terms of publicity, but it demonstrated how fragile supply chain security can be.
Okta
A spate of attacks by cybercrime group LAPSUS$ caused havoc for multiple high-profile companies in 2022 (we wrote about key lessons to learn from the LAPSUS$ attacks here). Among the victims was Okta, an identity management solutions provider that helps companies manage and secure user authentication into applications.
In what turned into an even more challenging year for Okta, they were targeted in a further supply chain attack in August 2022. This complex supply chain spree saw threat actors harvesting 10,000 sets of Okta account credentials.
Defending against supply chain attacks
Move towards zero trust
There’s a big push right now in cybersecurity towards zero trust, a relatively new approach to identity and access management that reduces the attack surface, limits lateral movement, and makes it easier to spot indicators of an attack.
This strategy works by eliminating any default trust given to users and apps within a network ecosystem. The result is that when users or apps make requests to access IT resources, the requests are continually authenticated based on context and risk.
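A concrete way to see what "continually authenticated based on context and risk" means is to write the policy down as code. The block below is an added example, not code from the original post: each request carries identity, device posture and a risk score, and the decision is recomputed for every request, so a user who was allowed a moment ago can be denied when their risk rises. The attributes, thresholds and sample requests are constructed for the demo; the point to notice is that coming from the corporate network is never a shortcut to "allow".

```python
"""Per-request access decision driven by context and risk.

Added example, not from the original post. Every request is evaluated on
its own merits; network location grants no implicit trust. Attribute names,
thresholds and sample requests are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_managed: bool        # enrolled in the org's device management (assumed signal)
    device_patched: bool        # posture check passed (assumed signal)
    from_corporate_network: bool
    resource_sensitivity: str   # "low", "medium" or "high"
    risk_score: int             # 0-100, e.g. from new-geo or impossible-travel signals


def decide(req: Request) -> str:
    """Return "allow", "step_up" (force re-authentication) or "deny".

    from_corporate_network is carried in the request but deliberately never
    consulted: zero trust means the network is not a trust boundary."""
    if req.risk_score >= 80:
        return "deny"
    if not req.mfa_verified:
        return "step_up"
    if req.resource_sensitivity == "high":
        # High-value resources require a managed, patched device and low risk.
        if not (req.device_managed and req.device_patched):
            return "deny"
        return "allow" if req.risk_score < 40 else "step_up"
    if req.resource_sensitivity == "medium":
        if not req.device_managed:
            return "step_up"
        return "allow" if req.risk_score < 60 else "step_up"
    return "allow"


def evaluate_session(requests) -> list:
    """Decide each request independently; earlier approvals carry nothing forward."""
    return [decide(r) for r in requests]


# Constructed sample: the same user's later request fails as risk climbs.
SAMPLE_SESSION = [
    Request("alice", True, True, True, True, "high", 10),    # allow
    Request("alice", True, True, True, True, "high", 55),    # step_up
    Request("alice", True, True, True, True, "high", 85),    # deny
    Request("bob", False, True, True, True, "low", 5),       # step_up: on-prem, still no MFA
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_SESSION, evaluate_session(SAMPLE_SESSION)):
        print(f"{req.user:<6} risk={req.risk_score:<3} {req.resource_sensitivity:<6} -> {verdict}")
```

The ordering of the checks is the design choice that matters: the hard risk ceiling and the MFA requirement apply before any resource-specific logic, so no branch can accidentally grant access on the strength of network location alone.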
Segment your network
Network segmentation essentially breaks up your IT network into smaller parts rather than managing it as one large zone. This improves security because you can control and monitor traffic flows between different network segments, each of which may contain a different group of applications, data, or services.
By segmenting your network, you limit the ability of third-party software and service providers to escalate their access to valuable data or services that you want to protect most.
Properly segmenting your network helps to minimize the impact of any future supply chain attacks since a successful breach of one subnet will not compromise the resources or services in another subnet.
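Segmentation only limits a third party if the allowed flows between segments are written down and enforced, and the same allow-list doubles as a detection rule when observed traffic is checked against it, which also serves the continuous-monitoring point later in this post. The block below is an added example, not code from the original post: segments are CIDR ranges, the policy is a default-deny list of (source segment, destination segment, destination port), and constructed flow log lines are audited against it. Segment names, address ranges, ports and the log format are all assumptions made for the demo.

```python
"""Audit observed flows against a default-deny segmentation policy.

Added example, not from the original post. A vendor integration host is
confined to one API endpoint in the app segment; any flow from it toward the
data or user segments is reported as a violation. Segments, ports and log
lines are constructed for the demo.
"""
import ipaddress
from typing import NamedTuple

# Constructed segment plan.
SEGMENTS = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "vendor_dmz": ipaddress.ip_network("10.20.0.0/24"),  # third-party integration hosts
    "app": ipaddress.ip_network("10.30.0.0/24"),
    "data": ipaddress.ip_network("10.40.0.0/24"),
}

# Default deny: only these (src segment, dst segment, dst port) tuples are permitted.
ALLOW = {
    ("user_lan", "app", 443),
    ("vendor_dmz", "app", 8443),  # the vendor reaches exactly one API port
    ("app", "data", 5432),
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> str:
    """Name the segment containing ip, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse a constructed key=value flow record such as 'src=... dst=... dport=...'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def verdict(flow: Flow) -> str:
    """Classify one flow as intra-segment, allowed, or a policy violation."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return "intra-segment"
    if (s, d, flow.dport) in ALLOW:
        return "allowed"
    return f"violation: {s} -> {d}:{flow.dport}"


def audit(lines) -> list:
    """Return one verdict string per log line, in order."""
    return [verdict(parse_flow(line)) for line in lines]


def violations(lines) -> list:
    """Return only the violation verdicts; this is the list to alert on."""
    return [v for v in audit(lines) if v.startswith("violation")]


# Constructed flow log: two legitimate flows, a vendor host reaching past its
# allowed API port toward the database and the user LAN, and an intra-segment flow.
SAMPLE_LOG = [
    "src=10.10.5.21 dst=10.30.0.10 dport=443 action=accept",
    "src=10.20.0.7 dst=10.30.0.10 dport=8443 action=accept",
    "src=10.20.0.7 dst=10.40.0.5 dport=5432 action=accept",
    "src=10.20.0.7 dst=10.10.5.21 dport=445 action=accept",
    "src=10.40.0.5 dst=10.40.0.6 dport=5432 action=accept",
]

if __name__ == "__main__":
    for line, v in zip(SAMPLE_LOG, audit(SAMPLE_LOG)):
        print(f"{v:<40} {line}")
```

Note that the third and fourth records carry action=accept: the firewall let them through, so the audit is catching a gap between the intended policy and the enforced one, which is exactly the kind of silent over-permission a compromised vendor host would exploit.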
Conduct third-party risk assessments
A third-party risk assessment establishes a better understanding and clearer visibility over supply chain risks. This assessment should entail inventorying suppliers and vendors and assessing their security posture.
Steps could include grouping third parties into different risk profiles, using questionnaires to assess security, and strategically choosing to work with vendors that comply with stringent cybersecurity standards such as ISO 27001.
Risk assessments can be difficult to conduct yourself, and many organizations choose to enlist the help of experienced experts.
Continuously monitor for threats
Continuously monitoring for threats and vulnerabilities across your company’s endpoints, network, and cloud services is critical for strong cybersecurity. While it’s not possible to fully control supply chain risks, you do have control over how well prepared you are to detect and respond to in-progress threats from suppliers and vendors before they develop into full-blown breaches.
Covalence, our managed detection and response solution, monitors for known threats, suspicious behavior, and vulnerabilities across your entire IT infrastructure. This approach helps to detect and stop cyberattacks early, or even prevent them entirely.