Threat Landscape for Supply Chain Attacks
What are supply chain attacks?
Supply chain refers to the ecosystem of processes, people, organisations and distributors involved in the creation and delivery of a product. There are 4 key elements to a supply chain:
Supplier: an entity that provides a product or service that another entity needs
Supplier Assets: the elements used by the supplier to produce the product or service
Customer: the entity that starts the chain of events when it decides to purchase the product or service provided by the supplier
Customer Assets: the elements owned by the customer, i.e. the ultimate target
So, what is a supply chain attack? It is a combination of at least two different attacks: for example, the first attack is on the supplier, and the access gained there is then used to reach the target asset (which may belong to the customer or to another supplier). These attacks leverage the interconnectedness of global markets, where multiple customers rely on the same supplier.
Attack techniques used to compromise the supplier and the customer:
Supplier - Malware infection, Social Engineering, Brute-Force attack, Exploiting Software Vulnerability, Open-Source Intelligence
Customer - Trusted Relationships, Drive-by Compromise, Phishing, Malware Infection, Physical Attack or Modification
Assets targeted by the supply chain attack:
Supplier assets - Software libraries, Code, Configurations, Processes, Hardware, People
Customer Assets - Data, Personal data, Software, Bandwidth, Financial, People
Supply chain incidents
SolarWinds Orion: IT management and remote monitoring
Mimecast: Cloud Cyber Security Services
Ledger: Hardware Wallet
Kaseya: IT Management Services Compromised With Ransomware
To manage supply chain cybersecurity risk, customers are advised to define risk criteria for the different types of suppliers and services (e.g. whether a supplier is a single point of failure) and to identify the different types of service providers they depend on.
Customers should identify the supply chain risks that affect their own business continuity and understand the impact of outages. They should also monitor supply chain risks and threats using internal and external sources of information, and make their personnel aware of the risks that are found.
Implementing third-party control assessments and ongoing monitoring is recommended to achieve this.
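The "multiple customers rely on the same supplier" point above and the single-point-of-failure risk criterion can be made concrete by walking the dependency graph between an organisation and its suppliers. The following is an added example, not code from the original page or from ENISA; the dependency map is constructed and the entity names are hypothetical.

```python
from collections import defaultdict

# Constructed sample supply relationships: each entity -> the suppliers it depends on.
# Names are hypothetical placeholders, not the incidents listed on the page.
DEPENDENCIES = {
    "acme-corp": ["it-monitoring-vendor", "email-security-vendor", "payroll-saas"],
    "email-security-vendor": ["cloud-host"],
    "payroll-saas": ["cloud-host", "build-pipeline-saas"],
    "it-monitoring-vendor": ["build-pipeline-saas"],
}


def transitive_suppliers(entity, deps):
    """Every supplier the entity depends on, directly or through its suppliers' suppliers."""
    seen, stack = set(), list(deps.get(entity, []))
    while stack:
        supplier = stack.pop()
        if supplier in seen:
            continue
        seen.add(supplier)
        stack.extend(deps.get(supplier, []))
    return seen


def blast_radius(deps):
    """Map each supplier to the set of entities that are reachable if that supplier is compromised."""
    radius = defaultdict(set)
    for entity in deps:
        for supplier in transitive_suppliers(entity, deps):
            radius[supplier].add(entity)
    return dict(radius)


def single_points_of_failure(deps, threshold=2):
    """Suppliers whose compromise would reach at least `threshold` entities (a SPOF risk criterion)."""
    return sorted(s for s, hit in blast_radius(deps).items() if len(hit) >= threshold)


def attack_paths(customer, supplier, deps, path=None):
    """All dependency chains from customer down to supplier; each hop is one stage an attacker must chain."""
    path = (path or []) + [customer]
    if customer == supplier:
        return [path]
    found = []
    for nxt in deps.get(customer, []):
        if nxt not in path:  # guard against cycles in the dependency map
            found.extend(attack_paths(nxt, supplier, deps, path))
    return found


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(DEPENDENCIES))
    print("paths to cloud-host:", attack_paths("acme-corp", "cloud-host", DEPENDENCIES))
```

Suppliers two hops away (here the build pipeline and the cloud host) show up with the largest blast radius even though the organisation has no direct contract with them, which is why the risk criteria should cover sub-suppliers and not only first-tier vendors.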
On the other hand, suppliers should ensure that the secure development of their products and services is consistently kept up to date with the latest best practices. Suppliers also need to ensure that the infrastructure used to design, develop, manufacture and deliver their products follows these cyber security best practices.
They should also consider implementing quality objectives, such as identifying reported risks or security issues and using them as an instrument to improve overall quality, and implementing a secure engineering process that is consistent with commonly accepted security practices.
Our recommendation is that, to be best prepared, organisations should at the very least align with ISO 27001, or even seek certification to show their supply chain that they have achieved a very high standard of information security.