Such is the world of the cybercriminal.
You may never know the perpetrators of these crimes. You may never understand how much is paid to them. You may never begin to contemplate that some corporations are reportedly assigning their own hackers to ‘hack back’ at those targeting them, which can be as dangerous as it sounds. What we do know, however, is that the people behind these attacks are busier than ever before. As insurer TT Club recently stated on cyber risk: ‘Be alert and expect the attack; it’s not if but when.’
The European Union Agency for Cybersecurity (ENISA) agrees. Its new study, ‘Threat Landscape for Supply Chain Attacks’, which examined 24 such incidents between January 2020 and July 2021, predicts a four-fold increase in supply chain software attacks in 2021.
It issues a very clear and frank assessment: strong security protection is no longer enough for organisations, because attackers have already shifted their attention to suppliers, with growing impacts such as system downtime, monetary loss and reputational damage. ‘You’re only as strong as your weakest link’ has never been a more pertinent statement when it comes to cybersecurity.
The EU Agency for Cybersecurity’s mapping of emerging supply chain crimes found 66% of attacks focus on the supplier’s code. ‘Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers,’ it states.
In 62% of the cases, malware was the attack technique employed. This evidence stresses the need for policymakers and the cybersecurity community to act now with novel protective measures to prevent and respond to potential supply chain attacks in the future, ENISA says.
Why is a good level of cybersecurity not good enough?
Composed of an attack on one or more suppliers with a later attack on the final target, namely the customer, supply chain attacks may take months to succeed, the EU Agency found. ‘In many instances, such an attack may even go undetected for a long time. Similar to Advanced Persistent Threat (APT) attacks, supply chain cyber incidents are usually targeted, quite complex and costly, with attackers probably planning them well in advance. All such aspects reveal the degree of sophistication of the adversaries and the persistence in seeking to succeed.’
Organisations could be vulnerable to a supply chain attack even when their own defences are quite good, ENISA adds, with attackers exploring new potential highways to infiltrate organisations by targeting their suppliers. Moreover, because a single supply chain attack can affect an almost unlimited number of customers, these types of attacks are becoming increasingly common. In order to compromise targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents, highlighting the need for organisations to focus their efforts on validating third-party code and software before using it, to ensure it has not been tampered with or manipulated.
In some 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) and intellectual property. In 66% of the supply chain attacks reviewed, suppliers did not know, or failed to report, how they were compromised.
Apply good practices and engage in coordinated actions
‘The impact of attacks on suppliers may have far-reaching consequences because of the increased interdependencies and complexities of the techniques used. Beyond the damages on affected organisations and third parties, there is a deeper cause for concern when classified information is exfiltrated and national security is at stake or when consequences of a geopolitical nature could emerge as a result. In this complex environment for supply chains, establishing good practices and getting involved in coordinated actions at EU level are both important to support all Member States in developing similar capabilities – to reach a common level of security,’ the report advises.
In the report, ENISA offers a number of recommendations for customers to manage supply chain cybersecurity risks and their supplier relationships:
Recommendations to manage cyber risk
To manage supply chain cybersecurity risk, the study recommends customers should:
- identify and document types of suppliers and service providers
- define risk criteria for different types of suppliers and services, such as important supplier and customer dependencies, critical software dependencies, single points of failure
- assess supply chain risks according to their own business continuity impact assessments and requirements
- define measures for risk treatment based on good practices
- monitor supply chain risks and threats, based on internal and external sources of information and on findings from suppliers’ performance monitoring and reviews
- make their personnel aware of the risk
Additionally, to manage their relationships with suppliers, ENISA highlights measures customers should adopt aimed at preventing cyberattacks, including:
- manage suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components
- classify assets and information that are shared with - or accessible to - suppliers, and define relevant procedures for their access and handling
- define obligations of suppliers for the protection of the organisation’s assets, for the sharing of information, for audit rights, for business continuity, for personnel screening, and for the handling of incidents in terms of responsibilities, notification obligations and procedures
- define security requirements for the products and services acquired
- include all these obligations and requirements in contracts; agree on rules for sub-contracting and potential cascading requirements
- monitor service performance and perform routine security audits to verify adherence to cybersecurity requirements in agreements; this includes the handling of incidents, vulnerabilities, patches, security requirements, etc.
- receive assurance of suppliers and service providers that no hidden features or backdoors are knowingly included
- ensure regulatory and legal requirements are considered
- define processes to manage changes in supplier agreements, e.g. changes in tools, technologies, etc.
Moreover, as any product or service is built from or based on components and software that is subject to vulnerabilities, suppliers should implement good practices for vulnerability management, such as:
- ensure that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices
- implement a product development, maintenance and support process that is consistent with commonly accepted product development processes
- implement a secure engineering process that is consistent with commonly accepted security practices
- consider applicability of technical requirements based on product category and risks
- offer Conformance Statements to customers for known standards, and ensure and attest to the integrity and origin of open source software used within any portion of a product, to the extent possible
- define quality objectives such as the number of defects or externally identified vulnerabilities or externally reported security issues, and use them as an instrument to improve overall quality
- maintain accurate and up-to-date data on the origin of software code or components, and on controls applied to internal and third-party software components, tools, and services present in software development processes
- perform regular audits to ensure that the above measures are met
- monitor security vulnerabilities reported by internal and external sources that include used third party components
- perform risk analysis of vulnerabilities using a vulnerability scoring system
- define maintenance policies for the treatment of identified vulnerabilities, depending on the risk
- define processes to inform customers
- perform patch verification and testing to ensure that operational, safety, legal, and cybersecurity requirements are met and that the patch is compatible with non-built-in third-party components
The study concludes: ‘As the cost of direct attacks against well-protected organisations increases, attackers prefer to attack their supply chain, which provides the additional motivation of a potentially large-scale and cross-border impact. This migration has resulted in a larger-than-usual number of supply chain attack cases reported, with a forecast of four times more supply chain attacks in 2021 than in 2020. The inherent global nature of current supply chains increases the potential impact of these attacks and broadens the attack surface for malicious actors.
‘This report covers a number of known attacks but in reality, there may be more supply chain attacks that go undetected, not investigated or attributed to other causes. Particularly in software, supply chain attacks undermine trust in the software ecosystem. The analysis in this report shows that there are still a large number of unknown factors in the incidents investigated. 66% of the attack vectors used on suppliers remain unknown. A lack of transparency or the ability to investigate poses a serious risk to the trust of the supply chain.
‘Improving the process of transparency and accountability is the first step to improving the security of all elements in the supply chain and protecting final customers. Supply chain attacks can be complex, require careful planning and often take months or years to execute. While more than 50% of these attacks are attributed to APT groups or well-known attackers, the effectiveness of supply chain attacks may make suppliers an interesting target for other, more generic, types of attackers in the future. It is therefore critical that organisations focus their security not only on their own organisations, but also on their suppliers.’