Supply Chain: Securing Our Vulnerabilities

As technology and agencies’ usage of it constantly change, cybercriminals have learned to adapt with it. One particularly dangerous type of cyberattack is the targeting of supply chains. These breaches tend to have far-reaching consequences and put critical infrastructure and systems in danger. Understanding these attacks can help secure agencies. By creating a security defense and having a backup response plan, organizations can secure their supply chain from devastating cybersecurity breaches.

What is a Supply Chain Attack?

A supply chain attack is when a bad actor infiltrates a system through a third-party partner or provider that offers vital products or services to an organization—including software or software development services. In recent years, common supply chain attacks include ransomware, software code infiltration and exploitation of firmware vulnerabilities. Ransomware has been well-documented in the media, is costly to affected organizations and utilize more traditional attack methods. Due to the interconnectedness of software, attackers have begun to target security holes in software code to manipulate connected networks and access data from multiple organizations. These types of attacks threaten vital software and operational technology (OT), as well as effect a larger surface area than other breaches. As a result, they are increasingly devastating.

With ransomware supply chain attacks, bad actors will attack the network of a small supplier and require a ransom from both the organization and the larger beneficiaries up the chain. Ransomware attacks have had a 105% increase, while the average cost of remediating such an attack has more than doubled.^[1] Government and industry leaders have been working to address the ransomware threat for many years, though the problem is still pervasive. To bring more focus to this issue, Congress established the Joint Ransomware Task Force—an interagency body that aims to make measurable progress against ransomware threats.

With software supply chain attacks, malicious code is embedded directly into software products. When these products are implemented in customer networks, the malicious code infects their infrastructure, granting hackers direct access to the organization. This can enable cyber espionage across hundreds of government and private organizations.^[2]

Supply chain attacks are increasingly popular among bad actors because these types of breaches attack from multiple sources, bringing in exponentially more money than a single target attack. The damage is far reaching, as even data that is two or three layers removed from the target will be compromised.^[3] When even one person’s or company’s data is breached, a whole network of personal information can become available to hackers. As a result, the effect can be exponentially large.^[4] Because of how complex a supply chain can be, cyber-criminals can more easily find victims that are vulnerable to attack. Furthermore, in the case of ransomware, too many organizations choose to pay the ransom—which further incentivizes criminals to conduct more ransomware campaigns. With the aid of cryptocurrency, bad actors can remain anonymous.

Securing Against Breaches

Cyber-criminals are proficient at utilizing both traditional attack methods and malicious ransomware binaries to breach supply chains. Supply chain hacks impact companies of all sizes. Small organizations are especially vulnerable, as they have less resources to protect themselves. Supply chain hacks are increasingly more harmful as they cost organizations a lot of money, so it is especially important for companies to protect their data against such breaches.

While agencies should take care to personalize their security, there are general guidelines they can follow:

1. Managers must pinpoint where their organization stands in the market. Whether they are a supplier or consumer of software may change their approach to cybersecurity.
   • Having a clear understanding of an agencies’ software supply chain ecosystem is imperative. They must know what third party avenues they are connected to, so that they can look out for attacks from these venues.
2. Organizations must manage and monitor their data within their supply chain. This oversight will allow them to catch breaches in their early stages before data is compromised.
   • Special attention should be paid to data locality. Agencies must cover every base of their supply chain and locate their classified data.
   • Creating a consistent line of communication with third party suppliers in their chain is also important. By ensuring that they are reliable, and also monitoring their area of the supply chain, agencies can protect their data from outside attacks.^[5]
3. Agencies need to protect classified data. This includes:
   • Upskilling IT security teams
   • Conducting thorough risk assessments
   • Noting typical suppliers and processes trends by looking into outliers or unusual activity
   • Utilizing endpoint detection or other AI-based software to catch threats
   • Developing incident response plans^[3]

Speaking to cybersecurity experts can help organizations personalize this process. Agencies should plan to continuously adapt their cybersecurity approach as the internet changes and grows. Models such as the Cybersecurity Maturity Model Certification (CMMC), a unified security standard that measures and certifies cybersecurity requirements in organizations that work with the DoD, should be adhered to. This will keep not only the singular agency secure, but all the vendors and customers they work with. This way, from personal data to controlled unclassified information to federal contract information, sensitive data can be maintained amongst relevant and trustworthy parties. By keeping up to date with new standards, agencies and customers can be protected against security attacks.

Handling Supply Chain Attacks

While it is important to protect against cyberattacks, it is impossible to completely prevent a breach from an enemy that is constantly learning and growing. In the case of an attack, agencies can take a few steps to minimize the harm.

These include:

1. Notifying potentially affected partners or customers in a timely manner^[3]—This can maintain trust with other stakeholders and provide due diligence toward securing data.
2. Conducting a thorough defense assessment to locate where the harm has occurred⁠—Common ransomware vectors can be compared with the organization’s unique vulnerabilities to find commonly breached spots.
3. Developing an incident response plan⁠—By locating key contacts and primary decision-makers, organizations can begin to plan for ransom demands.
4. Creating an incident recovery plan⁠—Organizations should know how they will restore breached systems and data, respond to public questions and handle other security issues.^[5]

Moving Forward

Until companies learn how to protect their data from supply chain attacks, they will continue to fall prey to these damaging incidents. Luckily, there are a variety of steps they can take. By working with customers and partners to secure their supply chain and having a backup plan, organizations can secure their data against devastating supply chain attacks.

For more information on supply chains and how Carahsoft can support your organization, visit Carahsoft’s Cybersecurity Solutions.
 

Resources:

^[1] “Supply Chain Attack: Preventing Ransomware Attacks on the Supply Chain,” Maryville, https://online.maryville.edu/blog/supply-chain-attack/

^[2] “SolarWinds Orion Software Supply Chain Attack,” Office of the Director of National Intelligence, https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/SolarWinds%20Orion%20Software%20Supply%20Chain%20Attack.pdf

^[3] “Ransomware and the Supply Chain: Are Organizations Prepared?” Cybertalk, https://www.cybertalk.org/2022/05/06/ransomware-and-the-supply-chain-are-organizations-prepared/

^[4] “Defending Against Software Supply Chain Attacks,” CISA, https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

^[5] “Ransomware Through the Supply Chain: Are Organizations Prepared for the New Normal?” InfoSecurity,  https://www.infosecurity-magazine.com/opinions/ransomware-through-the-supply-chain/