SUPPLY CHAIN ATTACKS

What NCSC has said, what few are admitting, and what you need to know

RELIANCE ACSN

“A series of high profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. So, the need to act is clear.” – National Cyber Security Centre (NCSC)

There could hardly be a clearer assertion of supply chain cyber risk than this statement from NCSC.

Most businesses are well acquainted with the consequences of working with suppliers who are just not very good at what they do. But how well do they understand the consequences of working with previously dependable suppliers who, if compromised, could actually become downright dangerous?

This is a seismic shift in mindset, but it can only start to drive real security change if there is an accompanying understanding of which suppliers typically and specifically present which degree of risk – and where, therefore, defensive resources need to be focused in greater or lesser concentration.

But the conventional wisdom on this subject falls well short of telling the whole story. Here’s why.

DANGEROUS SUPPLIERS: WHAT YOU PROBABLY DON’T KNOW

If we look at NCSC’s own listing of typical supply chain attack types, it includes those that operate via third-party software providers, website builders, third-party data stores and watering hole attacks.

There is no claim by NCSC that this list is exhaustive. And it is true that, in recent memory, each of these supplier relationships has been subverted to deliver cyber exploits with very damaging outcomes:

SUPPLY CHAIN ATTACK: EXPOSÉS

THIRD-PARTY SOFTWARE
Attack name / actor: Dragonfly
Modus operandi: Compromised the websites of ICS (Industrial Control Software) suppliers and replaced legitimate files in their repositories with malware-infected versions. When the ICS software was downloaded from the suppliers’ websites, it installed malware alongside the legitimate software.
Outcome and impact: Delivered remote access functionalities that could be used to take control of the systems on which the malware was installed.

WEBSITE BUILDERS
Attack name / actor: Shylock banking trojan
Modus operandi: Compromised legitimate websites through website builders used by creative and digital agencies. Redirected victims to a malicious domain, from which malware was then downloaded and installed on victims’ systems.
Outcome and impact: Theft of banking and credit card details, enabling fraud.

DATA STORES
Modus operandi: Botnet exfiltrated information from the internal systems of numerous data stores, through an encrypted channel, to a botnet controller on the public Internet.
Outcome and impact: The victim was a credit bureau providing authentication for financial transaction requests. The attackers accessed valuable information that could enable them to commit large-scale fraud.

WATERING HOLES
Attack name / actor: VOHO
Modus operandi: Compromised a website frequented by high volumes of users. The website was then used to deliver a Remote Access Trojan (RAT) that enabled the attacker to gain access to the victims’ systems.
Outcome and impact: Espionage attacks.

The recent Target security breach, Eastern European ATM malware, and Stuxnet worm are all also examples of supply chain attacks.

A clear pattern emerges here: namely, that the attackers go after the kind of suppliers whose products or services will simultaneously give them access to the greatest possible number of victims, who are themselves engaged in activities that will yield the largest volumes of the highest-value information.

Hence Managed Service Providers (MSPs) of all hues, with their ability to access the networks and data of many thousands of customers, have become a particular target.

But this is where the story – as it is usually publicly told – is gapingly incomplete.

Because whilst the media narrative has addressed the broader MSP and supply chain story, the proven reality is actually that over 70% of all supply chain breaches are caused – specifically – by IT and security providers, including MSSPs!

This is what you’re not being told. These are – more than any other – potentially the most hazardous suppliers on your books.

HOW DID IT AND SECURITY FIRMS BECOME THE BAD GUYS?

Fundamentally, this is about a mismatch between the levels of expertise and service that businesses and enterprises require IT and security providers and MSSPs to deliver, and what most of the latter are actually competent to achieve.

Here are just a few ways that mismatch can cause IT and security providers and MSSPs to unwittingly facilitate a supply chain breach:

LACK OF SPECIALISM, LACK OF SPECIALISTS

Many IT and security providers and MSSPs major on the deployment and monitoring of software of one kind or another.

Focused on solutions that are technology-based, sometimes with a greater productivity than security element, they lack in-house human security expertise – the kind that can provide analysis and predictive insight to understand where a threat is going next, and why.

On the face of it, this shortcoming is understandable. Security analysts are something of a rare breed, typically hailing from Government, military and intelligence backgrounds, with clearance levels denied to most others, and an ability to treat information and operational security as a way of life. This skill set is quite simply beyond most security providers’ reach.

But with ample examples of supply chain attacks that have clearly evaded security technology (see above), it would seem to be precisely this skill set that IT and security providers and MSSPs need more than any other!

POOR GOVERNANCE, WEAK PROCESSES

The hallmark of a supply chain attack is that a supplier’s data or resources are accessed by someone that that supplier has no reason to grant that level of access to.

Yet most IT and security providers and MSSPs simply don’t have the critical trinity of processes, governance and certifications in place to ensure that they understand who has a legitimate right to access which assets, how this access is being checked and validated, and what significance there is in how that data is being stored and moved.

This lack of understanding is a yawning hole in the provider’s ability to defend itself against unwitting participation in a supply chain attack, since if they cannot comprehend how their data should be used, as against how it is being used, they cannot detect many of the violations that signal the data is in the process of being weaponised against a target.

BOTTOM LINE:

YOUR IT AND SECURITY PROVIDERS AND MSSPS ARE CONDUITS FOR A SUPPLY CHAIN ATTACK.

YESTERDAY’S TECH

Following on from the point above, effective data governance and processes require effective technologies to enact and enforce them – but here, again, most IT and security providers and MSSPs have simply not kept step.

Take the concept of protecting data against unauthorised access, for example.

Technologies exist that make it possible to validate data access against a user’s privileges by sending that user an authentication token through another channel that is known to belong to the user only (not an interloper). No token, no access.

Essentially, it’s just multi-factor authentication for databases – but few IT and security providers have adopted it.
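
The "no token, no access" check described above, sketched as an added example (it is not from the original brochure or from any vendor's product). The class name, the constructed `PRIVILEGES` map, the 120-second token lifetime and the `send` callback standing in for the user's second channel are all assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

PRIVILEGES = {"alice": {"customers"}}   # constructed sample: user -> tables they may read
TOKEN_TTL = 120                         # seconds a token stays valid (assumed value)

class OutOfBandGate:
    """Release rows only after a one-time token, sent over a second channel, is presented."""

    def __init__(self, db, send):
        self.db, self.send = db, send   # send(user, token) delivers via the user's own channel
        self.pending = {}               # (user, table) -> (sha256 of token, expiry time)

    def request(self, user, table, now=None):
        now = time.time() if now is None else now
        if table not in PRIVILEGES.get(user, set()):
            return False                # no privilege: no token is ever issued
        token = secrets.token_urlsafe(16)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[(user, table)] = (digest, now + TOKEN_TTL)
        self.send(user, token)          # the session asking for data never sees the token
        return True

    def read(self, user, table, token, now=None):
        now = time.time() if now is None else now
        digest, expiry = self.pending.pop((user, table), (b"", 0.0))  # single use, even on failure
        presented = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, presented):
            raise PermissionError("no valid token, no access")
        # table was checked against the PRIVILEGES allow-list when the token was issued
        return self.db.execute(f"SELECT name FROM {table}").fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT)")
    db.execute("INSERT INTO customers VALUES ('Example Ltd')")
    phone = {}                          # stands in for the user's registered device
    gate = OutOfBandGate(db, send=lambda user, tok: phone.__setitem__(user, tok))
    gate.request("alice", "customers")
    rows = gate.read("alice", "customers", phone["alice"])
    try:                                # replaying the same token must fail
        gate.read("alice", "customers", phone["alice"])
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return rows, replay_blocked, gate.request("mallory", "customers")
```
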

Likewise, take the concept of exploring exactly how specific data has recently been accessed and interacted with, and by whom.

It is now possible to see each and every database interaction as a recorded screencam. If someone’s up to no good, it’s instantly demonstrable, without ambiguity.

But, once again, few IT and security providers and MSSPs protect their position in the supply chain in this way – which means they’re failing to protect their customers, too.

WOULD THEY SPOT IT?

COULD THEY STOP IT?

DO THEY EVEN KNOW?

Read the next instalment to learn more.

+44 (0)845 519 2946

3 Valentine Place | London SE1 8QH | United Kingdom