A Breached Supplier = A Breached Client?
The European Union Agency for Cybersecurity (ENISA) defines software supply chain attacks as targeting “…the relationship between organizations and their suppliers…” or “…more specifically, a first attack on a supplier that is then used to attack [another] target.” Software supply chain attacks are one of the main threats facing organizations today, and evidence suggests that the threat is growing.
Research conducted by various respected cybersecurity firms, including Mandiant and BlackBerry, has found that at least 39%, and up to 80%, of surveyed organizations were notified of an attack on their software supply chain in the past year. While these attacks on third-party providers don’t always result in a compromise of the client, they can. According to the more than 1,500 IT decision makers surveyed by BlackBerry, attacks that originated in the supply chain have resulted in operational disruption (58%), data loss (58%), intellectual property loss (55%), and reputational loss (52%) – while 49% say they suffered financial loss.
A lack of visibility into an organization’s own supply chain is one of the primary causes behind these damaging attacks. In medium-to-large businesses, supplier relationships and dependencies are often not managed centrally. Instead, smaller teams or departments authorize, select, and maintain such relationships. While this structure can make sense on a practical level, it often leads to poor overall oversight of where company data resides and who has access to it. According to ENISA, and supported by our own research, threat actors are almost certainly aware of this general lack of visibility into dependencies. Attackers are able to move into the gap left by these blind spots to gain a foothold within organizations.
Since at least Q2 2021, Nixu Threat Intelligence has been warning that businesses must rely on much more than trust alone when managing their supplier relationships. This includes demanding that providers implement recommended security measures such as data encryption, identity and access management, and a clear set of mutually agreed-upon procedures to follow in the event of a breach – including informing the affected party. In early 2021, when we first covered this topic in depth, we reflected upon our observation that many affected suppliers delay informing their customers while they attempt to come to terms with the breach themselves. This remains true – fewer than 1 in 5 IT decision makers report that an adequate speed of communication is in place between supplier and client.
Fortunately, private companies and government entities are beginning to respond to the threat posed by software supply chain attacks. There is a concerted push by authorities, including those in the US and UK, to provide guidance to organizations and help secure open-source software.
Software supply chain compromises will most likely continue to rise at an exponential pace. The vast majority of global firms are expected to be impacted annually (98% impacted in 2021 – according to a survey by BlueVoyant). Comprehensive and practical advice exists; consider consulting the reporting by the UK’s NCSC and CISA’s “Securing the Software Supply Chain” in our sources.
Recommendations
Software supply-chain attacks can rapidly multiply the number of organizations affected, because a single compromised supplier reaches every one of its clients. It is for this reason that your response plan should be up to date and well-practiced – to protect both yourself and your customers. Consider approaches that would give your organization greater oversight of partner and supplier relationships, focusing in particular on how data is shared and who has access to it. Exploiting vulnerabilities remains a popular way to gain access to an organization, and many organizations lack visibility into the software and hardware used across their environments. We therefore recommend implementing a proper vulnerability management program informed by active vulnerability intelligence, such as that provided by Nixu Threat Intelligence, to stay up to date on the latest exploits, patches, and mitigations that specifically affect your business.
Sources
Author / Article / Publisher / Date
- Mandiant. M-Trends 2022. Mandiant. https://www.mandiant.com/resources/m-trends-2022
- ENISA Threat Landscape 2022. ENISA. October 2022. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022
- Kovsky, Steve. Four in Five Software Supply Chains… BlackBerry. 26 October 2022. https://blogs.blackberry.com/en/2022/10/four-in-five-software-supply-chains-exposed-to-cyberattack-in-last-12-months
- Bill S.4913. Senate of the United States, 117th Congress, 2nd Session. 21 September 2022. https://www.govinfo.gov/content/pkg/BILLS-117s4913is/pdf/BILLS-117s4913is.pdf
- Supply chain cyber security. National Cyber Security Centre (GCHQ). 2022. https://www.ncsc.gov.uk/files/Assess-supply-chain-cyber-security.pdf