How Your Firm Can Prevent, Detect, and Respond to a Supply Chain Attack

Supply Chain Attack

Supply chain cyber risk is a growing trend. According to the 2022 Verizon Data Breach Investigations Report, 62% of system intrusion incidents came through an organization’s partner.  

Some of the most devastating cyber-attacks in recent years – including the Sunburst attack, NotPetya, and Kaseya – involved the use of third-party vendors to propagate malware across the software supply chain. These attacks are commonly used to exfiltrate sensitive data or spread ransomware. 

Financial firms are particularly vulnerable to third-party cyber risk because they rely on a vast ecosystem of vendors and partners. Yet businesses often underestimate the need for a robust third-party risk management (TPRM) program. A survey by KPMG found that 73% of organizations have experienced at least one significant disruption caused by a third-party in the last three years. Yet, 61% believe that TPRM is undervalued in their organization. 

These findings suggest that firms need should elevate supply chain cyber risk management to the forefront of their security programs. Let's examine how these attacks work and what you can do to prevent, detect, and respond to them. 

 

How do supply chain attacks work? 

A supply chain attack targets a third-party vendor who provides services or software essential to the supply chain. 

The easiest hack for a threat actor is to look for a trusted software vendor who is vulnerable to cyber-attacks. When a vulnerability is identified and exploited, such as an insecure endpoint or misconfigured firewall, a hacker can introduce malicious code into the software build cycle. Then, when the vendor releases a software update, all users who download it are infected.  

This is what happened in the Sunburst attack and the more recent abuse of a Microsoft Windows software update.  

Because these updates are signed and certified by the vendor, they are implicitly trusted by even the strictest security checks designed to detect malicious files. 

 

How to prevent and detect a supply chain hack 

The sophisticated nature of supply chain attacks requires a defense-in-depth approach to security which provides advanced, layered protection across multiple attack vectors.  

Here are eight best practices to prevent and detect supply chain threats. 

  1. Build a zero-trust architecture: Assume all users are threat actors, until proven otherwise. Block outbound traffic by default, especially from your servers. And use domain, name, system (DNS) filtering to block traffic from uncategorized domains. 
  2. Implement network segmentation: With segmentation, you can reduce the attack surface and prevent lateral movement by third parties and potential hackers. If a supply chain hack compromises part of the network, the rest remains protected. 
  3. Employ the principle of least privilege: Further reduce the attack surface by ensuring that users have just enough rights and access to data, applications, and systems to perform their jobs – and for the least time necessary (just-in-time access). And because many cyber-attacks occur when attackers exploit privileged credentials, be sure to limit the number of users with domain admin rights. 
  4. Patch regularly: Unpatched systems put you at high risk of attack. Continuously scan your network for security gaps and maintain a regular patching cadence. 
  5. Continuously scan for vulnerabilities: Take action to discover where your firm could be open to threats, including internal and external facing environments. As a best practice: 
  • Inventory your assets using active scans via WMI (Windows), SSH (Linux), and SNMP (network devices).  
  • Add an agent-based solution for more detailed and passive scanning.  
  • Use a network packet sniffer to identify malware and anomalous activity. 
  1. Go beyond antivirus and Layer 4 firewalls: Because traditional antivirus and firewalls can’t detect threats at all layers of the networks, be sure to implement more advanced threat detection capabilities, including: 
  • NextGen Layer 7 firewalls that go deep into your network to provide advanced antivirus, malware detection and blocking, bot protection, and more.  
  • Advanced DNS filtering. 
  • Endpoint detection and response (EDR) 
  • User and entity behavior analytics (UEBA).  
  1. Leverage advanced detection, threat intelligence, and response platforms: Unify the detection of anomalies and suspicious activity across a variety of environments – on-premises, in the cloud, and across remote offices with the following tools: 
  • Security Information and Event Management (SIEM). An advanced SIEM can transform billions of logs and feeds into actionable intelligence so you can quickly detect the source and targets of attacks and respond swiftly.  
  • eXtended Detection and Response (XDR). Further consolidate the capabilities of SIEM, security analytics, and endpoint security for improved protection, detection, and response in a cohesive platform.  
  1. Lean on industry standards: Consult guidance and standards from industry bodies, such as the globally recognized CIS Critical Security Controls

 

How to respond to a supply chain attack 

Based on our own response to the Sunburst hack, here are some steps your firm can take to respond to a known supply chain attack:  

  • Search for indicators of compromise (IoCs): Use your SIEM to search for IoCs (signs that the digital environment may have been infected). These include suspicious URLs, domains, file hashes, and IP addresses.  
  • Enforce detection rules: Establish rules in your SIEM, EDR, intrusion detection system, and UEBA to proactively trigger alerts when IOCs are discovered.  
  • Check historical data for signs of past compromise: Hackers often gain access to systems long before they are discovered. To check for evidence of past compromise, restore and analyze three to six months of log data. 
  • Blacklist malicious domains: If you have cloud instances, block malicious domain names in your cloud security solution. 
  • Block malicious IPs: Block (null route) malicious IP addresses on any communications gateway that connect your firm to the cloud. 

Learn more about how the Sunburst breach could have been avoided, lessons learned, and what tools and technologies can mitigate these threats. 

 

Work with a managed service provider 

Many firms simply don’t have the expertise or resources needed to monitor and manage third-party cyber risk. That’s why it’s important to work with a trusted managed services provider. One who can help you implement and manage a defense-in-depth cybersecurity strategy that establishes every must-have security layer needed to protect against these threats. 

Learn more about ECI’s cybersecurity solutions and contact us to see how we can help you. 

How Can ECI help you?
Contact Us today!