In this second part of our 3-part series on how to prevent a supply chain attack you’ll learn about what a supply chain attack looks like. All organizations have a supply chain, but most don’t think twice about it. Supply chains are critical to organizations and their ability to create and deliver products and services to their customers. Without an effective and well protected supply chain, many organizations will struggle to succeed and be easily victimized by opportunity-seeking criminals.
If you missed the first part of this series, you can find it here.
In part one you learned what a supply chain is and that all organizations, big and small, have supply chains. We left off with a brief primer on risk. Read on to learn about the various forms that supply chain attacks can take and how to defend against them.
How can a supply chain attack me?
Ok, ok, it won’t really attack you. But a malicious actor could attack your organization through one of your suppliers, vendors, or partners by incidentally finding themselves with access to your systems. In fact, you may be impacted by a supply chain attack where the malicious actor doesn’t even know your organization exists!
In our example from part one, the supply chain is pretty straight forward and doesn’t appear to contain too much risk to Kale and Tinara’s project. But what if they were emailing with their suppliers? What if they took orders online?
Instead of the risk being a bad batch of lemonade, or someone knocking over their stand and taking their money, they face potential attack through their various suppliers. All of whom they trust. All of whom they know very little about when it comes to the inner workings of the supplier’s business and their supply chain.
Supply chain attacks can take many forms – business email compromise, hacking and exploiting vulnerabilities in your IT assets, impersonation attacks, and denial of service attacks are just some of the ways a supply chain attack can occur.
Earlier, we explored the supply chain by travelling down the links. Next, we need to understand how an attack might occur in an effort to begin planning to prevent them.
Business Email Compromise Attack
This type of attack, also referred to as BEC, is when a supplier, partner, or other organization that your business interacts with has one or more of their email accounts compromised. Often, this happens by way of phishing or credential stuffing (a technique where lists of passwords from different breaches are associated with one email address into a list that is used to try all known passwords to find one that was re-used).
Once the attacker has access to the email, they may try various tactics to steal money, information, or compromise the systems at your company. Some of these tactics include:
Reviving Old Email Threads
An attacker can build legitimacy by appearing to be responding to an existing conversation or reviving one from months or years ago. This allows the attacker to override suspicion in the recipient by invoking the trust and familiarity already established.
The attacker may make a request that appears to align with the conversation topic or introduce a different topic. These emails may include malicious attachments, links, or requests to perform an action, such as buying gift cards.
This type of attack can be defeated by contacting the original sender, using a known phone number for them. By doing this, you can safely verify that they actually sent the email. You must never rely on the information in a suspicious email to confirm someone’s identity. It could have been altered by the attacker!
Sending Requests to Change Payment/Payroll Information
Humans are creatures of habit. We rarely make big changes, like moving banks, unless it is absolutely necessary. The same goes for businesses: updating vendors, suppliers, or customers is time consuming and error‑prone.
This is why any requests to make changes to payment, banking, or payroll information should be questioned. Often, these requests can be identified by simply thinking critically about the request. If your employee lives in Canada, but suddenly wants to change their bank to one in another country, this is a red flag.
These requests can be initiated by reviving an old thread, but often will come as new requests to users in financial, payroll, or human resource positions.
Requesting Information
Not all attacks are immediately after financial gain. Attackers will often look for information that can be used in attacks on other organizations as well as your own.
Information gained through these attacks can be used to deceive and trick other employees in your organization by sounding legitimate. The attacker establishes this legitimacy by having inside information, building credibility for their story.
Question requests for information that a person would either already have access to, or that seems out of context. Asking yourself, “Why do they need this?” can help you identify suspicious activity.
Steps Towards Prevention
By exploiting existing relationships and trust, these tactics create a legitimacy behind any requested actions. The resulting requests may not seem unusual if employees are not careful. If you want to prevent these types of attacks, your team only needs to remember 2 simple steps:
- Question anything that asks for information or a change of information.
- Use an already known phone number to call and verify the request. Check internal employee and vendor databases to find contact information.
These types of attacks can be devastating, both to the organization that was originally compromised and the organization that was attacked, but you can easily thwart them.
Vulnerability Exploitation/Hacking
Businesses often have connections, such as Virtual Private Networks (VPN) or leased lines (a connection from a service provider that connects 2 locations with a private connection), to transfer information, provide access to systems, or otherwise facilitate the business relationship.
We’re all connected!
These connections can be leveraged by an attacker with access to an organization within your supply chain. Performing manoeuvers, known as pivoting, an attacker could compromise part of your supply chain that is many links away from you and move from one organization to another. This pivoting technique has been used since before the modern Internet was created. Clifford Stoll wrote an excellent book that describes tracking down a hacker, called The Cuckoo’s Egg. It provides an excellent case study on pivoting between organizations in an exciting and easy to read book.
As the attacker moves further along the chain, they collect information about systems and vulnerabilities they can exploit. Attackers will search for additional organizations they can access from inside the networks they’ve compromised. With this access, they exfiltrate any information they find valuable.
Don’t set out the welcome mat!
Permitting connections from suppliers into your company should be done sparingly. You must permit as little access as is necessary to facilitate the business relationship. Even with minimal access, any systems that can be accessed by a supplier from a system that is not directly under your organization’s control must be isolated from your internal corporate systems. A Demilitarized Zone (DMZ) is one way to achieve this.
By restricting this access to a properly designed DMZ, you limit the damage from any attacks to the DMZ and prevent the attackers from penetrating further into your organization.
Any system that is accessible to an outside organization can be attacked, hacked, or exploited to gain access, elevated privileges, or steal information. Applying regular software updates to these systems is crucial to reducing vulnerabilities in software. Attackers love finding systems without the latest security updates.
You can defend against these attacks by combining a DMZ with regular software updates. Ensure you give suppliers the least amount of access and information as is necessary. Do this and you can be confident that your organization is well defended against this type of supply chain attack.
Impersonation Attacks
An impersonation attack is when someone impersonates another individual, either by using look-alike domains or masking their true email address. Impersonation attacks are not strictly a supply chain attack and can be coupled with a BEC attack to increase the believability of their ruse.
Impersonation attacks can also take place in person and can be difficult to spot. When was the last time you stopped someone wearing the telephone company uniform and badge to ask what they were doing? What about who they were meeting?
Skilled social engineers will research your business. They perform surveillance and reconnaissance to understand where your organization’s weaknesses are. Then, they plan for how best to exploit them. A social engineer might join a conversation with a group of employees, fitting right in and tailgating them into your locked office. Do your employees know to question anyone they don’t know?
Impersonation attacks can take many forms and be difficult to spot without a strong security culture.
The goals of impersonation attacks may be to gain access to information, trick a target into running malicious code to obtain access to the organization’s systems, or to change financial information.
This type of attack can be difficult to defend against with technology. The key to protecting your organization from this type of attack is vigilance – much like the business email attack; however, it goes beyond when considering the in-person attacks that your employees need to be aware of.
Denial-of-Service Attack
A denial-of-service (DoS) attack is a type of attack where an attacker takes an action or set of actions that result in a resource, service, or system from being available for legitimate requests. They can be devastating to an organization.
Most references to DoS attacks involve internet traffic. Attackers may leverage computers that are already under their control, called bots, in a Distributed DoS attack. In this type of DoS attack, an attacker might use an army of bots to send millions of requests to a server. This attack results in the server being unable to receive and process a legitimate request. This server might process email, host websites, or other mission critical applications that service employees or customers.
While this is the most common type of DoS attack, there are other types that consume valuable resources.
Look to your organization
Think to your business: what would happen if someone repeatedly called your main phone number? The receptionist would have to answer every call, lest they miss an important call from a customer. This is a DoS attack. The resource it is exhausting is your receptionist’s time while they are stuck fielding these calls. Your receptionist may be unable to respond to emails, process mail or shipping requests, or have difficulty greeting visitors to your office.
Consider, now, that you require widgets to make your product. Can an attacker disrupt communications with the supplier, preventing you from receiving the necessary parts to continue producing your product?
While a DoS attack does not live only within the realm of supply chain attacks, any time you interact with another organization or supplier, the potential for abuse exists, whether intentional or not.
Proper technical controls, such as rate limiting requests from the internet or supplier systems can reduce the impact from a DoS attack. If a supplier is unable to meet your organization’s needs, do you have an alternative source?
That’s it for now!
These are a few of the ways a supply chain can attack you, though they don’t belong solely to the realm of supply chain attacks. Building your organization’s resilience against these types of attacks will protect you against a broad spectrum of threats.
Ultimately, there is always some amount of risk when working with external organizations. Microsoft, Google, Oracle, etc. all produce software that is used on a daily basis throughout organizations worldwide. Whether you use them or not, these giants are likely entrenched within your supply chain. It is not possible to eliminate every risk associated with the supply chain.
In the next post of this series on how to prevent a supply chain attack, you will learn how to prevent these attacks. Continue reading it here.
Want more? Sign up for our newsletter to be notified of new posts!