
Supply chain attacks are one of the most popular types of cyber attacks. They take advantage of the trust that different members of the supply chain place in one another in order to infect other companies. Take, for example, the recent SolarWinds incident. One of the reasons the threat actors were able to infect so many companies is not that the malware itself was so advanced; it was that all the vendors that used SolarWinds applied the update without hesitation because they implicitly trusted SolarWinds as a business partner. This isn’t the first time a supply chain attack has caused significant damage. In 2013, Target suffered a data breach of over 40 million customer records because a threat actor group accessed its customer payment information through one of the company’s HVAC suppliers. If a threat actor can infect one business, they will have access to all of its business partners. This is the tricky part when it comes to working with business partners: it introduces a greater risk to your environment, one that is more difficult to measure and quantify. In this article we discuss the types of supply chain attacks, traditional prevention methods, and how companies can utilize Breach and Attack Emulation technology to help prevent these types of attacks.

What is an Example of a Supply Chain Attack?

There are three types of supply chain attacks:

  • Hardware supply chain attacks: These focus on infected hardware such as a USB device with a keylogger.
  • Software supply chain attacks: This involves inserting malicious code into software that will be distributed to other companies, such as the SolarWinds incident.
  • Firmware supply chain attacks: This is when a threat actor embeds malicious code into the firmware of customer devices; boot firmware is the most common target.

You can find a list of major data breaches caused by supply chain attacks here.

How Can You Protect Against a Supply Chain Attack?

Traditionally, companies are limited in how they can vet their third parties for security risks. An outside company can never get full access to another company’s internal operations, so to some extent you will always be in the dark about exactly how secure that company is. Usually, a company will first look at what type of information and access the vendor will receive in the business relationship; this dictates how closely the company needs to look into the third party’s processes. Assuming the information is important, companies will usually require the third-party vendor to put in writing the steps it will take to ensure that the company’s information is properly protected. Generally, this is done in accordance with the company’s governance policy. Every company should have a governance policy that outlines what it needs its third-party vendors to have in place in order to do business with them.

Lastly, some companies may visit the third-party vendor in order to verify that its facilities and processes meet the required standards. Oftentimes they will also incorporate a security “score” into this evaluation; however, these scores will always be somewhat unreliable, especially as companies change their processes. For a full list of ways you can prepare for third-party risk, you can learn more here.

Preventing Supply Chain Attacks with Breach and Attack Emulation

The more efficient way of knowing whether your third-party vendors can properly secure your information is to put them to the test by performing continuous security validation. Attack emulations replicate potential cyber attacks to see how well a company responds to those situations. If you’re sharing sensitive data such as financial information, healthcare information, or personally identifiable information (PII), then it’s important to know that your information is being handled correctly. Ultimately, the responsibility and liability for that information will rest with the company that owns it, even if the information is exposed because of negligence by the third-party vendor. For this reason, it’s important that you do your due diligence in making sure your information is secure.

Breach and Attack Emulation technology is a great way to understand what your security posture looks like on a continuous basis. Breach and Attack Emulation is the most effective way to determine how well prepared your company is at preventing supply chain attacks. Attack emulations not only test the efficacy of your security controls and processes, but your team and incident response as well. Given the ever-evolving threat landscape, Breach and Attack Emulation can also provide valuable threat intelligence so you remain up-to-date on the latest tactics, techniques, and procedures that are being utilized by advanced persistent threat groups.

How rThreat’s Breach and Attack Emulation Can Help

To help with this, rThreat’s Breach and Attack Emulation solution can help companies test their security posture against both known and unknown attacks. Our attack emulations provide the assurance that is needed to determine your level of risk and the steps to remediate gaps that leave your company vulnerable to supply chain attacks. This proactive approach to supply chain attacks will ensure your readiness in the event of a real incident, and ultimately reduce the impact of attacks and enable a quicker recovery.

Supply chain attacks have increased by 78% in the last few years, which is why it’s crucial for companies not to overlook this risk. It’s a very efficient attack because it takes advantage of the implicit trust that business partners have within the supply chain. It’s much easier for a threat actor to target a smaller company in the supply chain than it is to hack a highly secure organization. This is why it’s important for companies to properly secure and vet their third-party vendors through practical attack emulations. Contact the rThreat team today to learn more about how our Breach and Attack Emulation solution can help prevent supply chain attacks from impacting your organization.
