Damaged links lead to broken chains: The contentions of securing the supply chain


The question is no longer ‘if’, but ‘how’ businesses are being targeted by malicious hackers. Recent research conducted by CrowdStrike in conjunction with Vanson Bourne identified that cyberattacks are increasingly targeting the software supply chain in particular, creating a critical new threat vector that is impacting organisations in every industry through a less defended avenue.

The good news is that awareness around cyberattacks is extremely high. It is encouraging to see that nearly all respondents (97 per cent) recognise that at least one form of cyberattack will be a possibility for their organisation in the coming year. However, whereas awareness around the issue in general is strong, and even though evidence suggest that hackers have shifted their approach to supply chain attacks, respondents were predominantly more concerned about general malware (57 per cent) and phishing attacks (50 per cent). Surprisingly, only 33 per cent of respondents see supply chain attacks as a key concern for their organisation in the coming year.

The security disruptor – supply chain attacks

Before delving into the details of these forms of attacks, let us first explore exactly what a supply chain attack is as it’s relatively new. Cybersecurity has developed in leaps and bounds and attackers have found it harder for unwanted, unknown or malicious applications to give them a foothold within targeted environments. However, much like repairing a burst pipe, tension can build, and water will often find another way to escape. Likewise, hackers have now found an alternate weaker point and are increasingly attacking organisations within the supply chain to their final target: A business. Recent examples include software vendors whom once they have been successfully compromised at a point in the chain, hackers are able to modify trusted products to perform malicious activities. As these changes often go unnoticed, software suppliers unwittingly deliver them to trusting clients as legitimate software updates. Today’s corporate networks are also interconnected with other third-parties, leaving again another route of access via a weaker link to our assets once we believed to be securely locked away.

The global impact of large scale supply chain attacks has been noticeable – the NotPeya attack, for example, acted as a wake-up call for many. The survey supports this sentiment, as more organisations are aware of the possibility of an attack (90 per cent). However, there is still much work to be done in combating them: Acknowledgement is the first step, but we are still a way off from universal best practices action in protecting ourselves. Only 37 per cent of respondents in the US, UK, and Singapore said their organisation has vetted all suppliers (new or existing) in the past 12 months – and only a quarter believe with certainty their organisation will increase its supply chain resilience in the future.

The reality of broken chains

So, what is the current state of play? How are these attacks being dealt with today?

The reality is underwhelming. In terms of time, on average, respondents anticipate that it would take their organisation 10 hours to detect, 13 hours to react to, 15 hours to respond to, and a further 25 hours to remediate a software supply chain attack. All told, that would be 63 hours to return to the position that they were in before the attack. That’s over two and a half days were they to work around the clock. However, CrowdStrike’s Global Threat Report found it takes only one hour and 58 minutes for a bad actor to gain access to further systems once they have compromised the network.

It must be acknowledged that just under half (49 per cent) of respondents’ organisations believe they have a comprehensive strategy in place to coordinate their response to a breach via supply chain, with a similar number (47 per cent) having some level of response pre-planned. This is good, but it’s still not great.

The impact of these attacks could devastate an affected organisation. More often than not, when an organisation is exposed to a supply chain attack it will hit them in the pocket – hard. For most (90 per cent) of those who have encountered an attack, there was a financial implication, with the average cost of one of these coming in at a weighty £1.1 million. Even more concerning is the correlation between time taken to respond to an attack and the overall cost as a result: Some industries which take longer to react, such as energy, utilities and oil are the ones incurring heavier costs.

Deep insight into attacks is key when looking to understand how to combat them; and understanding who is at risk and how they may be vulnerable is of the utmost importance. Our research has shown that some industries are more at risk than others. The industries that experienced the most supply chain attacks were biotechnology, pharmaceuticals, hospitality, entertainment and media, and IT services. Although it shouldn’t be assumed that if you are not within one of these sectors you aren’t a target, as attacks occurred across a wide range of sectors.

As previously discussed, although many organisations have pre-planned responses in place, it is evident that these are not enough. It’s vital to find ways in which to combat these to save organisations from such financially disruptive attacks. To achieve this, there are five key areas on which to focus on:

1)   Behavioural-based attack detection: indicators of attack (IOAs) will play a crucial part in finding these attacks before they have a chance to cause real damage. Machine learning is able to detect patterns in hundreds of thousands, or even millions of attacks per day, which will be able to find when ‘good technologies go bad’, a feat that cannot be accomplished by human insight alone in the required time

2) Threat intelligence: this can tell you when new supply chain attacks are emerging and provide you with the information necessary to understand the threat posed, and proactively defend against it

3) Proactive services: real-time simulations of these forms of attacks can allow organisations to identify   and highlight their weak points and current exposures

4) Threat Hunting: Harness the capabilities of defence experts who can hunt to identify the unknown unknowns which may not be detected by your current tooling.

5)   Time to respond: moving at pace is highly important. This year’s Global Threat Report found that the average ‘breakout time’ (the time it takes for an intruder to move laterally throughout your networks once they’ve entered one) is one hour 58 minutes. The need for speed, therefore, should be a top priority in the battle against supply chain vulnerabilities

Finding the perfect blend of solutions must be found in order to meet the optimal timeframe for ejecting an intruder. Only by achieving this will security teams be able to close the security gaps that leave organisations vulnerable. At the heart of this puzzle is speed of detection and response, and the ability to understand what you see. Automation and artificial intelligence and machine learning seem therefore to become the biggest watchwords on the security scene, since they offer the hope for both speed and intelligence in a timeframe that makes security possible. Combined this allows us to respond to incidents quickly and effectively to make sure we are only responding to security incidents, not breaches!

Zeki Turedi, Technology Strategist, EMEA CrowdStrike
Image source: Shutterstock/lolloj