What is a Supply Chain attack?
A Supply Chain attack is one which targets an individual or organisation through a supplier. This could for example be a phishing attack against a less-secure supplier to garner information about you – the ultimate target.
An attack like this can be orchestrated with surprisingly simple means, chiefly Open Source Intelligence (OSINT). The Defence Security Exhibition International has a publicly available presentation from an expert which runs through the subject in greater detail; see further below.
Depending on how integrated your Supply Chain is, an attack on it can be viciously effective or a mild annoyance. One viciously effective example was the Kaseya attack: because so many customers' systems were tightly integrated with Kaseya's, they were unable to protect themselves from it, and this resulted in significant losses for many businesses.
Ironically, the WannaCry and NotPetya attacks also caused hundreds of millions of pounds of damage to international shipping, medico-legal and manufacturing firms many years ago. Nobody is secure until everybody is secure.
Note that we’re referencing a Defence magazine on WannaCry, given the significant damage it caused to the UK’s National Health Service and loss of life in Germany, and for NotPetya we’re referencing a Kaseya company to illustrate how even security suppliers are a potential vector of attack.
Supply Chains can be a critical flaw in an otherwise secure IT Estate, and even vendors who protect against them can become victims and instigators of such an attack.
Protecting against Supply Chain attacks
Firstly, while OSINT can be a weapon used against legitimate operations, it can equally offer a firm defence for you; Talos have an exceptional list of freely available solutions for your use.
A quick note: you will see ClamAV in Talos' list. It is one of the many engines our partner Opswat deploys as part of MetaDefender to ensure you are kept safe.
The key factor in whether you can mitigate Supply Chain attacks is how you classify risk for each of your suppliers and decide whether they are 'resilient enough' to keep providing services to you in the event of disruption.
You should never be afraid to ask suppliers what they do to keep you safe, just as a taxi driver is expected to be deemed safe and trusted enough to transport vulnerable people. We classify risk, mitigate, and implement protections and standards to ensure there is nationwide security for service users like you.
Every business is vulnerable to Supply Chain attacks, from stationery suppliers to billing systems. There is no such thing as 100% security: plan for failure or prepare to fail.
An example of our zero-trust approach to Endpoint Security is to recommend that organisations serious about IT Security use Panda Adaptive Defense 360, a cloud-based solution that only allows 'Goodware' (known-good software, as opposed to malicious software) to run on endpoints. Anything not yet classified as Goodware is simply not allowed to execute.
As the saying goes, though, you shouldn't put all of your eggs in one basket. This is why we also recommend that those with significant security requirements implement Opswat's MetaDefender, which lets them use up to 32 anti-malware engines.
Add to this a Managed Security Operations Centre service and you have:
- A world-leading Endpoint Detection and Response solution, that offers incredible value through an included 100% attestation service for software and files.
- Up to 32 anti-malware engines to ensure that the full portfolio of leading vendors has you covered. There is no one silver bullet, so use all of them!
- Managed SOC to ensure your configuration, patching and oversight of your IT Estate is up to par with internal and international standards.
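To make the two ideas above concrete, here is an added illustration (not code from the page, from Hayachi Services, Panda or Opswat) of how a default-deny 'Goodware' policy and multi-engine scanning combine. Files are identified by SHA-256 hash; anything on the attested allowlist runs, anything else is scanned by every engine and blocked if any engine fires, and an unknown file that no engine flags is held rather than allowed. The sample files, the allowlist and the three scanning engines are all constructed stand-ins, and the engine heuristics are deliberately simplistic.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable

# Constructed sample "files" (name -> bytes); none of these are real software.
SAMPLE_FILES = {
    "payroll.exe": b"legitimate payroll binary v1.2",
    "updater.exe": b"vendor updater build 42",
    "invoice.docm": b"document with AutoOpen macro and suspicious download",
    "new_tool.exe": b"freshly built internal tool, not yet attested",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist of attested-good hashes (constructed). In a real deployment this is
# fed by the vendor's attestation service rather than hand-built.
ALLOWLIST = {
    sha256_hex(SAMPLE_FILES["payroll.exe"]),
    sha256_hex(SAMPLE_FILES["updater.exe"]),
}


# Hypothetical scanning engines: each takes file bytes and returns True when it
# considers the content malicious. Real engines are far richer; these exist only
# to show how independent verdicts are combined.
def engine_signature(data: bytes) -> bool:
    # Constructed blocklist holding the hash of one "known bad" sample
    known_bad = {sha256_hex(b"known ransomware dropper")}
    return sha256_hex(data) in known_bad


def engine_heuristic(data: bytes) -> bool:
    # Flags a document that both auto-runs a macro and tries to download something
    return b"AutoOpen" in data and b"download" in data


def engine_quiet(data: bytes) -> bool:
    # An engine that never fires: harmless under a "block if any engine flags" rule
    return False


ENGINES: list[Callable[[bytes], bool]] = [engine_signature, engine_heuristic, engine_quiet]


@dataclass
class Decision:
    verdict: str  # "allow", "block" or "hold"
    reason: str
    engines_flagged: int


def decide(data: bytes,
           allowlist: set[str] = ALLOWLIST,
           engines: list[Callable[[bytes], bool]] = ENGINES) -> Decision:
    """Zero-trust policy: run only attested Goodware; scan everything else with
    every engine; block if any engine fires; otherwise hold pending attestation."""
    digest = sha256_hex(data)
    if digest in allowlist:
        return Decision("allow", "hash on attested allowlist", 0)
    flagged = sum(1 for engine in engines if engine(data))
    if flagged:
        return Decision("block", f"{flagged} of {len(engines)} engines flagged", flagged)
    return Decision("hold", "unknown file: not attested and no engine flagged", 0)


def classify_all(files: dict[str, bytes] = SAMPLE_FILES) -> dict[str, str]:
    """Verdict for every sample file, keyed by file name."""
    return {name: decide(content).verdict for name, content in files.items()}


if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        d = decide(content)
        print(f"{name:14} {d.verdict:5} ({d.reason})")
    # A single-byte change to an allowlisted binary drops it off the allowlist,
    # so a tampered copy of trusted software is no longer trusted.
    tampered = SAMPLE_FILES["payroll.exe"] + b"\x00"
    print("tampered payroll.exe ->", decide(tampered).verdict)
```

The point of the "hold" verdict is that the absence of a detection is not evidence of safety: an unknown file stays blocked until it has been attested as Goodware, which is the behaviour that distinguishes a default-deny endpoint policy from ordinary anti-malware scanning.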
A conversation about risk
Even with the approach set out above, there is still a small chance that you could be hacked. Let's be honest: if a nation-state virtually declares war on your company, there is always a risk that it does not end in your favour.
We also have to consider cost. Note that we recommend Panda Adaptive Defense first because it is incredible value for money; cost-effective and, we would argue, unmatched, since the attestation service is not offered by any other vendor in the world.
Secondly, we move to Opswat. Once again it offers excellent value and complements EDR exceptionally well, but loading the full 32 engines naturally comes at a price. We have to make a judgement on acceptable risk and whether there is value for money here.
Finally, a Security Operations Centre is central to the success of a highly regulated firm such as a financial advisor. For a local independent stationery supplier, though? Perhaps not. While our partner WatchTower offers unmatched value and a truly holistic service, it isn't for everyone, and that is totally fine. It comes down to what risks you accept.
This is why Hayachi Services offers free Discovery Sessions, for new and existing clients, so we can sit down for an hour, see where the risk lies in your Supply Chain and work out how to mitigate it. We too are a potential vector of attack, which is why we avoid integrating into your IT systems as far as possible, despite the added cost to us of doing this.