Risk Mitigation in the Supply Chain
How much risk does your supply chain face and what should you do about it?
Several supply chain attacks have made headlines in recent months, including: By analyzing these attacks and others that were reported in and we can identify three notable trends.
The most common motives are data and intellectual property (IP) theft. Cases such as the theft of IP from technology companies in the CCleaner malware campaign, the theft of medication procurement information in the ePrica pharmaceutical software breach and the targeting of Israeli companies in the OilRig campaign (believed to have been conducted by Iranian threat actors, though unconfirmed) indicate that threat actors are likely using supply chain attacks for competitive, political and geostrategic intelligence reasons.
The fact that such attacks often involved the delivery of backdoor trojan malware that allowed for data harvesting, exfiltration or privilege escalation on victim systems reinforces this finding. Actors were able to maintain a presence on target networks, gather valuable user credentials and exfiltrate data to attacker-controlled servers.
Supply chain attacks are typically targeted. In contrast to mass, indiscriminate campaigns, supply chain attacks tend to be highly focused operations with predetermined targets of interest.
This trend likely reflects the motives of these campaigns, which were largely conducted for intelligence gathering or cyber espionage purposes. However, the NotPetya campaign shows that in a handful of cases, where the motives were financial gain or disruption rather than espionage, the attacks were wider reaching.
Technology suppliers are the most popular targets for initial compromise. As demonstrated by the use of CCleaner, MeDoc and MSPs, most of the supply chain attacks over the last two years involved the compromise of a technology or software supplier. Adversaries realize that such suppliers are attractive initial targets because they either have privileged access to customer networks or provide regular software updates to customers, which means compromised software versions containing malware will be whitelisted or overlooked by customer security teams and systems.
Understand, manage and monitor the digital risk your suppliers present.
Each of these measures should be reviewed regularly throughout the year. Suppliers are often given much broader access to company networks than internal users are offered.
Instead, organizations should apply privilege management measures. For example, separation of duties ensures no single individual can perform all privileged actions for a system, and least privilege gives users only the bare minimum level of access they need to perform their jobs.
In addition, network isolation and segmentation can keep supply chain traffic separate from other internal traffic and prevent attacks, like NotPetya and Cloud Hopper, from moving laterally across the network to reach their intended target.
Prepare for unintended targeting. The NotPetya attack showed that not all supply chain attacks are targeted. Implementing foundational security principles can mitigate risk from bad actors that prey on the weaknesses that result from the interconnectivity of systems and ubiquity of applications.
Activity over the last two years shows that no industry is safe from what has become a steady stream of supply chain attacks.
Alastair has worked for over a decade advising secure government and FTSE clients on large-scale data analytics for risk and intelligence.
There are several mitigation measures and best practices that you can adopt to improve your organization’s security posture and reduce the risk of supply chain infections.
Mitigating Global Risk Starts with Specificity and Region Expertise
To begin mitigating risks in the global supply chain, an organization must evaluate the risks specific to its industry, develop appropriate responses to disruptions and determine the processes and technology necessary for implementation.
The modern healthcare supply chain is a key driver for stripping out. Management priorities are focused on efforts to reduce order cycle time to customers, improve throughput, and accelerate the supply chain, all of which reduce capital risk exposure.