Supply chain attacks are not new. But as the supply chain grows longer and more complex, the attacks are evolving to keep up. Is your supply chain secure?
The original version of this post was published in Forbes.
For most people, “island hopping” conjures up vacation fantasies. A cruise through the Caribbean. The South Pacific. The Aleutians.
But in the world of cybercrime, that’s the term for what attackers do when they’re looking to expand on a breach of a victim’s network—they’re after all the others in the victim’s supply chain as well.
In the words of a recent Global Incident Response Threat Report from Carbon Black, “attackers these days want to ‘own’ your entire system … Exactly half (50%) of today’s attacks leverage island hopping.”
Or, as Tom Kellermann, Carbon Black’s chief cybersecurity officer, put it in the report: “They’re using their victim’s brand against customers and partners of that company. They’re not just, say, invading your house—they’re setting up shop there, so they can invade your neighbors’ houses too.”
So, maybe neighborhood hopping too.
The report, which is based on responses from “40 of the world’s leading IR [incident response] firms,” also said 56% of those surveyed have seen attackers attempt “counter IR”—an increase of 5% from the previous quarter.
Those counter IR techniques include destruction of logs; evasion tactics such as turning off antivirus, firewalls or anything else that would trigger a notice of unusual activity; and standing up a secondary command-and-control (C2) server that is contacted only intermittently, on a sleep cycle.
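The first two counter-IR behaviours above (wiping logs and switching off security tooling) are exactly the events a defender should be alerting on, because they happen before the attacker moves on to the next "island". The following is an added example, not code from the original post or from Carbon Black: a small rule-based detector that scans a constructed, simplified log format (`<source> <event_id> <message>`, assumed here for readability rather than any real Windows event export) for log clearing and for antivirus or firewall being disabled. The event IDs used (Security 1102 for an audit log clear, System 104 for a log file clear, System 7036 for a service entering the stopped state, Security 4688 for process creation) are standard Windows ones; the sample lines and the rule set are illustrative only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines for this example (not taken from the original post).
# Assumed simplified format: "<source> <event_id> <message>".
SAMPLE_LOGS = [
    "Security 4624 An account was successfully logged on. Account: svc_backup",
    "Security 1102 The audit log was cleared. Account: svc_backup",
    "System 7036 The Windows Defender Antivirus Service service entered the stopped state.",
    "System 7036 The Print Spooler service entered the stopped state.",
    "Security 4688 A new process has been created. Process: wevtutil.exe cl Security",
    "Security 4688 A new process has been created. Process: netsh advfirewall set allprofiles state off",
]


@dataclass(frozen=True)
class Rule:
    source: str                      # log channel the event came from
    event_id: str                    # event id as it appears in the line
    message_pattern: Optional[str]   # extra regex on the message; None = any message
    technique: str                   # counter-IR technique the rule indicates


@dataclass(frozen=True)
class Finding:
    technique: str
    rule: Rule
    line: str


# Detection rules for the two counter-IR behaviours discussed in the text.
RULES: List[Rule] = [
    Rule("Security", "1102", None, "log destruction"),
    Rule("System", "104", None, "log destruction"),
    Rule("Security", "4688", r"\bwevtutil(\.exe)?\s+cl\b", "log destruction"),
    Rule("System", "7036", r"(Defender|Antivirus).*entered the stopped state",
         "security tooling disabled"),
    Rule("Security", "4688", r"\bnetsh\s+advfirewall\s+set\s+\S+\s+state\s+off\b",
         "security tooling disabled"),
]

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a line into (source, event_id, message); None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def match_rule(rule: Rule, source: str, event_id: str, message: str) -> bool:
    """A rule matches when source and event id agree and the optional message regex hits."""
    if rule.source != source or rule.event_id != event_id:
        return False
    if rule.message_pattern is None:
        return True
    return re.search(rule.message_pattern, message, re.IGNORECASE) is not None


def counter_ir_findings(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that matches a counter-IR rule (first rule wins)."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped rather than silently matched
        source, event_id, message = parsed
        for rule in RULES:
            if match_rule(rule, source, event_id, message):
                findings.append(Finding(rule.technique, rule, line))
                break
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per technique, e.g. {'log destruction': 2, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    hits = counter_ir_findings(SAMPLE_LOGS)
    for f in hits:
        print(f"[{f.technique}] {f.line}")
    print(summarize(hits))
```

Running the block over the constructed sample yields four findings: two for log destruction (the 1102 event and the `wevtutil cl` process launch) and two for security tooling being disabled (the Defender service stop and the `netsh advfirewall` launch); the benign logon and Print Spooler lines are ignored. In practice the value of such rules is that a single hit is already high-signal, so they belong in the alerting path rather than in a report that is only read after the fact.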
On the face of it, these don’t seem like much of anything new. The supply chain has been a prime attack surface for years. The catastrophic breach of mega-retailer Target at the end of 2013—40 million debit and credit card numbers and 70 million other records that included addresses and phone numbers were compromised—was enabled by an email phishing attack on a third party—a heating, air conditioning and refrigeration contractor. That gave the attackers access to Target’s point-of-sale (POS) payment card readers.
Another, which became public about a year ago, was a breach of online services provider [24]7.ai, which resulted in payment card breaches at Delta Airlines, Sears, Best Buy and likely other major companies, exposing customer data.
And those are not anomalies. They are part of a trend. The Ponemon Institute’s 2017 Data Risk in the Third-Party Ecosystem study found that 56% of respondents had been affected by a third-party data breach—a 7% increase from the previous year.
It was 2014—five years ago—when Ron Raether and Scot Ganow, attorneys with Faruki Ireland & Cox, noted in a whitepaper that while firewalls, user credentials and strong passwords remain important, the protection they provide is incomplete.
The exploding number of online access points to companies means “our walled fortress of firewalls and the like now has hundreds and thousands of doors. These doors are guarded by sentinels that allow any variable packet (think an employee badge without a picture) to pass through that wall,” they wrote in the paper, titled “Traitors in Our Midst: The risk of employee, contractors and third parties in the age of the Internet of Things and Why Security in Depth Remains Critical to Risk Management.”
So what’s different now?
For one thing, the supply chain is even longer, more diverse and more complex. Which makes it a richer, broader, even more attractive attack surface for the bad people.
Don Davidson, program management director at Synopsys, said it “can now be described to include your business partners, all your collective practices and technologies. That is different than just a supplier who delivers a part on time.”
And as Gregory Wilshusen, director, information security issues at the federal Government Accountability Office (GAO), put it in testimony before Congress last year, “A full understanding of the sources of a given information system can be extremely complex … the identity of each product or service provider may not be visible to others in the supply chain.”
That, he said, is because federal agencies (and most large organizations that may own or control companies that conduct business under different names in multiple countries) “may only know about the participants to which [they are] directly connected in the supply chain.”
Davidson added that while the supply chain has always been an attack vector, “much of what we see as an ‘increase’ is how we are defining SCRM [supply chain risk management] or, even more, how we have gained capability to determine the forensics of an attack.
“How one exercises a supply chain attack, and opportunities for those attacks, is growing as we outsource more and more capabilities—especially when it comes to information communications technology.”
Besides those factors, Kellermann said what is new and different is that “both counter incident response and island hopping are becoming the new norm, and the techniques being used are becoming more creative.”
“These types of attacks have been around for a while,” he said, “but according to our survey, the world’s leading IR firms are seeing these techniques in cyberattacks much more frequently.”
Kellermann said one of the more novel ways attackers launch such attacks is via reverse business email compromise (RBEC). “They commandeer a mail server and selectively send fileless malware to an organization’s most significant customers and board members.”
All of which means attackers are counting on leveraging your relationships—including with those you don’t know, but ought to know.
And it means bringing your security initiatives up several notches. As Davidson put it, “Enterprise owners should take a measured risk management approach to their hardware assurance (HwA), software assurance (SwA) and assured services.”
That means knowing who is designing, manufacturing, building, delivering and supporting your enterprise IT capabilities.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.