Supply chain attacks are getting worse and you are not ready to face them

The European Union Cyber Security Agency (ENISA) analyzed 24 recent software supply chain attacks and concluded that strong security protection is no longer enough.

Recent supply chain attacks in its analysis include those via SolarWinds Orion software, CDN provider Mimecast, developer tool Codecov, and enterprise IT management company Kaseya.

ENISA focuses on Advanced Persistent Threat (APT) supply chain attacks and notes that while the code, exploits and malware were not considered “advanced”, the planning, preparedness and execution were complex tasks. It notes that 11 of the supply chain attacks were carried out by known APT groups.

“These distinctions are crucial to understanding that an organization can be vulnerable to a supply chain attack even when its own defenses are good enough and, therefore, attackers try to explore potential new routes to infiltrate them by going to their suppliers and making themselves a target of them,” notes ENISA in the report.

The agency expects supply chain attacks to worsen: “This is why new safeguards to prevent and respond to potential supply chain attacks in the future while at the same time mitigating their impact must be introduced urgently,” it said.

ENISA’s analysis found that attackers focused on vendor code in around 66% of reported incidents. The same proportion of vendors were not aware of the attack until it was disclosed.

“This shows that organizations should focus their efforts on validating code and third-party software before using them to ensure that they have not been tampered with or manipulated,” ENISA said, although that is easier said than done.

As the Linux Foundation pointed out following the SolarWinds disclosure, even reviewing the source code – both for open source and unaudited proprietary software – probably wouldn’t have prevented this attack.

ENISA calls for coordinated action at EU level and has presented nine recommendations that customers and suppliers should follow.

Recommendations for customers include:

  • identify and document suppliers and service providers;
  • define risk criteria for different types of suppliers and services, such as supplier and customer dependencies, critical software dependencies, and single points of failure;
  • monitor supply chain risks and threats;
  • manage suppliers throughout the life cycle of a product or service, including procedures for managing end-of-life products or components;
  • classify assets and information shared with or accessible to suppliers, and define the relevant procedures for accessing and processing them.

ENISA recommends that suppliers:

  • ensure that the infrastructure used to design, develop, manufacture and deliver products, components and services follows cybersecurity practices;
  • implement a product development, maintenance and support process consistent with commonly accepted product development processes;
  • monitor security vulnerabilities reported by internal and external sources, including third-party components;
  • maintain an asset inventory that includes patch information.

The SolarWinds attack, for example, rocked Microsoft, whose president Brad Smith said it was “the most important and sophisticated attack the world has ever known” and that it probably took 1,000 engineers to complete it. Suspected Russian hackers compromised SolarWinds’ software build system for Orion to implant a backdoor that was distributed as software to several US cybersecurity companies and several federal agencies.

The US Department of Justice (DoJ) revealed last week that Microsoft Office 365 email systems in 27 districts had been compromised for at least six months starting in May 2020.

The rise of state-sponsored supply chain attacks and of criminal ransomware attacks that incorporate supply chain attacks, such as the Kaseya incident, has shifted the focus of discussions between the United States and Russia.

US President Joe Biden said last week that a major cyberattack would be the likely cause of the US entering a “full blast war” with another superpower.
