These kinds of attacks can affect companies of all sizes so our security experts have come up with six steps that small and medium enterprises can take to mitigate the risk of being compromised by these supply chain attacks and minimize the damage if an attack does succeed.
A supply chain attack is a tactic used by cyber criminals to indirectly breach targets via their suppliers. They take advantage of the already established trust relationships and infrastructural connections between a company and its suppliers to gain access to their targets. There are two main types of supply chain attack:
Most SMEs will not be the main target of the first kind of attack (although there are exceptions), but they may be breached as a means to get to a company that they supply. They could also be hit in the second kind of attack if one of their own service providers is breached.
Furthermore, just because a company is small doesn’t necessarily mean it is not a high-profile target. Some SMEs own valuable intellectual property (e.g. source code, customer data, medical records, unpublished movies), which makes them worth attacking. However, this is a minority of cases.
Let’s start with the bad news: if you are targeted by a sophisticated, state-backed attacker, you will be affected even with the most comprehensive defense. This is because the attacker abuses existing trust relationships. Often you need to grant a lot of access to service providers in order to fully utilize their services, and an attacker can exploit this.
The only way to guarantee that a breach of your infrastructure management service provider cannot reach you would be to deny that provider access to your infrastructure, which of course defeats the purpose.
The good news is that many supply chain attacks are not as sophisticated as Sunburst, and there are some general rules for protecting your business or, through early detection, at least minimizing the impact of attacks that do slip through. That way you can react before too much damage is done.
1. Pick your suppliers carefully. You can and should ask your suppliers difficult questions. Certifications like ISO 27001 or ISAE 3000 are important but do not guarantee anything on their own. You should also ask the vendor about their security practices and request security assessment reports or another form of proof that they take security seriously. A dilemma you may face is that established suppliers with more mature security postures and tighter rules may be more attractive targets for a sophisticated attack. Of course, it is impossible to predict who will be attacked next, so you should always require suppliers to document their security process. A good indicator of a rigorous process is the supplier’s openness to being audited, so you can suggest this even if you are unlikely to go through with it.
2. Only grant suppliers the necessary access and review the level of access regularly. Assume that your supplier will get compromised at some point and plan in advance how to minimize the impact. Always go for the minimum access required (this also applies to internal staff). For example, if you have an external network infrastructure manager, their accounts should allow them to do that and nothing else. The principle of minimum access for all accounts means that an attacker will also have minimum access when they compromise them.
3. Do a threat modelling exercise (even if it’s only lightweight). This means considering the access that all third-party services have and how it could be abused, then considering what measures you or your provider can put in place to limit the damage in the event of an attack.
4. Consider a third-party monitoring solution such as EDR (Endpoint Detection and Response). You won’t be able to stop all attacks before they happen (especially if you are attacked through a pre-trusted or whitelisted source), but the earlier you spot an attack the better. Our detection and response systems analyze telemetry from your systems and your network to identify hints of suspicious activity.
5. Have a planned response. We frequently see companies that are unable to respond adequately to a breach once alerted to it. You should organize drills to practice all aspects of your response (technical, legal, communications).
6. Cover the basics. Sunburst started with an attempt to “silence” the host anti-malware (EPP) solution. That’s something you can and should monitor, as disabling EPP is a clear red flag that something bad may be happening. The fact that we now have new types of “next gen” protection doesn’t mean we can forget about things like anti-malware protection or a firewall. Obviously, in a multi-cloud environment the methods of isolating environments and providing anti-malware protection may require different tooling, but the underlying idea is the same.
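As an added example (not from the original article), the Python below shows the kind of check step 6 calls for: flagging EPP disablement in host telemetry so it can be escalated early. It assumes Microsoft Defender Antivirus operational-log event IDs for disabled protection and the WinDefend service name; the key=value log format and the sample lines are constructed.

```python
import re

# Microsoft Defender Antivirus operational-log event IDs meaning protection
# was switched off (assumption: adapt the table for another EPP product).
DEFENDER_DISABLE_EVENTS = {
    5001: "real-time protection disabled",
    5010: "anti-spyware scanning disabled",
    5012: "antivirus scanning disabled",
}
SCM_STATE_CHANGE = 7036  # Service Control Manager: a service changed state

# Constructed line format (not a real log format): key=value fields, quoted msg.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+channel=(?P<channel>\S+)\s+'
    r'event_id=(?P<eid>\d+)(?:\s+msg="(?P<msg>[^"]*)")?'
)

def detect_epp_tampering(lines):
    """Return (timestamp, host, event_id, reason) for each line showing EPP was disabled."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count and review these
        eid, msg = int(m["eid"]), m["msg"] or ""
        if m["channel"] == "Defender" and eid in DEFENDER_DISABLE_EVENTS:
            alerts.append((m["ts"], m["host"], eid, DEFENDER_DISABLE_EVENTS[eid]))
        elif (m["channel"] == "System" and eid == SCM_STATE_CHANGE
              and "WinDefend" in msg and "stopped" in msg):
            alerts.append((m["ts"], m["host"], eid, "Defender service stopped"))
    return alerts

def hosts_with_tampering(lines):
    """Distinct hosts to escalate; several disable signals on one host raise confidence."""
    return sorted({host for _, host, _, _ in detect_epp_tampering(lines)})

# Constructed sample telemetry: fs01 handles a detection normally, build02 has EPP killed.
SAMPLE_LOGS = [
    '2024-01-10T02:14:05Z host=fs01 channel=Defender event_id=1116 msg="Malware detected"',
    '2024-01-10T02:14:06Z host=fs01 channel=Defender event_id=1117 msg="Malware remediated"',
    '2024-01-10T02:31:44Z host=build02 channel=Defender event_id=5001 msg="Real-time protection is disabled"',
    '2024-01-10T02:31:45Z host=build02 channel=System event_id=7036 msg="The WinDefend service entered the stopped state."',
    '2024-01-10T02:40:00Z host=build02 channel=System event_id=7036 msg="The Spooler service entered the running state."',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ts, host, eid, reason in detect_epp_tampering(SAMPLE_LOGS):
        print(f"ALERT {ts} {host} event {eid}: {reason}")
```

A normal detect-and-remediate sequence (events 1116/1117) produces no alert; only the host whose protection was switched off or whose Defender service stopped is escalated.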