As organizations become more interconnected, cybersecurity can no longer focus solely on internal systems. Supply chain attacks exploit trusted relationships with external parties, such as vendors, cloud providers, and software suppliers, making it equally important for organizations to secure their extended digital ecosystem. An organization’s overall security posture is, after all, only as strong as its weakest link.
According to Gartner research, attacks on the software supply chain, which include both proprietary and commercial code, pose significant security, regulatory, and operational risks. Gartner projects the cost of these attacks to surge from $46 billion in 2023 to $138 billion by 2031. These rising threats underscore how even well-defended enterprises can be compromised through their partners.
To shed light on how supply chain attacks work and why they’re a growing threat, we hear from Nazia Sharieff, an IT professional with over 16 years of experience in the tech industry. With a background spanning software engineering, research, and consulting across sectors such as Energy and Utilities, Telecom, Education, Retail, Real Estate, Government, and sports technology in Qatar and India, she currently focuses on Governance, Risk, and Compliance. Drawing from her deep industry expertise and insights from high-profile incidents, she discusses lessons learned and best practices for managing third-party risk and securing software updates to prevent compromises.
Curious about supply chain attacks? Watch the full Q&A video or read her insights below.
How do supply chain attacks work, and why have they become a preferred method for cybercriminals targeting organizations?
Supply chain attacks target an organization’s weaknesses. Basically, what happens here is that instead of directly attacking the organization, which has become tough today, they (attackers) try to attack the suppliers, vendors, or partners of these big organizations.
They infiltrate through the supplier’s software or network and install malicious software. This could be done either through the supplier’s software, or they could also get in by tampering with the hardware or by other means. So, they look for weaknesses or vulnerabilities with the partner or supplier, and through the vendor’s weaknesses, they try to target these big organizations.
These attacks have become pretty common today. Like I said, because most big organizations have a very secure framework, it’s usually difficult for them to infiltrate into the big organization’s network. So, they are looking for alternate channels – these weak pathways – through the supplier or the vendor. That’s how they infiltrate into the big organizations. We’ve seen multiple attacks in the past, and a lot of these attacks were channeled through suppliers and vendors.
Thank you for that insightful response. Now, moving on to our next question: what recent high-profile supply chain attacks have exposed vulnerabilities in major industries, and what lessons have been learned from these incidents?
Like I mentioned, one of the famous attacks that we had was the SolarWinds attack, where the network was breached. There were significant vulnerabilities which were exploited by these hackers, and that is how they managed to infiltrate the network.
Some of these incidents, and a couple of other incidents that we’ve had in the past few years, have definitely shaken the industry and put big organizations on alert. Though these are small vendors, who are called partners and are small software companies, they are interconnected with the big organizations’ networks. Hence, a breach in the partner’s system leads to a bigger breach at the organization.
Some of the key lessons that we’ve learned from some of these attacks include the need for constant monitoring of third-party risk. Third-party risk management is there, and it is an essential element of cybersecurity management. We’ve seen that some standards, such as NIST and ISO 27001, mandate third-party risk management. So, supply chain risk management was a key part of compliance as well as cybersecurity management.
But the emphasis now is on continuous monitoring of third-party risks: monitoring the suppliers’ network, having security requirements in place, and including those security requirements as part of compliance. Then, we need to put in security requirements such as the right to audit, to be able to audit these suppliers’ security practices – Are they compliant with local laws and regulations? Do they have any certifications in place?
That is one way of assessing the supplier before onboarding them, and also continuous monitoring. In some of these attacks, it so happened that the attack had taken place a long while ago, and the attackers had infiltrated the network. They then managed to move laterally and breach the major organizations’ networks. But the attacks were only discovered after some time. This is because of traditional incident management. If continuous security monitoring had been in place and attacks were detected in real time, the lateral movement could have been stopped, and the attack would have been mitigated at an early stage.
Also, what’s necessary is that an organization implements zero trust architecture. Basically, this means having multi-factor authentication (MFA) in place for both internal and external entities. It’s not only necessary for internal entities, but also for external vendors. Additionally, it’s important to ensure that vendors list all possible dependencies they have. For example, if you are procuring software from a vendor, it’s highly recommended to ask for all the interdependencies – what software they depend on, what security practices they follow, and what compliance and security controls they have in place.
That gives us a lot to consider. Now, let's delve deeper into this topic: What best practices should organizations adopt to strengthen their defenses against supply chain attacks, particularly in managing third-party risk?
I mentioned a few factors before, like having a proper patch management process in place with a rapid response. So, not only do we need a patch management policy that ensures critical vulnerabilities and updates are applied on time, but we also need to make sure that after patching, monitoring is done to ensure that these vulnerabilities are correctly patched.
As I mentioned, zero trust architecture is essential – ensuring you are not trusting anyone, whether it is an internal entity or an external entity. Even if you have a long-time trusted vendor, you need to ensure the necessary security controls and compliance requirements are in place as part of your agreements and contracts. You can include clauses such as the right to audit and ask for security certifications to verify if they are ISO compliant. This would ensure that your partners or vendors are trustworthy.
In addition, third-party risk management should involve regular audits or reviews of vendors, with risks highlighted, monitored, and mitigated in a timely manner.
These are some of the best practices organizations can implement to ensure that such attacks do not happen. Continuous, real-time monitoring is also critical to detect any threats and anomalies early, enabling swift mitigation. This helps avoid late responses or incident handling only after major damage or breaches occur.
Those strategies are vital for enhancing our defenses. Building on that, how can organizations ensure the security of software updates and patches to prevent supply chain compromises?
Firstly, in order to ensure that software patches are applied correctly and to mitigate any supply chain attacks, we need to have patching policies or a patching process in place. We need to prioritize the deployment of patches for critical vulnerabilities.
And not only is it important that we roll out these patches, but also that these software patches are tested in controlled environments first. The organization has to deploy them across the organization and ensure that these patches are working – and if there are any issues, they would have to address them. They also need to ensure that post-installation monitoring is done.
Basically, after an update is deployed, they have to look out for any kind of unusual behavior, because there is a possibility that there is a vulnerability even after applying these patches. Usually, infiltration happens when there is a patch that is applied through the vendor, and the patch is infected with a malicious file. That gives the attacker a way to enter or reach into the organization’s network.
So yes, a robust, effective, and continuously tested and monitored patch management process is one of the ways in which we can ensure that software updates are applied on time. Also, it’s important to ensure that least privilege and segmentation are enforced, especially when third-party vendors are involved in applying software updates or patching systems. In such cases, they should be granted as limited access as possible, whether that’s role-based access or access controls based on their specific roles.
You also segment the network and make sure that even if vendors get access to the network, they have very limited access and are not able to access critical systems. Critical assets and systems should be separated from the vendor network.
That is one way to do it. And of course, another way to ensure that software patches are installed on time is to stay up to date – stay connected with updates from the vendor, demand updates on latest releases and latest patches. Sometimes, we might not get timely updates from vendors, so it becomes the organization’s responsibility to follow up and ensure those patches and updates are applied on time.
It’s necessary to collaborate, stay informed, and be part of these groups or advisories – like risk advisory groups or local advisory groups – that inform you. In every country, you usually have something like a National Cyber Security Agency, which informs organizations about critical breaches.
These days, it is a small world. If there is a breach or attack in one part of the world, communication usually goes out quickly. Vendors will announce and let us know that a breach has happened, and that all organizations using the software should take necessary measures to mitigate the risk.
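The answer above notes that a vendor-delivered patch can itself arrive carrying a malicious file. The concrete check a practitioner puts in front of the controlled test environment is to verify the update's origin and integrity before anything is installed. The Go program below is an added example, not code from the interview or from NextLabs: the vendor signs a small manifest (product, version, SHA-256 of the artifact) with an Ed25519 key, and the consumer verifies that signature against a pinned copy of the vendor's public key, then compares the artifact's digest in constant time. The manifest layout, the product name, the artifact bytes and the key pairs are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata a vendor publishes next to an update artifact.
// The field layout is an assumption for this example, not any vendor's format.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the artifact bytes
}

// SignedManifest is the exact manifest bytes that were signed plus the
// vendor's detached Ed25519 signature over them.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigest       = errors.New("artifact digest does not match the signed manifest")
)

// BuildManifest computes the digest the vendor will vouch for.
func BuildManifest(product, version string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	return Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the vendor side. It signs the serialized bytes that will
// ship, so the consumer verifies exactly what it later parses.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the consumer side. The order matters: the signature is
// checked first so that the digest being compared is one the vendor signed,
// then the artifact is hashed and compared in constant time.
func VerifyUpdate(pinnedPub ed25519.PublicKey, sm SignedManifest, artifact []byte) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("signed manifest is not valid JSON: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return Manifest{}, fmt.Errorf("manifest digest is not hex: %w", err)
	}
	if len(want) != sha256.Size {
		return Manifest{}, errors.New("manifest digest has the wrong length")
	}
	got := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return Manifest{}, ErrDigest
	}
	return m, nil
}

func main() {
	// The vendor's key pair; the consumer pins only vendorPub, obtained out of band.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a real update package.
	artifact := []byte("example-agent 2.4.1 update payload (constructed sample)")
	sm, err := SignManifest(vendorPriv, BuildManifest("ExampleAgent", "2.4.1", artifact))
	if err != nil {
		panic(err)
	}

	// Case 1: the artifact and manifest are exactly what the vendor issued.
	_, err = VerifyUpdate(vendorPub, sm, artifact)
	fmt.Println("genuine artifact, vendor manifest:   ", err)

	// Case 2: the download was modified in transit; the manifest is still the vendor's.
	tampered := append(append([]byte{}, artifact...), []byte("; injected loader")...)
	_, err = VerifyUpdate(vendorPub, sm, tampered)
	fmt.Println("tampered artifact, vendor manifest:  ", err)

	// Case 3: the attacker re-issues a matching manifest under their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignManifest(attackerPriv, BuildManifest("ExampleAgent", "2.4.1", tampered))
	_, err = VerifyUpdate(vendorPub, forged, tampered)
	fmt.Println("tampered artifact, attacker manifest:", err)
}
```

Running it prints nil for the genuine case, then the digest error and the signature error. The caveat a practitioner should keep in mind: this check stops tampering between the vendor and you (a poisoned mirror, a modified download, a manifest rewritten by someone without the vendor's key), not a compromise of the vendor's own build or signing pipeline. The trojanized SolarWinds Orion update carried SolarWinds' own valid code signature, so signature verification alone would not have caught it, which is why the post-installation monitoring the answer calls for still matters.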
Thank you, Nazia, for sharing valuable insights on the growing threat of supply chain attacks and how organizations can strengthen their defenses.
Discover more from NextLabs’ Expert Series, featuring industry experts in educational and thought-provoking conversations on Data-Centric Security, Zero Trust Architecture, Safeguarding AI, and more.
