Dark Reading is part of the Informa Tech Division of Informa PLC

02:00 PM
Shay Nahari

How Attackers Infiltrate the Supply Chain & What to Do About It

With some security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations.

Attackers today are getting increasingly creative about how they target organizations, often using the supply chain as a point of ingress, exactly the kind of thing that keeps security pros up at night. Rather than attack their targets directly, attackers are perfectly happy to compromise one of the target's third-party providers and accomplish their end goal that way.

Whether it's a hardware provider further down the supply chain, a software provider to which the organization outsourced some added features, or a service provider, all can represent a potential point of entry. This dramatically changes the attack surface for the typical enterprise and, with recent highly publicized breaches such as those involving ASUS and Docker, is eroding the trust that was once inherent in the supply chain.

Recent attacks have even targeted patching processes and software updates, leveraging the very means by which organizations protect themselves against potential threats. It's no wonder that organizations are moving more toward a "zero trust" model. Any blind spot becomes a potentially vulnerable attack surface. Infiltrating the target organization by compromising something or someone further down the chain is often an attractive attack vector. And the logical reaction to this type of unknown is to trust nothing — but that mindset is not practical or sustainable.

So, how do we adopt a zero-trust strategy without completely stagnating our business and hamstringing innovation? By accepting the inevitable and prioritizing accordingly.

The truth is, if attackers want to get into your organization they probably can, whether it's through your supply chain or by other means. Although you should treat your supply chain with healthy skepticism, you can't refuse to trust anything outside your control. Instead, it's best to assume there's a breach and focus your time on mitigating the risk of irreparable damage.

After all, think about the typical attacker's priorities:

1. Gain access.
2. Move laterally and escalate privileges.
3. Maintain access (depending on the situation).

If we accept that we likely can't do much to stop attackers from achieving their first goal, we should instead focus on making step two as difficult as possible.

The most basic step to take is limiting the exposure of privileged credentials. Protecting privileged credentials from compromise significantly reduces the opportunities for attackers who have infiltrated an environment (via the supply chain or other pathways) to accomplish their end goal of expanding access and escalating privileges. Malware installed on a workstation, for example, could result in an attacker gaining local administrator rights, using them to reach other machines, and eventually uncovering server or domain administrator credentials.

Below are three simple steps organizations can take to protect themselves from this type of threat by embracing a realistic zero-trust security strategy that won't hamstring their business:

1. Layer your defenses. As a defender, one thing to avoid at all costs is putting all your eggs in one basket. Perimeter defenses still serve a purpose, but given all the potential points of ingress for attackers today, it would be the height of foolishness to rely too heavily on maintaining a perimeter that gets wider by the day. It's best to instead assume a breach and embrace multiple layers of security, establishing a true defense-in-depth strategy. A good starting point is to adopt a risk-based approach to security, investing the most in the security controls that reduce the largest amount of risk.

2. Consistently employ the principle of least privilege. One of the more obvious, but also more helpful, pieces of security advice is to limit the potential points of access available for attackers to exploit. Account sprawl is real and carries significant risk for enterprises. Organizations should limit the number of user accounts as much as possible; every unnecessary account is a source of risk with no corresponding reward.

This is particularly true for privileged accounts. Privileged account takeover is the dream scenario for an attacker as it makes a full network takeover easier. However, it's much harder to move laterally and escalate privileges if there aren't as many privileged accounts to take over. An obvious best practice therefore is to only grant administrator accounts to those who actually need them and ensure that they are only used for administrative tasks rather than basic day-to-day work.

3. Increase monitoring for privileged credential theft. If an organization is victimized by a supply chain attack, the initial attack by definition took place in a security blind spot and thus the enterprise won't have detected it. However, by monitoring privileged sessions to detect patterns indicative of credential theft techniques, organizations can increase the chances that they'll identify if/when the attacker is actually trying to use the access they've attained. And if the organization can catch them when they're trying to escalate, then the threat that the supply chain represents is significantly reduced.
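As an added example, not code from the article or from CyberArk, the following Python pass turns steps 2 and 3 into three concrete checks run over a handful of constructed Windows Security log events: a privileged account used for interactive or RDP logon on a workstation (an admin account doing day-to-day work, which exposes the credential on that machine), one account fanning out network logons to many hosts in a short window (the pattern a replayed stolen credential leaves behind during lateral movement), and a member being added to a privileged group (escalation). The event IDs 4624, 4728 and 4732 and the LogonType values are the real Security log semantics; the host-naming convention, the account and group names, the thresholds and every event in the sample are assumptions constructed for illustration.

```python
"""Privileged-credential misuse checks over constructed Windows Security log events.

Added example, not from the article or CyberArk. Event IDs 4624 (logon),
4728/4732 (member added to a global/local security group) and LogonType
values 2 (interactive), 3 (network) and 10 (RDP) are real Security log
semantics. The WS-/SRV- host-naming convention, the account and group names,
the thresholds and all events below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organization's privileged accounts and groups (in practice
# pulled from the PAM or directory inventory).
PRIVILEGED_ACCOUNTS = {"adm-jdoe", "svc-backup"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}

# Constructed sample events (not real log data), pre-parsed into dicts that
# use the Security log field names.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2019-07-16T09:00:00", "Computer": "WS-042",
     "TargetUserName": "jdoe", "LogonType": 2},
    # privileged account logging on interactively to a workstation
    {"EventID": 4624, "TimeCreated": "2019-07-16T09:05:00", "Computer": "WS-042",
     "TargetUserName": "adm-jdoe", "LogonType": 2},
    # the same account then reaches four servers over the network in 3 minutes
    {"EventID": 4624, "TimeCreated": "2019-07-16T09:12:00", "Computer": "SRV-FILE01",
     "TargetUserName": "adm-jdoe", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2019-07-16T09:13:00", "Computer": "SRV-DB02",
     "TargetUserName": "adm-jdoe", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2019-07-16T09:14:00", "Computer": "SRV-APP03",
     "TargetUserName": "adm-jdoe", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2019-07-16T09:15:00", "Computer": "SRV-DC01",
     "TargetUserName": "adm-jdoe", "LogonType": 3},
    # ... and adds a new member to Domain Admins (TargetUserName is the group)
    {"EventID": 4728, "TimeCreated": "2019-07-16T09:20:00", "Computer": "SRV-DC01",
     "SubjectUserName": "adm-jdoe",
     "MemberName": "CN=svc-build,OU=Service,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    # a backup service account touching its two usual file servers: normal
    {"EventID": 4624, "TimeCreated": "2019-07-16T09:30:00", "Computer": "SRV-FILE01",
     "TargetUserName": "svc-backup", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2019-07-16T09:31:00", "Computer": "SRV-FILE02",
     "TargetUserName": "svc-backup", "LogonType": 3},
]


def admin_interactive_on_workstation(events):
    """Step 2 check: a privileged account used for an interactive (2) or RDP (10)
    logon on a WS- host is an admin credential doing day-to-day work, and it is
    now cached on that workstation where malware could harvest it."""
    return [(e["TimeCreated"], e["TargetUserName"], e["Computer"])
            for e in events
            if e["EventID"] == 4624 and e["TargetUserName"] in PRIVILEGED_ACCOUNTS
            and e.get("LogonType") in (2, 10) and e["Computer"].startswith("WS-")]


def lateral_fanout(events, max_hosts=3, window=timedelta(minutes=10)):
    """Step 3 check: one account producing network logons (type 3) to more than
    max_hosts distinct hosts inside `window`. Humans rarely do this; a stolen
    credential being replayed across the estate routinely does."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == 3:
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):           # sliding window from each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                alerts.append((user, sorted(hosts)))
                break
    return alerts


def privileged_group_changes(events):
    """Step 3 check: membership added to a privileged group (4728 global, 4732
    local). Returns (time, who did it, member added, group)."""
    return [(e["TimeCreated"], e["SubjectUserName"], e["MemberName"], e["TargetUserName"])
            for e in events
            if e["EventID"] in (4728, 4732) and e["TargetUserName"] in PRIVILEGED_GROUPS]


def run_checks(events):
    """Run all three checks; each key maps to the list of findings."""
    return {"admin_on_workstation": admin_interactive_on_workstation(events),
            "lateral_fanout": lateral_fanout(events),
            "privileged_group_change": privileged_group_changes(events)}


if __name__ == "__main__":
    for name, findings in run_checks(EVENTS).items():
        for f in findings:
            print(f"[{name}] {f}")
```

On the sample, the first check fires once (adm-jdoe interactive on WS-042), the fan-out check fires for adm-jdoe and stays silent for svc-backup, whose two file servers sit under the threshold, and the group check catches the Domain Admins addition. Tune the threshold and window per account class: a backup or scanning service account legitimately touches many hosts and needs its own baseline, which is why the fan-out rule takes them as parameters.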

Increasingly, the supply chain and its active participants represent a security weakness that attackers are adept at exploiting. However, there is significant opportunity to reduce the risk and limit the damage attackers can do. With some fairly simple security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations. For many organizations, this means being aware of where privilege-related risk exists, locking that access down, actively monitoring use of privileged accounts to alert on potential anomalies, and acting on those alerts to remediate risk.


Shay Nahari is the Head of Red-Team services at CyberArk and brings more than 15 years of experience in cybersecurity and telecommunications. He specializes in working with global organizations to improve their ability to detect and react to targeted attacks using adversary ...

User Rank: Ninja
7/18/2019 | 11:46:30 AM
Re: Dastardly deeds

Good points about the trucks. The trucking delivery software used by the trucking companies is isolated from the receiving company's network; it is very limited, and they have been upgrading this process since the beginning (it is a logistics bidding system). But on the other side, the receiving trucking or delivery company could be infected; then again, the only bidding mechanism goes through a process where they check the contract and call the trucker to validate the order before they move forward (very good system).

I wish most supply chain systems were as robust and efficient as this trucking system. I had mentioned in another article written by "DR" that we need to implement a BlockChain Supply System using mechanisms similar to those the "Trucking Logistics System" uses (call, validate the various loads).

 Great points


User Rank: Moderator
7/18/2019 | 5:57:06 AM
Dastardly deeds
Do you have any idea how much mayhem you can cause if you screw up a company's operations or chain of command? Can you imagine trucks going to the wrong warehouses, deliveries being late, and customers generally just not being able to get anything sorted out? It would be a catastrophe for the company and would most certainly direct customers to its competitors!
User Rank: Apprentice
7/17/2019 | 2:20:59 PM
Privileged providers
Good article. Simply put, the bottom line could be something like: treat your providers with online access as privileged accounts, even when they're not.