Shay Nahari
How Attackers Infiltrate the Supply Chain & What to Do About It

With some security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations.

Attackers today are getting increasingly creative in how they target organizations, often using the supply chain as a point of ingress — exactly the kind of thing that keeps security pros up at night. Rather than attack their targets directly, attackers are perfectly happy to compromise one of the target's third-party providers and accomplish their end goal that way.

Whether it's a hardware provider further down the supply chain, a software provider that the organization outsourced some added features to, or a service provider, all can represent a potential point of entry. This dramatically changes the attack surface for the typical enterprise and, with recent highly publicized breaches such as ASUS and Docker, is negatively impacting once-inherent trust in the supply chain.

Recent attacks have even targeted patching processes and software updates, leveraging the very means by which organizations protect themselves against potential threats. It's no wonder that organizations are moving more toward a "zero trust" model. Any blind spot becomes a potentially vulnerable attack surface. Infiltrating the target organization by compromising something or someone further down the chain is often an attractive attack vector. And the logical reaction to this type of unknown is to trust nothing — but that mindset is not practical or sustainable.

So, how do we adopt a zero-trust strategy without completely stagnating our business and hamstringing innovation? By accepting the inevitable and prioritizing accordingly.

The truth is, if attackers want to get into your organization they probably can, whether it's through your supply chain or by other means. Although you should treat your supply chain with healthy skepticism, you can't refuse to trust anything outside your control. Instead, it's best to assume there's a breach and focus your time on mitigating the risk of irreparable damage.

After all, think about the typical attacker's priorities:

1. Gain access.
2. Move laterally and escalate privileges.
3. Maintain access (depending on the situation).

If we accept that we likely can't do much to stop attackers from achieving their first goal, we should instead focus on making step two as difficult as possible.

The most basic step to take is limiting the exposure of privileged credentials. Protecting privileged credentials from compromise significantly reduces the opportunities for attackers who have already infiltrated an environment (via the supply chain or other pathways) to accomplish their end goal — expanding access and escalating privileges. Malware installed on a workstation, for example, could result in an attacker gaining local administrator rights, then access to other machines, and eventually uncovering server or domain administrator accounts.

Below are three simple steps organizations can take to protect themselves from this type of threat by embracing a realistic zero-trust security strategy that won't hamstring their business:

1. Layer your defenses. As a defender, one thing to avoid at all costs is putting all your eggs in one basket. Perimeter defenses still serve a purpose, but given all the potential points of ingress for attackers today, it would be the height of foolishness to rely too heavily on maintaining a perimeter that gets wider by the day. It's best to instead assume a breach and embrace multiple layers of security, establishing a true defense-in-depth strategy. A good starting point is to adopt a risk-based approach to security, investing the most in the security controls that reduce the largest amount of risk.

2. Consistently employ the principle of least privilege. One of the more obvious, but also more helpful, pieces of security advice is to limit the potential points of access for attackers to exploit. Account sprawl is real and carries significant risk for enterprises. Organizations should limit the number of user accounts as much as possible; otherwise, each extra account is a potential source of risk with no corresponding reward.

This is particularly true for privileged accounts. Privileged account takeover is the dream scenario for an attacker as it makes a full network takeover easier. However, it's much harder to move laterally and escalate privileges if there aren't as many privileged accounts to take over. An obvious best practice therefore is to only grant administrator accounts to those who actually need them and ensure that they are only used for administrative tasks rather than basic day-to-day work.

3. Increase monitoring for privileged credential theft. If an organization is victimized by a supply chain attack, the initial attack by definition took place in a security blind spot and thus the enterprise won't have detected it. However, by monitoring privileged sessions to detect patterns indicative of credential theft techniques, organizations can increase the chances that they'll identify if/when the attacker is actually trying to use the access they've attained. And if the organization can catch them when they're trying to escalate, then the threat that the supply chain represents is significantly reduced.
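The three steps above can be turned into concrete checks. The script below is an added example, not code from the article or from CyberArk: it runs over a handful of constructed logon records (modelled loosely on Windows logon-event fields) and flags two things the text calls for. For step 2, it reports privileged accounts used for interactive, day-to-day logons on workstations; for step 3, it reports privileged accounts appearing on hosts outside their known baseline and accounts that fan out to several hosts within a few minutes, a pattern worth investigating as possible credential theft or lateral movement. The account names, hostnames, baseline and log format are all assumptions made for the example.

```python
"""Audit constructed logon records for privileged-access signals.

(1) Admin accounts used for interactive day-to-day work on workstations
    (violates "admin accounts only for admin tasks").
(2) Admin accounts seen on hosts outside their baseline.
(3) Admin accounts reaching several distinct hosts in a short window.

All accounts, hosts and log lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed set of privileged accounts (in practice, from the directory).
PRIVILEGED = {"svc_backup", "da_jsmith", "adm_mlee"}

# Constructed baseline: hosts each privileged account normally uses.
BASELINE = {
    "svc_backup": {"SRV-BACKUP01"},
    "da_jsmith": {"ADMIN-JUMP01"},
    "adm_mlee": {"ADMIN-JUMP01", "SRV-FILE02"},
}

# Constructed records: timestamp, account, target host, logon type
# (2 = interactive, 3 = network, 10 = remote interactive).
SAMPLE_LOG = """\
2019-07-17T08:02:11 da_jsmith WS-1042 2
2019-07-17T08:05:40 jsmith WS-1042 2
2019-07-17T09:10:03 adm_mlee ADMIN-JUMP01 10
2019-07-17T09:12:45 svc_backup SRV-BACKUP01 3
2019-07-17T13:20:09 adm_mlee WS-2210 3
2019-07-17T13:21:30 adm_mlee WS-2211 3
2019-07-17T13:22:02 adm_mlee SRV-DB01 3
2019-07-17T17:00:00 svc_backup WS-0077 2
"""

INTERACTIVE_TYPES = {2, 10}
WORKSTATION_PREFIX = "WS-"  # assumed naming convention for workstations


def parse_log(text):
    """Parse the whitespace-separated constructed log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, logon_type = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "host": host,
            "logon_type": int(logon_type),
        })
    return records


def find_daily_use_violations(records):
    """Privileged accounts logging on interactively to workstations."""
    return [
        (r["account"], r["host"])
        for r in records
        if r["account"] in PRIVILEGED
        and r["logon_type"] in INTERACTIVE_TYPES
        and r["host"].startswith(WORKSTATION_PREFIX)
    ]


def find_off_baseline_use(records):
    """Privileged accounts seen on hosts outside their baseline."""
    return [
        (r["account"], r["host"])
        for r in records
        if r["account"] in PRIVILEGED
        and r["host"] not in BASELINE.get(r["account"], set())
    ]


def find_fan_out(records, window=timedelta(minutes=5), min_hosts=3):
    """Privileged account touching >= min_hosts distinct hosts within window."""
    by_account = defaultdict(list)
    for r in records:
        if r["account"] in PRIVILEGED:
            by_account[r["account"]].append(r)
    alerts = []
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r["time"])
        for i, start in enumerate(recs):
            hosts = {x["host"] for x in recs[i:]
                     if x["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, tuple(sorted(hosts))))
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Admin accounts used for daily work:", find_daily_use_violations(recs))
    print("Admin accounts off baseline:", find_off_baseline_use(recs))
    print("Fan-out alerts:", find_fan_out(recs))
```

The first check is a least-privilege audit you can run periodically; the other two are detection logic you would point at a live feed of privileged-session or logon events. The baseline and fan-out thresholds are deliberately simple so the logic is easy to read; in a real deployment they would be learned from history and tuned per account.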

Increasingly, the supply chain and its active participants represent a security weakness that attackers are adept at exploiting. However, there is significant opportunity to reduce the risk and limit the damage attackers can do. With some fairly simple security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations. For many organizations, this means being aware of where privilege-related risk exists, locking that access down, actively monitoring use of privileged accounts to alert on potential anomalies, and spurring action to remediate risk.


Shay Nahari is the Head of Red-Team services at CyberArk and brings more than 15 years of experience in cybersecurity and telecommunications. He specializes in working with global organizations to improve their ability to detect and react to targeted attacks using adversary ...
User Rank: Apprentice
8/1/2019 | 1:59:20 AM
Smart quiet attacks
It is getting even more frightening to know that as we evolve, hackers evolve alongside our advances. Now that they are getting even smarter in their tactics, we need to counter their attacks with our own preventive measures. Our business might collapse before we even find out that we are under attack. Conniving attacks come without notice and this is when businesses suffer the most.
User Rank: Ninja
7/18/2019 | 11:46:30 AM
Re: Dastardly deeds

Good points about the trucks. The trucking delivery software that is used by the trucking companies is isolated from the receiving company's network; it is very limited, and they have been upgrading this process since the beginning (it is a logistic bidding system). But the alternative side is that the receiving trucking or delivery company could be infected. Again, though, the only bidding mechanism goes through a process where they check the contract and call the trucker to validate the order before they move forward (very good system).

I wish most of the supply chain systems were as robust and efficient as this trucking system. I had mentioned in another article written by "DR" that we need to implement a BlockChain Supply System using similar mechanisms to the ones the "Trucking Logistic System" uses (call, validate the various loads).

Great points


User Rank: Moderator
7/18/2019 | 5:57:06 AM
Dastardly deeds
Do you have any idea how much mayhem you can cause if you screw up a company's operations or chain of command! Can you imagine trucks going to the wrong warehouses, deliveries being late and customers generally just not being able to get anything sorted out. It would be a catastrophe for the company and would most certainly direct customers to its competitors!
User Rank: Apprentice
7/17/2019 | 2:20:59 PM
Privileged providers
Good article. Simply put, the bottom line could be something like: treat your providers with online access as privileged accounts, even when they're not.