The digital supply chain is under attack like never before. Listed among the top seven security concerns for 2022 by Gartner, digital supply chain security is now top of mind for cybersecurity teams, CISOs, and the entire C-suite. For the first time, digital supply chain attacks are threatening business continuity for large-scale enterprises.
Why the Digital Supply Chain and Why Now?
Digital supply chains are connected to almost every mission-critical service in an organization. All Internet-facing services are built on a tiered ecosystem of third-party services and infrastructures. In turn, every third party has its own third parties, which have their own third parties, and so on down the line. This means that the vulnerabilities of your vendors and your vendors' vendors (and so on) often become your vulnerabilities.
There are several reasons why digital supply chains are especially vulnerable now, including:
- Digital supply chain attacks are worth the investment for hackers. Owing to the nature of the digital supply chain, replicating a single exploit can cast a very wide attack net. This exponentially increases the potential attack payoff and the ROI of exploit development.
- Developers of Web-based applications and services accelerate development with external code packages. These development paradigms carry their own inherent vulnerabilities, the dangers of which are passed up the digital supply chain.
- Cloud service security often falls into a digital no-man's-land. SaaS or PaaS managed cloud services operate in a shared responsibility model. This creates a gray area among vendors, making it hard for traditional cybersecurity solutions to identify whether a third-party component has been tampered with.
Threat actors know that it's easier to exploit a vulnerability deep within the digital supply chain than to attack an enterprise head-on. This is why digital supply chains are now the fastest-growing attack surface for most enterprises: By our estimates, 50% to 60% of all cyberattacks are perpetrated via third parties.
The Action Items
To mitigate the risk of attack via digital supply chain vectors, enterprises need to adopt a proactive threat prevention strategy and remediate vulnerabilities before they become catastrophic breaches. Here's how that breaks down and what needs to happen yesterday:
- Automate asset discovery: You can't protect what you don't see, so proactively discover what's out there. Find and map known, unknown, and orphaned externally facing assets, including those introduced through shadow IT implementations. Take into consideration the uncontrolled assets that form your digital supply chain, no matter how far downstream they may be.
- Assess vulnerability: Once you know what you have, you still need to understand which (if any) external assets are vulnerable, how they can be exploited, and the severity of the risk they pose. In addition, "follow the connections" by conducting an in-depth and extensive connection-oriented assessment — discovering how assets downstream are vulnerable, and how that vulnerability may be propagated back up the digital supply chain and become a security risk.
- Continuously monitor: What was secure yesterday may not be secure tomorrow. Make sure you’re continuously scanning to identify new assets in your external attack surface or supply chain (for example, a new third-party vendor or a change in third-party cloud storage providers). Then, reassess each third-party asset, externally facing Internet asset, and distributed cloud infrastructure. Check closely for signs of digital supply chain misconfigurations and vulnerabilities.
- Prioritize risk and plan remediation: What should your team mitigate first? Do you have an actionable, timely mitigation and remediation plan and workflow based on vulnerability prioritization — for both your external attack surface and digital supply chain?
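The four steps above can be modeled as a dependency graph, shown here as an added example that is not from the original article: the inventory maps each asset to the third parties it relies on, two snapshots are compared to surface newly connected assets, and findings are traced back up the chain to the Internet-facing service they expose. All asset names, the snapshots, and the 0-10 severity values are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: asset -> third parties it depends on.
YESTERDAY = {
    "shop.example.com": ["cdn-vendor", "payments-vendor"],
    "payments-vendor": ["fraud-api"],
    "cdn-vendor": [],
    "fraud-api": [],
}
TODAY = {
    "shop.example.com": ["cdn-vendor", "payments-vendor", "chat-widget"],
    "payments-vendor": ["fraud-api"],
    "cdn-vendor": [],
    "fraud-api": ["storage-bucket"],
    "chat-widget": ["storage-bucket"],
    "storage-bucket": [],
}
# Constructed findings: asset -> severity on an assumed 0-10 scale.
FINDINGS = {"storage-bucket": 9.0, "cdn-vendor": 4.0}


def chains_from(graph, root):
    """Breadth-first walk: shortest dependency chain from root to each reachable asset."""
    chains = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in chains:  # visited check also stops dependency cycles
                chains[dep] = chains[node] + [dep]
                queue.append(dep)
    return chains


def new_since(previous, current, root):
    """Continuous monitoring: assets reachable today that were not reachable before."""
    return sorted(set(chains_from(current, root)) - set(chains_from(previous, root)))


def prioritize(graph, findings, root):
    """Rank vulnerable assets reachable from root: highest severity first, then nearest."""
    chains = chains_from(graph, root)
    hits = [(sev, chains[a]) for a, sev in findings.items() if a in chains]
    return sorted(hits, key=lambda h: (-h[0], len(h[1])))


if __name__ == "__main__":
    print("new assets:", new_since(YESTERDAY, TODAY, "shop.example.com"))
    for severity, chain in prioritize(TODAY, FINDINGS, "shop.example.com"):
        print(severity, " -> ".join(chain))
```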
It's important to apply these strategies not only to your direct Internet-facing assets, but also to key areas including:
- Cloud-based services: The keys to your castle are literally in the cloud. Their security is crucial to business continuity. Yet cloud misconfigurations are the leading cause of vulnerabilities. Create an end-to-end inventory of cloud assets across all cloud providers. Use this dynamic inventory as the basis for ongoing monitoring and risk management planning.
- Subsidiaries: Digital assets that belong to your subsidiaries but are connected to your primary business may pose risk. It's important to assess and remediate that risk.
- M&As: Even after mergers, acquisitions, and divestitures, networks may still contain connected assets. It's critical to get a handle on the risk signature of newly acquired or newly relinquished digital assets as part of any merger, acquisition, or divestiture.
The Bottom Line
Recent attacks have crystallized what hackers have understood for years — a breach anywhere along the digital supply chain can easily lead to a compromise of services, users, customers, and your brand reputation. To beat digital supply chain attacks, companies need to take a proactive approach to resolving the vulnerabilities within their entire external attack surface — including third parties and beyond.