Supply chains make companies more vulnerable.
Strengthening the digital security of the supply chain
Sander Peters, KPN
Companies are cooperating ever more intensively with partners, suppliers, subsidiaries and the like. “While introducing scalability, cost-effectiveness and increasing efficiency by outsourcing more and more these days, supply chains also make companies more vulnerable”, warns Sander Peters, Head of Security Research at KPN Security. “Cooperation increases the risk of a cyberattack.” How do you stop this ecosystem from breaching your security?
NotPetya and CCleaner
Criminals make use of inherent vulnerabilities to attack the supply chain. The NotPetya cyberattack in 2017 is a good example of this. It involved the spread of ransomware via legitimate updates from M.E.Doc, a Ukrainian supplier of accounting software. This enabled the actor behind NotPetya to completely paralyze major companies such as Maersk.
Another, equally impressive example is the breach of the CCleaner distribution servers in April 2017, when Chinese hackers compromised the Piriform infrastructure via a TeamViewer account and successfully injected malware into the system-cleaning software CCleaner, thereby infecting millions of its users. One of the most peculiar aspects of this situation is that it all happened before the Avast acquisition in July, resulting in a PR fallout throughout 2017 and 2018 for the new owner when the hack became public in September 2017.
Third party risk
Like the NCTV, Sander Peters of KPN Security also sees a clear rise in third-party risks. He feels there are several reasons for that rise. “If I were a state actor, such as the hacking groups APT10 and APT41 that are linked to the Chinese government, I would also target the MSPs and other service providers. By using those large central service providers or global hubs you can access the infrastructures of major parties unnoticed. Additionally, the infrastructures are so large and complex that detecting and erasing all the remnants of a successful hack is extremely hard.”
“On top of that, good IT people and hackers tend to be either naturally lazy or superefficient”, Peters jokes.
“If good security makes it tougher to penetrate an organisation directly, they simply go in search of supply chain vulnerabilities. And it’s easier to attack a supplier that has a line to several organisations in the same sector than to attack those organisations individually.”
Ransomware via MSP
Peters and his team can see the same trend happening in ransomware attacks. “Previously, individual systems got infected via e-mail or web visits, after which a payment of 300-700 euros was demanded.” Cybercriminals are now aiming higher. “That is shown by one of our latest investigations tracking the REvil ransomware and its affiliates. This ransomware family is offered as ransomware-as-a-service, where the makers of REvil themselves receive between 30% and 40% of every payment. This lowers the threshold for carrying out such attacks.”
“The affiliates using the REvil ransomware as a service (RaaS) are skilled and are adapting their approach to the victim’s organisation using specialised campaigns. These campaigns usually start with old-school phishing or exploitation of externally accessible functionality as a first step to gain control over the entire network. Our team has found victims of infections at government bodies and healthcare institutions all over the world. In the last few months we saw campaigns focusing on specialised software used by MSPs, like remote access management tooling. Affiliates set a specific ransom for each campaign, varying from 777 dollars to as much as 1,500,000 dollars. It can be determined from the amount of the ransom whether the attack is opportunistic or targeted. Especially in the latter case, the attackers generally know how much an organisation can pay.”
Grip on external risks
For Peters, the current reality is that the majority of security breaches result from vulnerabilities in the ecosystem. However, security budgets are spent almost entirely on protecting in-house infrastructure and data.
According to the Head of Security Research, the amount of budget and attention spent on the security practices of partners and suppliers should be reconsidered.
“Organisations need to focus not only on protecting their own data and infrastructure but also on the security within the rest of their ecosystem,” Peters stresses. He has some tips for companies that want to get a better grip on the risks inherent to the supply chain:
1. Check and double-check
It is customary to perform a financial and/or legal check on new suppliers. “A cybersecurity check has to become a given”, Peters believes. “An in-depth investigation needs to be carried out to understand how the supplier’s security has been set up and whether the personnel have been screened.”
“But also consider conducting a pentest or a vulnerability scan of the new partner,” adds Peters. “Or perform a security rating.” That rating is a continuous, objective measurement of the digital security of the organisation and of the entire business chain, viewed from the outside. The scores give a good initial indication of the current level of security.
2. Accept risks
It is never possible to exclude all risks. “State actors, for example, have billions at their disposal, and plenty of time. So it isn’t really fair to hold a partner with considerably fewer resources accountable for a hack carried out by a state actor. You need to know what your risks are, which risks have to be mitigated and which can be accepted, bearing in mind public opinion and/or the shareholders.”
3. Stay alert
Have the media reported a hack? “Organisations then need to ask themselves whether this attack or something similar could happen to them too,” says Peters. For instance, red flags should be raised when companies and their partners are using software that has been exploited in a public hack. “At KPN Security this is our natural response, but it ought to be the default reaction of every organisation.”
4. Cooperate
“As far as I am concerned, cooperation is key in combating supply chain hacks,” Peters concludes. Cooperation increases the attack surface of the organisation, but it is also needed to limit the risks. “Explain to your partners why security is so important for both parties, look at how you can make a coordinated response to threats, and grow together to a higher maturity level. And, if needed, ask for the help of your security partner, who can help both parties connect the dots.”