Shay Nahari
How Attackers Infiltrate the Supply Chain & What to Do About It

With some security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations.

Attackers today are getting increasingly creative with how they target organizations, often utilizing the supply chain as a point of ingress — exactly the kind of thing that keeps security pros up at night. Rather than attack their targets directly, attackers today are perfectly happy to compromise one of their third-party providers and accomplish their end goal that way.

Whether it's a hardware provider further down the supply chain, a software provider that the organization outsourced some added features to, or a service provider, all can represent a potential point of entry. This dramatically changes the attack surface for the typical enterprise and, with recent highly publicized breaches such as ASUS and Docker, is negatively impacting once-inherent trust in the supply chain.

Recent attacks have even targeted patching processes and software updates, leveraging the very means by which organizations protect themselves against potential threats. It's no wonder that organizations are moving more toward a "zero trust" model. Any blind spot becomes a potentially vulnerable attack surface. Infiltrating the target organization by compromising something or someone further down the chain is often an attractive attack vector. And the logical reaction to this type of unknown is to trust nothing — but that mindset is not practical or sustainable.

So, how do we adopt a zero-trust strategy without completely stagnating our business and hamstringing innovation? By accepting the inevitable and prioritizing accordingly.

The truth is, if attackers want to get into your organization they probably can, whether it's through your supply chain or by other means. Although you should treat your supply chain with healthy skepticism, you can't refuse to trust anything outside your control. Instead, it's best to assume there's a breach and focus your time on mitigating the risk of irreparable damage.

After all, think about the typical attacker's priorities:

1. Gain access.
2. Move laterally and escalate privileges.
3. Maintain access (depending on the situation).

If we accept that we likely can't do much to stop attackers from achieving their first goal, we should instead focus on making step two as difficult as possible.

The most basic step to take is limiting the exposure of privileged credentials. Protecting privileged credentials from compromise significantly reduces the opportunities for attackers who may have infiltrated an environment (via the supply chain or other pathways) to accomplish their end goal — expanding access and escalating privileges. Malware getting installed on a workstation, for example, could theoretically result in an attacker gaining local administrator authority and gaining access to other machines, eventually uncovering server or domain administrator accounts.

Below are three simple steps organizations can take to protect themselves from this type of threat by embracing a realistic zero-trust security strategy that won't hamstring their business:

1. Layer your defenses. As a defender, one thing to avoid at all costs is putting all your eggs in one basket. Perimeter defenses still serve a purpose, but given all the potential points of ingress for attackers today, it would be the height of foolishness to rely too heavily on maintaining a perimeter that gets wider by the day. It's best to instead assume a breach and embrace multiple layers of security, establishing a true defense-in-depth strategy. A good starting point is to adopt a risk-based approach to security, investing the most in the security controls that reduce the largest amount of risk.

2. Consistently employ the principle of least privilege. One of the more obvious, but also more helpful, pieces of security advice is to limit any potential points of access for hackers to exploit. Account sprawl is real and carries significant risk for enterprises. Organizations should be sure to limit the number of user accounts as much as possible. Otherwise, each unnecessary account is just a potential source of risk with no corresponding reward.

This is particularly true for privileged accounts. Privileged account takeover is the dream scenario for an attacker as it makes a full network takeover easier. However, it's much harder to move laterally and escalate privileges if there aren't as many privileged accounts to take over. An obvious best practice therefore is to only grant administrator accounts to those who actually need them and ensure that they are only used for administrative tasks rather than basic day-to-day work.

3. Increase monitoring for privileged credential theft. If an organization is victimized by a supply chain attack, the initial attack by definition took place in a security blind spot and thus the enterprise won't have detected it. However, by monitoring privileged sessions to detect patterns indicative of credential theft techniques, organizations can increase the chances that they'll identify if/when the attacker is actually trying to use the access they've attained. And if the organization can catch them when they're trying to escalate, then the threat that the supply chain represents is significantly reduced.
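Steps 2 and 3 above can be turned into concrete checks. The following added example (not code from the article or from CyberArk) runs two simple detections over a handful of constructed logon events: a privileged account used for an interactive logon on an ordinary workstation, which violates the "admin accounts only for admin tasks" rule, and a single privileged account reaching many distinct hosts within a short window, which is the pattern that lateral movement with a stolen credential tends to produce. The event format, the `adm-`/`ADM-` naming conventions, the account and host names, and the thresholds are all assumptions made for the illustration.

```python
"""Added example: two detections over constructed privileged-logon events.

Rule 1: a privileged account (assumed convention: name starts with "adm-")
        performs an interactive logon on a host that is not an admin host
        (assumed convention: admin hosts start with "ADM-").
Rule 2: one privileged account logs on to FANOUT_THRESHOLD or more distinct
        target hosts within FANOUT_WINDOW, i.e. a lateral-movement fan-out.

All names, timestamps and the CSV-style event format are constructed for
illustration and do not come from any real environment or log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: timestamp, account, source host, target host, logon type.
SAMPLE_EVENTS = [
    "2019-07-17T09:00:00,alice,WS-0142,WS-0142,interactive",
    "2019-07-17T09:05:00,adm-bob,ADM-JUMP01,ADM-JUMP01,interactive",
    "2019-07-17T09:07:00,adm-bob,WS-0142,WS-0142,interactive",   # admin logon on a workstation
    "2019-07-17T10:00:00,adm-carol,ADM-JUMP01,SRV-FILE01,network",
    "2019-07-17T10:01:00,adm-carol,ADM-JUMP01,SRV-FILE02,network",
    "2019-07-17T10:02:00,adm-carol,ADM-JUMP01,SRV-FILE03,network",
    "2019-07-17T10:03:00,adm-carol,ADM-JUMP01,SRV-DB01,network",
    "2019-07-17T10:04:00,adm-carol,ADM-JUMP01,SRV-DC01,network",  # five hosts in five minutes
    "2019-07-17T14:00:00,adm-dave,ADM-JUMP01,SRV-DC01,network",
]

PRIVILEGED_PREFIX = "adm-"        # assumed naming convention for admin accounts
ADMIN_HOST_PREFIX = "ADM-"        # assumed prefix of hosts where admin logons are expected
FANOUT_THRESHOLD = 4              # distinct targets per window that trigger an alert
FANOUT_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Split one constructed CSV event into a dict with a real datetime."""
    ts, account, source, target, logon_type = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "source": source, "target": target, "type": logon_type}


def is_privileged(account):
    return account.startswith(PRIVILEGED_PREFIX)


def detect_admin_on_workstation(events):
    """Rule 1: privileged interactive logon to a non-admin host."""
    alerts = []
    for e in events:
        if (is_privileged(e["account"]) and e["type"] == "interactive"
                and not e["target"].startswith(ADMIN_HOST_PREFIX)):
            alerts.append(("admin_on_workstation", e["account"], e["target"]))
    return alerts


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Rule 2: one privileged account reaching >= threshold distinct targets within window."""
    by_account = defaultdict(list)
    for e in events:
        if is_privileged(e["account"]):
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Sliding window anchored at each event; count distinct targets inside it.
            targets = {x["target"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(targets) >= threshold:
                alerts.append(("privileged_fanout", account, len(targets)))
                break  # one alert per account is enough for triage
    return alerts


def run_detections(lines):
    """Parse the event lines and return all alerts from both rules, in rule order."""
    events = [parse_event(line) for line in lines]
    return detect_admin_on_workstation(events) + detect_fanout(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input, rule 1 fires once (adm-bob on WS-0142) and rule 2 fires once (adm-carol, five hosts within the window). In a real deployment the privileged-account test would come from a directory group membership rather than a name prefix, and the thresholds would be tuned against a baseline of normal administrative activity so that routine patch runs from a jump host do not page anyone.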

Increasingly, the supply chain and its active participants represent a security weakness that attackers are now adept at exploiting. However, there is significant opportunity to reduce the risk and limit the damage attackers can do. With some fairly simple security best practices, enterprises can significantly reduce the chances that a potential supply chain attack will affect business operations. For many organizations, this means being aware of where privilege-related risk exists, locking that access down, actively monitoring use of privileged accounts to alert on potential anomalies, and spurring action to remediate risk.

Shay Nahari is the Head of Red-Team services in CyberArk and brings more than 15 years of experience in cybersecurity and telecommunications. He specializes in working with global organizations to improve their ability to detect and react to targeted attacks using adversary ... View Full Bio

User Rank: Apprentice
7/17/2019 | 2:20:59 PM
Privileged providers
Good article. Simply put, bottom line could be something kind of treat your providers with online access as privileged accounts, even when they're not.
User Rank: Moderator
7/18/2019 | 5:57:06 AM
Dastardly deeds
Do you have any idea how much mayhem you can cause if you screw up a company's operations or chain of command! Can you imagine trucks going to the wrong warehouses, deliveries being late and customers generally just not being able to get anything sorted out. It would be a catastrophe for the company and would most certainly direct customers to its competitors!
User Rank: Ninja
7/18/2019 | 11:46:30 AM
Re: Dastardly deeds

Good points about the trucks. The trucking delivery software that is used by the trucking companies is isolated from the receiving company's network, it is very limited and they have been upgrading this process since the beginning (it is a logistic bidding system). But the alternative side is that the receiving trucking or delivery company could be infected but again, the only bidding mechanism goes through a process where they check the contract and they call the trucker and validate the order before they move forward (very good system).

I wish most of the supply chain systems were as robust and efficient as this trucking system. I had mentioned in another article written by "DR" that we need to implement a BlockChain Supply System using similar mechanisms the "Trucking Logistic System" uses (call, validate the various loads).

Great points