The rapidly evolving threat landscape makes each new day more threatening than the last. As each industry strengthens its defenses, cybercriminals are constantly on the hunt for unsuspecting businesses and any gaps in their security. Events over the past year have shown that adversaries have a new target.
Supply chains have increasingly found themselves in the attackers’ scopes, especially those within the manufacturing, logistics and oil and gas sectors. This year alone we have seen high-impact cyberattacks on critical infrastructure organizations, such as Colonial Pipeline, designed to cause maximum disruption to business operations. And while these attacks are primarily thought of as highly sophisticated in terms of the techniques used, they often aren’t actually that complicated.
So, why are supply chains seen as easy targets?
The main reason supply chains within manufacturing and other critical infrastructure sectors are targeted is that they have generally invested less in cyber defenses. In comparison to more financially lucrative industries such as banking or insurance, manufacturing companies often have smaller budgets and therefore allocate fewer funds to cybersecurity. However, these industries are not short of data, and this can be just as valuable to a threat actor. To make matters worse, this data is often poorly protected. The manufacturing industry is heavily reliant on legacy technology, and it can be difficult to find the time and money to integrate new solutions with existing security stacks. However, this legacy tech often isn’t compatible with the latest security updates, so data is left vulnerable to threats. Just like a wooden hut on the edge of the sea, any wave could be the cause of its collapse.
Critical infrastructure supply chains are often extremely people-oriented, with teams collaborating across businesses — and unfortunately, people are a common tool in cyberattackers’ strategies. Using social engineering techniques, criminals can extract seemingly harmless data that can grant them the minimum access they need to kickstart their campaign. On top of this, manufacturing is a very transactional business, with thousands of emails being fired off every day within the supply chain, which leaves a much wider margin for error. It’s safe to say that attackers are on the lookout for any situation indicating increased vulnerability, whether that be under-resourced teams, limited cyber training or smaller budgets.
The past few years have witnessed a major increase in cloud migration and adoption of Office 365 as remote working becomes a permanent part of the workforce’s future. Unfortunately, many organizations that have jumped aboard this train have significantly increased their attack surface without adding the security measures needed to mitigate this. And this is the low-hanging fruit that threat actors have their sights set on.
What are the most common attack methods?
Over the past decade, phishing has been established as one of the most widely used threat vectors as it can be adapted to suit pretty much any business layout. From emails to text messages and phone calls, phishing is versatile and used in most major cyber threat campaigns today.
Social media and our ever-growing online presence are adding fuel to the phisher’s fire. It’s now easier than ever to find out crucial information about someone from a simple search on the web. Cybercriminals put in the time to research their victims. LinkedIn, in particular, can reveal a lot about a business’s employees — including the people employees deal with regularly, their writing style and their position within the company. All this data makes it much easier for a criminal to impersonate someone at an organization and launch a convincing phishing campaign, which is why business email compromise (BEC) is an extremely common occurrence within most supply chains.
Phishing is usually used as the first step in a multistage attack campaign. Where before it would be deployed as a standalone technique to harvest financial information or personally identifiable information (PII) to use at a later date, phishing now provides attackers with the entry point for further exploitation. Additionally, dispersed workforces are now far more vulnerable to phishing attempts — instead of being surrounded by people to help identify fraudulent emails, employees are left isolated at home. And with Office 365 often being the only barrier between phishers and their targets, it’s unsurprising that this threat vector has grown in popularity. Companies must also face the added complexity of Microsoft account takeover attacks, which allow cyberattackers to use legitimate email accounts to carry out their activities.
Whilst the big headlines are talking about ransomware, of which the Colonial Pipeline breach is a prime example, these kinds of attacks normally start with a successful phishing attempt. When combined, phishing and ransomware make a deadly weapon.
What can supply chains do to protect themselves?
When faced with a growing tsunami of cyber threats but a limited budget to build defenses, supply chains can find it quite overwhelming. However, there are a few simple steps that companies can take to construct an effective perimeter line.
Maintaining basic cyber hygiene is the foundation of any security strategy — it’s essential that all patching is kept up to date and that every member of the team has a rudimentary understanding of cybersecurity. Securing the business is no longer just the responsibility of the security professionals. Beyond this, secondary layers of defense like multi-factor authentication (MFA) and sophisticated email security will greatly improve each company’s security posture within the supply chain.
Once an attacker breaches one company within the supply chain, it is far easier for them to move between the individual businesses given how much communication and collaboration takes place. Implementing anti-phishing and inbox security solutions that analyze incoming emails to identify malicious content is fundamental. Furthermore, machine learning and behavioral analytics are also powerful tools to use against phishers and will greatly strengthen the supply chain’s overall security stance. If each individual company within the chain implements the basic breach prevention techniques, then the entire collective can stand strong against the surge of attackers gathering outside the perimeter.