Written by Rob Brewer.
Rob Brewer is the Director of Operations here at CloudTech24.
An advisor trusted by governments, financial organisations, and the FTSE100, Rob’s expertise lie in threat evolution and mitigation.
Supply Chain Attacks
A supply chain attack refers to the targeting of a vulnerable third-party supplier or vendor in order to gain access to the network or systems of the larger organisations that depend on it. Typically, an attacker targets a third-party vendor or supplier with weak security controls or unpatched vulnerabilities, intending to exploit that weakness to infiltrate the systems of the other organisations that use the vendor’s services or products.
Once attackers gain access to the vendor’s systems, they can use that access to compromise the systems of the other organisations that rely on the vendor’s products or services. The attackers can use this method to spread malware, steal sensitive data, or disrupt the normal operations of the targeted organisation.
Why should the board care?
In today’s interconnected world, every business relies on another business somewhere, even government agencies.
Because of this, every business is exposed to supply chain attacks. When making partnership decisions, even ones which may seem to have zero relevance to security, it is important for a business to perform adequate cyber security due diligence checks. The aim is to ensure that the business they are about to share sensitive information with is putting the necessary controls in place to protect its own assets and data.
Failure to do this can lead to compromise through the third party, which carries the same impact as a direct compromise: loss of sensitive information, including customer or employee personally identifiable information (PII), or intellectual property (IP).
Two recent examples:
- 3CX VoIP telephony attack: https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
- SolarWinds Orion (SUNBURST): https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
Phishing
Phishing is still one of the most effective ways to compromise an organisation. It’s not new or sexy in most cases, but as the saying goes, “an Oldie but a Goldie”. Social engineering still hits as hard as it did when we first realised that we could manipulate email contents and trick each other into doing something such as opening an attachment or a link in an email.
The payloads have changed over time, with more innovative methods such as relying on living-off-the-land binaries and scripts, as in the recent campaign using OneNote attachments (.one), but the act of sending someone an email with the aim of tricking them into clicking on something is still a top trend. We still see an awful lot of ‘Pay your invoice’ style emails that redirect to fake login pages asking for your credentials. I don’t believe this will ever change, as it’s simple, it’s effective and, from the attacker’s perspective, it’s not costly.
It’s still an issue, and will be for the foreseeable future. So much so that, at the time of writing, the NCSC still lists ‘Phishing’ as a “Trending Topic” on its Advice and Guidance page.
Why should the board care?
The board are a primary target. As high-worth, high-value targets, they will typically be the ones who receive the most phishing attempts, alongside privileged users like sysadmins. The reasoning is simple: the reward for success is greater.
VIPs and sysadmins (or any other technical owners) have access to privileged information, whether financial or technical, that most of the business doesn’t, so going after these targets just makes sense.
You should be doing organisation-wide security awareness anyway; however, making an extra effort to ensure that the board are aware of the signals and indicators of a phishing email will, in most cases, go a long way towards protecting the crown jewels.
Ransomware
I don’t need to explain ransomware in too much detail here, but interestingly there has been a slight shift in the way that ransomware is leveraged. Typically, ransomware will rip through the organisation encrypting anything in sight to bring the operations of a business to its knees until the ‘ransom’ is paid. This worked well until businesses became more aware and put mechanisms in place to reduce the impact and better structure their business continuity and disaster recovery plans.
At that point, having the data inaccessible for a short amount of time was no longer as much of a concern.
We then started seeing a rise in ransomware which strategically targeted certain data of value that could be used for extortion. The focus is less on crippling the operational running of the business and more on leaking sensitive information which a business may not want out in the open.
Closely linked is wiper malware, which uses the same sort of techniques as ransomware but whose primary purpose is simply to destroy as much data as possible in the shortest amount of time. Since it doesn’t need to leave the data in a recoverable form, it can operate much faster than typical ransomware, which in most cases allows a business to ‘recover’ the data using a decryption key once the ransom is paid.
Why should the board care?
Ransomware is effective, easily obtainable from the right places and ever changing. Ransomware combined with phishing is a combo made in heaven for threat actors, and it has been used to great effect since its development.
Ransomware can, and will, shut a business down for good if you’re not adequately prepared and ready to deal with it.
Is spending all your budget on detection and response tools the most effective way to prepare for ransomware? It’s good, but I would argue that robust, regular and immutable backups of your data, together with an associated incident response, business continuity and disaster recovery plan that you drill and test regularly, will get you most of the way there.
Detection and response tools are hugely beneficial, but if they don’t stop it, you need a fallback position. Layered security is still important in 2023, and understanding where the budget is best placed, other than on expensive, shiny tools, will go a long way towards getting approval.