Tackling the Rising Supply Chain Threats in 2024

Introduction: The Growing Supply Chain Threat

Supply chain attacks have been a growing focus in cybersecurity for several years, with several incidents over the past few years showing just how devastating they can be. Whether you’re a business owner or work in a security leadership role, these risks can keep you awake at night. And if you work in any technical area of cybersecurity, you’ve likely experienced the frustration of feeling that there are no good solutions to the problem.

As someone working in offensive security, I completely understand these concerns. Just like we have to accept the small, but somehow still non-zero, chance that our antivirus software might bluescreen our systems, we have to accept that supply chain attacks could happen to us no matter how good we are at security. While this means that fully preventing supply chain attacks may be impossible, that doesn’t mean we’re defenseless.

There are effective ways to significantly reduce their impact or prevent serious damage. While I might explore several other methods in future articles, like network segmentation, patch management, and strong detection systems, I will focus on the approach that stands out to me the most when it comes to effectively preparing businesses for such attacks: ‘Assumed Breach’ testing.

In this article we’ll explore how this ‘Assumed Breach’ methodology can simulate scenarios in which an attacker has already gained a foothold in your network. By doing so, you can identify vulnerabilities and gaps in your defenses and response mechanisms, strengthen your internal security, and protect your critical assets. With the right proactive steps, you can allow yourself to sleep easier at night, knowing your business is prepared to handle such attacks because you have already seen it happen.

Justifying Supply Chain Attacks as a Growing Risk

If you already agree that supply chain attacks are a big risk to your business, you can skip this section.

In today’s interconnected world, businesses are more dependent than ever on their supply chain with external vendors and third-party suppliers. This increasing dependency on a growing number of entities in the supply chain has also expanded your attack surface, making supply chains one of the most attractive targets for cybercriminals.

From software vendors to logistics partners, the compromise of just one link in the supply chain can expose sensitive data, disrupt operations, and lead to costly fines and regulatory scrutiny. Incidents like the Log4j vulnerability and the CrowdStrike disaster make any security-minded person imagine what could have happened had such an event been driven by malicious actors. Incidents such as these show us how vulnerable even the most well-prepared organizations can be.

With supply chain vulnerabilities posing such a significant threat, it’s more important than ever for businesses to rethink their cybersecurity strategies. It is no longer enough to focus solely on perimeter defenses; today’s threats demand a shift in mindset. This is where the ‘Assumed Breach’ methodology becomes a crucial part of your cybersecurity playbook. And even if you yourself don’t care that much about this risk, regulatory bodies will force you to, through frameworks like NIST or, in the European Union, NIS2.

Understanding Supply Chain Threats in 2024

Before diving into the details of “Assumed Breach” testing, it’s essential to understand why supply chains are particularly vulnerable to cyberattacks in 2024.

  1. Increased Complexity: Supply chains today are more complex than ever. Companies rely on a vast network of suppliers and third-party services, each introducing potential vulnerabilities. Attackers often target the weakest link in this chain, compromising smaller vendors to gain access to larger companies.

  2. Growing Ransomware Threats: Cybercriminals are using ransomware to lock down critical systems in supply chains, effectively halting business operations until a ransom is paid. Supply chain attacks are a great attack vector for ransomware, as their reach could be enormous.

  3. Targeted Attacks: Nation-state actors are increasingly targeting supply chains to carry out espionage or steal sensitive intellectual property. These advanced persistent threats (APTs) pose a severe risk to industries like defense, energy, healthcare, and manufacturing.

  4. Compliance Pressure: Regulatory bodies are placing more emphasis on supply chain security, especially with frameworks like the NIST Cybersecurity Framework and the European Union’s NIS2 Directive. Businesses are expected to not only secure their systems but also ensure that their suppliers meet certain cybersecurity standards.

What is ‘Assumed Breach’ Testing?

While traditional penetration tests focus on keeping attackers out, ‘Assumed Breach’ testing flips the script. It operates on the assumption that an attacker has already infiltrated the network, bypassed the perimeter defenses, and gained access to internal systems. This methodology maps perfectly onto supply chain attacks, which often originate from within trusted third-party systems and therefore start on the inside of your environment.

Key objectives of ‘Assumed Breach’ testing:

  • Test a realistic scenario: Before the engagement begins, the test team should ask you where your most likely or most dangerous attack paths are. If you are unsure of this, they can probably come up with likely scenarios, or even just place a server in your network as a generic starting point for a supply chain attack.

  • Assess internal defenses: How well can your systems detect and respond to an internal attack? “Assumed Breach” testing evaluates internal security mechanisms, such as network segmentation, monitoring tools, and access controls.

  • Test Incident Response: Once an attacker is inside, how quickly can your team respond? This test challenges your incident response team, helping to identify gaps in procedures and improving reaction times.

  • Identify Weak Links: It highlights vulnerable points within the supply chain, such as inadequate security measures at a supplier or insufficient access controls. It will also uncover how easily an attacker could perform lateral movement to further infiltrate your network, giving you great pointers on where to strengthen your configurations or security. From experience, while there could be 100 attack paths throughout your infrastructure, they very often rely on a few choke points of worst offenders, for example a service account with a weak password, or a domain admin logged in to a server with low protection.

This type of testing is critical in supply chain security because it shows you exactly what would happen if a trusted supplier or vendor became compromised, providing insights that traditional penetration tests might miss.

How ‘Assumed Breach’ Testing Protects Your Business

  1. Exposing hidden vulnerabilities
    Many vulnerabilities are only visible once an attacker has already gained access to the internal network. For example, weak lateral movement controls or improperly configured servers may not be obvious until they are tested from an insider perspective.
    Examples: A test performed as an ‘Assumed Breach’ scenario could reveal that your segmentation rules are not working as intended, allowing traffic you thought was blocked. It could also reveal that a “default password” you used for new accounts in the past, like Password123, is still set on a couple of admin accounts because those accounts were never used.

  2. Improving detection and response capabilities
    Most organizations focus on keeping threats out, but the reality is that no defense is impenetrable. Once an attacker is inside, the speed and effectiveness of detection and response are crucial.
    Examples: A key part of ‘Assumed Breach’ testing is testing how quickly your team can detect anomalous behavior. For instance, would your team detect if a compromised third-party supplier’s credentials were used to escalate privileges or exfiltrate data? Identifying these response gaps can mean the difference between mitigating a breach and suffering significant damage. Such a test could also uncover that your incident response plan is insufficient when hit with an attack of this magnitude.

  3. Mitigating supply chain risks
    Supply chain attacks often take months to detect, and attackers can exploit these delays to cause maximum damage. An ‘Assumed Breach’ test helps mitigate this risk by preparing your organization to react immediately to suspicious activity from a third party.
    Examples: During the test, your security team might discover that an attacker can easily access a vendor portal, from which they can jump into your core systems. By identifying and addressing this vulnerability early, you prevent a potential future attack. Security in practice often comes down to slowing the attacker down and making it as frustrating as possible to compromise your infrastructure. This forces the attacker to be very patient or to use tools and procedures that have a higher risk of being detected by your detection and monitoring capabilities.

  4. Strengthening vendor management
    Effective supply chain security isn’t just about protecting your own assets but also about ensuring that vendors follow strict cybersecurity practices. ‘Assumed Breach’ testing can reveal weaknesses in your vendor management processes, ensuring that third parties do not become a backdoor into your network.
    Examples: The test could uncover that a supplier’s remote access is too permissive, or that their credentials are being shared insecurely, allowing you to tighten access controls and enforce better security practices with your vendors. It could also uncover poorly secured remote access portals, or weak or even compromised vendor credentials.
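As an added illustration (not code from the original article), the following Python routine shows the kind of detection the two points above ask for: a third-party account stepping outside its agreed scope (hosts it was never meant to reach, privileged group membership) and pulling more data than its role requires. The account names, hosts, thresholds and the JSON-per-line event format are assumptions constructed for the example.

```python
import json

# Constructed policy (assumption): which hosts each third-party account may
# reach and how much data it may pull before someone should take a look.
VENDOR_POLICY = {
    "svc_vendor_a": {"hosts": {"vendor-portal-01"}, "max_egress_bytes": 50 * 1024 * 1024},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed sample events (not real logs): a vendor account that is first used
# normally, then on a domain controller, then to add itself to Domain Admins,
# then to read a large amount of data from a file server.
SAMPLE_EVENTS = [
    '{"ts":"2024-09-20T09:02:11","user":"svc_vendor_a","host":"vendor-portal-01","action":"logon"}',
    '{"ts":"2024-09-20T09:05:40","user":"svc_vendor_a","host":"dc-01","action":"logon"}',
    '{"ts":"2024-09-20T09:06:02","user":"svc_vendor_a","host":"dc-01","action":"group_add","detail":"Domain Admins"}',
    '{"ts":"2024-09-20T09:10:30","user":"svc_vendor_a","host":"file-01","action":"smb_read","bytes_out":734003200}',
    '{"ts":"2024-09-20T10:00:00","user":"alice","host":"ws-12","action":"logon"}',
]


def detect_vendor_misuse(events, policy=VENDOR_POLICY):
    """Return (user, finding, detail) tuples for third-party accounts that leave
    their agreed scope. Internal users are not covered by this particular check."""
    findings = []
    seen_hosts = set()   # report each (account, host) pairing only once
    egress = {}          # cumulative bytes pulled per account
    for line in events:
        e = json.loads(line)
        user = e["user"]
        if user not in policy:
            continue
        rule = policy[user]
        # 1. Vendor account reaching a host outside the agreed scope.
        if e["host"] not in rule["hosts"] and (user, e["host"]) not in seen_hosts:
            seen_hosts.add((user, e["host"]))
            findings.append((user, "out_of_scope_host", e["host"]))
        # 2. Vendor account being added to a privileged group.
        if e["action"] == "group_add" and e.get("detail") in PRIVILEGED_GROUPS:
            findings.append((user, "privilege_escalation", e["detail"]))
        # 3. Cumulative data pulled by the account crossing the agreed threshold.
        before = egress.get(user, 0)
        egress[user] = before + e.get("bytes_out", 0)
        if before <= rule["max_egress_bytes"] < egress[user]:
            findings.append((user, "egress_threshold", egress[user]))
    return findings


if __name__ == "__main__":
    for finding in detect_vendor_misuse(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it produces four findings; whether your real telemetry would let you write the same three checks is exactly the question an ‘Assumed Breach’ test puts to your monitoring team.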

Conclusion: How this helps you sleep better at night

As cyberattacks grow more sophisticated, particularly those targeting supply chains, businesses can no longer rely solely on traditional security measures. ‘Assumed Breach’ testing offers a proactive and realistic approach to assessing your organization’s defenses against the worst-case scenario, an attacker already inside your network. By identifying hidden vulnerabilities, improving your detection and response capabilities, and addressing weak points in your supply chain, you can significantly reduce the potential damage of such a breach.

This method prepares you for the realities of today’s complex threat landscape. The military saying “train as you fight” applies just as well to testing for cyber attacks. Whether it is protecting your internal systems or ensuring that compromised vendors don’t have too much of an impact, ‘Assumed Breach’ testing equips you with valuable insights that other testing methods or automated tools will overlook.

Implementing ‘Assumed Breach’ testing not only strengthens your defenses, but also improves incident response and helps you address supply chain risks before they cause damage. You will gain confidence in your ability to detect, monitor and throw out attackers, and the feeling that your infrastructure might be an easy target will go away.

Ultimately, it provides the peace of mind that your business is prepared to defend against sophisticated threats, letting you focus on what matters most: Growing your business, and of course, sleeping better at night.
