In July 2021, the software company Kaseya became the victim of a supply chain attack. REvil exploited a zero-day vulnerability in Kaseya's VSA software, pushing an automatic and malicious update to 60 of Kaseya's managed service provider (MSP) customers and more than 1,500 small-to-midsized businesses (SMBs) downstream of them.
While the Kaseya VSA case appeared to be an outlier at the time, it now represents a widespread cyberthreat. A 2021 study by the European Union Agency for Cybersecurity (ENISA) predicted that by the end of last year the volume of supply chain attacks would quadruple from its 2020 total. Following this forecast, a recent study revealed that 80% of organizations have been notified of a supply chain vulnerability or attack in the past 12 months.
In this article, we explore the threat of the supply chain attack and the reasons for its growing popularity among hackers. We then examine why managed service providers (MSPs) make attractive targets, and what your organization can do to protect itself from exploitation.
As the Kaseya VSA example illustrates, a supply chain attack attempts to exploit the vulnerabilities of a third-party supplier to rapidly compromise an extended network of customers and partners. ENISA’s 2021 study found that 66% of supply chain attacks targeted suppliers' software code to compromise customers, with 62% of attacks on customers taking advantage of their trusted relationship with their supplier.
Hackers can target suppliers as a platform to distribute malware, exfiltrate sensitive information for ransom, launch spear-phishing or phishing campaigns, and more. Supply chain attacks are also commonly used to disrupt local communities and economies, which is the driving motivation of advanced persistent threat (APT) groups and the reason the ENISA study found that 50% of supply chain attacks were attributed to APT threat actors.
Supply chain attacks occur in two phases: the first is intended to gain access to the supplier's network, and the second is focused on carrying out more ambitious attacks against organizations in the supply chain. Supply chain attacks can use different types of cyberthreats in both stages, including phishing, spear phishing, malware, data exfiltration and encryption, and more.
Supply chain attacks are becoming more common as organizations are forced to protect a broader attack surface and the supply chain becomes more digitally dependent and interconnected. The growth of cloud computing, software-as-a-service (SaaS) offerings, and internet-connected devices means organizations must protect more users, endpoints, and applications—including those outside their direct and immediate control. For example, some suppliers need access to internal networks to provide services, exposing organizations to new vulnerabilities and making their cybersecurity posture only as strong as the supplier with the weakest security measures.
Compared to other types of cyberthreats, supply chain attacks represent the path of least resistance and greatest reward for hackers, which explains their growing popularity among cybercriminals and why organizations such as MSPs should be on high alert.
Because supply chain attacks use software as the vehicle to spread and exploit victims, the prime targets for this type of attack are software developers and suppliers. As the Kaseya case illustrates, MSPs are another target of supply chain attacks, because they operationalize software for a vast network of small-to-midsized businesses (SMBs) and control their information systems. SMBs are also a prime target because they lack the cybersecurity resources of large enterprises. According to the 2022 Verizon Data Breach Investigations Report, SMBs experienced more than twice the number of confirmed cyberattacks and data breaches as large enterprises.
For an MSP, protecting against supply chain attacks helps your organization avoid financial, reputational, regulatory, and legal consequences. And while a variety of factors are making this cyberthreat more popular and difficult to defend against, you can help prevent a supply chain attack by adopting the following set of solutions.
Malware is the most common threat used in supply chain attacks, according to ENISA. And the most common method for distributing malware is email, making it the primary attack vector against MSPs and their clients.
While traditional email security solutions can detect and filter malware with known signatures, these solutions are no match for dynamic and emerging threats, such as polymorphic malware (variants that change their code to evade signature matching) or environmentally aware malware (samples that alter their behavior when they detect an analysis environment).
That's why MSPs need a forward-looking alternative to traditional email security. AI-based threat detection and response provides predictive defense, meaning its protection is not dependent on previous attacks. This technology enables organizations to defend against known and unknown malware variants proactively. And because email threat detection is not 100% effective, this technology continually scans and removes threats post-delivery to help prevent user compromise.
Advanced protection requires a core set of AI technologies as well as the data to power them. Look for AI-based solutions that leverage computer vision, machine learning, and natural language processing, backed by a real-time, relevant, and large dataset. These solutions can catch and neutralize the most sophisticated malware strains and other email-borne threats.
To combat supply chain attacks, organizations must address a critical vulnerability in their attack surface, one outside their direct and immediate control: third-party vendors. To limit the risk that vendors present, organizations need a framework for assessing the security posture of third parties over the lifetime of the partnership. This includes performing a cybersecurity risk assessment before entering any agreement, building security standards and measures into vendor contracts, and formalizing processes for the routine monitoring and auditing of compliance.
Zero Trust security is a strategic cybersecurity framework that addresses the deficiencies of the perimeter security model. As its name suggests, Zero Trust doesn't innately trust users with internal access to a network but requires all users to undergo continuous authentication and authorization for each digital interaction within the network. When it comes to supply chain attacks, Zero Trust minimizes the ability of threat actors to infiltrate networks, move laterally, launch insider attacks, and more. Zero Trust combines multiple tools and policies, including multi-factor authentication (MFA), access controls, and network segmentation.
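The per-request evaluation the paragraph describes can be made concrete as a small policy decision function. This is an added example, not code from the article or from any product it mentions; the role-to-segment matrix, the permitted segment transitions, the 15-minute MFA freshness window and the sample requests are all constructed for illustration.

```python
"""Added example: a minimal Zero Trust policy decision point.
Every request is judged on identity, device posture, MFA freshness and
segmentation; being inside the corporate network grants nothing by itself."""
from dataclasses import dataclass

MFA_MAX_AGE_SECONDS = 15 * 60  # constructed: require a fresh MFA proof every 15 minutes

# Constructed access-control matrix: which roles may reach which resource segment.
ROLE_SEGMENTS = {
    "helpdesk": {"ticketing"},
    "engineer": {"ticketing", "build"},
    "admin": {"ticketing", "build", "rmm"},
}

# Constructed segmentation policy: which source segments may talk to which
# resource segments. The management plane ("rmm") is reachable only from "jump".
SEGMENT_PEERS = {
    "user-lan": {"ticketing"},
    "jump": {"build", "rmm"},
}

@dataclass
class Request:
    user: str
    role: str
    device_compliant: bool      # result of an endpoint posture check
    mfa_age_seconds: int        # seconds since the last successful MFA challenge
    source_segment: str         # network segment the request originates from
    resource_segment: str       # segment the requested resource lives in
    on_corporate_network: bool  # deliberately never consulted by authorize()

def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); the first failing control decides."""
    if not req.device_compliant:
        return False, "device failed posture check"
    if req.mfa_age_seconds > MFA_MAX_AGE_SECONDS:
        return False, "MFA proof too old; re-authenticate"
    if req.resource_segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, f"role {req.role!r} may not access segment {req.resource_segment!r}"
    same_segment = req.source_segment == req.resource_segment
    if not same_segment and req.resource_segment not in SEGMENT_PEERS.get(req.source_segment, set()):
        return False, f"lateral path {req.source_segment!r} -> {req.resource_segment!r} is not permitted"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample: an admin on the user LAN is denied direct access to the
    # management plane even though the role would permit it from the jump segment.
    print(authorize(Request("alice", "admin", True, 60, "user-lan", "rmm", True)))
    print(authorize(Request("alice", "admin", True, 60, "jump", "rmm", True)))
```

The same admin identity is denied from "user-lan" and allowed from "jump", and an expired MFA proof or a non-compliant device is refused regardless of network location.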
Shadow IT is the use of software applications without your IT department's knowledge or approval. With the growth of remote work and cloud-based solutions, Shadow IT has become a widespread problem among organizations, as users can introduce vulnerabilities to internal networks by using software that may have inadequate security measures. To limit the risk of compromise, organizations should develop policies that educate users on the dangers of Shadow IT and ensure users have sanctioned access to the tools necessary for their daily work.
Most data breaches are attributed to the human element, according to the 2022 Verizon Data Breach Investigations Report. That means organizations should teach users to adopt better cyber hygiene practices, including spotting and responding to a phishing attack. Education should be personalized, automated, and administered on an ongoing, as-needed basis.
The vulnerabilities in the supply chain won't go away anytime soon. The pace of technological innovation tells us they'll likely multiply as attack surfaces grow in size and complexity. That's why it's important for organizations such as MSPs to proactively and aggressively adopt solutions that can help eliminate supply chain attacks.