Cybercriminals are constantly evolving their tactics to target new victims with the latest attacks. News of the latest breach or cyberattack regularly makes headlines, indicating now is not the time to ease up in the fight against cybercrime. If anything, financial institutions must be even more vigilant and enhance defenses against current and emerging cyber threats, including supply chain attacks.
What Is a Supply Chain Attack?
A supply chain attack occurs when a bad actor compromises a software vendor in order to deliver malicious code through seemingly legitimate products or updates. By compromising the vendor's build or distribution systems, the attacker can ship malware such as ransomware and gain an entry point into the networks of the vendor's customers. Because the tampered update arrives through the same channel, and with the same signature, as a genuine one, customers typically see nothing suspicious until it is too late.
According to the National Institute of Standards and Technology (NIST), bad actors can use a compromised software vendor to gain privileged access to a victim's network by hijacking updates or altering code; they can also bypass perimeter security measures and often re-enter a network through the compromised vendor. NIST further warns that bad actors select some victims for follow-on actions, including injecting additional malware packages into a specific target to conduct further malicious activity.
The infamous SolarWinds and Kaseya breaches are examples of supply chain attacks, an increasingly popular method of distributing malware. In both cases, the hackers carried out large-scale compromises with devastating effects on many organizations and drew the attention of the U.S. government.
Supply Chain Attacks in the News
As early as March 2020, hackers who had compromised the build environment of the SolarWinds Orion platform, an IT performance management system, inserted malicious code into legitimately signed software updates that went undetected for months. In this supply chain attack, the hackers injected a backdoor into the Orion update, after which the compromised versions were downloaded by as many as 18,000 customers.
The Orion platform runs with some of the highest privileges available within a network because it manages servers and network devices, so the bad actors had far more control and network access than in a typical breach. Wreaking further havoc, the hackers likely pivoted to other devices or machines in compromised networks and installed additional backdoors to permit future access.
In early July 2021, Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, announced it was the victim of a cyberattack. Hackers carried out a supply chain ransomware attack by exploiting a vulnerability in Kaseya's VSA remote monitoring and management software to push ransomware through multiple MSPs to their customers. It's estimated that up to 1,500 businesses were affected by the attack and had systems encrypted by ransomware.
Enhancing Your Institution’s Cybersecurity Defenses
Hackers will use whatever tools are at their disposal to gain access to data, systems and networks. Though financial institutions are more heavily regulated than most organizations, the customer data they hold makes them extremely attractive targets for cybercriminals. The Kaseya attack, which affected several banks and credit unions across the U.S., is a reminder that financial institutions remain vulnerable.
Consider the following strategies to enhance your defenses against these types of attacks:
Use a SIEMaaS Model for Real-Time Monitoring and Mitigation
If a threat makes it past your institution's prevention tools, threat monitoring and management are critical. A Security Information and Event Management (SIEM) solution collects event logs from devices throughout your technology environment, correlates them and raises alerts in near real time, giving security teams the visibility they need to detect, investigate and remediate security events. A SIEM does not respond on its own; its value lies in surfacing the right alert to a team that can act on it.
While a SIEM is a powerful tool to boost your defenses, this technology is expensive and requires the time and resources to configure, maintain and review the alerts produced. For many institutions, it simply is not feasible to dedicate the time and resources needed to investigate every alert produced.
To help avoid a small incident becoming a major breach, many institutions opt for a SIEM-as-a-Service (SIEMaaS) model to handle the burden of monitoring and reduce upfront costs. With SIEMaaS, a third party—such as a managed security service provider (MSSP)—collects all event logs and sends them to an outsourced SIEM. Alerts produced will go directly to your internal IT team or an outsourced security operations center for investigation and review.
An outsourced SIEM is tuned and managed by the vendor's security operations center, significantly reducing the time burden on internal IT and turning the cost into an operational expense instead of a large upfront investment. MSSPs invest the effort to configure their SIEM solutions so that the alerts they raise are actionable rather than noise, allowing your institution to reap the benefits of this advanced monitoring.
Deploy Endpoint Detection and Response
Endpoint detection and response (EDR) monitors endpoints such as workstations and servers to identify anomalies and block malware, drawing on threat intelligence. EDR stops the spread of malware from an infected system through detection, isolation and remediation.
While technology like anti-virus software provides a basic, signature-based level of monitoring, EDR adds a layer of protection by using machine learning and behavioral analytics to learn what normal activity looks like on each endpoint. EDR solutions also produce event logs that can be correlated and fed into a SIEM, offering enhanced insight.
EDR solutions are an effective strategy against zero-day exploits, which target vulnerabilities for which no patch is yet available. Especially when paired with a SIEM, EDR is particularly useful in a supply chain attack, because the malicious code arrives in software that is trusted and signed, and the only thing that gives it away is behavior: a freshly updated binary spawning unexpected processes, contacting hosts it has never contacted before, or touching credentials it has no reason to use. These tools can detect and contain that behavior even when the update itself passed every check.
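To make the preceding two sections concrete, here is a toy correlation rule of the kind a SIEM runs over EDR telemetry: after an update installs a binary, it flags any network destination or child process of that binary that was never seen before the update. This is example code added here, not the page's own code or any vendor's product; the event schema, the agent path, host names, destinations and the 14-day window are all constructed assumptions.

```python
"""Toy SIEM-style correlation over EDR telemetry (added example, not a vendor product).
After a software update installs a binary, flag network destinations and child processes
of that binary that were never observed before the update. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

AGENT = "C:/Program Files/VendorAgent/agent.exe"   # hypothetical vendor agent binary

# Constructed telemetry. 'target' is the peer host for network_connect, the spawned image
# for child_process, and the version string for update_installed. Field names are assumptions.
EVENTS = [
    {"ts": "2021-03-01T02:00:00", "host": "srv01", "type": "network_connect",  "image": AGENT, "target": "updates.vendor.example"},
    {"ts": "2021-03-02T02:00:00", "host": "srv01", "type": "network_connect",  "image": AGENT, "target": "updates.vendor.example"},
    {"ts": "2021-03-03T02:00:00", "host": "srv01", "type": "child_process",    "image": AGENT, "target": "C:/Program Files/VendorAgent/collector.exe"},
    {"ts": "2021-03-08T02:00:00", "host": "srv01", "type": "update_installed", "image": AGENT, "target": "2021.4.1"},
    {"ts": "2021-03-08T14:00:00", "host": "srv01", "type": "network_connect",  "image": AGENT, "target": "updates.vendor.example"},
    {"ts": "2021-03-09T03:12:00", "host": "srv01", "type": "network_connect",  "image": AGENT, "target": "cdn-telemetry.example.net"},
    {"ts": "2021-03-09T03:13:00", "host": "srv01", "type": "child_process",    "image": AGENT, "target": "C:/Windows/System32/cmd.exe"},
    {"ts": "2021-03-09T04:00:00", "host": "srv01", "type": "network_connect",  "image": AGENT, "target": "cdn-telemetry.example.net"},
    {"ts": "2021-04-20T03:12:00", "host": "srv01", "type": "network_connect",  "image": AGENT, "target": "other.example.org"},
]

WATCHED = {"network_connect", "child_process"}
SEVERITY = {"network_connect": "medium", "child_process": "high"}   # a shell spawned by an agent is worse than a new peer


def correlate(events, window=timedelta(days=14)):
    """Return aggregated alerts for post-update behaviour absent from the pre-update baseline.

    Baseline is learned per (host, image, event type) from everything that happens before an
    update or after the window closes. Inside the window, an unseen target raises an alert and
    is deliberately NOT learned: it stays unvetted until an analyst closes the alert, so repeated
    callbacks to the same host keep counting against the same alert instead of going quiet."""
    baseline = defaultdict(set)   # (host, image, type) -> targets considered normal
    last_update = {}              # (host, image) -> (time, version) of the latest update
    alerts = {}                   # (host, image, type, target) -> alert, insertion-ordered
    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["image"])
        if e["type"] == "update_installed":
            last_update[key] = (t, e["target"])
            continue
        if e["type"] not in WATCHED:
            continue
        seen = baseline[(e["host"], e["image"], e["type"])]
        upd = last_update.get(key)
        in_window = upd is not None and t <= upd[0] + window
        if in_window and e["target"] not in seen:
            akey = (e["host"], e["image"], e["type"], e["target"])
            alert = alerts.setdefault(akey, {
                "rule": "post-update-novel-behaviour",
                "host": e["host"], "image": e["image"], "type": e["type"],
                "target": e["target"], "severity": SEVERITY[e["type"]],
                "update_version": upd[1], "first_seen": e["ts"], "count": 0,
            })
            alert["count"] += 1
        else:
            seen.add(e["target"])
    return list(alerts.values())


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f'[{a["severity"]}] {a["host"]} {a["image"]} {a["type"]} -> {a["target"]} '
              f'(x{a["count"]}, first {a["first_seen"]}, after update {a["update_version"]})')
```

Run against the constructed stream, the rule stays silent for the pre-update week and for the routine post-update check-in to the vendor's update host, then raises two alerts: the agent's new outbound peer (seen twice, so count 2) and the shell it spawned. The connection on 20 April falls outside the window and is learned as baseline rather than alerted, which is the rule's blind spot: a broader "first-seen destination per binary" rule would need to run alongside it.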
Conduct Regular Data Backups…and Test Them!
Supply chain attacks are often a vehicle for distributing ransomware, and when they are, your institution's best chance of recovery is a successful, complete backup. Ransomware attacks thrive on holding your data captive. But if your institution has been regularly copying its data and storing those copies elsewhere, the attack becomes far less threatening.
As you review your backup strategy and controls, include provisions for segregating your backups: keep at least one copy offline, or on storage that the production network cannot overwrite. Segregated backups reduce the risk of an attacker destroying or encrypting every copy in a successful attack. If an institution only maintains backups that are online and reachable from the network, and a cybercriminal gains access to that network, the backups are effectively rendered useless.
Consider taking a risk-based approach to backups, setting the backup frequency and retention period for each data set according to its criticality. Beyond performing regular backups, maintain strict access controls on the backup systems themselves and test backups by actually restoring them, so you know before an incident that the restore completes and the data is intact.
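The test the paragraph above asks for is simple to automate, so here is an added example in Python: it archives a constructed sample data set, records a SHA-256 manifest that should live on separate write-once storage, restores the archive into scratch space, verifies every file against the manifest, and checks backup age against a tiered policy. It then edits a value inside the archive to show that the restore "succeeds" yet the integrity check fails. This is example code, not the page's own; the tiers, thresholds, file names and contents are assumptions.

```python
"""Backup restore test with integrity verification and a tiered freshness/retention check.
Added example. Tiers, thresholds, file names and contents are constructed assumptions."""
from __future__ import annotations
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Assumed risk-based policy: how old the newest copy may be, and how long copies are kept, per tier.
POLICY = {
    "critical":  {"max_age_hours": 24,      "retention_days": 365},
    "important": {"max_age_hours": 24 * 7,  "retention_days": 90},
    "routine":   {"max_age_hours": 24 * 30, "retention_days": 30},
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> tuple[Path, Path]:
    """Write an uncompressed tar of src plus a JSON manifest of per-file SHA-256 digests.
    In practice the manifest belongs on separate, write-once storage: an attacker who can
    rewrite the archive must not be able to rewrite the digests as well."""
    archive, manifest = dest / "backup.tar", dest / "manifest.json"
    digests = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                digests[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(digests, indent=1))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> dict:
    """Restore into scratch space and compare every file with the manifest.
    A backup that has never been restored and verified is an assumption, not a backup."""
    expected = json.loads(manifest.read_text())
    report = {"restored": 0, "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r") as tar:
            # The 'data' extraction filter (Python 3.12+, backported to late 3.8-3.11 releases)
            # rejects path-traversal, absolute-path and device entries in a hostile archive.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_of(restored) != digest:
                report["corrupt"].append(rel)
            else:
                report["restored"] += 1
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


def check_policy(tier: str, newest_age_hours: float, oldest_age_days: float) -> list[str]:
    """Findings against the tier's policy: newest copy too old, or retention too short."""
    rule, findings = POLICY[tier], []
    if newest_age_hours > rule["max_age_hours"]:
        findings.append(f"{tier}: newest backup is {newest_age_hours:.0f}h old, limit {rule['max_age_hours']}h")
    if oldest_age_days < rule["retention_days"]:
        findings.append(f"{tier}: only {oldest_age_days:.0f} days retained, policy requires {rule['retention_days']}")
    return findings


def run_demo() -> tuple[dict, dict]:
    """Back up constructed sample data, verify a clean restore, then show that an in-place
    edit of file content inside the archive is caught by the digest comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "accounts.csv").write_text("id,balance\n1,100\n2,250\n")  # constructed
        (src / "notes.txt").write_text("constructed sample data\n")                 # constructed
        dest = Path(tmp) / "backup"
        dest.mkdir()
        archive, manifest = make_backup(src, dest)
        clean = verify_restore(archive, manifest)
        # Same-length edit keeps the tar headers valid; the header checksum covers only the
        # header, not the file data, so tar itself will not notice the change.
        archive.write_bytes(archive.read_bytes().replace(b"1,100", b"1,999"))
        tampered = verify_restore(archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore:   ", clean)
    print("tampered restore:", tampered)
    print(check_policy("critical", newest_age_hours=36, oldest_age_days=400))
```

The restore of the tampered archive completes without error, which is exactly why "the job ran green" is not evidence of a usable backup; only the digest comparison reports ledger/accounts.csv as corrupt. The policy check in the demo flags the critical tier for a 36-hour-old newest copy while accepting its retention.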
Maintain a Cybersecurity-Centric Culture
Organizations can outsource many aspects of cybersecurity, but a security-focused culture is not among them. Cultivating and maintaining an organizational culture focused on the importance of cybersecurity is an effective way to strengthen your institution’s cybersecurity posture. Even with the most sophisticated cybersecurity monitoring tools, employees are on the frontlines of nearly every cybersecurity battle.
A security-focused culture is especially critical when employees are working remotely, since it helps defend an institution's extended network. Continuous cybersecurity training and awareness campaigns that cover the latest threats are an effective way to keep employees on guard and up to date against prevalent social engineering schemes.
Does your staff know what to do if they encounter an unusual or suspicious email? Ensure they are familiar with best practices and encourage them to report any potentially suspicious behavior to the appropriate parties for investigation. Your employees are your first line of defense against attacks, so make sure they are empowered to proactively protect your institution.
Mitigate Supply Chain Threats with Cybersecurity Monitoring
As cybercriminals continue targeting institutions with the latest tactics, a layered, holistic approach to cybersecurity will enhance your defenses. With this approach, your cybersecurity monitoring solutions complement one another, providing multiple layers of defenses and making it more difficult for hackers to infiltrate your institution.
Read our white paper—A Guide to Strengthening Your Institution’s Cybersecurity Posture—to learn more.
Sean Martin serves as a product manager for CSI Managed Services and has extensive knowledge on implementing effective systems security and network management practices. He speaks and writes frequently on security-related topics affecting the financial services industry and holds Cisco CCNA and CCIE written certifications.