Cyber attackers up the ante

From the December 2022 print edition

The pandemic has brought many supply chain resiliency threats – material shortages, labour disruption, transportation delays, supply, and demand shocks – into the public eye.

Lesser known is a growing risk of cyberattack. That concern ranked a surprising second in a 2021 Economist Intelligence Unit survey on supply chain resiliency commissioned by the Association for Supply Chain Management (ASCM).

“When you consider all the other things that were on the list, I was a bit surprised to find that cyberattacks actually landed the number two position just behind the pandemic,” says Douglas Kent, executive vice-president of corporate and strategic alliances, ASCM.

Cyber security often falls under the radar because companies are reluctant to admit they’ve been hacked due to reputational concerns. Strict laws requiring disclosure of all attacks that exist in the US, but fo, and following the lead of Quebec, similar legislation is expected across Canada.

Regardless, the growing frequency of successful attacks should have every supply manager concerned.
“One of the biggest IT risks that we’ve seen lately is the growth of ransomware in Canada,” says Yogesh Shivhare, research manager, security and infrastructure, IDC Canada. “Based on our study published in June, the infection rate for Canada is 52 per cent. This means that if you’re talking to a Canadian organization, whether commercial or public sector, it’s a coin-flip probability that they have experienced at least one ransomware infection in the last 12 months.”

Recent attacks have also become far more likely to create harm and extort ransoms. “Years ago, the standard was that a hacker would encrypt your data and demand a ransom to give it back,” says W. Curtis Preston, chief technical evangelist at data resilience solution provider Druva. “That’s relatively easy to defeat if you have a decent backup and recovery system. But what we’re seeing now is hackers that exfiltrate your data and then threaten to expose it, which is very different. Once your data has been exfiltrated you basically have two choices – pay the ransom or suffer the consequences.”

Ironically, the same backup systems that protected companies in the past are often the easiest data sources for exfiltration. “We’re seeing attackers use on-premises backup systems to accomplish this,” says Preston, “as they are often ignored and not properly secured against such things.”

According to IDC, roughly half of Canadian companies that are infected end up paying ransom. The average ransom for all industries is $220,000, and that’s only the tip of the iceberg. “Based on our research, usually ransom payments account for 10-15 per cent of the overall cost of incidents,” says Shivhare. “So, the average cost per incident is around $2.4 million.”

Well-organized adversaries
Today’s attackers look for two factors – ease of compromising the target network, and the amount of ransom that the victim organization would likely pay. Companies in supply chains are often prime targets because of the knock-on impact of disruptions on their customers and partners.

The alarming success rate of attacks speaks to the phenomenal resources that their perpetrators have at their disposal. “This is a big business, and these companies are quite sophisticated,” says Preston. “They have HR departments, a management structure, and huge infrastructure behind them.” There are even career paths – a hacker can be assigned a larger project, Preston notes, after succeeding in a more modest one.

While attackers often use technology to achieve their means, the most common method of gaining access is the age-old “social engineering,” where a hacker impersonates a legitimate person and tricks an employee into providing a login and a password.

“Despite all the agitation for training and awareness, social engineering and phishing haven’t gone away,” says Daniel O’Neill, director, managed detection and response (MDR) security operations, Bitdefender. “Those are still how attackers get into the environment 60-70 per cent of the time, possibly more depending on source. And once they’ve got those credentials, they have the potential to escalate privileges undetected and try to gain administrative rights.”

Unlike the “smash and grab” approach where hackers would do their damage within minutes,
a hacker using a legitimate login can troll a victim network for weeks or even months, patiently discovering how to make the greatest impact.

“In the past, cyber attacks used a carpet-bombing approach, where they’d throw out a big net and try to make some money from that,” says Shivhare. “Nowadays, attackers do a very detailed recon. They find out what information is where, and we’ve seen some cases where they know exactly how much cyber insurance coverage there is. I’ve even seen attackers send out mass communications within an enterprise to recruit employees.”

Securing the digital chain
With the increasing likelihood of any network being compromised, it’s critical to restrict lateral movement within the network. First steps include limiting access rights and tightening authentication procedures. “One of the keys would be what we call the concept of least privilege,” says Preston. “If a partner has access to your network, how much access do they need? You should absolutely give them only the bare minimum information that they need to do their job.”

Accordingly, security goes far beyond technology solutions. “It’s 2022, and you still can’t buy security,” says John Dwyer, head of research, IBM Security X-Force. “It all comes down to the people behind the response, behind the defense, and behind the management.”

The challenges get more complex in supply chains. As companies seek greater visibility of the elements in their supply chains, partners are increasingly granting access to each other’s networks. This makes every company in the supply chain more vulnerable to cyberattack. For example, an intruder in a small retailer’s network could gain access to the network of a large distributor.

“The bigger your company and the bigger your list of third-party vendors, then the bigger your attack surface,” says Preston. “So, it can seem an insurmountable challenge.”

“I think one of the issues is acknowledging that with supply chains, security posture is an ecosystem,” says O’Neill. “There is no one solution, and you can’t do that internally.

So, you try as much as possible to ensure that your partners’ security posture has coherence with your own security posture.”

ASCM has developed the Supply Chain Operations Reference Digital Standard (SCOR DS), a process framework for standardizing supply chain workflows. In addition to movement of physical goods and payments, the approach also includes standards for mapping information flow. “Our SCOR DS model has encouraged companies to also map how information is being exchanged in order to highlight where the vulnerabilities exist,” says Kent.

Ultimately, a company’s approach to security will have to be at least as well orchestrated as the attackers’. “The problem with a lot of security organizations is that they are thinking in silos,” says Shivhare. “They’ve got their endpoint security team, there’s a risk assessment team, there’s an identity and access management team, without effective orchestration. But when the adversaries look at your organization, they’re not thinking in silos. They’ll be looking at the security posture in its entirety.”