A study released earlier this year identified at least 300 cybersecurity incidents impacting the supply chain throughout 2019. This finding should come as no surprise when considering that supply chain attacks increased by 78% during the 2019 calendar year, prompting everyone from cybersecurity analysts and researchers to the FBI to publicly warn about risks in the global supplier ecosystem.
In an attempt to mitigate cyber risk, many organizations, particularly Fortune 5000s with extensive and global supply chains, have intensified how they vet new suppliers and how they hold existing partners accountable. This adherence to due diligence can in large part be traced back to the Target breach of 2013, when forensic investigators traced the attack’s origins to the superstore’s HVAC supplier.
And recently, General Electric (GE) was hit hard by a data breach, exposing personal data of current and former employees, including passports, driver’s licenses, tax forms and more. Yet, the hackers didn’t target GE. Rather, they gained access to an employee’s email account at Canon Business Process Services, a third-party partner.
Since then, organizations have demanded to know the cybersecurity protocols, processes and procedures of their partners and prospects. From questionnaires assessing firewall policies, compliance certifications and endpoint protections, to forms seeking details on data in flight policies, physical access controls, anti-virus protections and more -- the depth of information being requested is quite thorough, or so it seems.
However, there is one question (or series of questions) almost always absent from these vendor assessments: What is your email security strategy? The absence of any spotlight on email security is perplexing when considering that nine out of every 10 cyberattacks begin with an email phishing campaign. It’s even more concerning when you understand how attackers have evolved their strategies to subvert even the most well-trained human and technical controls.
Endless number of suppliers creates thousands of attack vectors
According to CSO, more than 56% of organizations report falling victim to a breach caused by their vendor. This suggests that the motivations behind supply chain attacks are well understood.
Simply put, it’s infinitely easier for attackers, regardless of their expertise and financial backing, to exploit a small or medium-sized supplier with limited cybersecurity safeguards as a means to damage or disrupt a larger organization than it is to hack the larger organization directly.
Historically, attackers have deployed various techniques to compromise supply chains. In 2015, Trend Micro issued a report stating that compromising source code, firmware, websites and internal portals were the most frequently used techniques. While these remain active threats, advanced persistent threats (APTs) and ransomware have also emerged as a major burden.
But, security has gotten better for both the large organizations and their suppliers in recent years. It’s much harder today to compromise source code, for example, especially as more and more product teams choose to build security into products rather than add it on after the fact. And, as more companies either refuse to pay or cannot pay ransoms, ransomware has begun to fade out, just a bit.
When humans and technology fail to stop attacks
Unfortunately, attackers are smart, and whenever it appears as if an industry is gaining the upper hand, they are quick to change course. And, that’s exactly what’s happening with today’s supply chain. As traditional attack techniques become harder to pull off, attackers have set their sights on the most effective attack vector the world has ever known: email.
Email security has traditionally been used to validate the “who” and the “what” of each message. That is, technology such as secure email gateways and authentication protocols like DMARC are built to look for indicators of compromise, such as malicious links and attachments, and bogus URLs and domain names. Attacks of that kind are designed to install malware onto a device and/or get recipients to enter their personal or company credentials into a fake login page.
Often, security against such attacks is provided by the email platform, such as Gmail or Office 365, so companies, smaller suppliers in particular, think they’re covered.
But, the last two years have seen a resurgence of a type of email threat that lacks all of the indicators that humans and most technology are trained to look for. Commonly referred to as business email compromise (BEC), these attacks trick users into taking actions, such as sending a payment or updating a credit card.
These “social engineering” attacks often prey on human nature by impersonating executives or colleagues within a company. Because there is no malicious attachment or URL, it is much more difficult for email security to identify and prevent that email from reaching its intended target. That said, the end-goal is the same: once a recipient responds to the initial email, the door is open for a hacker to send a link to a fake login page, similar to a traditional phishing attack.
There have been strides to combat these attacks as they rise in popularity and cost to businesses. The FBI estimates over $1.7 billion in losses stemmed from BEC in 2019 alone. Technologies like natural language processing analyze the syntax and metadata of email to watch for and flag the patterns typical of such messages.
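As an added illustration (not code from this article or from any vendor it mentions), the following Python triage script scores a raw message for the BEC traits described above: an executive’s display name on an external address, a Reply-To pointing elsewhere, payment or urgency language, the absence of any link or attachment that a gateway would inspect, and no recorded DMARC pass. The internal domain, executive list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed configuration: our own domain and the executives impersonators borrow names from.
INTERNAL_DOMAIN = "example-corp.com"
KNOWN_EXECS = {"jane doe"}
URGENT_PAYMENT = re.compile(
    r"\b(urgent|asap|immediately|wire|payment|invoice|bank details|gift card)\b", re.I)
HAS_LINK = re.compile(r"https?://", re.I)

def bec_indicators(raw_message: str) -> dict:
    """Map each BEC indicator to True/False for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    has_attachment = any(p.get_filename() for p in msg.walk())
    return {
        # executive's display name on an address outside our domain
        "exec_name_external": from_name.lower() in KNOWN_EXECS and from_domain != INTERNAL_DOMAIN,
        # replies quietly redirected to a domain other than the visible sender's
        "reply_to_mismatch": bool(reply_to) and reply_to.rsplit("@", 1)[-1].lower() != from_domain,
        # money-moving or urgency language typical of a BEC lure
        "urgent_payment_language": bool(URGENT_PAYMENT.search(body)),
        # nothing for traditional link or attachment scanning to catch
        "no_link_or_attachment": not HAS_LINK.search(body) and not has_attachment,
        # receiving MTA did not record a DMARC pass for the sender domain
        "no_dmarc_pass": "dmarc=pass" not in auth,
    }

def bec_score(raw_message: str) -> int:
    """Count of indicators present; three or more is a reasonable review threshold."""
    return sum(bec_indicators(raw_message).values())

# Constructed samples: a BEC-style lure (no link, no attachment) and a legitimate note.
SAMPLE_BEC = """From: Jane Doe <jane.doe@webmail.example>
Reply-To: Jane Doe <ceo.janedoe@mailer.example>
Authentication-Results: mx.example-corp.com; dmarc=none

Are you at your desk? I need an urgent wire payment processed before noon.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
Authentication-Results: mx.example-corp.com; dmarc=pass header.from=example-corp.com

The Q3 report is at https://intranet.example-corp.com/q3 if you need it.
"""
```

Running `bec_score` over a mail feed is a first-pass filter only; the point is that every indicator here is about intent and routing, none about a link or attachment.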
In particular, phishing websites with fake login calls-to-action are increasingly popular because of their ease of deployment and return on investment. In fact, Bolster reported over 800,000 confirmed phishing websites in Q1 2020 alone. Fake login pages are especially problematic for the many email security tools that lack the visual anomaly detection needed to distinguish a fake login page from a legitimate one in real time.
Reducing risk requires a change in mindset as much as technology
So, what is the supply chain supposed to do to reduce risk when attackers are plotting campaigns specifically designed to avoid detection? Fortunately, advances in natural language processing and computer vision are starting to be deployed in email security architectures. With them, security professionals can better assess the “intent” and “content” of an email rather than simply verifying the “who” and the “what.”
But, like anything else, the first step to fixing a problem is admitting that one exists. For the supply chain, it’s recognizing that the threats of yesteryear have taken a backseat to the risks of social engineering campaigns that are proliferating today. With that recognition, one would hope that questions about email security find their way onto those supplier security questionnaires sometime very soon.