Growing reliance on third-party suppliers signals increasing security risks

Adversaries are turning their focus on cheaper, easier targets within an organisation’s supply chain, especially as businesses increasingly acquire software from external suppliers. In this first piece of a two-part feature, ZDNet looks at how organisations in Asia-Pacific are facing more risks even as the perimeter they need to protect extends far beyond their own networks.

There had been a spate of third-party cybersecurity attacks since the start of the year, with several businesses in Singapore and across Asia impacted by the rippling effects of such breaches. 

Just last month, personal details of 30,000 individuals in Singapore might have been illegally accessed following a breach that targeted a third-party vendor of job-matching organisation, Employment and Employability Institute (e2i). Earlier this year, personal data of 580,000 Singapore Airlines (SIA) frequent flyers as well as 129,000 Singtel customers also were compromised through third-party security breaches.

That Singtel and SIA had been compromised through such attacks did not come as a surprise to Benjamin Ang, senior fellow of cyber homeland defence and deputy head of Centre of Excellence for National Security (CENS).

Established in April 2006, CENS is a research unit of the Nanyang Technological University’s S. Rajaratnam School of International Studies and consists of local and overseas analysts specialising in national and homeland security issues.

Ang told ZDNet in a video call that the IT ecosystem had been built for efficiencies and speed of deployment. To do this in software development, libraries or DLL (Dynamic Link Libraries) had to be established so data could be pulled from different places.

Enterprises also did not build every application on their own, choosing instead to acquire software from external suppliers. “And whoever they acquire from has their own software development system that we have to trust they are securing,” he noted.

Cheaper, easier targets within supply chains

CyberGRX’s chief information security officer (CISO) Dave Stapleton also pointed to an increasing dependence on third-party products over the past 15 years, with businesses outsourcing their operations to achieve economies of scale and access specialised products.

It then would make sense for adversaries to target secondary targets, rather than their primary one, to breach a network, said Stapleton in a video call.  

He noted that recent attacks also had appeared indiscriminate straying away from the more targeted and direct nature of APT (advanced persistent threat) attacks, which had gained in popularity over the past few years.

This seemed to be the case for the Microsoft Exchange Server hack, where hackers adopted a scatter approach to expose thousands of companies that might not be the main target.

Stapleton said more organisations would face a challenge should such indiscriminate supply chain attacks become more popular. Impact would be more widespread, especially as pivotal third-party applications used by millions worldwide were targeted and breached, as was the case with SolarWinds, he said.

Noting that third-party attacks were not new, he said: “What we’re seeing now is a shift in mindset and strategy of threat attacks to focus more on these pivotal third parties that have links to supply chains. And from the attacker’s perspective, compromising a third party can be a cheaper and easier entry point to [breach a] primary target.”

They also were easier targets, said Sanjay Aurora, Darktrace’s Asia-Pacific managing director. He confirmed there had been a plethora of attacks this year where adversaries focused on the supply chains of their main targets, since these companies would typically be guarded like a fortress.

Hackers’ ultimate aim here was data exfiltration and would hunt for weak links along the supply chain, where a supplier had failed to keep up with patches, to breach the network and illegally access data of their main target, Aurora said.

He advocated the use of artificial intelligence (AI) to better combat such attacks as well as ransomware, which was the leading threat vector. Coupled with self-learning capabilities, AI-powered security tools could autonomously identify vulnerabilities and changes in patterns, and predict and respond to malicious attacks, he said.

This would be critical for industrial environments and operational technology (OT) systems, where the same AI approach–of identifying unusual movements across the network–could be applied without the need to change or swop out old systems, he said.

According to Aurora, Darktrace’s AI system autonomously performed more than 150,000 investigations each week and responded to a security threat every six seconds.

Reed noted that most common cause behind a breach still was someone clicking on a phishing link or malware. Adding that it was difficult to train people and full-proof the organisation, he said AI and machine learning would plug the gaps.

And the threat landscape would only get more complex as more companies digitalised and adopted cloud, and with the emergence of 5G networks.

Aurora said: “When you can’t even define what a network is [and] how to protect it, the only way to do so is to insert AI to wherever your data, digital asset, and remove workforce is. It’s a digital estate that now has more complexities and we can use probes, sensors, and native-cloud AI machines to process all the information real-time to get full view of what’s going on.”

Stapleton said: “Our perimeter extends far beyond our networks. And now you’re talking about a remote workforce, which pushes everyone outside of the network. Third parties should be looked at as extension of our security [strategy], but I don’t think most of us are there yet. That’s the blackhole I’m seeing.”

Check Point’s research head Lotem Finkelstein added that there was no longer any distinction between private and corporate networks, with employees including him working from home on the same network on which their family members also were connected.

“In past decades, we’ve invested in protecting corporate networks, but in just the last year, we’ve opened many doors to different networks,” Finkelstein said. “IoT (Internet of Things) and 5G also have allowed us to work from anywhere with high speed, which means we may see more employees working from abroad across multiple locations.”

This then would require a completely new security framework, where prohibiting someone living in another country from accessing the corporate network in Singapore, for instance, would no longer be feasible.

“Five years from now, this won’t be possible because employees will be able to live and work from anywhere and will need access to the corporate network,” he said. “We will need to change the strategic thinking behind securing the network based on localisation, to allow people to access data securely and enable the employee’s ecosystem to protect itself.”

RELATED COVERAGE