{"id":42118,"date":"2021-08-03T11:28:32","date_gmt":"2021-08-03T11:28:32","guid":{"rendered":"http:\/\/8a2a327d-49e1-442d-8822-0faf973323f0"},"modified":"2021-08-03T11:28:32","modified_gmt":"2021-08-03T11:28:32","slug":"supply-chain-attacks-are-getting-worse-and-you-are-not-ready-for-them","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/supply-chain-attacks-are-getting-worse-and-you-are-not-ready-for-them\/","title":{"rendered":"Supply chain attacks are getting worse, and you are not ready for them"},"content":{"rendered":"
<\/div>\n

The European Union Agency for Cybersecurity (ENISA) has analyzed 24 recent software supply chain attacks and concluded that strong security protection is no longer enough. <\/p>\n

Recent supply chain attacks in its analysis include those through SolarWinds Orion software, CDN provider Mimecast<\/a>, developer tool Codecov<\/a>, and enterprise IT management firm Kaseya<\/a>. <\/p>\n

ENISA focuses on Advanced Persistent Threat (APT) supply chain attacks and notes that while the code, exploits and malware was not considered “advanced”, the planning, staging, and execution were complex tasks. It notes 11 of the supply chain attacks were conducted by known APT groups. <\/p>\n

“These distinctions are crucial to understand that an organization could be vulnerable to a supply chain attack even when its own defences are quite good and therefore the attackers are trying to explore new potential highways to infiltrate them by moving to their suppliers and making a target out of them,” ENISA notes in the report<\/a>. <\/p>\n

SEE: <\/strong>Network security policy<\/strong><\/a> (TechRepublic Premium)<\/strong><\/p>\n

The agency expects supply chain attacks to get a lot worse: “This is why novel protective measures to prevent and respond to potential supply chain attacks in the future while mitigating their impact need to be introduced urgently,” it said.<\/p>\n

ENISA’s analysis found that attackers focused on the suppliers’ code in about 66% of reported incidents. The same proportion of vendors were not aware of the attack before it was disclosed. <\/p>\n

<\/section>\n

“This shows that organisations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated,” ENISA said, although this is something easier said than done.<\/p>\n

As the Linux Foundation highlighted in the wake of the SolarWinds disclosure<\/a>, even reviewing source code \u2013 for both open source and unaudited proprietary software \u2013 probably wouldn’t have prevented that attack. <\/p>\n

ENISA is calling for coordinated action at an EU level and has outlined nine recommendations that customers and vendors should take. <\/p>\n

Recommendations for customers include:<\/p>\n