A new global software supply chain survey from CrowdStrike®, conducted by independent research firm Vanson Bourne, reveals that cyberattacks are increasingly targeting the software supply chain, creating a critical new threat vector that is impacting organizations in every industry. The study, “Securing the Supply Chain,” surveyed 1,300 senior IT decision-makers and IT security professionals in the United States, Canada, United Kingdom, Mexico, Australia, Germany, Japan and Singapore, across a wide range of industries.
The global impact of events such as last year’s NotPetya attack likely served as a wake-up call, and the survey confirms that organizations are becoming increasingly aware of the supply chain as an emerging attack vector. Eighty percent of respondents believe that over the next three years, software supply chain attacks could pose one of their biggest cyber threats. Yet, only a third of respondents are vetting all of their suppliers and even fewer feel their organizations are sufficiently prepared to mitigate the risks of a software supply chain attack.
A Summary of Key Survey Findings
- A majority of surveyed organizations report being attacked: Two-thirds of respondents reported that their organizations had experienced a software supply chain attack, and 90 percent of those confirmed that they had incurred financial cost as a result. The average cost of an attack was over $1.1 million.
- Some industries were targeted more than others: The industries that experienced the most supply chain attacks were biotechnology, pharmaceuticals, hospitality, entertainment and media, and IT services, although attacks occurred across a wide range of sectors.
- Organizations aren’t adequately prepared and feel vulnerable: Almost 90 percent of the survey respondents believe they are at risk for a supply chain attack, yet companies are still slow to detect, remediate and respond to threats.
- Software suppliers aren’t being vetted enough: Although close to 90 percent of those surveyed see vetting as critical, only one-third of respondents vet all of their suppliers. Survey respondents clearly recognize the need for better security assessment, with 58 percent of senior IT decision-makers indicating they plan to evaluate their suppliers more rigorously.
What Is a Supply Chain Attack and Why Are Attackers Adopting Them?
In order to fully appreciate the findings in this survey, it’s important to understand what a supply chain attack is and why they are increasing. Enhancements in security technology such as machine learning (ML), artificial intelligence (AI) and global reputation systems have made it harder for unwanted, unknown or malicious applications to give attackers a foothold in the environments they are targeting. The logical next step for them is to get “upstream” and infect a legitimate, trusted application. To accomplish this, attackers are increasingly targeting software makers. Once a supplier is compromised, the attackers can modify trusted products to perform malicious actions or provide a backdoor to the target environment. Unaware of these malicious changes to their applications, suppliers unwittingly deliver them to their trusting clients as legitimate software updates. We saw a number of these appear in headlines last year.
Recommendations for Effective Prevention, Detection and Response
Widespread incidents such as the NotPetya attack and CCleaner outbreak in 2017 have combined with the European Union’s new General Data Protection Regulation (GDPR) to bring the risk of supply chain attacks to the forefront, and this concern is reflected in the survey findings. Supply chain attacks are increasingly becoming a business-critical issue that’s impacting crucial relationships with partners and suppliers. However, as the survey reveals, organizations lack the knowledge, tools and technology they need to be adequately protected. Along with rigorously assessing the software supply chain vendors they use, organizations need to close the security gaps that are making them vulnerable to attack. This requires employing effective prevention, detection and response technologies.
The following are some recommendations for how organizations can increase their security and avoid becoming the victim of a supply chain attack:
Employ solutions that include behavioral-based attack detection: The sophisticated nature of these supply chain attacks require organizations to employ the power of behavioral-based analysis such as indicators of attack (IOAs). Mitigating the risks incurred “when good programs go bad” requires technologies such as ML that can detect patterns in hundreds, thousands or even millions of attacks per day — a feat that can’t be accomplished with human insight alone. The survey showed that 75 percent of respondents are using or evaluating endpoint detection and response (EDR) solutions, such as CrowdStrike Falcon® Insight™, to gain behavioral-based protection. Learn more about Falcon Insight.
Get ahead of future supply chain attacks with threat intelligence: Threat intelligence will tell you when new supply chain attacks emerge and provide you with all the information you need to understand the attack and proactively defend against it. Falcon X™ is CrowdStrike’s automated integrated threat analysis tool that combines malware analysis, malware search and threat intelligence to deliver context-rich information that enables predictive security. Learn more about Falcon X.
Enhance your readiness with proactive services: The CrowdStrike Services team includes supply chain analysis as part of its Cybersecurity Maturity Assessment and also conducts tabletop exercises with customers, where they simulate a supply chain attack. This gives customers an understanding of their current exposure and a roadmap for enhancing protection against, and readiness for, a supply chain attack. Learn more about CrowdStrike Services.
Don’t Forget the Key Metrics of Effective Attack Response
The survey found that on average, it takes respondents 10 hours to detect an attack, 13 hours to react to it and 15 hours to respond. In all, this means it requires a total of 63 hours for those surveyed to return their environments to the state they were in before the attack — that’s two and half days, working around the clock.
These metrics are significant because they differ widely from the key metrics CrowdStrike believes organizations must observe to effectively respond to an attack. Chief among them is “breakout time,” which CrowdStrike revealed in the 2018 Global Threat Report. Breakout time is the time it takes for an intruder to begin moving laterally, outside of the initial beachhead they’ve established, to other systems in your network. The average breakout time is one hour and 58 minutes, which is a tight window during which an organization can prevent an incident from turning into a breach. CrowdStrike believes that the ability to respond within the “1-10-60″ window is a critical factor in mounting an adequate defense against cyberattacks of any kind, including software supply chain attacks:
- Time to detect: Organizations have one minute to detect an incident (intrusion).
- Time to investigate: It should take no more than 10 minutes to find out if an incident is legitimate or not.
- Time to remediate: Ejecting the intruder and cleaning up your network should be done within 60 minutes.
Finding a solution that can help you meet these time windows is critical to closing the security gaps that leave organizations vulnerable to supply chain attacks.
Download the CrowdStrike Securing the Supply Chain survey report.
Read the press release.
Get a full-featured free trial of CrowdStrike Falcon Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.