Supply chain impersonation or genuine third-party information request? Here’s how to tell.

Kevin Tunison | 21st Jun 2022

The last 24 months has seen a steady stream of media attention relating to attacks on the supply chain. The impact is real, as is the cost. We have watched both big name security like SolarWinds and open source such as log4js serve as targets with devastating effects.

Quite often the methods used have anecdotally relied on technical means and to a lesser degree social engineering. It has been well established that the more aware organizations and individuals become to technical attacks, attackers pivot to social tools. We have seen this is the case with research such as the 2022 Verizon Data Breach Report.

What I will share with you is what a socially engineered attack on your supply chain can look like. I’ll also explain the steps you can take to prevent divulging confidential information, thus avoiding that information being used to breach highly sensitive systems and data.

Passing on risk to third parties

Businesses are fairly alert to managing risk. Large enterprises have invested entire teams to do so. One of the often-used tactics to manage risk is to pass it on to a third party by engaging with a contractor or supplier to carry the burden on your behalf.

When you have a constant stream of onboarding and offboarding suppliers, it makes sense to procure a third party that specializes in carrying out the assessments for you.  Moreso, it reduces your overheads so you can focus on what is core to your business.

Attackers do varying levels of background research. One such tactic is to view a supplier’s website and gather their published list of customers and then register a similar looking domain. For example we will use a fictitious big brand company named “Miracle Work” (at the time of writing this is not a known entity in the UK). A quick search of domain names suggests a cheap alternative domain to register called www.miraclework.uk.

 

Once the domain is registered and some cheap SSL certificates are added to hosting, the attackers can set to work on targeting customers of “Miracle Work”.  We will come back to this at the end of the blog.

Whether or not you are familiar with third-party risk management the main fact you need to know is this: there are regular new businesses entering the third-party risk management market. With no knowledge of the brands they represent how do you know your risk management supplier is any good? Do they represent “Miracle Work”?

Onwards with a real-life example of the type of request you might expect to see – which could or could not be genuine.

Real example of a third-party information request

Here was a request we received at Egress from an external third party:

Before moving on to the rest of the exchange, let’s break this down into the psychological aspects that attackers often utilize.

  • You are going to get some sort of reward or avoid a penalty.
  • It is a requirement therefore you are compelled to act. Now.
  • I am a real person so you can trust me.

There are other methods and tools that can be used, but these are the ones the example presents so let’s focus on them.

Businesses have a clear desire to grow revenue. This risk to facilitate responses is compounded if the source appears to be from a reputable business. When the thought of potential reward is presented, that is the key moment to start bypassing the thoughtful consideration of whether it is a legitimate request.

To make ‘this happen’, first ‘this other thing must happen’.  This is the catch and with attackers they are hoping at this point you stopped any critical thinking and are stuck on ‘new business’. So by making this happen and providing information, you have unlocked the deal, or maybe you have unlocked the keys for the attacker to move to the next stage.

What are attackers trying to gain?

When we see links, attackers have realized that people are much more likely to reply to a genuine person instead of clicking on a link. This can be down to good technical tools, training, and experience. Do they offer a telephone number or a way to do more than just reply by email? If not, that would be a warning sign that they may not be who they claim to be.

So what was the attachment in my example? There are several ‘industry standard’ templates such as SIG, Fedramp, ISO 27001 (and others). These tend to be the main set of controls/questions that get presented as part of a compliance request.

You may see requests for policies or respond to questions that can give an attacker knowledge of pretty much anything. Here’s what legitimate compliance questions or policies can look like:

  • How complex are your passwords?
  • What kind of MFA do you have implemented? Is MFA being planned?
  • Are scoped systems and data shared with third parties?
  • What is the role and name of senior management responsible for signing off policies? I
  • Is wireless networking in use? How is it protected?
  • Provide a copy of your change management policy and procedure. Who is responsible for updating this?
  • Are visitors permitted at your locations?
  • What is the notification period for customer requested audits?
  • Do third parties monitor the network? If not then they probably don’t have a SOC to worry about.
  • Provide a copy of your organizational chart.
  • Provide you most recent business continuity test results.
  • Provide a copy of your software development lifecycle procedure.

Reading the above section from the eyes of an attacker, this is all highly useful information to stage an impersonation attack at pretty much every layer of the organization. The attacker can learn how difficult passwords and security will be to crack, the security policies and procedure they need to circumvent, names of key people to target or impersonate, and info on potential weaker links within the supply chain to send the same questionnaire to.

How to assess whether a request is legitimate

Let’s look at responses you can use to clarify whether a request is legitimate and simple steps and solutions you can implement to avoid this kind of attack.

When you run due diligence or respond to supplier questionnaires, chances are you should already have a procedure in place with a sign-off before replying. Here is what that may look like for a maturing organization.

  • Is the customer already a customer?
  • Is a contract in place with confidentiality clauses?
    • If not will they sign an NDA?
  • Is the email in your CRM list of contacts?
    • If not do you have an established contact to verify them?
  • Are they requesting the information by email?
    • Do they make use of secure/encrypted email such as Egress Protect?
  • Are they requesting the information is submitted into a third-party risk platform?
    • Are there fees?
    • Will the terms remove liability for misuse of the information?

 

Step One: Check with your actual customer:

 

 

Step Two: Get verification of who they claim to be

Seeing your customer CC’d into a reply is not enough. Ensure they also respond to confirm the request is legitimate.

 Step Three: Protect yourself from human error

If you do rule out a supply chain attack and respond to a request, have DLP technology at multiple layers in your network (one at the client, one at the gateway). This will help ensure that the emails leaving your organization are intended.

Share information as view-only and for a time-limited period. Egress Secure Workspace is one way of achieving this. It also provides a full audit of access and account activity.

 

Key takeaways for reducing supply chain risk

Remember, attackers do not stop with success, they build on it. For those unfortunate to fall afoul of a supply chain attack, their work is not done.

Going back to the fictitious example of ‘Miracle Work’, once they are successful getting a supplier to divulge information they can pivot either up or down the supply chain. For attackers that are financially motivated, this can mean finding vulnerabilities in online shops using what is known as web-skimming. Microsoft 365 Defender Research have a good write-up in detail on their blog of how this works. The result is legitimate sites processing sales send a copy of the payment details to the attacker.

When finance is not the target, attackers with the resources and determination will go through several layers of the supply chain to achieve their goal. In the last year, the same threat actors behind Solar Winds have done just that. Now tracked as Nobelium this campaign has been monitored since 2021 and continues to show activity. In this example the attackers succeeded in “exploiting the service providers’ trust chain to gain broad access to multiple customer tenants for subsequent attacks.”

It's not all doom and gloom. There are simple steps you can take.

Social engineering that results in a failure to quickly identify human-related incidents is a risk you can address.  Consider some of the actions above in your processes, and encourage everyone involved in the supply chain to take time to assess whether what they are being asked is legitimate. If you have the opportunity, make use of technology that empowers your employees. This is a very effective way to scale-out your processes and at the same time, reduce your risk.