Supply Chain Intelligence

What is Supply Chain Intelligence?

Supply chain intelligence is a type of threat intelligence that focuses on identifying, detecting, and countering digital adversaries who attempt to harm organizations by targeting their supply chains and vendor networks with cyber attacks, social engineering attacks, and other nefarious acts of subterfuge.

What is a Supply Chain Attack?

A supply chain attack, or supply chain intrusion, is when digital threat actors attempt to penetrate a target organization by executing cyber attacks against other organizations in its supply chain or vendor ecosystem. 

Supply chain attacks frequently involve inserting malicious code or compromised hardware into the development or manufacturing process of a legitimate product. 

In a software-based supply chain attack, hackers inject malware into the source code of a legitimate software application. When the application is pushed to end users, the malware gives hackers backdoor access to their secure networks and systems, enabling follow-on attacks that often include data exfiltration.

In a hardware-based supply chain attack, attackers infiltrate the supply chain of a physical product and either: 

  • Insert a compromised hardware component that is not part of the original design, or
  • Replace a legitimate hardware component with a compromised version of the same component.

When the compromised hardware reaches the end user, the fraudulently implanted devices allow cyber criminals to spy on their internal networks, exfiltrate their data, or take control of network and business infrastructure to enable follow-on attacks.

Why is Supply Chain Intelligence Important?

To demonstrate the growing importance of supply chain intelligence, we consider one of the largest supply chain attacks ever recorded: the SUNBURST security incident.

In this incident, hackers from Russia’s Foreign Intelligence Service (SVR) gained unauthorized access to the networks of the SolarWinds software company and injected malware known as SUNBURST into the source code of the Orion application. 

As a result, SolarWinds unknowingly distributed Orion software updates containing this malicious code to 18,000 of its customers, including private companies like Microsoft, Intel, and Deloitte, and government agencies like the U.S. Department of Homeland Security, State Department, Treasury Department, and the National Nuclear Security Administration.

The initial hack took place in September of 2019, but went undiscovered until December 2020 because hackers used clever methods to conceal their presence in compromised systems. Ultimately, hackers were able to steal classified data, break into secured email accounts, and spy on the activities of both private companies and government agencies.

The SUNBURST attack exemplifies three qualities of supply chain attacks that make them especially dangerous for targeted organizations: 

  • Supply Chain Attacks circumvent normal cybersecurity measures, enabling hackers to penetrate some of the most difficult targets,
  • Supply Chain Attacks can compromise a large number of targets with just a single operation, and
  • Supply Chain Attacks are difficult to detect, giving hackers more time to execute follow-on attacks.

How Else Can Cyber Adversaries Target the Supply Chain?

Software- and hardware-based attacks are the most insidious methods for targeting the supply chain, but they aren’t the only options available.

Digital adversaries can also use social engineering techniques and other fraudulent methods to exploit the relationships of trust that exist within vendor networks.

For example, a digital adversary that wants to defraud Company A might:

  • Identify Vendor Z in Company A’s supply chain,
  • Set up a fake domain and execute a phishing campaign to steal email credentials from employees of Vendor Z,
  • Execute an account takeover attack against a Vendor Z employee, taking control of their email account, and
  • Send a fraudulent invoice from the compromised email account to Company A.

Enterprises can prevent these attacks by monitoring the public attack surface to identify, detect, and disrupt fraudulent infrastructure, including spoofed email accounts and fake domains, before it can be used successfully by digital adversaries.
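As an added example (not ZeroFox's code and not part of the original page), here is a small defender-side check for the fake-domain step in the scenario above: it scores newly observed domains against a list of vendor domains and flags typosquats, homoglyph and hyphen variants, and vendor names embedded in unrelated domains or subdomains. The vendor list, the observed domains, and the homoglyph table are constructed sample data.

```python
import difflib

# Constructed sample data (hypothetical): domains of vendors in "Company A's" supply chain,
# and a batch of newly observed domains as a monitoring feed might report them.
VENDOR_DOMAINS = ["vendor-z.com", "acme-parts.net"]
NEWLY_OBSERVED = [
    "vendor-z.com",                        # the real vendor, must not be flagged
    "vend0r-z.com",                        # digit-for-letter homoglyph
    "vendorz.com",                         # hyphen dropped
    "vendor-z-invoices.com",               # vendor name embedded in a longer name
    "vendor-z.com.login-portal.example",   # vendor domain used as a subdomain
    "acme-parts.co",                       # TLD swap
    "acmeparts.net",                       # hyphen dropped
    "example.org",                         # unrelated, must not be flagged
]

# Common visual substitutions, collapsed before comparison (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label):
    # Fold homoglyphs and hyphens so "vend0r-z" compares equal to "vendorz".
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label.replace("-", "")


def registrable_label(domain):
    # Second-level label, e.g. "vendor-z" from "vendor-z.com" (simple split, no public suffix list).
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_score(candidate, vendor):
    # 0.0 for the genuine domain; 1.0 for homoglyph/hyphen variants or TLD swaps;
    # 0.9 when the vendor label appears inside a longer name; otherwise string similarity.
    candidate, vendor = candidate.lower().rstrip("."), vendor.lower()
    if candidate == vendor:
        return 0.0
    c, v = registrable_label(candidate), registrable_label(vendor)
    if normalize(c) == normalize(v):
        return 1.0
    if v in candidate:
        return 0.9
    return difflib.SequenceMatcher(None, c, v).ratio()


def flag_lookalikes(observed, vendors, threshold=0.8):
    # Return (observed domain, vendor domain, score) for every pair at or above the threshold.
    return [(d, v, round(lookalike_score(d, v), 2))
            for d in observed for v in vendors if lookalike_score(d, v) >= threshold]
```

Flagged domains are candidates for takedown requests or mail-gateway blocks, and a positive hit should also trigger a review of any invoices or payment-change requests received from that sender.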

Three Types of Supply Chain Intelligence to Protect Your Business

Malware Intelligence

Malware intelligence involves monitoring the public attack surface to identify cyber adversaries and the TTPs they might be using to execute supply chain attacks against organizations in your vendor network.

Brand Intelligence

Brand intelligence involves monitoring the public attack surface for fraudulent domains, executive impersonations, phishing infrastructure, and other forms of fraud or brand abuse targeting organizations in your supply chain.

Dark Web Intelligence

Dark web intelligence involves monitoring the “invisible Internet” that can only be accessed with specialized browsers that encrypt data and enforce user anonymity. 

Digital adversaries visit dark web forums and marketplaces to traffic in leaked or stolen data, exposed credentials, malware, phishing kits, and other exploits that enable attacks against enterprise targets. Monitoring the dark web can help you identify cyber adversaries who plan to launch cyber attacks against organizations in your supply chain.

Safeguard Your Supply Chain with ZeroFox Threat Intelligence

ZeroFox provides protection, intelligence, and disruption to dismantle external threats to enterprise supply chains across the public attack surface in one, comprehensive platform.

Ready to learn more? See our full spectrum threat intelligence solutions here.