Compromised Partners: The New Insider Threat

It is difficult to stop supply chain attacks if partner accounts are compromised. What can you do when these attacks are indistinguishable from insider threats? The current rash of financial fraud and supply chain attacks exploits a seemingly unsolvable weakness in your security strategy: attackers take advantage of the fact that you must communicate with outside partners and vendors to thrive as a company or an institution.

As you interact with partners, the door to exploitation opens, specifically in the form of supply chain attacks. These attacks are tremendously hard to detect, since no malware or malicious link is needed for a successful theft or exfiltration, so the final "kill shot" leaves only the subtlest of fingerprints. Yet they are so effective that, in just the first few months of 2021, such attacks have netted millions of dollars in stolen funds and an incalculable amount of stolen data.

Compromised credentials are the key to the attacker's success. But here is what is disturbing: it is not your credentials that are the linchpin in stealing from you. The bad actor lurks inside a partner's compromised account while legitimate trust is built between you and that partner. No malware is delivered. No penetration of your network is involved.

Often the supply chain attack takes the form of a Business Email Compromise (BEC) built on invoice fraud. Business email compromise attacks are a form of cybercrime that uses email fraud against commercial, government and non-profit organizations to achieve a specific outcome that harms the target organization. Examples include invoice scams and spear-phishing spoof attacks designed to gather data for other criminal activities. Consumer privacy breaches often occur as a result of a business email compromise attack. The final diversion of funds is hard to detect because it arrives from an established, trusted vendor, at the end of a long and legitimate email thread, and uses a perfectly altered invoice.


What are the strategies to stop these attacks?

Strong security solutions extend the concept of "zero trust" beyond its original premise of micro-segmentation and apply the idea of reducing trust to your most trusted communications. While seemingly ironic, the point is that the more you trust a person, entity, or communication, the more successful an attack that exploits that trust can be.

So, how do you apply the concept of zero trust to partner interactions and prevent supply chain-based attacks? 

Effective application of zero trust must start at the point where your own infrastructure and control begin: email.

Think of each interaction as a microsegment in the zero-trust world that must be "authenticated." There should be no implied trust between parties, regardless of how often you have communicated before, since you do not know whether a partner's account has been compromised.

To apply the concepts of zero trust to detect supply chain phishing and compromised partners in email, consider the following three factors:

Campaign Source


An email-based attack can leave subtle clues about the attack or the attacker. Beyond looking at the sender information for spoofed names or domains, inspecting the sending infrastructure and source of an email can help determine whether it is malicious.

For example, if there are links or nested links within the email, where are they hosted? Is the sender domain a legitimate organization's domain, or a newly created webmail domain on Microsoft 365 or Gmail? In a recent report on threats missed by Office 365, nearly half (48.9%) of the missed threats came from recently created domains.

Attackers tend to reuse hosting infrastructure and register new domains. By tracking attacker infrastructure, a phish can be linked to a known attacker even when its accounts and domains have no reputation history. Preemptive crawling and indexing of infrastructure in the wild also lets you discover new malicious infrastructure more quickly.
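As an added illustration of the campaign-source checks above (this is not code from the original article or from Red Sky Alliance), the following Python script pulls the relevant signals out of a raw email: whether Reply-To and Return-Path agree with the From domain, which host handed the message to our mail server, every link in the body including a URL nested inside a redirect parameter, how recently each domain was registered, and whether the sending IP has already been seen in a tracked campaign. The message, the registration dates and the campaign index are all constructed for the example; in practice the dates would come from WHOIS or RDAP lookups and the index from your own infrastructure tracking.

```python
"""Campaign-source checks on a raw email: From/Reply-To/Return-Path agreement,
last-hop sending host, embedded and nested links, domain age and infrastructure
reuse. Added example; the message, registration dates and infrastructure index
below are constructed stand-ins for WHOIS/RDAP lookups and a real campaign index."""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: a "vendor" invoice whose Reply-To, return path and sending
# host all point at a freshly registered lookalike domain (all names are reserved
# documentation names; 203.0.113.0/24 is a documentation address block).
SAMPLE_EML = """\
Return-Path: <billing@acme-invoices-portal.example>
Received: from mail.acme-invoices-portal.example (mail.acme-invoices-portal.example [203.0.113.45])
    by mx.example.org with ESMTPS; Tue, 16 Mar 2021 09:12:01 +0000
From: "ACME Billing" <accounts@acme.example>
Reply-To: billing@acme-invoices-portal.example
To: ap@example.org
Subject: Invoice 4471 - updated remittance details
Content-Type: text/html; charset=utf-8

<html><body>Please review the <a href="https://track.example.net/r?url=https%3A%2F%2Facme-invoices-portal.example%2Finv%2F4471">updated invoice</a>.</body></html>
"""

# Constructed registration dates (assumption: in practice filled from WHOIS/RDAP).
DOMAIN_CREATED = {
    "acme.example": date(2009, 4, 2),
    "example.org": date(1995, 8, 31),
    "track.example.net": date(2015, 1, 10),
    "acme-invoices-portal.example": date(2021, 3, 9),
}
# Constructed index of hosting seen in earlier tracked campaigns: IP -> campaign tag.
KNOWN_INFRA = {"203.0.113.45": "campaign-2021-02-vendor-invoices"}
NEW_DOMAIN_DAYS = 30


def domain_of(header_value):
    """Bare domain from an address header, lower-cased; '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def last_hop(msg):
    """(host, ip) from the top-most Received header, i.e. the hop that reached our MX."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)\s+\(\S*\s*\[([\d.]+)\]\)", received[0]) if received else None
    return (m.group(1).lower(), m.group(2)) if m else ("", "")


def extract_links(msg):
    """Every href in HTML parts, plus any URL nested inside a redirect parameter."""
    links = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for href in re.findall(r'href="([^"]+)"', body):
            links.append(href)
            for values in parse_qs(urlparse(href).query).values():
                links += [unquote(v) for v in values if v.startswith("http")]
    return links


def assess(raw, today=date(2021, 3, 16)):
    """Findings about where the message really came from and what it points at."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    host, ip = last_hop(msg)
    # the host must be the From domain or a subdomain of it; a plain suffix
    # match would let evilacme.example pass as acme.example
    if host and host != from_dom and not host.endswith("." + from_dom):
        findings.append(f"delivered by {host} [{ip}], not a {from_dom} host")
    if ip in KNOWN_INFRA:
        findings.append(f"sending IP {ip} already tied to {KNOWN_INFRA[ip]}")
    link_hosts = {urlparse(u).hostname for u in extract_links(msg)}
    for dom in sorted({from_dom, domain_of(msg["Reply-To"]), *link_hosts} - {"", None}):
        created = DOMAIN_CREATED.get(dom)
        if created is None:
            findings.append(f"{dom}: no registration record")
        elif (today - created).days < NEW_DOMAIN_DAYS:
            findings.append(f"{dom}: registered only {(today - created).days} days ago")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_EML):
        print("-", line)
```

Run as a script it prints five findings for the constructed sample: the Reply-To and Return-Path disagree with the From domain, the delivering host is outside that domain, the sending IP is already tied to a tracked campaign, and the domain behind the nested link was registered a week earlier. Only the top-most Received header is trusted here, since the hops before our own server can be forged by the sender.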


Message Sentiment and Conversational Context


Recent cyberattacks like BEC do not contain malicious links or documents. Instead, they rely on social engineering to trick unsuspecting users into sending funds or disclosing sensitive information, often by impersonating a trusted party such as an internal employee or executive. BEC built on a supply chain compromise is the most difficult variant to detect, since the target organization typically does not know that a supplier's account has been compromised.

Detecting these malware-less attacks requires detailed analysis of message sentiment and conversational context. You need to understand what is actually being expressed within a message, that is, its intent. Detecting variations within message threads is also important for surfacing attempted fraud. Since supply chain BEC attacks can play out over weeks and months, you must be able to consider changes in behavior and requests over extended periods of time.
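As an added example of judging a message by its conversational context rather than in isolation (not code from the original article or from Red Sky Alliance), the following Python script compares the newest message in a supplier thread with the thread's own history: whether the payment destination has changed from what the thread used before, whether the message announces new banking details, whether urgency language appears for the first time, and whether the sender has started using a Reply-To that never appeared earlier in the thread. The two-month thread is constructed; the IBANs in it are the published example IBANs, not real accounts, and the phrase lists are a deliberately small illustration of the intent analysis the text describes.

```python
"""Conversational-context checks for malware-less BEC: judge the newest message
in a supplier thread against the thread's own history rather than in isolation.
Added example; the thread below is constructed (the IBANs are the published
example IBANs, not real accounts) and the phrase lists are illustrative."""
import re
from datetime import date

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
URGENCY = ("urgent", "immediately", "today", "asap", "right away")
PAYMENT_CHANGE = ("account has changed", "new bank", "updated bank", "new account",
                  "updated remittance", "changed our bank")

# Constructed two-month thread with a real supplier contact. Only the last
# message is the fraud attempt: same thread, same sender, new destination.
THREAD = [
    {"date": date(2021, 1, 12), "from": "jane@vendor.example", "reply_to": None,
     "body": "Hi, attached is invoice 4471 for the Q1 order. Payment to our usual "
             "account, IBAN DE89370400440532013000. Thanks, Jane"},
    {"date": date(2021, 1, 14), "from": "ap@example.org", "reply_to": None,
     "body": "Thanks Jane, scheduled on the usual 30-day terms."},
    {"date": date(2021, 2, 9), "from": "jane@vendor.example", "reply_to": None,
     "body": "Just confirming 4471 came through, all received, thank you."},
    {"date": date(2021, 3, 15), "from": "jane@vendor.example",
     "reply_to": "jane@vendor-accounts.example",
     "body": "Hi, following an audit our bank account has changed. Please pay invoice "
             "4472 today, urgently, to IBAN GB29NWBK60161331926819 and confirm immediately."},
]


def payment_details(text):
    """Set of IBAN-shaped tokens in a message body."""
    return set(IBAN_RE.findall(text))


def contains_any(text, phrases):
    """Phrases from the list that occur in the text (case-insensitive)."""
    text = text.lower()
    return [p for p in phrases if p in text]


def assess_latest(thread):
    """Findings for the last message, judged against every earlier message."""
    history, latest = thread[:-1], thread[-1]
    findings = []
    # payment destination: anything the thread has not used before is suspect
    known = set().union(*(payment_details(m["body"]) for m in history))
    new = payment_details(latest["body"]) - known
    if new and known:
        findings.append(f"payment destination changed to {sorted(new)}; "
                        f"thread previously used {sorted(known)}")
    # intent: the message itself says the bank details are changing
    if contains_any(latest["body"], PAYMENT_CHANGE):
        findings.append("message announces a change of banking details")
    # sentiment: pressure that the thread never carried before
    urgent_now = contains_any(latest["body"], URGENCY)
    if urgent_now and not any(contains_any(m["body"], URGENCY) for m in history):
        findings.append(f"urgency language new to this thread: {urgent_now}")
    # routing: a Reply-To this sender has not used earlier in the same thread
    earlier_reply_to = {m["reply_to"] for m in history if m["from"] == latest["from"]}
    if latest["reply_to"] and latest["reply_to"] not in earlier_reply_to:
        findings.append(f"Reply-To {latest['reply_to']} never used by "
                        f"{latest['from']} in this thread")
    return findings


if __name__ == "__main__":
    for line in assess_latest(THREAD):
        print("-", line)
```

Evaluated after the first or third message the function returns nothing; evaluated after the final message it returns all four findings. None of them depends on a malicious link or attachment, which is the point: the signal is entirely in how the latest request differs from the relationship so far.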


Partner Social Graph

Just as each organization has a social graph of interactions, each supplier has its own. Evidence of a vendor account takeover can be surfaced by properly assessing each supply chain partner's reputation and that of the partner's own partners. This, combined with the message sentiment and conversational context described above, can signal that a known contact's account has been compromised.
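As an added example of a partner social graph (not code from the original article or from Red Sky Alliance), the following Python script learns from past mail which people at a supplier write to which people here and which Reply-To domains any of them has ever used, then scores a new message from that supplier against the baseline: a contact who has never written before, a first-ever sender-to-recipient pair, and a Reply-To domain that nobody at the supplier has used, including the case where that domain imitates the supplier's own. The mail log is constructed, and the lookalike test is a deliberately simple label match rather than a full homoglyph or edit-distance comparison.

```python
"""Partner social-graph baseline: learn, from past mail, which people at a
supplier write to which people here and which Reply-To domains they use, then
score a new message from that supplier against the baseline. Added example;
the mail log is constructed."""
from collections import defaultdict

# Constructed 90-day log: (sender, recipient, reply_to) for one supplier relationship.
MAIL_LOG = [
    ("jane@vendor.example", "ap@example.org", None),
    ("jane@vendor.example", "ap@example.org", None),
    ("jane@vendor.example", "procurement@example.org", None),
    ("sam@vendor.example", "procurement@example.org", "sam@vendor.example"),
    ("ap@example.org", "jane@vendor.example", None),
    ("procurement@example.org", "sam@vendor.example", None),
]


def domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.split("@", 1)[1].lower()


def build_graph(log):
    """Directed edge counts plus the Reply-To domains each sender has used."""
    edges, reply_domains = defaultdict(int), defaultdict(set)
    for sender, recipient, reply_to in log:
        edges[(sender, recipient)] += 1
        reply_domains[sender].add(domain(reply_to) if reply_to else domain(sender))
    return dict(edges), dict(reply_domains)


def score_message(graph, sender, recipients, reply_to=None):
    """Findings a sender-reputation check alone would not raise."""
    edges, reply_domains = graph
    partner_dom = domain(sender)
    # the supplier's side of the graph: everyone there who has written to us,
    # and every Reply-To domain any of them has used
    partner_people = {s for s, _ in edges if domain(s) == partner_dom}
    partner_reply_doms = set().union(*(reply_domains[p] for p in partner_people))
    findings = []
    if sender not in partner_people:
        findings.append(f"{sender} has never written to us; known {partner_dom} "
                        f"contacts: {sorted(partner_people)}")
    for r in recipients:
        if edges.get((sender, r), 0) == 0:
            findings.append(f"first message ever from {sender} to {r}")
    reply_dom = domain(reply_to) if reply_to else partner_dom
    if reply_dom not in partner_reply_doms:
        findings.append(f"Reply-To domain {reply_dom} never used by anyone at {partner_dom}")
        # crude lookalike test: the supplier's own label reused in a foreign domain
        if partner_dom.split(".")[0] in reply_dom:
            findings.append(f"{reply_dom} imitates {partner_dom}")
    return findings


if __name__ == "__main__":
    graph = build_graph(MAIL_LOG)
    for line in score_message(graph, "jane@vendor.example",
                              ["ap@example.org", "cfo@example.org"],
                              reply_to="jane@vendor-accounts.example"):
        print("-", line)
```

The interesting case is a message from the genuine, compromised account: the sender and its domain both have a clean history, so nothing about the sender alone is suspicious. The graph still flags it, because the account suddenly addresses a finance contact it has never written to and asks for replies at a domain that nobody at the supplier has ever used.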

Supply chain attacks complicate detection by making everyone an insider. By applying zero-trust principles to email, the source of most phishing and account takeover attempts, organizations stand a better chance of early detection and minimized damage.

RedXray (https://www.wapacklabs.com/redxray) was developed by Red Sky Alliance to identify cyber threats against organizations' supply chains and notify them. Why become a victim when our service can notify users of cyber threats before they breach the network?

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports, available at https://redskyalliance.org at no charge.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.


Reporting:  https://www.redskyalliance.org/

Website:     https://www.wapacklabs.com/

LinkedIn:   https://www.linkedin.com/company/wapacklabs/

Twitter:      https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: 

https://attendee.gotowebinar.com/register/8782169210544615949

TR-21-081-001_Compromised_Partners.pdf
