Strong security protection is no longer enough as supply chain attacks continue to worsen


The European Union Agency for Cybersecurity (ENISA) has analyzed 24 recent software supply chain attacks – including those through SolarWinds Orion, Mimecast, Codecov and Kaseya, and concluded that strong security protection is no longer enough as supply chain attacks continue to worsen.
ENISA’s report found that 66% of supply chain attacks focus on the supplier’s code, while malware is the attack technique used in 62% of attacks.

The supply chain attacks complied by ENISA highlight impeccable coordination between cybercriminals amid comparatively simple hacking techniques. Most of the attacks, even those involving exploitation of 0day vulnerabilities, could have been prevented by defense-in-depth and zero-trust models. Worse, many of the large-scale intrusions exploited lack of attack surface visibility, vulnerable software with security flaws publicly disclosed many months or even a few years ago, or primitive password reuse attacks, are successful due to missing 2FA and other pretty simple security mechanisms designed to stop human-focused attacks. Thriving phishing attacks dominate the modern threat landscape, being evidence that the human factor remains the cornerstone of corporate cyber resilience.

There is a clear trend to exploit misconfigured CI/CD pipelines and vulnerable cloud deployments. Amid the pandemic, countless organizations rapidly moved their IT infrastructure to a cloud, while trying to save money on training and cloud-specific security hardening. Combined with legacy IT infrastructure, third-party managed servers and software, the digitalization in 2021 made organizations a low hanging fruit for cybercriminals.

Finally, cyber-gangs are much better organized compared to the cybersecurity industry. They meticulously plan and coordinate their attacks, leverage division of labor and eventually attain impressive efficiency. Contrasted to cybersecurity teams, bad guys are never on holidays or sick leave, and will even purposely conduct swift raids while the victim organizations are the most unprepared.