Supply Chain Security: Leveraging NDR to Combat Cyberthreats

by Filip Cerny Posted on March 19, 2025

Supply chains are crucial to business operations. It’s essential to verify that the connections required for them to operate don’t provide an opaque pathway for cybercriminals to exploit. This makes supply chain security a critical concern for organizations everywhere.

The criminals determined to breach security and establish a persistent presence on networks are increasingly targeting vulnerabilities in supply chains. Through a single entry point, they can compromise multiple organizations. Progress Flowmon Network Detection and Response (NDR) can detect the attack activity coming from supply chains.

We recently hosted a webinar outlining how to use NDR to detect and combat supply chain attacks. Read on to explore the main points presented, strategies for combating these sophisticated threats, real-world examples and practical recommendations for strengthening your supply chain security.

What Is a Supply Chain?

As defined at the start of the webinar, a supply chain encompasses the entire manufacturing and delivery chain that brings a product from its conception to the end user. This includes raw materials, suppliers, manufacturers, distributors, customers and consumers.

Each link in this chain represents a potential vulnerability attackers can exploit to affect linked organizations. What makes supply chain attacks particularly effective is our inherent trust in suppliers. Organizations often implement new equipment, software or technology from trusted vendors without realizing that, somewhere upstream, an attacker may have already compromised the integrity of these elements.

Examples of Supply Chain Attacks

To give viewers an idea of what these attacks encompass and the damage they cause, two successful supply chain attacks were covered in the webinar:

Target Corporation - This November 2013 attack resulted in the theft of 40 million credit card numbers, but what’s particularly interesting is how the attackers gained access. Rather than directly breaching Target’s security, they compromised an HVAC vendor in Pennsylvania that maintained Target’s air conditioning systems.

The attackers delivered malware through an email to the HVAC firm, which allowed them to steal VPN credentials used by technicians to access Target’s network. Once inside, they discovered Target’s network lacked proper segmentation, enabling them to access and infect every cash register across 1,800 stores. This attack highlights how seemingly unrelated third-party vendors can become entry points for attackers, emphasizing the need for robust supply chain security measures.

CrowdStrike - This infamous 2024 incident demonstrated how supply chain issues can have cascading effects. Although not a malicious attack, a corrupted software update affected 8.5 million Windows devices, causing widespread disruptions across airlines, healthcare systems and financial services. Many organizations are still dealing with the aftermath of this incident, both technically and in the courts, through lawsuits against CrowdStrike and others.

The Impact of Supply Chain Attacks

Supply chain attacks can occur in multiple forms, including those shown in Figure 1.

Each will have a different impact on the organizations that are affected. These impacts include:

  • Financial losses: Data breaches can result in significant financial losses due to stolen credit card information and intellectual property theft.

  • Operational disruptions: Attacks can disrupt critical systems and business operations, leading to downtime, loss of productivity and customer dissatisfaction.

  • Reputational damage: Supply chain attacks can severely damage an organization’s reputation, eroding customer trust and impacting future business opportunities.

  • Legal and regulatory implications: Organizations may face legal repercussions and fines for failing to adequately protect sensitive data, especially now that NIS2 is coming into force in the EU.

But data shows that, overall, supply chain attacks are trending in the right direction, as awareness of the risk spreads and more protective actions are taken. For example, Statista reports that in 2023, approximately 138,000 customers were affected by supply chain cyberattacks worldwide, a massive decrease from the 263 million impacted in 2019. Still, the same report shows 183,000 customers were affected in 2024, demonstrating that the problem continues.

Recommendations to Improve Supply Chain Security

The webinar covers some essential cybersecurity principles that help bolster defenses from supply chain (and other) attack types. They fall into three categories:

  • Policy and Procedures

    • Document all policies and procedures thoroughly
    • Establish clear guidelines for trusted suppliers
    • Implement robust governance frameworks for monitoring and identification
  • Risk Councils

    • Create cross-functional teams that include experts from IT, legal and finance
    • Develop end-to-end risk management strategies in this team
    • Integrate security risks with other business risks in selection processes and audits
  • Zero Trust Architecture

    • Implement a framework where no one is trusted by default
    • Require verification from everyone attempting to access network resources
    • Apply this principle consistently for internal and external access

It’s also vital to deploy and use an NDR solution to gain deep visibility into network traffic, proactively detect abnormal behavior and enable rapid incident response. NDR tools provide valuable insights into supply chain attacks, helping security teams identify malicious activity from compromised vendors.

A Step-By-Step Walkthrough of a Supply Chain Attack Using Network Detection Optics

During the webinar, a real-world scenario involving a compromised helpdesk system is used to outline how Flowmon NDR can help detect and deal with supply chain attacks. The walkthrough uses the 8-step Supply Chain Attack Stages shown in Figure 2.

These eight stages fall into three groups (get a deeper dive in the recording), and an NDR solution can assist at each touchpoint:

  • Reconnaissance and Initial Access

    • Detects suspicious activity, such as horizontal TCP SYN scans or unknown IP addresses
    • Identifies early warning signs of reconnaissance activities
  • Discovery, Credential Access and Lateral Movement

    • Detects network scanning by attackers, such as ARP device enumeration and vertical TCP scans
    • Identifies unusual network patterns via behavioral analysis
    • Flags password spraying attacks against services like SSH
  • Collection, Exfiltration and Impact

    • Detects DNS service exploitation attempts
    • Identifies data collection and exfiltration activities through behavior-based methods
    • Monitors and reports service disruptions and system unavailability
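
The difference between the horizontal and vertical TCP scans named above can be shown on flow records. The following is an added example, not Flowmon's detection logic or code from the webinar; the flow tuple layout, the sample addresses and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, tcp_flags); not real traffic.
# "S" means only a SYN was seen, i.e. the handshake never completed.
def build_sample_flows():
    flows = []
    # 10.0.5.20 probes port 445 on 30 hosts: horizontal scan
    flows += [("10.0.5.20", f"10.0.1.{h}", 445, "S") for h in range(1, 31)]
    # 10.0.5.21 probes 40 ports on one host: vertical scan
    flows += [("10.0.5.21", "10.0.1.10", p, "S") for p in range(20, 60)]
    # 10.0.5.22 is a normal client with completed sessions
    flows += [("10.0.5.22", "10.0.1.10", 443, "SAPF")] * 50
    flows += [("10.0.5.22", "10.0.1.11", 22, "SAPF")]
    return flows

def detect_scans(flows, host_threshold=20, port_threshold=20):
    """Return sorted (kind, src, target, count) tuples for SYN-only scan patterns.

    Thresholds are illustrative assumptions; tune them against a traffic baseline.
    """
    hosts_per_port = defaultdict(set)   # (src, dst_port) -> distinct dst hosts
    ports_per_host = defaultdict(set)   # (src, dst)      -> distinct dst ports
    for src, dst, port, flags in flows:
        if flags != "S":                # ignore flows that got past the SYN
            continue
        hosts_per_port[(src, port)].add(dst)
        ports_per_host[(src, dst)].add(port)
    alerts = []
    # Horizontal: one source, one port, many destination hosts
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append(("horizontal", src, f"port {port}", len(hosts)))
    # Vertical: one source, one destination host, many ports
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            alerts.append(("vertical", src, dst, len(ports)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_scans(build_sample_flows()):
        print(alert)
```

Counting distinct hosts and ports rather than raw flow volume is what keeps the busy but legitimate client (10.0.5.22) out of the alerts.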

Flowmon NDR provides security teams with a complete picture of the attack lifecycle through its in-depth network visibility and advanced analytics. By correlating events and leveraging threat intelligence, Flowmon NDR enables timely detection, investigation and response to mitigate the damage caused by supply chain attacks. It does this via:

  • Advanced threat detection capabilities

  • Real-time network traffic analysis

  • Automated response mechanisms

  • Thorough visibility across hybrid cloud environments

Final Thoughts

The Flowmon solution provides many benefits for IT teams, such as:

  • Improving visibility into network traffic with customizable dashboards, alerts and reports

  • Detecting threats automatically and identifying indicators of compromise early

  • Monitoring network performance to show if any reported problems are due to a network or application issue

  • Delivering automatic analysis and root cause suggestions via easy-to-understand language based on frameworks like MITRE ATT&CK

  • Providing the data needed for troubleshooting issues, post-incident analysis or infrastructure upgrade planning

Read more about Flowmon solutions on this overview page. You can also get a demo of Flowmon NDR to quickly see how it will make your cybersecurity more resilient and your network monitoring more transparent and useful.


Filip Cerny

Product Marketing Manager
