Protect Against Digital Supply Chain Attacks as Your Digital Footprint Grows
Your supply chain is a juicy target for cybercriminals, but integration, automation, and APIs can help safeguard business resources, partners, and reputation
Key Points
- APIs are an indispensable component of any strategy for deterring and remediating supply chain attacks 24x7x365, at scale.
- Email remains the #1 vector for supply chain attacks, but when a bad domain’s email-based attacks fail, it will strike you in other ways.
- SIEMs, SOARs, XDRs, endpoints, and firewalls all get smarter when API connections quickly share what your email gateway is learning.
Today’s complex, extended supply chains are rich targets for exploitation by cybercriminals. Businesses work with multiple remote partners, many of whom they know only at arms’ length. To transact business, companies must at some point extend trust — but often without meaningful control over how partners operate, so it’s hard to tell just how secure they are. Even if they maintain robust security, impersonation is easy — and can rapidly lead to large-scale fraud.
To deter supply chain attacks, the different elements of a security infrastructure must work together rapidly, seamlessly, and intelligently. Robust APIs are indispensable: They empower companies to automate information sharing, orchestrate rapid decisions, and take action. We’ll consider their value in deterring and remediating supply chain attacks as companies’ digital footprints extend ever wider.
Phishing: Still the #1 Supply Chain Attack
The top supply chain attack remains a phishing email that impersonates a business partner, requesting payment, a fraudulent redirection of money to a criminal’s account, or a fraudulent credential change that compromises business resources. Your first line of defense is a best-in-class secure email gateway such as Mimecast’s. But even when Mimecast identifies and halts delivery of a phishing email, the criminal’s web infrastructure remains intact for use in attacks they may launch quickly through other vectors.
With Mimecast’s open, out-of-the-box integrations and well-document APIs, it’s easy to share information about an email we’ve flagged — whether it was clearly a dangerous impersonation or presented only weak signals of risk and was delivered with a warning to the recipient. With this information, endpoint protection systems and next-generation firewalls can flag the source URL for different treatment. So, too, SIEM, SOAR, and XDR systems can correlate Mimecast’s data with other signals, such as whether the email links to a newly created AWS S3 bucket or Microsoft 365 instance. These insights can be used to automate action throughout the security infrastructure, including direction to halt future emails from the same domain. Where risks are only gradually recognized, API connections can even be used to remove older emails from Mimecast Cloud Archive.
Mitigating Human Risk via API-Linked Awareness Training
Since human error remains the primary target of cyberattacks, most organizations offer some form of human-risk-centric awareness and training to help employees recognize and resist phish-based supply-chain attacks. Here, again, APIs help you mitigate risk more effectively. Mimecast Awareness Training continually scores employees based on their participation in training and performance in realistic phishing tests. Those scores can be exposed to other security systems via APIs, so they can use Mimecast’s personalized risk assessments to customize each user’s rights, limitations, and guardrails.
For instance, within the Mimecast email environment, riskier users might only see attachments within sandboxes. Beyond email, information from Mimecast Awareness Training delivered via API might raise the level of URL scanning applied to risky users’ web connections or prevent risky users from using social media on company-owned devices.
By granting or limiting capabilities based on a user’s behavior, you lower supply chain attack risk in the short term and incentivize better behavior over the long-term.
Avoiding Domain Impersonation — And Protecting Your Partners
Mimecast’s services include domain similarity checking, both for domains our clients own and for those they do business with often. When Mimecast recognizes that emails are being sent from a domain that was apparently crafted to impersonate and mislead, this knowledge is immediately accessible via API and can be used to block that domain universally, at firewalls, endpoints, and other security controls.
When similarity checking finds one of your own domains being mimicked, APIs make it easier to trigger domain and real-time-blocklist (RBL) lookups, as well as other investigations. They can also help notify business partners faster so they aren’t inadvertently tricked by fake messages that seem to come from your organization.
This raises a broader issue. You want to defend your business from inbound supply chain attacks, but you also want to defend your vendors and customers against supply-chain attacks made in your company’s name, which could damage its reputation. You never want to see a valued business partner scammed by someone pretending to be you. Moreover, nowadays your security posture is continually being tracked by independent services that help prospects decide whether and how to do business with you.
Similarity checking can help, as can DMARC and other services — especially when they, too, are API-enabled. If a bad actor is spoofing your domain, Mimecast’s Rejection Log API can flag emails that were rejected based on a DMARC failure, and our Release Log API can flag emails that recipients released to their inboxes in spite of a DMARC failure. These may be the earliest warnings that one of your domains is being spoofed.
The Bottom Line
Supply chain attacks succeed because manual processes can’t sense and respond to all of them. Their complexity requires security systems to work together seamlessly, rapidly applying new knowledge wherever it emerges — whether from a phished email, an employee’s poor decision, a new high-risk S3 bucket, or a DMARC failure. APIs such as Mimecast’s deliver the right information for fast, efficient analysis, and deliver the right decisions to the point of action, for both prevention and remediation.
**This blog was originally published on May 10, 2022.
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!