Think rebuild, not recovery, after a supply chain attack

We are living in a time when siloed businesses are increasingly rare. Supply chains are the lifeblood of modern organizations, enabling the seamless flow of goods, services, and information. This interconnected network creates a trade ecosystem vital to the survival of both businesses and consumers. 

So, understandably, when a cyberattack disrupts this critical process, the immediate response is often panic-driven -- focusing solely on getting operations back online as quickly as possible. While restoring functionality is essential, this approach frequently overlooks a crucial aspect: rebuilding security.

Concentrating only on short-term recovery means businesses risk falling into a dangerous cycle where vulnerabilities remain unaddressed, leaving them exposed to future attacks. Breaking this cycle requires a fundamental shift in mindset -- one that prioritizes rebuilding and strengthening security processes to ensure long-term resilience and protection against emerging threats.

Recovery vs. rebuilding: A flawed focus

As supply chains expand and businesses become more interconnected than ever, the attack surface for cybercriminals is also increasing. Disrupting one organization means all dependent businesses will be impacted to some extent. We’ve seen this in the SolarWinds breach, the Colonial Pipeline attack, the GitHub attack, and many more recent incidents.

More concerning, cybercriminals are not only becoming more sophisticated but are also showing a tendency to revisit the same targets. For instance, in 2023, the Cl0p ransomware group exploited vulnerabilities in the MOVEit Transfer software.

After the initial breach, the group returned just months later to target companies within the same supply chain that had not sufficiently addressed the vulnerabilities. This repeated targeting highlighted the dangers of focusing solely on recovery without thoroughly rebuilding security measures.

While recovery efforts focus on restoring systems and operations to their pre-attack state, this approach can be dangerously short-sighted. It addresses the symptoms but fails to tackle the root causes and underlying vulnerabilities that allowed the attack to happen in the first place.

The rush to return to the status quo can result in missed opportunities to fortify defenses, leaving organizations exposed to subsequent attacks.

Simply restoring equilibrium is no longer enough. A more proactive approach is necessary -- one that prioritizes rebuilding security to improve resilience and protect against future threats. Without this shift in focus, businesses risk falling into a cycle of recurring breaches, each more damaging than the last.

Learning from the British Library: a case for rebuilding

The British Library offers a compelling example of why investing in rebuilding and resilience is essential. Following a significant ransomware attack in October 2023, the institution did not just focus on recovery. Instead, there was a concerted effort to improve cyber resilience and learn from the attack.

The British Library’s rebuilding strategy began with a comprehensive review of its existing systems. This involved a detailed forensic analysis to identify the root causes of the breach and the vulnerabilities that were exploited.

They committed to modernizing their infrastructure, which included replacing outdated legacy systems that were no longer supported by vendors and could not operate in a modern, secure environment.

In addition to upgrading its technology, the Library implemented advanced security measures such as role-based multi-factor authentication (MFA) across all access points, network segmentation, a hybrid compute infrastructure, a new backup system with immutable and air-gapped copies of data, and continuous system monitoring to detect and respond to threats in real time.

They also improved their incident response capabilities and disaster recovery protocols to ensure they could respond more effectively to future incidents.

This comprehensive rebuilding effort has produced significant benefits for the British Library, earning praise from the cybersecurity community for its forward-thinking approach. By not merely bouncing back but bouncing forward, the institution has strengthened its defenses and significantly reduced its risk of falling victim to future cyberattacks.

Three main steps after a supply chain attack

Organizations can adopt a structured approach to the post-attack phase by focusing on three key steps: review, strengthen, and reconnect. This framework ensures that recovery efforts are complemented by strategic rebuilding initiatives.

1. Review the crisis and the state of the supply chain

The first step is a comprehensive review of the attack and the organization's response. This involves a detailed analysis of how the breach occurred, which vulnerabilities were exploited, and how the incident was handled. Conducting a thorough post-mortem allows organizations to identify gaps in their security posture and response protocols.

Key topics to address during the review phase include understanding the attack vector, evaluating the speed and effectiveness of breach detection and containment, identifying exploited weaknesses, and assessing the critical risks in the supply chain. By focusing on these areas, organizations can gain valuable insights into their vulnerabilities and opportunities for improvement.

2. Emphasize monitoring and training

With insights gained from the review phase, the next step is to strengthen security measures. This involves implementing robust defenses to address identified vulnerabilities and prevent similar attacks in the future.

Key actions in this phase include updating and patching software to close security gaps, enhancing network security through segmentation and access controls, implementing advanced threat monitoring solutions, and conducting regular security audits and penetration testing. 

These measures will help businesses achieve real-time visibility into their supply chain activities and identify potential indicators of compromise.

Strengthening security must also involve fostering a culture of cybersecurity awareness and training among employees. Human error remains one of the most significant vulnerabilities in any security framework.

Training programs should be scenario-driven and include practical, simulated exercises that mimic real-world cyberattack scenarios. These simulations help employees develop the reflexes needed to respond swiftly and appropriately under pressure. Regular training sessions should cover the latest threat vectors, phishing detection, secure handling of sensitive information, and the importance of adhering to security protocols.

Beyond technical training, organizations should implement robust response protocols. These protocols should clearly outline communication channels, procedures, and recovery plans in the event of an attack. Staff should be trained on these protocols to ensure there is a coordinated and effective response to any incident. These measures will help build a security-first mindset within the business.

3. Reconnect the systems

The final step is to reconnect systems and operations, ensuring they are secure and resilient. This involves gradually restoring normal operations while maintaining a heightened focus on security.

Key considerations in this phase include verifying the integrity of restored systems and data, as well as determining who has the authority to approve reconnection processes.

It’s critical to conduct post-recovery audits to confirm that vulnerabilities have been fully addressed. Reconnecting with a strong emphasis on security helps organizations build a more resilient infrastructure, making them better equipped to withstand future cyberattacks.

Moving away from a recovery-focused strategy

Overall, shifting from a recovery-focused approach to a rebuild strategy after a supply chain attack is the only way to achieve long-term resilience. Recovery, while necessary, often addresses only the immediate damage, leaving underlying vulnerabilities unaddressed.

In contrast, a rebuild strategy goes beyond merely restoring systems; it involves a comprehensive overhaul of security measures to prevent future incidents. By thoroughly reviewing the attack, strengthening defenses, and establishing a robust reconnection and approval process, businesses can effectively bounce back from a supply chain attack.

More importantly, they can emerge stronger and more resilient, with a fortified infrastructure that is better equipped to handle future cyber threats. This proactive approach also instills confidence in stakeholders, ensuring the continued success and security of the business in an increasingly interconnected threat landscape.


Gregg Ogden is Supply Chain Security SME, Immersive Labs.
