Given the increasing digital dependencies, supply chain attacks have risen in recent years. 45% of organizations faced at least one supply chain attack in the past year (compared to 32% in 2018). Software projects have an average of 203 dependencies today. If one of these dependencies is compromised, the apps/ software using them would be compromised, resulting in an exponential increase in the number of victims.
Therefore 84% of organizations believe that cybersecurity supply chain attacks will emerge as one of the biggest cyber threats by 2024. This article takes a deep dive into supply chain attacks, types, and ways to prevent them.
Supply Chain Attacks: A Deep Dive
Also known as value chain attacks or third-party attacks, supply chain attacks are the type of cyber threats wherein attackers infiltrate an organization’s IT infrastructure through an external entity with access to your systems and data. It exploits trust relationships with external entities such as partners, vendors, or third-party service providers. Typically, the main goal of these attacks is to gain access to data and source codes, build processes, inject malware, update mechanisms, etc.
In recent years, external entities such as suppliers, service providers, etc., have had access to sensitive data like never before, owing to the increasing digital dependencies. This has amplified the organization’s attack surface and the risk of cybersecurity supply chain attacks. The easier availability of for-hire tools and services to attackers has led to the emergence of more sophisticated and severe types of supply chain attacks.
Examples :
SolarWinds : Hackers, having gained access to the production environment of SolarWinds in 2020, embedded a backdoor called SUNBURST to its Orion network monitoring product through an update. 18,000 customers ended up installing the update and hence, the backdoor. Taking advantage of the multiple supply chain layers, this attack broke the chain of trust.
Kaseya : This software company providing software to Managed Service Providers (MSPs) was faced with a supply chain ransomware attack in 2021 that held 1000+ companies at ransom. Attackers used 2 flaws in the Kaseya software to orchestrate the attack. The ransomware was installed through a malicious patch from Kaseya’s VSA server, compromising and encrypting thousands of nodes in several companies.
Other Examples:
- Codecov
- Mimecast
- NotPetya
- Atlassian
How Does it Work?
Attackers scout for vulnerabilities, weaknesses, and flaws such as insecure protocols, software vulnerabilities, unsafe coding practices, misconfigurations, unprotected server infrastructure, etc. They exploit these vulnerabilities to change source codes and release malicious patches that impact those in the value chain using the service.
Since the updates are from a trusted third party, they are automatically installed, and malicious code runs with the same permissions and trust. Several organizations are unaware of the malicious patch until much later.
3 Common Sources of Supply Chain Attacks
- Open-source software / solutions : Since anyone can contribute to the development of the program, attackers can program vulnerabilities into the software/ code/ service. Owing to the popularity of open-source solutions, they easily gain access to several targets.
- Commercial software products : Since several organizations may use the same software or service, attackers can access multiple targets at once.
- Foreign sources : Originating from foreign countries, these threats are often government sponsored.
Types of Supply Chain Attacks
The following types of supply chain attacks are categorized based on the security weakness that attackers leverage:
- Stolen code-sign certificates
- Compromised software development tools/ infrastructure
- Signed malicious apps that use the identity of development organizations
- Pre-installed malware on devices
- Code included in firmware components
Best Practices for Supply Chain Attack Prevention
Supply chain attacks are difficult to detect. Therefore, it is crucial to carefully choose and thoroughly vet any external entity you partner with or hire services from. It is equally important to conduct ongoing vendor risk assessments and product/ software validation. Remember that products validated in the past are not necessarily secure today.
Adopt intelligent, managed security solutions such as AppTrana equipped with behavioral attack detection, intelligent intrusion prevention and self-learning capabilities, global threat intelligence, integrated threat analysis tools, security analytics, and intelligent automation. Such solutions enable you to reduce your attack surface and harden your security posture.
Other measures:
- Regular audit of shadow IT infrastructure to unearth vulnerabilities
- Implement least privileges
- Integrate security right into the software development stages to build secure-by-design apps
- Deploy strong code integrity policies to ensure only authorized apps run
- Perform network segmentation to ensure third parties do not have freed access to the network
The Bottomline
Your enterprise security is only as strong as the weakest link in your supply chain, be it – their third-party service providers, partners, vendors, suppliers, and so on. In addition to establishing a strong enterprise security culture, you must ensure your external partners have robust and resilient security measures in place. Else, you are putting yourself at a high risk of being breached and targeted by cybercriminals through supply chain attacks.
