As corporations have been stepping up their security measures, hacker groups have shifted their focus toward software vendors and various system providers. The frequency of supply chain attacks has multiplied several times compared to what it was in 2020.
The concept of a Supply Chain Attack revolves around hijacking an organization’s IT infrastructure via third-party vendors. By securing initial access to, say, a vendor’s code management or version control systems, attackers can disseminate their malicious software while masquerading as a legitimate application. Since the company does not have direct control over all of its suppliers, it is virtually impossible to fully safeguard against such threats.
How organizations become vulnerable
The attackers’ goal is to infiltrate a company’s infrastructure, and there’s no shortage of methods to achieve this. However, hackers often opt for the path of least resistance, targeting the most vulnerable points. There is no need for them to stage a “head-on assault,” attempting to breach the defenses of a bank’s servers and engaging its security systems, when they could instead attack something like a library used in an online banking application, exploiting a vulnerability that grants them access to the infrastructure.
Even if the cybersecurity team at your bank swiftly mitigates the attack, regains control of the impacted systems, and starts recovery efforts, any other organization that utilizes the same software library will still be affected.
This aspect underscores the global scope of threats linked to supply chain attacks. Hackers can intentionally or unintentionally gain control over any organization’s infrastructure, even if it has not been directly targeted, all for a minimal cost to the attacker.
Why supply chain security is important
If a supply chain attack succeeds, the consequences can be severe. It could result not just in substantial financial and reputational damage or a compromise of the IT infrastructure, but it could also halt production entirely or even cause an environmental catastrophe.
Several years ago, hackers successfully infiltrated a routine update of SolarWinds’ Orion software. This breach granted them access to hundreds of US federal government agencies, educational institutions, and over 80% of Fortune 500 companies. Remarkably, the attackers managed to stay under the radar for a prolonged period, enabling them to carry out extensive information theft. So, now, more than ever, incorporating the supply chain into a cyber risk management strategy is of paramount importance.
Different types of supply chain attacks
There are numerous forms of supply chain attacks, but three principal and most frequent ones stand out:
- Software Attacks: These attacks focus on the source code of a vendor’s software, where the attacker injects their malicious code into a trusted application. There are also instances where an update server is compromised, allowing the attacker to substitute a legitimate library with their own.
- Hardware Attacks: These attacks target physical devices like webcams, routers, and keyboards. The most prevalent form involves the insertion of backdoors into the hardware.
- Firmware Attacks: This type involves injecting malware into the boot code. The malware runs after the computer boots up, putting the entire system at risk. Firmware attacks are fast, often undetected (unless you specifically protect against them), and extremely dangerous.
Why software vendors remain vulnerable
Professionals from penetration testing companies are frequently taken aback by the low level of protection they encounter in many businesses. During their projects, ethical hackers often manage to secure unrestricted access to version control systems like GitLab, update servers, and servers tasked with building applications and storing artifacts. This indicates that an attacker could potentially exploit any of these points to inject their own code.
Conscientious software developers must prioritize the security of their IT products and their users. Unfortunately, we frequently encounter situations where coders simply lack the necessary knowledge and experience in this domain. While software vendors do consider protective measures, they are still susceptible to threats.
These situations lead to the attacked vendor unknowingly distributing infected code, libraries, or updates to its customers, thus allowing an attacker to infiltrate the customers’ IT infrastructure. Once inside, the attacker can operate stealthily to extract data from the organization, disrupt service performance, or introduce a virus. This malware can propagate across the network, infecting the company’s systems such as customer databases or accounting servers. If the organization does not have a robust backup process in place, there is a substantial risk of data loss.
Protecting from supply chain attacks
No organization can be guaranteed safe from a supply chain attack. The primary goal of the defending side should therefore be to stop the attack at an early stage, before the attacker can gain a foothold inside the infrastructure and cause damage.
Keeping a watchful eye on each endpoint can aid in the timely detection of suspicious activities. Every server and computer within an organization’s network must collect event logs. If someone remotely accesses an employee’s account and attempts to crack passwords via a brute-force attack, these authentication attempts will be recorded and reflected in logs.
A properly configured firewall should not only block an access attempt but also log the time, the attacked node, and the address from which the attack was carried out. Extended Detection and Response (XDR) tools consolidate all data in a central location, enabling security specialists to identify threats efficiently, trace the attacker’s journey through the company’s infrastructure, and neutralize it. Without such monitoring, hackers can potentially remain undetected in the system for months, having access to critical information all the while.
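The detection described above can be sketched in a few lines. This is an added example, not part of the original article: it flags a source address that produces a burst of failed logins and then records every node where that source later logs in successfully. The log format, field names, thresholds and sample events are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events in a hypothetical key=value format; IPs are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z node=vpn01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:05Z node=vpn01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:10Z node=vpn01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:15Z node=vpn01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:20Z node=vpn01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:25Z node=vpn01 src=203.0.113.7 user=alice result=OK
2024-05-01T10:00:30Z node=vpn01 src=198.51.100.20 user=bob result=FAIL
2024-05-01T10:00:40Z node=vpn01 src=198.51.100.20 user=bob result=OK
2024-05-01T10:03:00Z node=git01 src=203.0.113.7 user=alice result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) node=(?P<node>\S+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>FAIL|OK)$")

def parse(line):
    """Return one event as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside the window, then follow them."""
    failures = defaultdict(deque)          # src -> timestamps of recent failures
    alerts = {}                            # src -> alert record
    events = sorted(filter(None, map(parse, log_text.splitlines())),
                    key=lambda e: e["ts"])
    for ev in events:
        src, q = ev["src"], failures[ev["src"]]
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "burst_start": q[0],
                               "logins_after_burst": []}
        elif src in alerts:
            # A success from a flagged source: record where it got in.
            alerts[src]["logins_after_burst"].append((ev["user"], ev["node"]))
    return list(alerts.values())
```

On the sample data the single mistyped password from 198.51.100.20 stays below the threshold, while the flagged source is followed from the VPN gateway to the Git server.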
To identify and stop a supply chain attack quickly, the following steps can be taken:
- Leverage cutting-edge security measures for both endpoints and the network (XDR, NGFW).
- Set up network monitoring to spot any suspicious activities.
- Establish a backup procedure to safeguard data in case of destruction or encryption.
- Enforce a security policy, such as permitting only authorized applications to run.
- Regularly conduct penetration testing and security scans.
- Utilize network segmentation to safeguard sensitive data and prevent lateral movement.
- Control and monitor the actions of privileged users by using Privileged Access Management (PAM), which effectively reduces the potential for unauthorized resource access.
Mitigating problems stemming from the human factor is crucial in many situations. It is incumbent on company leaders to ensure that users and employees strictly adhere to all security protocols.
Ensuring security on the side of software vendors
As the specialists at SKUPREME point out, automating the majority of manual processes within supply chain management is crucial. It is a critical step towards reducing the risks that arise from human error and other sources. To diminish the chances of a successful attack, vendors must uphold a strong security posture across their external and internal IT infrastructure:
- Implement multi-factor authentication.
- Apply the principle of least privilege.
- Establish a Security Development Lifecycle (SDL) process.
- Optimize the software update management process.
- Incorporate code integrity controls.
- Properly utilize digital signatures for executable files and libraries.
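One way to apply a code integrity control on the receiving side, as an added example that is not from the original article: every file in a release is compared with a manifest of pinned SHA-256 digests before installation, so a substituted library or an extra file is reported. The file names and contents are constructed, and the manifest is assumed to have been authenticated already, for instance by the vendor's digital signature, which this sketch does not check.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Stream the file so large artifacts are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_release(directory, manifest):
    """Compare every file in a release directory with the pinned digests.

    manifest maps relative file name -> expected SHA-256 hex digest and is
    assumed to be authenticated already (for example by its own signature).
    """
    directory = Path(directory)
    report = {}
    for name, expected in manifest.items():
        path = directory / name
        if not path.is_file():
            report[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected.lower()):
            report[name] = "ok"
        else:
            report[name] = "modified"
    # Files shipped alongside the release but never listed are also suspect.
    for path in directory.rglob("*"):
        rel = path.relative_to(directory).as_posix()
        if path.is_file() and rel not in manifest:
            report[rel] = "unexpected"
    return report

def demo():
    """Constructed release: one library is swapped and one extra file is added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.bin").write_bytes(b"application v1.2")
        (root / "libpay.so").write_bytes(b"legitimate library")
        manifest = {p.name: sha256_file(p) for p in root.iterdir()}
        manifest["README.txt"] = hashlib.sha256(b"docs").hexdigest()
        (root / "libpay.so").write_bytes(b"substituted library")   # tampering
        (root / "helper.dll").write_bytes(b"not in the manifest")
        return verify_release(root, manifest)
```

An installer or build step would refuse to proceed unless every entry in the report is "ok".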
Particular emphasis should be placed on incident response, focusing on developing strategies to contain incidents and minimize damage. It is crucial to formulate a comprehensive plan and disseminate it to all employees, detailing the appropriate procedures to follow in emergencies. This could include instructions on whom to notify in case of an unexpected commit to a repository, the discovery of unfamiliar files, or unusual system behavior. Ensuring all employees are fully aware of their roles and responsibilities is paramount. Also, maintaining clear and effective communication both during and after an incident is vital.