The Rise of Supply-Chain Attacks and How You Too Can to Combat Them
Current Landscape
In today's interconnected world, supply-chain attacks have become a significant threat to organizations of all sizes. These attacks target (i) less secure elements within the supply chain, such as suppliers, vendors, or third-party service providers, and, more recently, (ii) highly trusted developers' working platforms, to gain access to sensitive data, systems, or infrastructure.
What is Supply-chain Attack in the Cybersecurity Context
There is no standard definition and classification on this topic.
A supply-chain attack in cybersecurity is a type of attack where adversaries target an organization by compromising its suppliers, vendors, or third-party service providers. Instead of attacking the organization directly, attackers infiltrate less secure elements in the supply chain to gain access to sensitive data, systems, or infrastructure.
Classification of Supply-chain Attacks
These attacks can be classified into four main groups: Software Supply-Chain Attacks, Hardware Supply-Chain Attacks, Third-Party Service Attacks, and Code Dependency Attacks.
-
1. Software Supply-Chain Attacks: These involve injecting malicious code into OEM software products or updates, affecting all users of the compromised software.
- One example is the SolarWinds attack reported in Dec 2020, where attackers compromised the Orion software update with malware called SUNBURST and infiltrated multiple U.S. government agencies and companies. This case is undeniably a software supply-chain attack because the poisoned Orion software update was digitally signed by SolarWinds
-
2. Hardware Supply-Chain Attacks: These attacks target physical components during manufacturing or distribution, whereby unauthorized hardware-based backdoors are planted by malicious entities.
- This controversial report by Bloomberg in Oct 2018 illustrated the example – tiny spy chips were found on Supermicro server motherboards that were installed on products such as Apple and Amazon. While expanded its claim, Bloomberg further pursued with their investigation involving law enforcement, the military, Congress, intelligence agencies as well as the private sector. Supermicro has, and as always, unequivocally refuted the accusation in its statement.
-
3. Third-Party Service Attacks: These types of attacks target Third-party Vendors, Cloud Services, or Managed Service Providers (MSPs) by exploiting vulnerabilities in their systems or services, creating a wider and faster spread of compromised devices used by the Vendor’s customers when successful.
- The attack on the Kaseya Virtual System/Server Administrator (VSA) servers in July 2021 is a good example, where attackers exploited one of the reported zero-day vulnerabilities on their remote monitoring tool that implicated thousands of their customers.
-
4. Code Dependency Attacks: Unlike software supply-chain attacks at the software vendor level, attackers inject malicious codes into popular and open-source libraries, or easily imitate or typosquat such libraries, that developers installed onto their machine and unknowingly invited all-the-wares. At worst, it can further migrate to developers’ git repositories or enterprise servers causing more harm.
- Since developers use IDEs to develop their applications and it is uncommon to run in a sandbox, this makes poisoning libraries used by popular IDEs, such as VS Code, the ideal target to penetrate a system. Moving away from typosquatting, researchers successfully demonstrated, without any fact check, they masqueraded a legitimate extension package and found other suspicious extensions inside VS Code Marketplace. In a more well-planned deception, malicious [GitHub projects were found to have been deployed years ago] (https://securelist.com/gitvenom-campaign/115694/).
Why Supply-chain Attacks Thrive?
As you can see, these types of attacks have already evolved from the typical approach of hitting the target directly, to a more indirect approach. These attacks thrive because they present the following characteristics:
-
Openness: Open source software allows anyone to inspect and improve on it. But this means that cybercriminals are also granted the opportunity to sharpen their axes. Even big tech companies that utilise a mix of public and private dependencies once had their setbacks. Hence, know what you install.
-
Wider and Faster Spread: The attractiveness of such attacks is also mainly due to the wider and faster spread. As shown, by compromising a single software vendor, attackers can potentially affect all the vendor's customers such as ASUS incident in Jun 2018. And obviously, this will lead to a much higher return on investment which in turn propels similar exploitation in other types of services. Imagine the effort and time the cybercriminals had saved…
-
Trust, Reliance, and Credibility: Trust is fundamental to securing network communications, the use of PKI and reliance on CAs are the standard use cases to explain the tangled relationship. Because of this, cybercriminals latch on the reliance and craftily exploit vendor’s software and open source coding libraries because customers and developers trust and heavily rely on them to complete their product. When left unchecked, the exploits will inevitably gain credibility with a growing customer pool and more software downloads.
Can Companies Implement Measures to Prevent Supply-chain Attacks?
While eliminating these attacks is challenging, implementing these security measures can (i) significantly reduce the risk and impact, (ii) enable a faster recovery, and (iii) regain market confidence for your company.
Importantly, companies should throw away the notion that the “supplier” is to resolve it because the attack is on them.
You can do something!
Below are some measures and rationale for why companies like yours should implement them, and reevaluate if you have not.
User Awareness Training First and foremost, educating all employees is the fundamental measure that helps detect and protect against cyberattacks. Period.
Rationale: There are cases where the “supplier” is not the one who discovered the attack. Your staff can be defenders too.
Therefore, regular training sessions and simulations can further reinforce awareness and provide guidelines on how to recognize and report suspicious activity. CISOs should ensure that supply-chain attacks are part of the training package and iterate the importance of following security protocols.
Incident Response Plan Developing and maintaining an incident response plan specifically for supply-chain attacks is crucial for all types of supply-chain attacks. Yes, the attack in on the “supplier”, however, you do not have to always wait for their solution but take certain proactive actions immediately to minimise the impact.
Rationale: You have control and therefore you can take the following actions before more damages are done.
Using Security Control mechanisms to frame the context, here are three questions that you can and ought to answer:
- Preventive Control – What are the systems that can be isolated to prevent manifestation to the rest of the network?
- Corrective Control – What are the losses if the last backup is used?
- Detective Control – What type of logs is useful to participate in the investigations and confirm the damages?
Thus, conducting regular drills prepares all employees to response should the crack, whether a real attack or a stumble, originate from vendor side. Ultimately, knowing how to swiftly respond within your limits does helps to bring back your company’s market confidence unlike one that took a longer recovery time and being challenged by the Vendor.
Vendor Risk Management Regardless of your company size, it is common practice to request vendors to provide their independent certifications, such as SOC 2 which includes their internal control on security measures, or audit reports.
Rationale: You must sense-make the degree of confidence of potential vendors before making a business deal. After all, vendors are equally looking for an opportunity with you.
With an assessment, it is therefore the first step in mitigating Third-Party Service Attacks as you can assess vendors’ robustness in their security measures.
Customer/Independent Audits Conducting customer audits or calling for independent audits on manufacturers can be effective in countering, hardware in particular, Supply-Chain Attacks.
Rationale: Audits can verify that vendors comply with security standards.
This, however, largely depends on two factors. First, smaller companies may lack the resources to call for such audits but to rely on independent certifications instead. Second, big and established vendors like AWS offer comprehensive security certifications (e.g., SOC 2, ISO 27001) instead of allowing individual audits. Whichever the factors, the end goal for vendors is always to build trust in the partnership and ensure transparency and accountability.
Asset Inventory Regularly reviewing and updating the inventory can help in mitigating Hardware Supply-Chain Attacks and Third-Party Service Attacks.
Rationale: Well, one can only defend what (you think) you have.
You never know if a terminated vendor may still be connecting to your IT resources, leading to Shadow IT and IT Sprawl if inventories of any of your hardware and software assets are not updated.
Patch Management Implementing an automated patch management system ensures timely updates, while testing patches in a controlled environment before deployment helps in identifying any potential issues.
Rationale: Keeping all software up to date with the latest patches is crucial in defending against Software Supply-Chain and Code Dependency flaws. There is no second doubt about this point.
That said, there are occasions when hiccups, albeit shifting responsibilities, do happen. However, some developers do choose to wait for a while before effecting the updates. Let others fail first… Sure! But obviously, this is unless vendors and security research firms urge to perform an immediate update. In short, companies should define in their policies the strategy to update software. A simple guideline is to categorize by the criticality of the software.
Sandbox Testing Whether to wait or not, before deploying new software or updates, testing them in a controlled environment, such as a sandbox environment, can help detect any malicious behavior.
Rationale: You do not want to jeopardize your systems with untested software, but at the same time, you want to know how the whole system would behave when the new software is executed.
Like the term ‘sandbox’, it is a playground filled with sand. Inside the playground, you build sandcastles (servers), bailey (firewalls), markets (trading of information), and villages (services) with pathed roads (networks) connecting all the facilities. Nothing is real because it lives only inside the playground and is not connected to your enterprise. Therefore, applying this measure will be particularly useful against Software Supply-Chain Attacks and should be put into practice for preventing Code Dependency Attacks.
When all has failed (someone lurking inside your network…)
Use Honeytokens A successful penetration will go on to comb your network for other valuables, persistently and will not stop.
Rationale: When your first (few) line(s) of defences have failed, the penetrators are free to look for more honey.
This is where the deployment of honeytokens, which are decoy resources, are set to alert you to suspicious activity in the decoy resources and help to detect unauthorized access that failed by other means.
Limiting and Segregation of Access Performed during on-boarding, change of roles, and periodic review, the process of setting access rights that follows the Principle of Least Privilege (PoLP) ensures that users, and vendors, have only the access they need. But is that all?
Rationale: Consider this, when a user account is taken over control by bad actors, limited access based on PoLP plays a big part. Hence, take the above process seriously!
However, should the breached account be a Privileged Account, the impact will be vastly different. Therefore, companies should adopt a minimalist approach when setting up Privileged Accounts - plan out how to segregate systems tagging to different accounts and other enhancements like MFA and the 2-person rule.
Conclusion
As discussed, there are measures that your company can implement to guard, detect, and minimize the impact should your vendors be compromised with ripples coming to you. After all, the quicker you regain control of your systems, the more it will make a difference in market confidence for your company.