Supply chain attacks are on the rise. Learn how to align security efforts within your supply chain to reach a more desirable level of cyber protection.
For many years, supply chain attacks have been a concern for cybersecurity experts. A chain reaction triggered by an attack on a single supplier can compromise a whole network of providers. Several major incidents in recent years have demonstrated how harmful this kind of attack can be. It suffices to mention SolarWinds, which fell victim to a supply chain malware attack resulting in one of the biggest data security incidents to date. The attack was carried out by delivering malware through the company’s own servers during a software update. The incident affected around 100 SolarWinds customers, including the US Treasury Department, the US Department of Defense, and other governmental agencies.
As attackers shift their attention to suppliers, strong security protection within a single company is no longer enough. It is more important to align security efforts among all parties within the supply chain and to validate products and services at every stage of the life cycle.
A supply chain attack is a cyberattack that aims to access information held by multiple organizations (or a targeted business) by attacking less-secure elements in the supply chain. Typically, any industry from communication services to healthcare can fall victim to a supply chain attack.
The National Institute of Standards and Technology (NIST) acknowledges that supply chain networks fit within the greater information and communications technology (ICT) supply chain framework – a network of retailers, distributors, and suppliers that participate in the sale, delivery, and production of hardware, software, and managed services. The ICT Supply Chain Lifecycle entails six phases – design, development and production, distribution, acquisition and deployment, maintenance, and disposal – and each of these phases may be exposed to different types of supply chain attack risks. For instance, compromised software may be deployed on devices at the design stage and then collect and transmit data to a foreign server. Or an attacker may gain access to targeted businesses through improperly wiped laptops at the disposal stage.
Modern organizations are extremely vulnerable to supply chain attacks for several major reasons. First, many vendors require privileged access to information systems, software code, or intellectual property to perform their service operations. Second, many third-party software products require a constant dialogue between the vendor’s network and the software product on the customers’ networks. Finally, third-party vendors often have poor security practices, which put the entire supply chain at risk. Given these vulnerabilities, attackers keep inventing new ways and methodologies for executing their attacks. Defenders, on the other hand, should apply best practices to minimize the risk of a supply chain attack.
An attack could be either a sophisticated campaign, such as the SolarWinds attack, or something simpler. For instance, attackers may compromise software or a device at the design stage, as in the case of cell phones where a manufacturer sold devices programmed to make encrypted records of call histories, phone details, and contact information and to periodically transmit that data to a foreign server.
Most modern software vendors distribute routine updates to address bugs and security issues as a systematic part of product maintenance. Hackers can hijack an update through a supplier’s network and either insert malware into the outgoing update or modify the update to gain control over the normal functionality. An example of such a threat was the NotPetya attack that occurred in 2017, when Russian hackers distributed malware through an accounting software product popular in Ukraine.
Another common supply chain attack technique is infecting digital suppliers with malware designed to steal sensitive customer data. For instance, a hacker group disseminated digital skimming code by infecting the supply chain: it managed to infect hundreds of websites via a French advertising agency. The attackers compromised a content delivery network for ads run by the agency so that it included a stager containing the skimmer code. This means that any website loading a script containing the agency’s ad would inadvertently load the digital skimmer, which steals visitors’ payment information.
Open-source code compromises are a frequently used type of supply chain attack. They occur when attackers insert malicious code into publicly accessible code libraries, which unsuspecting developers then add to their own code. For example, in 2018, researchers discovered 12 malicious Python libraries where attackers used typosquatting tactics by creating libraries titled “diango,” “djago,” “dajngo,” etc., to attract developers seeking the popular “django” library. Given that the number of supply chain attacks on open-source software packages increased by 650% in 2021, developers should be more cautious than ever.
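A defender-side check for the typosquatting tactic described above, written as an added example (not code from the original post): it scans a requirements file and flags dependency names that are within a couple of edits of a well-known package name without matching it exactly. The list of popular packages and the sample requirements are constructed for the demonstration and include the misspelled “django” names mentioned in the post.

```python
# Added example (not from the original post): flag dependency names in a
# requirements file that look like typosquats of well-known packages.
# The "popular" list and the sample requirements are constructed for the demo.

POPULAR_PACKAGES = {"django", "requests", "flask", "numpy", "urllib3"}

# Constructed sample requirements.txt content, including the misspelled
# "django" names the post mentions.
SAMPLE_REQUIREMENTS = """\
django==4.2
diango==1.0
djago==1.0
dajngo==1.0
requests>=2.31
numpy
"""

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def package_name(line: str) -> str:
    """Strip version specifiers, extras, markers and comments from one requirements line."""
    name = line.split("#", 1)[0].strip()
    for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "[", ";"):
        name = name.split(sep, 1)[0]
    return name.strip().lower()

def find_typosquats(requirements: str, popular=POPULAR_PACKAGES, max_dist: int = 2):
    """Return (name, lookalike, distance) for names close to, but not equal to, a popular package."""
    hits = []
    for line in requirements.splitlines():
        name = package_name(line)
        if not name or name in popular:
            continue  # blank line or an exact, legitimate name
        for known in sorted(popular):
            d = levenshtein(name, known)
            if d <= max_dist:
                hits.append((name, known, d))
                break
    return hits

if __name__ == "__main__":
    for name, known, d in find_typosquats(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {name!r} is {d} edit(s) from {known!r}")
```

Such a check belongs in CI alongside pinned versions and hash verification; an edit-distance hit is a prompt for review, not proof of malice.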
Security professionals have only a limited ability to mitigate the consequences of an attack after a supply chain has been compromised. This is because organizations rarely control their entire supply chain and lack the authority to compel their supply chain partners. The difficulty of mitigating supply chain attacks prompts security specialists to implement industry best practices before an attack takes place.
To reduce supply chain vulnerabilities and manage risks, businesses should embrace best practices to prevent supply chain attacks.
It is very important to establish a formal Cyber Supply Chain Risk Management (C-SCRM) program to prevent, mitigate, and respond to vulnerabilities that may be introduced through the cyber supply chain and exploited by malicious actors. Integrate the C-SCRM across the organization, closely collaborate with your key suppliers, and include them in resilience and improvement activities. Always assess and monitor throughout the supplier relationship and keep a full lifecycle plan in mind.
Include clear and unambiguous security requirements in every third-party contract. Use supplier certifications to verify whether the supplier incorporates secure software development practices throughout all lifecycle phases. Also, check whether the supplier actively addresses known weaknesses and vulnerabilities. A prominent example of how to manage relationships with vendors is HIPAA Business Associate Agreements (BAA) which all covered entities sign with their vendors to spell out requirements around PHI.
Do not neglect Secure Software Lifecycle Development Programs and training for personnel. Establish a formal security awareness and training program and provide continuous education to all workforce members. Require your partners to do the same. Assign roles in charge of supply chain cybersecurity to cooperate with teams that touch products at every stage of their development lifecycle and ensure that cybersecurity is a part of suppliers’ and developers’ processes.
Work with your vendors on-site to address any vulnerabilities and security gaps. Maintain zero tolerance for vendor products that are either counterfeit or do not match specifications. Control and pre-qualify all components purchased from vendors before accepting them. Where possible, obtain the source code for all purchased software.
Impose strict control on third-party access to software and data and limit it to very few vendors. Ensure your hardware vendors are limited to mechanical systems with no access to control systems. Reduce software attack surface by conducting security impact analyses, hardening software, and maintaining an information system component inventory. Always identify critical data and baseline your data flow processes.
Because supply chain attack techniques exploit the growing interdependencies between organizations, their impact has far-reaching consequences. Beyond the damage to affected organizations and third parties, there are deeper causes for concern. Supply chain attacks may cause sensitive data exfiltration or even pose a threat to national security. In this environment, businesses should establish best practices and maintain coordinated actions to reach a strong level of security.
To stay updated on most acute cybersecurity topics, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist!