A supply chain attack is one in which an attacker reaches your systems through an outside provider or partner that already has access to your data and infrastructure. That external party has been granted rights to use and manipulate parts of your network, your applications, or sensitive data. An attacker therefore only has to penetrate the third party's defences, or plant a loophole in a product the vendor ships to you, to get into your environment.
Supply chain attacks are diverse. They have hit large companies, as in the Target breach, which began with credentials stolen from one of Target's contractors, and normally dependable systems, as when automated teller machine (ATM) malware is planted to make machines dispense cash. They have also been used against governments, as with the Stuxnet computer worm designed to sabotage Iran's nuclear facilities.
Some of the most common sources of supply chain attacks are commercial software, open-source supply chains, and foreign products.
Because hundreds or even thousands of companies may use the same vendor's software, an attacker who penetrates that vendor's systems or compromises the integrity of its product gains a route into a large number of targets at once.
If attackers can insert malicious code into software that companies purchase, they do not have to break into each company's systems individually. Attackers may also steal the penetration-testing tools that security vendors provide to their clients and use those tools to gain a foothold in customers' networks.
One way attackers have compromised software is through compiler attacks. A compiler translates source code into machine code (or into another target language). In a compiler attack the compiler itself is subverted so that it inserts malicious code into every program it builds, even when the source being compiled is clean, which is why reviewing the source alone does not catch it.
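The following is an added example, not code from the original article, showing the compiler attack in miniature and the check that catches it. The "tampered toolchain" is a hypothetical wrapper around Python's own compile() that splices an extra statement into every module it builds; the sample module and the injected payload are constructed. The source a reviewer reads hashes the same in both cases, but the artifacts do not, which is what a reproducible-build comparison across independent toolchains (Wheeler's diverse double-compiling) relies on.

```python
"""Toy compiler attack and the reproducible-build check that catches it.

Added example, not code from the original article. The "tampered toolchain"
is a hypothetical wrapper around Python's own compile() that splices an extra
statement into every module it builds; the source text it is handed is never
modified, so a reviewer reading the source sees nothing wrong.
"""
import ast
import hashlib
import marshal

# Constructed sample module: this is all a code reviewer would ever see.
CLEAN_SOURCE = """\
def add(a, b):
    return a + b

RESULT = add(2, 3)
"""

# Hypothetical payload the subverted toolchain adds to every build.
INJECTED_SOURCE = "BACKDOOR_FLAG = True"


def clean_compile(source, filename="<module>"):
    """Honest toolchain: compiles exactly the source it is given."""
    return compile(source, filename, "exec")


def tampered_compile(source, filename="<module>"):
    """Subverted toolchain: parses the clean source, appends extra AST nodes,
    and compiles the result. The caller's source string is left untouched."""
    tree = ast.parse(source, filename)
    tree.body.extend(ast.parse(INJECTED_SOURCE).body)
    ast.fix_missing_locations(tree)
    return compile(tree, filename, "exec")


def source_digest(source):
    """What a source-level review or source signature covers."""
    return hashlib.sha256(source.encode()).hexdigest()


def artifact_digest(code):
    """What actually ships: the marshalled code object."""
    return hashlib.sha256(marshal.dumps(code)).hexdigest()


def build_and_run(compiler, source):
    """Build with the given toolchain, execute the artifact and return the
    module's resulting globals (minus Python's own bookkeeping names)."""
    namespace = {}
    exec(compiler(source), namespace)
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


def builds_agree(source, toolchains):
    """Diverse double-compiling in miniature: build the same source with each
    toolchain and require byte-identical artifacts. Any disagreement means at
    least one toolchain altered the program. In practice the toolchains are
    independently obtained compilers; here they are just functions."""
    return len({artifact_digest(t(source)) for t in toolchains}) == 1


if __name__ == "__main__":
    print("source digest (identical for both builds):", source_digest(CLEAN_SOURCE))
    print("clean build:   ", build_and_run(clean_compile, CLEAN_SOURCE))
    print("tampered build:", build_and_run(tampered_compile, CLEAN_SOURCE))
    print("artifacts agree:", builds_agree(CLEAN_SOURCE, [clean_compile, tampered_compile]))
```

Both builds compute RESULT == 5, so functional tests pass either way; only the tampered artifact also defines BACKDOOR_FLAG. Comparing artifact digests from two independently sourced toolchains is the check that exposes the difference without reading the bytecode.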
With open-source software, anyone can contribute to a program's development. Attackers have used this open access to introduce vulnerabilities and backdoors into open-source components, which then flow into every company that uses them.
Although other members of the development community can read and review the contribution, they may not know what to look for, so a carefully disguised change can pass review and introduce any number of weaknesses.
In countries such as China, where the government can exert deep, granular control over what private companies produce, software products may contain malicious code that the government required the producer to include.
Nor does the inclusion of such code require government sanction. Malicious actors can infiltrate a company and sneak their code into an otherwise legitimate product; when that product is bought by customers in other countries, attackers on the far side of the border may end up with full access to sensitive systems.
For a supply chain attack to work, the attacker has to insert malicious code into software, or find a way to compromise the network protocols or components that deliver it. Once such an opportunity is found, it is exploited to gain access to critical digital resources.
Because the compromised products come from trusted vendors, supply chain attackers have an easier time getting into their targets' systems. The delivery vehicle may be an application or one of its updates, which, ironically, is often the very update designed to close security holes.
There are several kinds of supply chain attack, all of which involve creating or exploiting security weaknesses in solutions that companies trust. They include:
Attacks on supply chains have recently resulted in several high-profile incidents. In each of the following examples, the systems or software of trusted vendors were compromised.
Dependency Confusion, 2021
A security researcher, Alex Birsan, was able to get his code running inside Microsoft, Uber, Apple, and Tesla by exploiting how build tools resolve the dependencies applications pull in. He found the names of internal packages those companies used and published harmless packages under the same names on public registries with higher version numbers; because the build tools preferred the higher public version, his packages were installed and sent back a harmless beacon.
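The following is an added example, not code from the original article and not Birsan's own tooling, that simulates the resolution behaviour the attack depends on with an in-memory package resolver. The package names, versions and index URLs are constructed. The naive resolver treats every configured index as equally trustworthy and picks the highest version across all of them; the scoped resolver binds internal names to the private index and refuses to fall back to a public one.

```python
"""Dependency confusion, simulated with an in-memory package resolver.

Added example; not code from the original article and not Birsan's own
tooling. The package names, versions and index URLs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # (major, minor, patch); tuples order like version numbers
    index: str


PRIVATE_INDEX = "https://pypi.internal.example/simple"  # hypothetical
PUBLIC_INDEX = "https://public.example/simple"          # hypothetical

# Constructed index contents. "internal-utils" is a private package whose name
# leaked (for instance through a public build file). An attacker registered the
# same name on the public index with a deliberately huge version number.
INDEXES = {
    PRIVATE_INDEX: [
        Candidate("internal-utils", (1, 1, 0), PRIVATE_INDEX),
        Candidate("internal-utils", (1, 2, 0), PRIVATE_INDEX),
    ],
    PUBLIC_INDEX: [
        Candidate("internal-utils", (99, 0, 0), PUBLIC_INDEX),
        Candidate("requests", (2, 31, 0), PUBLIC_INDEX),
    ],
}


def resolve_highest(name, index_urls):
    """Mimics a resolver that treats every configured index as equally
    trustworthy (what an "extra index" style configuration gives you): all
    indexes are consulted and the highest version wins, whichever index it
    came from. That is exactly what the attack relies on."""
    candidates = [c for url in index_urls
                  for c in INDEXES.get(url, []) if c.name == name]
    if not candidates:
        raise LookupError(f"no candidates for {name}")
    return max(candidates, key=lambda c: c.version)


def resolve_scoped(name, index_urls, private_names, private_index):
    """Hardened resolution: a package known to be internal is fetched only from
    the private index, and a private name that is missing there is an error
    rather than a reason to fall back to a public index. Public packages never
    consult the private index, so neither side can shadow the other."""
    if name in private_names:
        candidates = [c for c in INDEXES.get(private_index, []) if c.name == name]
        if not candidates:
            raise LookupError(f"{name} is internal but absent from {private_index}")
        return max(candidates, key=lambda c: c.version)
    return resolve_highest(name, [u for u in index_urls if u != private_index])


def squatted_private_names(private_names, index_urls, private_index):
    """Audit helper: internal names that also exist on a public index, which is
    the precondition for a confusion attack. Returns (name, index, version)."""
    hits = []
    for url in index_urls:
        if url == private_index:
            continue
        hits.extend((c.name, url, c.version)
                    for c in INDEXES.get(url, []) if c.name in private_names)
    return hits


if __name__ == "__main__":
    urls = [PRIVATE_INDEX, PUBLIC_INDEX]
    print("naive: ", resolve_highest("internal-utils", urls))
    print("scoped:", resolve_scoped("internal-utils", urls, {"internal-utils"}, PRIVATE_INDEX))
    print("squats:", squatted_private_names({"internal-utils"}, urls, PRIVATE_INDEX))
```

The real-world equivalents of resolve_scoped are registry-bound package scopes, a single private index that proxies the public one and pins which names it serves locally, and registering your internal names on public registries as placeholders so nobody else can. The squatted_private_names audit is worth running on a schedule, since a clean result today says nothing about tomorrow.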
Mimecast, 2021
In the Mimecast attack, the attackers compromised a certificate that Mimecast customers use to authenticate Mimecast's services to Microsoft 365 Exchange Web Services. About 10% of Mimecast's customers used products that relied on the compromised certificate, although only a small number of those were actually targeted.
SolarWinds, 2020
The SolarWinds attack was carried out by injecting a backdoor, known as SUNBURST, into builds of the Orion IT monitoring platform that were delivered through its normal update channel. The trojanised update was downloaded by as many as 18,000 customers.
ASUS, 2018
According to Symantec researchers, the attack on ASUS abused the vendor's automatic update feature and affected as many as 500,000 systems. A trojanised update, signed with a legitimate ASUS certificate, was pushed through the update mechanism and installed malware on users' systems.
Event-stream, 2018
In the event-stream attack, malicious code was introduced into event-stream, a widely used open-source npm package developed on GitHub, after its original maintainer handed the project to a new contributor who added a malicious dependency. An unknown number of applications pulled the dependency in. The case shows the flip side of open development: GitHub encourages users to share their code, and anyone who gains commit rights to a popular project can ship code to every downstream user.
Companies can combine several techniques to defend against supply chain attacks, ranging from fixing weaknesses in their general cybersecurity posture to securing endpoints against infiltration.
Shadow IT refers to services that employees use without the IT department's oversight. These range from security software to communication tools and more. Auditing them may reveal weaknesses that supply chain attackers can leverage.
Regardless of how useful it is, each software asset is a potential point of entry. With an up-to-date inventory of all the software your company uses, you can keep track of which apps, updates, and upgrades may present security issues, and you can narrow the set of attack vectors by classifying each product according to the risk it carries.
Require each vendor to provide a complete description of its security measures so you can form a view of how safe its products are, and have a cybersecurity professional review what vendors provide to decide whether it is adequate.
A supplier may be safe in Q1 and the source of an attack in Q2. Therefore evaluate the risk each supplier presents continuously, periodically re-verifying each one rather than relying on a one-off assessment.
In a client-server model, users download content supplied by a server. Client-side protection tools filter downloaded content, looking for and blocking malicious code before it is installed on a machine in your network.
Supply chain attacks often exploit inadequately secured endpoints. An endpoint detection and response (EDR) system can stop many of them at the endpoint, and it also prevents a compromised endpoint from being used to spread the attack to other parts of your network.
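As an added example, not code from the original article and not any vendor's detection logic, the block below runs three endpoint rules over constructed process-creation telemetry. The binary names, paths, digests and events are made up. The point of the rules is that a trusted, validly signed vendor binary is not treated as trusted by signature alone: its digest must match an approved build, it must run from its installed location, and it must not spawn shells or script hosts.

```python
"""Endpoint detection rules run over constructed process telemetry.

Added example; not the article's code and not any vendor product's logic.
The binary names, digests, paths and events below are all made up.
"""
import hashlib


def digest(data):
    return hashlib.sha256(data).hexdigest()


# Known-good digests of the vendor updater, recorded from the build you tested
# and approved. A valid code signature is deliberately NOT the criterion: the
# ASUS and SolarWinds updates carried genuine vendor signatures.
KNOWN_GOOD = {
    "vendor-updater.exe": {
        "digest": {digest(b"updater build 4.2 (constructed)")},
        "path": r"C:\Program Files\Vendor\vendor-updater.exe",
    }
}

# Interpreters and script hosts an updater has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed process-creation events.
EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 4, "image": "vendor-updater.exe", "parent": "services.exe",
     "path": r"C:\Program Files\Vendor\vendor-updater.exe",
     "sha256": digest(b"updater build 4.2 (constructed)"), "signed": True},
    # Same name, same signer, different bytes: the trojanised update.
    {"ts": 2, "pid": 101, "ppid": 4, "image": "vendor-updater.exe", "parent": "services.exe",
     "path": r"C:\Program Files\Vendor\vendor-updater.exe",
     "sha256": digest(b"updater build 4.2 + backdoor (constructed)"), "signed": True},
    {"ts": 3, "pid": 102, "ppid": 101, "image": "powershell.exe", "parent": "vendor-updater.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": digest(b"powershell (constructed)"), "signed": True},
    # Approved updater bytes copied to a writable directory and run from there.
    {"ts": 4, "pid": 103, "ppid": 102, "image": "vendor-updater.exe", "parent": "powershell.exe",
     "path": r"C:\Users\Public\vendor-updater.exe",
     "sha256": digest(b"updater build 4.2 (constructed)"), "signed": True},
    {"ts": 5, "pid": 104, "ppid": 50, "image": "notepad.exe", "parent": "explorer.exe",
     "path": r"C:\Windows\System32\notepad.exe",
     "sha256": digest(b"notepad (constructed)"), "signed": True},
]


def analyse(events, known_good=KNOWN_GOOD, shells=SHELLS):
    """Return (pid, rule, detail) findings. Three rules:
    1. a pinned binary whose digest is not in the approved set;
    2. a pinned binary running from somewhere other than its install path;
    3. a pinned (trusted) binary spawning a shell or script host."""
    findings = []
    for e in events:
        pinned = known_good.get(e["image"])
        if pinned:
            if e["sha256"] not in pinned["digest"]:
                findings.append((e["pid"], "digest-mismatch",
                                 f'{e["image"]} signed={e["signed"]} but digest not approved'))
            if e["path"].lower() != pinned["path"].lower():
                findings.append((e["pid"], "unexpected-path", e["path"]))
        if e["image"] in shells and e["parent"] in known_good:
            findings.append((e["pid"], "trusted-parent-spawned-shell",
                             f'{e["parent"]} -> {e["image"]}'))
    return findings


def pids_by_rule(findings):
    """Group finding pids by rule name, for triage and for assertions."""
    grouped = {}
    for pid, rule, _ in findings:
        grouped.setdefault(rule, []).append(pid)
    return grouped


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

On the constructed events, pid 100 (the approved build) and pid 104 (unrelated) produce nothing, while the trojanised updater, the shell it launched and the relocated copy each trigger one rule. In a real deployment the approved-digest set comes from your own inventory of tested builds, which is why the software inventory and vendor-review steps above feed directly into endpoint detection.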
Code dependency policies are rules that decide whether an application, and the libraries it pulls in, may be installed or run. If the code raises a red flag, the system blocks it. Strict dependency policies can substantially reduce the number of supply chain attacks your company is exposed to.
In some cases, strict rules will flag legitimate apps. It is still better to be safe than sorry: invest a little extra time investigating flagged apps and recording why an exception was granted, rather than loosening the rules.
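The following is an added example, not code from the original article, of a dependency policy gate evaluated against a constructed lock file. The lock-file format is a simplified pip-style "name==version --hash=sha256:..." list, the package names and artifact bytes are made up, and the exceptions table is a hypothetical review record rather than a feature of any real tool. It covers the case above where a legitimate package is flagged: a recorded exception can waive the pinning rules for that package, but an artifact whose hash no longer matches the reviewed one is rejected regardless.

```python
"""A dependency policy gate over a constructed lock file.

Added example; not code from the original article. The lock-file format is a
simplified pip-style "name==version --hash=sha256:..." list, the package names
and artifact bytes are made up, and the exceptions table is a hypothetical
review record, not a feature of any real tool.
"""
import hashlib
import re

LINE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=)?\s*([^\s]*)\s*(.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed artifact store: what the installer would actually download.
ARTIFACTS = {
    ("requests", "2.31.0"): b"requests wheel (constructed)",
    ("internal-utils", "1.2.0"): b"internal-utils wheel (constructed)",
    ("colorizer", "0.3.1"): b"colorizer wheel, tampered (constructed)",
    ("left-pad", "1.3.0"): b"left-pad tarball (constructed)",
}

# Constructed lock file. colorizer's recorded hash was taken from the build that
# was reviewed; the artifact now being served differs from it. left-pad carries
# only a version range and no hash at all.
LOCKFILE = f"""\
requests==2.31.0 --hash=sha256:{sha256(ARTIFACTS[("requests", "2.31.0")])}
internal-utils==1.2.0 --hash=sha256:{sha256(ARTIFACTS[("internal-utils", "1.2.0")])}
colorizer==0.3.1 --hash=sha256:{sha256(b"colorizer wheel, as reviewed (constructed)")}
left-pad>=1.0
"""

DENYLIST = {"totally-legit-tool"}  # hypothetical package name


def parse_lockfile(text):
    """Return (name, operator, version, hashes) per non-empty, non-comment line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        name, op, version, rest = m.groups()
        entries.append((name.lower(), op, version, set(HASH_RE.findall(rest))))
    return entries


def evaluate(lockfile_text, artifacts, exceptions=None, denylist=DENYLIST):
    """Return (name, rule, detail) violations.

    exceptions maps package name -> recorded justification. A recorded
    exception waives the pinning rules only; an integrity failure
    (hash-mismatch) or a deny-list hit can never be waived."""
    exceptions = exceptions or {}
    violations = []
    for name, op, version, hashes in parse_lockfile(lockfile_text):
        if name in denylist:
            violations.append((name, "denylisted", "blocked by policy"))
            continue
        waived = name in exceptions
        if op != "==" and not waived:
            violations.append((name, "unpinned", f"{op or ''}{version}"))
        if not hashes and not waived:
            violations.append((name, "no-hash", "lock file carries no artifact hash"))
        if op == "==" and hashes:
            data = artifacts.get((name, version))
            if data is None:
                violations.append((name, "artifact-missing", version))
            elif sha256(data) not in hashes:
                violations.append((name, "hash-mismatch", version))
    return violations


def names(violations, rule=None):
    """Sorted package names with a violation (optionally of one rule)."""
    return sorted({n for n, r, _ in violations if rule is None or r == rule})


if __name__ == "__main__":
    for v in evaluate(LOCKFILE, ARTIFACTS):
        print(v)
    print("with a recorded exception for left-pad:",
          evaluate(LOCKFILE, ARTIFACTS,
                   exceptions={"left-pad": "SEC-123: vendor publishes no hashes; reviewed"}))
```

Run against the constructed inputs, requests and internal-utils pass, left-pad is reported as unpinned and hash-less, and colorizer fails integrity because the served bytes no longer match the reviewed hash. Adding the exception for left-pad silences its two findings but leaves colorizer blocked, which is the behaviour you want from a waiver mechanism.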
To keep your builds and updates secure, have a plan for regularly installing security patches for your operating systems and the software you run, allow only trusted tools to run on your systems, and require multi-factor authentication (MFA) for administrators.
To make secure update mechanisms a standard part of your development life cycle, you can:
Develop an Incident Response Process
Your incident response process should be systematic and include honest, transparent communication: when something happens, let internal stakeholders and customers know promptly what occurred, what caused it, and what steps are being taken to mitigate it.
Supply chain attackers take advantage of a lack of monitoring within an organisation's environment. Offensive360 Harmony Endpoint helps organisations protect against these threats by monitoring applications for suspicious behaviour that might indicate compromise.