According to a study by Argon Security, software supply chain attacks grew by more than 300% in 2021 compared to 2020.
The study also indicated that attackers focus most heavily on open-source vulnerabilities, code integrity issues, and the exploitation of tools to disrupt the supply chain.
What are supply chain attacks?
A supply chain attack aims to infiltrate and disrupt a weak point of a system within an organization’s supply chain to cause significant operational, financial, and reputational damage. Attacking a third-party supplier or vendor connected to the target is a typical way of doing this.
Cybercriminals use supply chain attacks to meddle with manufacturing processes via hardware or software tampering. For instance, they can install malware at any stage of the supply chain.
Supply chain attacks allow for wider targeting, and the number of victims can proliferate depending on the number of customers that the attacked vendor has.
What are the different types of Supply Chain Attacks?
According to ENISA’s taxonomy of supply chain attacks, the four fundamental elements of a supply chain attack are as follows:
- Attack technique used to compromise the supplier
- Supplier assets targeted
- Attack technique used to compromise the customer
- Customer assets targeted
Let’s look at some of the recent examples of Supply Chain Attacks.
SolarWinds 2020-2021: Threat actor group Nobelium orchestrated the 2020 SolarWinds attack. The attackers obtained access to the SolarWinds network by exploiting a zero-day vulnerability in either third-party applications or devices through brute force attacks or social engineering. During these attacks, the attackers collected extensive information before injecting malicious software into the SolarWinds Orion applications monitoring platform during the build process. Finally, customers downloaded the compromised software via scheduled updates to the software.
Victims of the SolarWinds attack included the U.S. departments of Defense, Energy, Homeland Security, Treasury, State, Commerce, and Health. The episode also compromised significant technology companies, including Microsoft, Intel, and Cisco. SolarWinds estimated that 18,000 organizations may have downloaded the malware.
One of the victims was FireEye, a cybersecurity firm with U.S. government contracts. The attackers specifically targeted FireEye to gather information on government targets.
Accellion 2020-2021: Accellion, a firewall vendor, experienced a powerful attack that started as a vulnerability in firewall equipment and became a global breach of sensitive personal and corporate information.
Between late 2020 and early 2021, the company discovered four different zero-day vulnerabilities in its File Transfer Appliance (FTA). This device is used to transfer large files containing sensitive and business-critical information. Cybercriminals used those vulnerabilities to install a backdoor on the FTA server, which allowed them to steal data from the victims’ networks.
Healthcare organizations, including the United States Department of Health and Human Services, were most impacted by this supply chain attack. Other victims were the Australian Securities and Investments Commission, Bombardier, Stanford University, Royal Dutch Shell, and the Jones Day law firm. The hackers gained sensitive personal information, including social security numbers, financial information, health information, and credit card information.
Dependency Confusion, 2021: Alex Birsan, a security researcher, successfully breached Microsoft, Uber, Apple, and Tesla. He exploited the dependencies that applications use to provide services to end-users, through which he was able to send fake yet harmless data packets to high-profile users.
The name ‘Dependency Confusion’ was given to the vulnerability that allows an attacker to execute malware within a company’s networks by overriding privately-used dependency packages with malicious, public packages of the same name.
The researcher later carried out the same technique by creating public RubyGems and Python packages, porting his malicious code into the dependencies and recreating the attack.
Birsan exploited this vulnerability to breach the internal systems of Shopify, Netflix, Yelp, Tesla, and Uber – earning at least a $130,000 bug bounty in the process.
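The name collision described above can be audited from the defender's side. The following is an added example, not code from the original article or from the researcher: it assumes a resolver that consults both a private and a public index and prefers the highest version, and every package name, version and index snapshot in it is constructed sample data.

```python
import re


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of - _ . are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """'1.4.0' -> (1, 4, 0); handles plain dotted numeric versions only."""
    return tuple(int(part) for part in version.split("."))


def audit(internal, public_index):
    """Classify each internal package against a public index snapshot.

    internal:     {name: version published on the private index}
    public_index: {name: [versions visible on the public index]}
    Returns {name: "shadowed" | "collision" | "unclaimed"}.
    """
    public = {normalize(n): v for n, v in public_index.items()}
    findings = {}
    for name, private_version in internal.items():
        public_versions = public.get(normalize(name))
        if not public_versions:
            # Nobody owns the public name yet: reserve it or use a scoped namespace.
            findings[name] = "unclaimed"
        elif max(map(parse_version, public_versions)) > parse_version(private_version):
            # A highest-version-wins resolver would install the public package.
            findings[name] = "shadowed"
        else:
            # Same name exists publicly but does not currently outrank the private one.
            findings[name] = "collision"
    return findings


# Constructed sample data (hypothetical package names and versions).
INTERNAL = {"acme_billing": "1.4.0", "acme-auth": "2.1.0", "acme-reports": "0.9.2"}
PUBLIC_SNAPSHOT = {"Acme.Billing": ["99.0.0"], "acme-auth": ["0.0.1"]}

if __name__ == "__main__":
    for name, status in audit(INTERNAL, PUBLIC_SNAPSHOT).items():
        print(f"{name}: {status}")
```

Any "shadowed" or "collision" result means builds should be pinned to the private index for that name; "unclaimed" names are candidates for reservation on the public index.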
So, how do you ensure the security of your supply chain?
The following are some of the security measures which can help your organization reduce risk from supply chain attacks.
- Know Your Vendors: With the ever-growing scale of cyber ecosystems, decision-makers discover new business relationships. Be cognizant of each service provider in your extended supply chain. Complete visibility of vendors enables improved tracking and security management. Consider including security requirements in every RFP and contract. Once you accept a vendor into the formal supply chain, a security team should carry out a periodic security assessment of all critical vendors.
- Conduct Regular Risk Assessments: Formal processes ranging from cybersecurity questionnaires to on-site visits can help you obtain a complete understanding of how well your employees, vendors and suppliers adhere to supply chain security best practices. While these initiatives can be time-consuming, they deliver significant benefits in the long run. Consider investing in Third-Party Risk Management (TPRM) frameworks.
- Implement Least Privileged Access: Refrain from providing undue, excessive access and permissions to employees, partners and other third parties. Supply chain attacks are easier to execute where wide-ranging access has been provided. Implementing the Zero-Trust Approach is one way of achieving this. It is easier to mitigate security risks by granting the least privileged access rights to the essential team members while providing software with only necessary permissions.
- Implement Network Segmentation: Third parties should not access critical points within your network unless necessary. Implement Network Segmentation to split the network into various zones based on your business functions. A properly segmented and access-controlled network is more of a challenge for hackers trying to compromise your business operations.
- Consider Honeytokens: Honeytokens operate as data decoys, tempting hackers towards seemingly valuable assets which, in reality, work as traps. As hackers work their way towards these data decoys, a signal alerts the organization to their presence, which the cybersecurity team can then counter swiftly and effectively. By implementing Honeytokens, you can avoid serious security threats.
- Threat Hunting: Knowing whether your organization has been breached and identifying ways to reduce risk is crucial to protecting your organization from data breaches. Security Operations Centre (SOC) analysts can protect your organization from attack by improving endpoint, network, cloud and mobile security and by proactively and iteratively searching through networks, endpoints, and datasets for evidence of a breach.
- Follow DevSecOps Practices: Integrate DevSecOps Security Practices into your development lifecycle; this makes it easier to detect whether or not the software has been tampered with. Building secure software while keeping up with the speed and scale requirements of the market is a paradox that most companies face, which can be addressed by employing DevSecOps best practices, including Security as Code (SaC) and Infrastructure as Code (IaC).
- Address The Fourth-Party Risk: Supply chain risks do not begin and end with third parties. Your vendors likely have a long list of subcontractors and vendors of their own. Mitigating Fourth-Party Risk remains challenging, although some cybersecurity tools can provide monitoring and tracking options for fourth-party groups.
- Spread Cybersecurity Awareness: Run a series of exercises within your organization to help employees understand Phishing, Smishing, Malware and Ransomware threats. Cybersecurity awareness initiatives should run year-round and include clear information about common security threats emerging in the industry and step-by-step guidelines to avoid falling victim to them.
- Always Be Ready: Although one cannot secure a supply chain 100% against cyber-attacks, always have an Incident Response Plan in place. Prepare it in advance, when there is more time for thoughtful preparation, as it is harder to protect your business when an attack is in progress. Ensure that your suppliers and vendors also have one.
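The honeytoken measure from the list above, sketched as an added example that is not part of the original article: a distinct decoy API key is planted at each location (for instance one per vendor share), and any appearance of a decoy in access logs identifies where the leak occurred. The log layout, the location labels and all log lines are constructed assumptions.

```python
import hashlib
import re
import secrets

# Assumed log layout: "<timestamp> src=<ip> key=<api key> <request> <status>"
KEY_RE = re.compile(r"\bkey=([A-Za-z0-9_-]{20,})")
SRC_RE = re.compile(r"\bsrc=(\S+)")


class HoneytokenRegistry:
    """Tracks decoy keys by hash, so a leaked registry does not reveal the decoys."""

    def __init__(self):
        self._planted = {}  # sha256(token) -> where the decoy was planted

    def mint(self, location):
        """Create a decoy key that looks like any other random API key."""
        token = secrets.token_urlsafe(24)
        self._planted[hashlib.sha256(token.encode()).hexdigest()] = location
        return token

    def scan(self, log_lines):
        """Return (line number, planted location, source) for each decoy use."""
        alerts = []
        for lineno, line in enumerate(log_lines, 1):
            for candidate in KEY_RE.findall(line):
                digest = hashlib.sha256(candidate.encode()).hexdigest()
                if digest in self._planted:
                    src = SRC_RE.search(line)
                    alerts.append((lineno, self._planted[digest],
                                   src.group(1) if src else "unknown"))
        return alerts


def demo():
    """Plant two decoys, then scan constructed log lines (not real traffic)."""
    registry = HoneytokenRegistry()
    vendor_key = registry.mint("vendor-a shared drive")
    registry.mint("ci runner env file")  # planted but never used
    real_key = secrets.token_urlsafe(24)  # stands in for a legitimate key
    logs = [
        f"2024-01-01T10:00:00Z src=198.51.100.7 key={real_key} GET /v1/orders 200",
        f"2024-01-01T10:00:05Z src=203.0.113.9 key={vendor_key} GET /v1/export 403",
        "2024-01-01T10:00:09Z src=198.51.100.7 GET /healthz 200",
    ]
    return registry.scan(logs)


if __name__ == "__main__":
    for alert in demo():
        print("honeytoken used:", alert)
```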