What is a Supply Chain Attack?
A supply chain attack, also known as a value-chain attack, occurs when a cybercriminal attacks your systems through an external partner or service provider with access to your network and data. The attack seeks to damage an organization by targeting less-secure elements in the supply chain. With more suppliers and service providers getting access to your network, the supply chain attack is dramatically changing an enterprise’s attack surface.
Key Takeaways
- A supply chain attack occurs when hackers attack organizations through an outside service provider or partner.
- The SolarWinds incident and the FireEye breach are prime examples of supply chain attacks.
- Recent supply chain attacks are a sign that most organizations are not prepared for them.
- Conduct proper due diligence before contracting a vendor to mitigate supply chain risk. You can also implement the least privilege model or partner with a managed security service provider.
How it Works
To understand how supply chain attacks work, it is essential to learn about the supply chain. A supply chain is a system of activities involved in manufacturing, processing, handling, and distributing goods to move resources from vendors or suppliers to the end-user. The system comprises interconnected players meeting demand and supply for a product.
In cybersecurity, a supply chain attack involves tampering with IT resources, such as computers, networks, and software products, to plant hard-to-detect malware that harms players further down the supply chain.
Cybercriminals have access to substantial resources and advanced tooling. Because businesses rely on third-party relationships to establish supply chain trust, attackers can abuse that chain of trust to reach systems and information. Most frequently, supply chain attacks begin with advanced persistent threat groups identifying a supply chain participant with exploitable vulnerabilities.
Supply chain attacks are attractive to malicious actors. For instance, when criminals compromise popular services or applications, they potentially gain access to all enterprises that use the product. Hackers typically tamper with the development of a product by installing a rootkit, malware, or hardware-based spying components.
A supply chain attack can occur in any industry, from the financial sector to the oil industry to government agencies.
Supply Chain Attacks are More Popular Today
With evolving customer and market expectations, enterprises create intelligent supply chains that offer greater resilience, speed, and transparency. Manufacturers, governments, and suppliers are digitally transforming traditional supply chains to achieve more flexibility and closely connected chain networks.
The current supply chain transformations are introducing more connection points with the outside world. More data is flowing between various players, providing essential business agility and speed. However, this trend is massively increasing the risk profile by expanding the cybersecurity attack surface.
As organizations operate in a complex, interlinked world, security is no longer about safeguarding the company’s perimeter. Instead, it involves protecting the whole network of relationships in a supply chain. As the statement goes, you are as secure as the weakest link in the supply chain.
Open Source Supply Chain Threat
Sonatype’s 2020 State of the Software Supply Chain Report states that supply chain attacks targeting open-source software projects are a significant issue for organizations, considering that 90 percent of all applications contain open source code, and 11 percent of the products have known vulnerabilities.
A case in point is the 2017 Equifax breach. In this incident, attackers exploited an unpatched Apache Struts (a free, open-source, MVC framework for creating elegant, modern Java web applications) vulnerability, costing the company $2 billion.
Without proper security measures, attackers will keep introducing vulnerabilities, deliberately compromising supply chains through the open-source development and distribution process.
Examples of Supply Chain Attacks
1. SolarWinds Incident
The SolarWinds incident is an excellent example of a supply chain attack. A group believed to be Russia’s Cozy Bear gained access to government and other organizations through a compromised update to the Orion software of SolarWinds, a vendor to those organizations. The attack enabled criminals to access systems belonging to the US Treasury and Commerce, a discovery that triggered an emergency meeting of the US National Security Council. Other organizations that might have been affected include 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all US Military branches, the Pentagon, the State Department, and hundreds of universities and colleges globally.
2. FireEye Breach
In another notable case, nation-state hackers carried out an attack through FireEye’s updates to a popular network monitoring product. FireEye is one of the world’s top cybersecurity firms with major enterprise and government customers globally. The company delivers top-notch research on state-sponsored threat actors and provides reliable incident response capabilities. The breach allowed highly sophisticated threat actors to access government organizations and other companies.
The Washington Post reported that the attackers were the hacking arm of Russia’s SVR foreign intelligence service, commonly known as Cozy Bear or APT29. The criminals sought information related to FireEye’s customers, specifically government agencies.
Preventing Supply Chain Attacks
An apparent lesson from these incidents is that most organizations are not prepared for supply chain attacks. You can follow these steps to prevent future supply chain attacks:
1. In-depth Due Diligence
In addition to negotiating a contract with a vendor, enterprises should conduct proper due diligence to manage supply chain risk. The processes involve establishing formal programs to manage third-party risks. Some examples of due diligence procedures include questionnaire assessments, documentation reviews, remote assessments, cybersecurity ratings, and onsite security evaluations.
However, questionnaire assessments should be paired with another procedure, such as onsite security evaluations. Enterprises should not take vendor responses at face value but should obtain proof that their suppliers meet security requirements. Businesses can ask software vendors for a software bill of materials (SBOM) that lists all the code components in their products. Such information can aid in identifying potential vulnerabilities in application components.
Organizations should implement and enforce robust vendor controls that require suppliers to abide by a list of approved security protocols. They should also conduct occasional site audits at partners’ locations to enhance security posture.
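As an added example (not from the original article), the following script shows what an organization can do with a vendor-supplied bill of materials: it reads a minimal CycloneDX-style SBOM and reports every component whose version is below the fixed version in an advisory list. Both the SBOM and the advisory entries (component names, versions, and advisory ids) are constructed sample data, not a real vendor SBOM or vulnerability feed.

```python
"""Check a CycloneDX-style SBOM against a list of known-vulnerable component versions."""
import json

# Constructed sample SBOM in the CycloneDX JSON layout (only the fields we need).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.3.31"},
    {"type": "library", "group": "com.example", "name": "logging-utils", "version": "1.8.2"},
    {"type": "library", "group": "org.example", "name": "json-parser", "version": "3.0.0"}
  ]
}
"""

# Constructed advisory list (hypothetical ids and versions): fixed_in is the first safe version.
ADVISORIES = [
    {"group": "org.apache.struts", "name": "struts2-core", "fixed_in": "2.3.32", "id": "ADV-EXAMPLE-1"},
    {"group": "org.example", "name": "json-parser", "fixed_in": "2.9.5", "id": "ADV-EXAMPLE-2"},
]


def parse_version(v):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def vulnerable_components(sbom_text, advisories):
    """Return (group, name, version, advisory_id) for each component below its fix version."""
    components = json.loads(sbom_text).get("components", [])
    findings = []
    for comp in components:
        for adv in advisories:
            same = comp.get("group") == adv["group"] and comp.get("name") == adv["name"]
            if same and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((comp["group"], comp["name"], comp["version"], adv["id"]))
    return findings


if __name__ == "__main__":
    for finding in vulnerable_components(SBOM_JSON, ADVISORIES):
        print("vulnerable component:", finding)
```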
2. Least Privilege
Organizations should double down on least privilege. Suppose vendor-supplied software requires communication with the internet. In that case, users can reduce their exposure by limiting the application’s network access to predetermined sites, which prevents it from communicating with malicious command-and-control servers.
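The egress restriction described above can be checked from the defender's side. This added example (not part of the original article) runs an allowlist of predetermined vendor sites over a constructed outbound-connection log and flags every connection the vendor application made to a host or port outside that list. The log format (`timestamp process host:port`), the host names, and the allowlist are all assumptions made for the example.

```python
"""Flag outbound connections of a vendor-supplied application that fall outside an egress allowlist."""

# Predetermined sites the vendor application may reach (constructed sample allowlist).
ALLOWED_EGRESS = {
    "updates.vendor.example": {443},
    "telemetry.vendor.example": {443},
}

# Constructed sample log lines: <timestamp> <process> <destination-host>:<port>
SAMPLE_LOG = """\
2021-01-10T08:00:01Z vendor-agent updates.vendor.example:443
2021-01-10T08:00:07Z vendor-agent telemetry.vendor.example:443
2021-01-10T08:01:15Z vendor-agent updates.vendor.example:80
2021-01-10T08:02:40Z vendor-agent cdn.updates.vendor.example:443
2021-01-10T08:03:02Z vendor-agent 198.51.100.23:8443
"""


def host_allowed(host, port, allowlist=ALLOWED_EGRESS):
    """True only if host is an allowlisted name (or a subdomain of one) on an allowed port."""
    for allowed_host, ports in allowlist.items():
        if host == allowed_host or host.endswith("." + allowed_host):
            return port in ports
    return False


def parse_line(line):
    """Split one log line into (timestamp, process, host, port)."""
    timestamp, process, dest = line.split()
    host, port = dest.rsplit(":", 1)
    return timestamp, process, host, int(port)


def flag_unexpected_egress(log_text, allowlist=ALLOWED_EGRESS):
    """Return the (timestamp, process, host, port) tuples that are outside the allowlist."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, port = parse_line(line)
        if not host_allowed(host, port, allowlist):
            flagged.append((ts, proc, host, port))
    return flagged


if __name__ == "__main__":
    for event in flag_unexpected_egress(SAMPLE_LOG):
        print("unexpected outbound connection:", event)
```

Flagged events are candidates for blocking at the firewall or proxy and for investigation; the subdomain match is a deliberate design choice and can be tightened to exact hosts if the vendor documents them.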
3. Security by Design
Software vendors should design security features into their software so that unauthorized code access and modification are proactively detected. They should also test and harden the software’s security periodically.
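One concrete way to detect unauthorized modification of shipped code is an authenticated integrity manifest. This added example (not the article's or any vendor's code) builds a manifest of per-file SHA-256 digests at release time and, on the installed copy, reports files that are modified, missing, or unexpectedly present. Files are represented in memory as a constructed `path -> bytes` dict, and the manifest is authenticated with an HMAC under a constructed key for brevity; a real release would sign the manifest with an asymmetric code-signing key so verifiers never hold a secret.

```python
"""Build and verify an authenticated integrity manifest for a software release."""
import hashlib
import hmac
import json

# Constructed sample key (hypothetical); in practice it lives only in the vendor's signing system.
MANIFEST_KEY = b"example-manifest-key-not-a-real-secret"


def build_manifest(files):
    """Return (manifest_json, tag): SHA-256 per file plus an HMAC over the whole manifest."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    manifest_json = json.dumps(digests, sort_keys=True)
    tag = hmac.new(MANIFEST_KEY, manifest_json.encode(), hashlib.sha256).hexdigest()
    return manifest_json, tag


def verify_install(files, manifest_json, tag):
    """Return a dict of findings; an empty dict means the install matches the manifest."""
    expected_tag = hmac.new(MANIFEST_KEY, manifest_json.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return {"manifest": "authentication failed"}  # the manifest itself was altered
    expected = json.loads(manifest_json)
    findings = {}
    for path, digest in expected.items():
        if path not in files:
            findings[path] = "missing"
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            findings[path] = "modified"
    for path in files:
        if path not in expected:
            findings[path] = "unexpected file"  # e.g. a planted library or plugin
    return findings


if __name__ == "__main__":
    # Constructed release contents and a tampered installed copy.
    release = {"bin/agent": b"original agent code", "lib/core.dll": b"original library"}
    manifest, tag = build_manifest(release)
    tampered = dict(release, **{"lib/core.dll": b"altered library", "lib/extra.dll": b"x"})
    print(verify_install(tampered, manifest, tag))
```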
4. Partnering with Managed Security Service Provider
Organizations can leverage expertise from security service providers. Security vendors offer automated threat forensics and dynamic malware protection against familiar and new threats in supply chains.