In today’s connected business ecosystem, digital threats are everywhere. The total number of known data breaches was down slightly in 2020, but the numbers are still alarming. And the scope of some of the worst incidents, like the FireEye breach and the SolarWinds compromise behind it, looks truly devastating: the full impact may not be known for months, even years.
When you think of a data breach or cyber attack, you likely imagine a direct assault: a bad actor looks for vulnerabilities in your company’s systems, seeking a way in. This kind of attack is relatively common, and it gets a lot of attention. However, there’s another, potentially more dangerous attack vector you need to be aware of.
As businesses grow more connected and rely more heavily on tools from vendors and suppliers, the cybersecurity picture grows more complicated. In addition to DNS attacks and other direct security threats, a further category of threat has moved to the forefront: the supply chain attack.
Supply Chain Attacks: A Definition
Despite the name, in the context of information security, a supply chain attack doesn’t have to do with your business’s conventional supply chain at all. Instead, the term describes attacks on your organization’s network that come by way of vendors, connected devices, application installers, and the like.
In other words, supply chain attacks aren’t direct attacks on your network. They’re much sneakier. A supply chain attack targets another entity that you’ve given access to your network (say, a software vendor, a payment processor, a cloud backup solution, a software updater, or any of a host of other functions). If that entity is compromised, the bad actor inherits whatever access you granted it.
These entities form your IT and software supply chain. You rely on them for various functions and features in your IT ecosystem. They provide critical functionality you can’t or don’t want to build yourself. But the access they need to perform their functions is itself a vector of attack.
As these third-party solutions grow in complexity, they grow in their need to access increasingly sensitive types of data. As a result, the threat of a supply chain attack generally increases as your complexity and reliance on third-party tools increase.
How Supply Chain Attacks Happen
Supply chain attacks can originate from a wide range of vectors. We’ll look at several of these in the examples in the following sections. But first, a general overview.
Most IT supply chain attacks occur when cybercriminals go after a smaller or deeply integrated company. Hackers look for the same sorts of vulnerabilities they exploit in other scenarios. But they strategically target companies with inroads to larger, more valuable targets, like enterprise or government entities.
The strategy makes sense from the attacker’s point of view: sure, breaching a giant like AWS or Microsoft directly would be a rich prize. But breaching those companies head-on is incredibly difficult, not to mention risky. Just as everyday thieves look for the softest, lowest-risk targets rather than well-guarded ones like banks, attackers look for lower-risk, high-reward digital targets.
In contrast, it’s much simpler to breach a small business with 20 or 40 employees. Find a company that provides a vital service to a much larger firm, and you may have your ticket through the back door to deliver the payload.
Interestingly, as connected devices and endpoints permeate every aspect of business, traditional supply chains are encountering these same digital threats. Speaking in that context, Curtis Simpson, CISO at Armis, explains that using breached smaller entities as the vehicle for much larger attacks on much larger customers is a growing threat, in part because of insecure devices and credentials.
Most breaches of supply chain entities occur in predictable ways. Exposed network services, unpatched software, and plain old social engineering (phishing for credentials that grant access to a system) are easily three of the top methods.
Types of Supply Chain Attacks (With Examples)
What are the primary vectors that attackers use to conduct a supply chain attack? There are quite a few, and it’s easy to get way too far into the weeds on each one. Below, we’ll outline the most common types and provide well-documented examples of each category.
Software Update Attacks
One of the biggest supply chain threats comes in the form of software updates. The devastating SolarWinds attack falls into this category, and it has put the software supply chain and software development processes in the spotlight (more on that below).
Nearly every business has a dependency on a host of third-party software solutions to get business done. Historically, IT security professionals have warned about the dangers of software vulnerabilities — and this threat remains persistent. The classic answer is to ensure that software remains patched and up to date.
But what if those updates and patches themselves are compromised? One of the most formidable threats to spot is when vulnerabilities, exploits or even malware are intentionally built into software updates.
No company would do this on purpose, of course. But if a vendor’s development or build environment has been compromised, a bad actor can inject malicious code into a legitimate software update. Once that update is installed on your systems, the malicious code runs with the update’s privileges and gives the attacker a foothold inside your network.
So, how did this work in the SolarWinds attack? Well, it’s complicated, and experts are still debating aspects of it. Software supply chain attacks like SolarWinds could be a prelude to mass ransomware deployment, or foreshadow something more sinister. What is known is that someone, likely a state-backed group and likely from Russia, compromised the build process at SolarWinds and planted a backdoor in a signed update for their Orion network management platform.
This trojanized update was pushed out to thousands of organizations (SolarWinds estimated that fewer than 18,000 customers installed it), including US government agencies. It was a highly sophisticated attack, and we still don’t know how deep the damage goes. Note that the usual defense, checking that an update is properly signed by the vendor, did not help here: the backdoored build was signed with SolarWinds’ own legitimate certificate.
This type of attack is brutal. Thankfully, it’s very difficult to execute. Gaining enough access to a company to embed malware within a legitimate software update is just plain hard to do.
Devices with Preinstalled Malware
Another supply chain attack vector is any physical device you add to your infrastructure. There have been numerous cases of devices shipping with unwanted or malicious software preinstalled. Lenovo made the news in 2015 for the Superfish scandal, in which it shipped consumer laptops with adware that installed its own root certificate, letting the software (and anyone who recovered its private key, which researchers quickly did) intercept the user’s HTTPS traffic. It was a bad decision, and security researchers pointed out how risky it was.
There have also been numerous reports of USB drives loaded with malware and of network equipment shipping with preinstalled backdoors, sometimes attributed, with varying degrees of confidence, to state actors.
Third-Party Credential Loss or Theft
Your CISO will tell you: by far, the greatest threat to your information security is the bad habits of your own workforce. They use and reuse terrible passwords if you let them, and they write them down in plain view. They click on phishing emails, even the ones that aren’t particularly convincing. And on and on it goes.
The trouble is, the same goes for your third-party vendors. You may have to give them credentials that reach sensitive data, and there’s only so much you can do to ensure they handle those credentials properly. If a bad actor steals your vendor’s credentials, you could be in for a world of hurt.
Remember the infamous Target breach of 2013? This is exactly what happened. The attackers didn’t attack Target directly. They stole the credentials of an HVAC maintenance vendor, phished from the vendor’s own staff, and logged in to Target’s vendor portal. Because that access could ultimately reach the payment systems, it was all they needed to pivot to the point-of-sale network and steal tens of millions of payment card records.
So far, we’ve covered just three of the avenues for supply chain attacks. There are plenty more that we don’t have time to cover, including stolen or abused code-signing certificates, compromises of the tools used to build and update software, and “Inception-style” attacks on the supply chain inside the supply chain.
Top Tips for How to Prevent Supply Chain Attacks in Your Organization
Given what you now know about supply chain attacks, you’re likely wondering what your company can do to prevent them. Here are some strategies for risk management.
Control Software Installation Rights
Locking down software installation rights is standard practice in enterprises, and it is necessary no matter your business’s size. Use administrative controls (application allowlisting, restricted local administrator rights, and managed update channels) to limit who and what can install software and updates. Your IT security or managed security team should vet updates and third-party software before installation is approved.
Implement Strict File and Network Access Control
Not every employee needs access to every file, and the same goes for your vendors. In Target’s case, there was no good reason for an HVAC vendor’s access to reach the network segment that handled customer payment data. Make sure your vendors have access only to what they need, and nothing more, and segment your network so that a compromised vendor account can’t wander beyond its intended purpose.
Audit and Map Your IT Supply Chain
Do you have a clear understanding of your IT supply chain? Where can you reduce the attack surface that your supply chain creates? Are your third-party vendors compliant with the strictest cybersecurity standards? How do they build and release their software? Alarmingly, many businesses do not have these answers. Take the time to map out which vendors do what and what they have access to. Develop security questionnaires and be willing to ask your vendors uncomfortable questions about what they’re doing to keep your data safe. Consider building security expectations into your contracts as well. In particular, require multi-factor authentication on every vendor account that touches your systems: a stolen password alone is then no longer enough for a threat actor to reach a vendor’s, or your, internal systems.
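The two tips above (least-privilege vendor access and mapping who can reach what) are easier to enforce when the mapping is data you can check rather than a spreadsheet nobody reads. The script below is an added example, not code from the original article: it takes a constructed inventory of hypothetical vendors, the network segments each one’s contract actually requires, and the access grants observed in firewall rules, VPN profiles and identity-provider groups, then flags grants that exceed the declared need, grants to vendors nobody has mapped, and vendors whose accounts are not behind MFA. All vendor, account and segment names are made up for illustration.

```python
"""Least-privilege audit of third-party vendor access (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Vendor:
    """One third-party supplier and the access its contract actually requires."""
    name: str
    purpose: str
    needed_segments: FrozenSet[str]   # network segments the vendor's job requires
    mfa_enforced: bool                # are the vendor's accounts behind MFA?


@dataclass(frozen=True)
class AccessGrant:
    """One observed grant: a firewall rule, VPN profile or IdP group membership."""
    vendor: str
    account: str
    segment: str
    source: str


@dataclass(frozen=True)
class Finding:
    kind: str      # "excess_access", "no_mfa" or "unmapped_vendor"
    vendor: str
    detail: str


def audit_vendor_access(vendors: List[Vendor], grants: List[AccessGrant]) -> List[Finding]:
    """Compare what vendors can reach against what they are supposed to need."""
    by_name: Dict[str, Vendor] = {v.name: v for v in vendors}
    findings: List[Finding] = []
    vendors_with_grants = set()

    for g in grants:
        vendors_with_grants.add(g.vendor)
        vendor = by_name.get(g.vendor)
        if vendor is None:
            # A grant to an entity nobody mapped: often a dead contract left in place.
            findings.append(Finding("unmapped_vendor", g.vendor,
                                    f"{g.account} can reach {g.segment} via {g.source}, "
                                    "but no owner or purpose is recorded"))
        elif g.segment not in vendor.needed_segments:
            # The Target pattern: a building-systems vendor reaching the payment network.
            findings.append(Finding("excess_access", g.vendor,
                                    f"{g.account} can reach {g.segment} via {g.source}; "
                                    f"purpose '{vendor.purpose}' needs only "
                                    f"{sorted(vendor.needed_segments)}"))

    for vendor in vendors:
        if vendor.name in vendors_with_grants and not vendor.mfa_enforced:
            findings.append(Finding("no_mfa", vendor.name,
                                    "vendor accounts reach internal segments without MFA"))

    return sorted(findings, key=lambda f: (f.kind, f.vendor))


# Constructed sample inventory: hypothetical vendors, accounts and segment names.
SAMPLE_VENDORS = [
    Vendor("hvac-maintenance-co", "remote HVAC monitoring",
           frozenset({"building-management"}), mfa_enforced=False),
    Vendor("cloud-backup-inc", "offsite backup of file servers",
           frozenset({"file-servers"}), mfa_enforced=True),
]

SAMPLE_GRANTS = [
    AccessGrant("hvac-maintenance-co", "svc-hvac", "building-management", "vpn-profile:hvac"),
    AccessGrant("hvac-maintenance-co", "svc-hvac", "pos-network", "fw-rule:142"),
    AccessGrant("cloud-backup-inc", "svc-backup", "file-servers", "idp-group:backup-ops"),
    AccessGrant("old-payroll-vendor", "svc-payroll", "hr-database", "fw-rule:17"),
]


def run_sample_audit() -> List[Finding]:
    """Run the audit over the constructed inventory; returns three findings."""
    return audit_vendor_access(SAMPLE_VENDORS, SAMPLE_GRANTS)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.kind}] {f.vendor}: {f.detail}")
```

In practice the grant list would be exported from your firewall, VPN and identity provider rather than typed in, and the vendor list would come from contracts or a vendor-management system. The value is in the join: any grant that has no documented purpose, or reaches further than that purpose requires, is a question to put to the vendor and a rule to remove.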
Develop a Connected Device Security Strategy
More and more devices are internet-enabled (often called IoT devices). You use them because they provide real functionality and performance. But they add risk: every connected device is a potential entry point, and many ship with weak default credentials and receive few or no security updates.
If you can’t ban them (and you can’t), then manage them. Inventory every connected device, change default credentials, keep them on their own network segment, and invest in a cybersecurity strategy that covers them for their whole lifecycle.
Continue Educating Yourself and Your Team
Securing your network requires both strong technical knowledge and vigilance in keeping up with the latest threats and attack vectors. New hazards emerge rapidly, and they can be more than many IT teams are prepared for.
Are you as prepared as you need to be to prevent cyber intrusions, including supply chain attacks? If you know where to look within your infrastructure, you might discover some blind spots or weak points that need addressing. If you don’t know where to look, that’s where managed security services come into play.