Early this year alone, three major supply chain attacks took place, and this number only seems to be growing. So how do you defend yourself against such attacks?

The supply chain network is a frequent target for cyber criminals, as a weak link in the supply chain can grant them access to a larger organisation in custody of the data sought after.

What is a Supply Chain Attack?

A supply chain attack, or third-party attack, is an attack strategy that targets an organisation through vulnerabilities in its supply chain. These vulnerable areas are usually linked to vendors (with poor or weaker security practices).

A data breach through a third-party vendor is possible because vendors require access to sensitive data to integrate with internal systems. When a vendor is compromised, this shared pool of data is breached.

Because vendors store potentially sensitive data for multiple different clients, a single supply chain attack can results in multiple businesses suffering a breach.

More technical details

Supply chain attacks work though piggybacking legitimate processes to gain access into a business’s systems.

It starts with defeating a vendor’s security defences. This process is usually much simpler than attacking a victim directly due to the weaker cybersecurity practices of many vendors.

Once injected into a vendor’s ecosystem, the malicious code needs to embed itself into a digitally signed process of its host.

This is the key to gaining access to a vendor’s client network. A digital signature verifies that a piece of software is authentic to the manufacturer, which permits the transmission of the software to all networked parties.

By hiding behind this digital signature, malicious code is carried over the software update traffic between a compromised vendor and its clients’ networks.

When a victim installs the compromised software update from a vendor, the malicious code is also installed with the same permissions as the digitally signed software. Once installed, a remote access trojan (RAT) is usually activated to give access to each infected host.

Examples of (recent) Supply Chain Attacks

  • April 2021, Password manager PASSWORDSTATE from the company ClickStudios was breached and informed it’s 29K users of an infected update.
  • April 2021, Supply Chain Attack potential found in GitHub release functionality. GitHub says this is intended behaviour.
  • March 2020, Cyber Security company FireEye and a decent chunk of the US Government fell victim to the SolarWinds attack.
  • June-October 2018, ASUS devices received malware through an automatic update from ASUS itself.
  • September 2017, Equifax was breached and had sensitive data stolen of 147 million of their customers.

How to proceed

There is no absolute, bullet-proof way to prevent supply chain attacks.  Nevertheless, it is possible to minimize the risk of being affected by one, as well as the *impact*.

As for minimizing the risk, due diligence in the process of selecting/acquiring (IT) components and services is in order.  The acquisition process is usually driven and dominated by time-to-market considerations, upfront cost analysis, and less tangible but nevertheless very substantial factors of fashionability — feeling compelled to take a certain path out of the, often hyped-up, perception, that this is ‘modern’, ‘the future’, and fear of ‘missing the boat’.  The perception that everybody’s doing ‘X’. so you should too.  ‘X’ may or may not be a good thing, but the fact that ‘X’ is hip and happening is or should not be an intrinsic reason to go with ‘X’.

Much less consideration is given to the hidden costs and risk of both *failures* in the acquired component, as wel as dependencies (e.g., fatal lock-in) introduced by one.  Deep vendor-lock in, often due to lack of openness in data formats, communication protocols and API’s, is a very real thing.  If you drive a truck into a one-way street, there’s no turning it around later.

To mitigate these risks (and keep related costs in check) an exit strategy should be an integral part of component/supplier selection.

As for the impact of an incident delivered through the supply chain, resilience should be part of the fabric of the implemented business processes.  The Zero Trust aims precisely to provide the ability to detect incidents and address issues early, and to keep them contained in any case.  Specifically, containment of incidents by applying logical segmentation and adding security controls ‘surgically’ helps prevent small incidents turning full catastrophe.

 

Alex van Eersel and Jeroen Scheerder
Pentester & Research Lead