Published March 25, 2021
WRITTEN BY MICHAEL SOLOMON
Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.
The successful attack in 2020 on the SolarWinds Orion network management software showed that indirect, or third-party, attacks on organizations of all sizes are feasible. Where direct attacks used to be the most common attack vector, especially when attempting to target large organizations, attacking smaller suppliers is becoming a more attractive approach.
Any attack that attempts to compromise an organization by directly attacking one of its suppliers of hardware or software is called a supply chain attack. The SolarWinds attack was not the first attack on the IT supply chain, and it looks like the number of similar attacks is increasing.
As more organizations become more secure, attackers are looking for creative ways to sneak their attacks in under the radar. Let’s look at the risk of IT supply chain attacks and what you can do to mitigate them.
Understanding supply chain attacks
Supply chain attacks were up 430% in 2020 over the previous year. The dramatic increase in supply chain attacks means that organizations must mobilize immediately to counter this emerging threat.
Cybersecurity specialists are getting better all the time. Cybersecurity education and training is becoming more commonplace and in-depth, along with the development of increasingly sophisticated tools and techniques.
Unfortunately, cybercriminals are getting better as well. Over the last decade, the increased level of security awareness and control sophistication has driven cybercriminals to search for softer targets.
Security defense maturity is often consistent with size. Larger organizations generally have larger security budgets and can end up maintaining more secure IT environments. Saying that larger means more secure isn’t always accurate; there are lots of insecure large organizations and many very secure smaller ones. On average, though, cybercriminals know that smaller organizations are more likely to lack sophisticated security controls.
Simply put, smaller organizations often do not have the budget for the best security. Consequently, many cybercriminals are recognizing a unique opportunity to indirectly attack large organizations by focusing their efforts on the smaller — hopefully softer — suppliers that those large organizations use.
The basic approach in a supply chain attack is for the cybercriminals to add malicious code to software products during the development or release process. The malicious code becomes part of a software product that then gets sold to — and installed in — numerous unsuspecting customers’ environments. While the direct target of the attack is the supplier’s code, the eventual target is the customer’s environment into which the tainted code gets installed.
An attack like this works mainly because of its novelty and the general trust between suppliers and customers. Few customers of SolarWinds products probably worried about the quality of the SolarWinds product line before the news of the Orion attack. The general perception is that a trusted supplier takes the necessary precautions to ensure their software is clean. Very few existing security tools or procedures validate the security of purchased products. That’s the problem, and the opportunity for cybercriminals.
It has long been known that tampering with a product during delivery is possible, and controls are commonly in place to detect tampering. Similar to using anti-tampering pill bottles to prevent physical risk, many software vendors sign their code using digital certificates to prevent virtual risk. Signed code isn’t as hard to open as today’s pill bottles, but the practice makes any tampering evident.
Unfortunately, even code signing doesn’t guarantee clean code. Attackers have circumvented code signing by either stealing valid certificates and using them, or creating phony certificates and hoping no one validates the certificate signer.
The goal in a supply chain attack is for compromised software to be deployed to hundreds or thousands of the supplier’s customer sites. Consequently, the most attractive attack vector is to insert the malicious payload in the supplier’s deployment process after most of the security checks for software have been completed. The build process provides a potential opportunity to replace tested code with malicious code.
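One way a supplier can detect that kind of swap is to record file digests when testing finishes and compare them again just before release. The sketch below is an added example, not code from the article or from any vendor; the file names and the functions `snapshot`, `compare` and `demo` are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large artifacts are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's relative path to its digest (taken when tests pass)."""
    return {p.relative_to(root).as_posix(): digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(tested: dict[str, str], release_root: Path) -> dict[str, list[str]]:
    """Diff the release directory against the tested snapshot."""
    shipped = snapshot(release_root)
    common = tested.keys() & shipped.keys()
    return {
        "modified": sorted(n for n in common if tested[n] != shipped[n]),
        "added": sorted(shipped.keys() - tested.keys()),
        "missing": sorted(tested.keys() - shipped.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tested build tree that changes before release."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "agent.dll").write_bytes(b"tested build output")
        (root / "config.xml").write_bytes(b"<config/>")
        tested = snapshot(root)  # recorded at the end of the test stage
        # Simulated changes between testing and packaging (constructed data):
        (root / "bin" / "agent.dll").write_bytes(b"tested build output + extra")
        (root / "bin" / "helper.dll").write_bytes(b"unreviewed file")
        (root / "config.xml").unlink()
        return compare(tested, root)


if __name__ == "__main__":
    report = demo()
    print(report)
    print("RELEASE BLOCKED" if any(report.values()) else "release matches tested build")
```

The comparison is only meaningful if the tested snapshot is stored somewhere the build and packaging hosts cannot write to.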
Exploring the risk
Traditional IT security controls assume that distinct trust boundaries exist. Communication and data that travels across a trust boundary encounters one or more layers of controls to protect the internal environment.
Building and maintaining an IT environment requires the acquisition of many software and hardware components from multiple vendors. Although vendors have historically been implicitly trusted, the SolarWinds attack underscores that every product or service acquired from a third party carries risk. The level of risk depends on the strength of that organization’s security, not yours.
One weak supply chain partner could result in a compromise of your IT environment. Compromised software building tools (an IDE, build tools, libraries, consumed services, etc.) or updated infrastructure (firmware, configuration settings, hardware, etc.) are possible targets for a supply chain attack.
To hide the evidence of compromised code and make malicious code appear safe, attackers may also steal code-signing certificates or sign malicious apps using the identity of the development organization. Cybercriminals may also introduce compromised specialized code in hardware or firmware components, or even pre-install malware on devices such as cameras, USBs or phones. In the last example, no action is even required by the consumer or user; the device enters service compromised.
These attack vectors are all results of the ongoing move away from business process centralization. Information sharing due to decentralization and globalization results in increased risk of information leakage and violated trust of critical business function components.
And this violated trust doesn’t only affect immediate suppliers. According to Investopedia, “Interconnectivity of supply chains is raising risk. In 2020, Accenture indicated that 40% of cyberattacks originated from the extended supply chain.” The problem of a supply chain attack is that it encompasses many more than just your direct suppliers.
Remember that tier-one suppliers (those that provide products or services to your organization) likely have their own tier-one suppliers, which become tier-two suppliers to your organization. While many supplier agreements include minimum security requirements, it is uncommon to extend those requirements to a supplier’s own tier-one (or tier-two) suppliers. For those that do, there is no standard approach to guaranteeing a desired level of security across multiple suppliers. And, if that isn’t challenging enough, proper security guarantees would require that each tier-one supplier enforce the same level of security guarantees across all of its tier-one suppliers.
Even for organizations that have tackled this problem, there is lingering doubt of security guarantees. According to a CSO Online article, a mere “34% of risk professionals say they believe the vendors’ responses.”
Protecting your organization from attack
While there is no silver bullet for stopping a supply chain attack, there are steps your organization can take. If you are a customer, be wary of any code that you receive from a third party. Ensure your organization uses strong code integrity controls that only allow authorized apps to execute. Enforce endpoint detection and response solutions that have the ability to detect and remediate suspicious activities automatically. And, of course, demand comprehensive security assessments and quality guarantees from your suppliers. Avoid any supplier that cannot or will not provide rigorous security assurance of their products and services.
From ISG, here is a list of steps you can take to best defend against supply chain attacks:
- Know what suppliers have what data
- Know where your data is physically stored
- Know the number and identities of system administrators at your suppliers who manage systems that contain your data
- Encrypt your data when transmitting
- Assure that all software patches from relevant software providers are installed on your suppliers’ computers in a timely manner
- Verify that supplier policies regarding systems access for both active and terminated employees (including username and password changes or cancellations) are addressed and reviewed frequently with all employees
- Verify supplier policies regarding handheld devices and laptop security
- Verify supplier wireless network security procedures and monitoring capabilities
- Back up all critical data frequently
- Assure that suppliers are maintaining all firewalls and anti-virus software to their latest releases
- Routinely review all access and permissions to mission-critical files (and semi-annually review business requirements for authorizations)
- Make sure you have a documented and tested disaster recovery and risk communications plan
Supply chain attacks aren’t going anywhere. Despite the difficulty associated with trying to ensure your suppliers (and their suppliers, and so on) are delivering secure code, the effort does help to thwart many types of attacks.
Encouraging universally secure coding and building practices benefits us all. We just have to continually spread the word — and strive to only do business with those who do likewise.