Supply chain attacks target high-value industries such as security companies, fuel distribution pipelines, large retailers, energy companies, hospitals, and even government facilities. Cybercriminals carry out these attacks by injecting malicious code somewhere along a target company’s supply chain. It could be in code purchased from a vendor, open source code downloaded from a trusted internet site, or even internally developed code.
Supply chain attacks result in millions of dollars in lost revenue, reduced consumer confidence, damaged reputations, and disruption of services. This type of attack has increased in recent years, and some cybersecurity professionals warn us that the worst is yet to come. This article explores the threat landscape and offers some advice on mitigation and prevention.
Why do cybercriminals target supply chains?
Cybercriminals generally attack easier targets, but in the case of ultimately attacking larger companies, the payoff in disruption, potential financial gains, and data theft, the extra effort to compromise a vulnerable supply chain is worth it. Most supply chain attacks begin as advanced persistent threats (APTs) where criminals infiltrate vendors along a supply chain with weak security.
Once inside a network, attackers steal data, credentials, and code from their victims. During these long-term attacks, criminals place malicious code inside programs, applications, and raw code that eventually becomes incorporated into the target company’s products. The malicious code might include viruses, worms, spyware, keyloggers, or ransomware. The code passes from vendor to vendor up a supply chain. It often goes undetected until the harmful code triggers a ransom, completes a significant data theft, or surfaces from some other event. Security admins might never discover APTs because cybercriminals exfiltrate data in tiny amounts or perform activities that don’t trigger monitoring alarms.
Why are supply chains vulnerable?
Some supply chains are vulnerable to attack because they have fewer security controls due to lack of security expertise, no regulatory requirements, insufficient funds to secure themselves properly, or neglect. Without regulatory compliance requirements and some type of oversight, supply chains that involve small vendors or community-based systems are especially vulnerable to malicious code injection and APTs.
Recent high-profile supply chain attacks have prompted regulatory attention to focus on third-party security and software risks. To illustrate this point, the following abstract is from the National Institute of Standards and Technology (NIST) Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. This document is available at NIST SP 800-161 Rev. 1
Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services containing potentially malicious functionality, counterfeit, or vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services.
This publication guides federal agencies in identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. The publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM specific approach, including guidance on assessing supply chain risk and using mitigation techniques.
This publication refers to federal agencies; however, government contractors and their supply chain vendors are affected by this document and its guidelines. Interestingly, the NIST originally published this document in April 2015, so the threats, risks, and prevention and mitigation have been well known for several years preceding these recent attacks.
What are the sources of supply chain attacks?
Observers often blame so-called free and open source software (FOSS) for having malicious code injections in products and code snippets. Still, the fact is that even proprietary and closed source applications can have harmful code embedded into them. The FOSS ecosystem of allowing anyone to view, submit, correct, and alter code is the point of controversy. Some FOSS sources are less reliable than others, but developers should always check for malicious code in any snippet or code block borrowed from any FOSS project or project site.
Developers who write sloppy code can introduce exploitable vulnerabilities that get included in applications deployed in a production environment. A developer can, and should, perform multiple vulnerability scans on their raw code before compilation into an application. There are commercial and online code checkers that scan for vulnerabilities and provide extensive reporting on potential problems.
Advanced persistent threats are long-term, well-planned attacks against high-value targets. These attacks are sophisticated, well thought out, and might occur for years rather than minutes, as is the case of less sophisticated attacks. Those who launch APTs aren’t after the low-hanging fruit or a quick payoff from exploiting a website or single internet host. Nation-states, hacktivists, or other groups whose sole purpose is to disrupt, control, and extort an organization or service are often the ones who carry out APTs.
Supply chain weak links aren’t who you think they are
Small business owners often believe that “they’re too small to worry about” when it comes to being a target of an APT group or other criminal organization. But, quite the opposite is true. Cybercriminals know that most businesses are small and that they lack the resources to protect themselves from threats. Small companies and community-driven sites, such as those in the FOSS realm, are definitely on the collective criminal radar. When these small businesses are in the supply chains of larger companies identified as high-value targets, they become ancillary targets. They are much easier to exploit and compromise than the primary target is.
FOSS developers and their sites are vulnerable for the same reasons small businesses don’t have the resources to protect themselves fully. Additionally, FOSS developers supply code to the greater internet community for the good of that community and don’t supply code with the thought that anyone will exploit it for criminal purposes. Unfortunately, this is a short-sighted viewpoint and can eventually lead to costly attacks.
Public repositories have the same issues as the others in this discussion, with the bonus that many of these repositories are not monitored or only periodically checked for maintenance purposes. Malicious actors can download good code, alter it, and upload harmful code that’s picked up and used by unsuspecting developers all along a supply chain path or within the target organization itself.
Supply Chain Attack Prevention
Prevention is better than detection and mitigation, and there are several techniques available to help prevent the accidental inclusion of malicious code into existing software or the software development lifecycle. There are some general standard guidelines for preventing malicious code injection into existing projects, such as:
- Network-wide anti-malware software deployment
- Multi-factor authentication
- Limiting the number of sources of borrowed code blocks
- Implementation of data leak protection services
- Periodic vendor security audits
What isn’t standard is to scan and check code earlier in the development lifecycle, also known as “shifting left,” to catch problems before compilation and integration into production software applications. Early code scanning and validation can prevent malicious code injections from all sources. No developer should use a software snippet or block before performing a vulnerability scan on it. For an extensive list of guidelines to help prevent malicious code injection and other security breaches, please read the previously referred document: NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.