What is a Supply Chain Attack and How Can Organizations Defend Against Them?
According to Verizon’s 2022 Data Breach Investigations Report, 62% of system intrusion incidents involved a supply chain partner. This type of attack is one of the most effective ways to compromise organizations because it targets the weakest link in the security chain: a third party the victim already trusts. Supply chain attacks usually begin by compromising that partner, such as a software developer, distributor, or supplier. Once inside a customer’s environment, attackers may steal data, damage systems, or halt operations entirely, and the disruption then propagates to that organization’s own customers.
There are many types of software supply chain attacks. Some focus on gaining access to sensitive information, while others try to manipulate it. Attackers sometimes use social engineering techniques to trick people into installing malware. Others attempt to steal intellectual property. Still others seek out weaknesses in the software development process itself. These are just a few examples of what supply chain attacks can do.
This article will look at the fundamentals of a supply chain attack: what it is, how it occurs, and the devastating impact it can have on your organization.
What is a Supply Chain Attack?
A supply chain attack is a cyber attack where a malicious actor compromises an outside partner or supplier to conduct attacks against the supplier’s customers.
Supply chain attacks often start by compromising a vendor or supplier in order to reach its customer base. Once inside the vendor’s systems, attackers have broad access to steal data, alter records, or delete files. They can also use that access to install malware on the vendor’s systems, spy on the vendor’s customers, or modify the vendor’s software products so that the malware is pushed into each customer’s environment through the vendor’s normal delivery channel.
These attacks are known as “supply chain attacks” because they target weaknesses in the supply chain itself rather than attacking individual companies one by one. By compromising a supplier that sits at a critical point in the chain, attackers reach every customer downstream of it with a single intrusion.
A real-world example would be attackers compromising a software development firm that builds applications for its customers. By tampering with the software the firm ships, the attack reaches everyone who installs it. This gives malicious actors a much broader reach than attacking each customer directly.
What is the Software Supply Chain?
Understanding a supply chain attack requires an understanding of application development. In the past, applications were monolithic pieces of software that were self-contained, and developers created every ounce of code internally. Now, to speed up development processes and avoid re-solving common problems, applications will leverage standard components such as libraries, frameworks, web services, and databases. These components all work together to create and run the application.
The problem is more complex because each component is itself built from other components. For example, Log4j, a widely used Java logging library maintained by the Apache Software Foundation, depends on further components and is in turn bundled by many frameworks and products. When a critical vulnerability in Log4j was disclosed, it affected every application that shipped a vulnerable version, including many whose developers did not know they were using it because it arrived as a dependency of a dependency.
The layered approach to application development expedites development but creates risk if a single layer is compromised.
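The practical question a layered dependency tree raises is “which of our applications reach the vulnerable component, and through what chain?” The following script is an added example, not code from the original article or from Fortra; the package names, the dependency graph and the pinned versions are all constructed for illustration (a real run would load them from a lockfile or SBOM), and the affected range 2.0.0 ≤ version < 2.15.0 is a placeholder rather than a statement about any real product. It walks the graph from each top-level application and reports every path that ends in an affected version of the target.

```python
"""Find every path by which an application transitively pulls in a vulnerable
component. Graph and versions below are constructed for this example; they are
not a real lockfile or SBOM."""

# Constructed dependency graph: package -> list of direct dependencies.
DEPENDENCY_GRAPH = {
    "order-service": ["web-framework", "audit-lib"],
    "web-framework": ["http-server", "json-parser"],
    "http-server": ["log-facade"],
    "log-facade": ["logging-core"],
    "audit-lib": ["logging-core"],
    "json-parser": [],
    "logging-core": [],
    "reporting-tool": ["pdf-lib"],
    "pdf-lib": [],
}

# Constructed resolved versions, one per package, as a lockfile would pin them.
RESOLVED_VERSIONS = {
    "order-service": "3.1.0",
    "web-framework": "5.2.1",
    "http-server": "9.0.4",
    "log-facade": "1.7.3",
    "logging-core": "2.14.1",
    "audit-lib": "0.9.0",
    "json-parser": "2.13.0",
    "reporting-tool": "1.0.0",
    "pdf-lib": "4.4.0",
}


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (half-open range, as advisories usually state)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def find_paths(graph, root, target):
    """Return every dependency chain from root to target, depth-first and cycle-safe."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:  # skip cycles in malformed metadata
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def exposure_report(graph, versions, target, first_affected, first_fixed):
    """Map each top-level application to the chains through which it reaches
    an affected version of target. Empty dict means no exposure."""
    if not is_affected(versions[target], first_affected, first_fixed):
        return {}
    # Top-level applications are the packages nothing else depends on.
    depended_on = {dep for deps in graph.values() for dep in deps}
    roots = [pkg for pkg in graph if pkg not in depended_on]
    report = {}
    for root in roots:
        chains = find_paths(graph, root, target)
        if chains:
            report[root] = [" -> ".join(chain) for chain in chains]
    return report


if __name__ == "__main__":
    for app, chains in exposure_report(
        DEPENDENCY_GRAPH, RESOLVED_VERSIONS, "logging-core", "2.0.0", "2.15.0"
    ).items():
        print(app)
        for chain in chains:
            print("  ", chain)
```

Note that order-service never lists logging-core directly; it reaches it twice, once four levels deep through the web framework and once through an audit library. Patching only the first chain and declaring the application fixed is the mistake the path listing is meant to prevent.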
How Do Supply Chain Attacks Work?
There are many varieties of software supply chain attack. Each takes a different route into the target and has its own goal for the data once inside. Some use social engineering to trick employees into acting on the attacker’s behalf, while others exploit vulnerabilities to gain a foothold in the organization.
One version targets the tooling a supplier uses to serve its customers. Managed service providers (MSPs), for example, manage their clients through remote management platforms that are often exposed to the internet. If attackers exploit a vulnerability in such a platform, they take control of it and use its legitimate push mechanism to send malicious scripts that install malware on every client the platform manages. A useful tool is now weaponized.
An alternative type of supply chain attack is a “man-in-the-middle” attack. Here the attacker compromises a trusted entity, through a vulnerability or social engineering, and uses that trust to get a user to install malicious software. Once installed, the software intercepts communications between the victim and other systems, and uses what it collects to impersonate the victim and exfiltrate the data that passes through it.
Attacks of this nature are hard to detect because they rely on legitimate users exercising the access they have been granted to install the malware. In the logs, this looks like a user doing their normal job rather than an attacker misusing a system.
What are Some Recent Supply Chain Attacks?
One example of a supply chain attack was the SolarWinds attack in 2020. Attackers gained access to the SolarWinds network and used it to inject malicious code into the Orion network performance monitoring and management product. Routine software updates then distributed the malicious changes to users, providing a backdoor into the networks that ran the product. This granted attackers unfettered access to any internet-connected network that deployed the corrupted code.
Administrative credentials are also a powerful magnifier of supply chain attacks. If a provider’s administrative credentials are stolen, attackers gain access to that provider’s customer data. This can include sensitive information or the credentials the provider uses to reach customer assets, allowing attackers to masquerade as the provider with the same level of access.
Can You Defend Against a Supply Chain Attack?
There is no foolproof way to defend against a supply chain attack, but there are ways to make it harder for an attacker to use a supplier to reach your organization. You can reduce your organizational risk by lowering the level of trust given to suppliers and to third-party applications.
For example, instead of trusting every patch and update from a “trusted” source, test and analyze them in a test environment before applying them. Similarly, limiting the access that an externally sourced application has to your internal network reduces an attacker’s ability to pivot if that application is compromised. Scoping access to network resources to just the necessary components, and using a dedicated, narrowly scoped administrative account rather than a domain-wide administrative account, also hinder attackers. If an attacker gains control through a supplier issue, they then cannot quickly reach your internal resources.
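One concrete part of “analyze updates before applying them” is to check what a new release actually changes against what the vendor says it changes. The script below is an added example, not part of the original article and not a Fortra tool; both releases are built in memory as constructed zip archives, and the file names and the list of files the release notes claim to touch are invented for the illustration. It hashes every file in each archive, diffs the manifests, and refuses approval when anything changed that the release notes did not mention.

```python
"""Compare a new vendor release against the deployed one before approving it.
Both archives are constructed in memory for this example; a real review would
point at the downloaded package and the currently installed version."""

import hashlib
import io
import zipfile


def build_archive(files):
    """Create a zip archive in memory from {path: contents}. Used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed "currently deployed" release.
OLD_RELEASE = build_archive({
    "bin/monitor.exe": b"monitor build 1041",
    "lib/core.dll": b"core build 1041",
    "lib/net.dll": b"net build 1041",
    "README.txt": "Release 2.3.0\n",
})

# Constructed "new" release: net.dll and README changed as announced, but
# core.dll also changed and a new plugins/helper.dll appeared unannounced.
NEW_RELEASE = build_archive({
    "bin/monitor.exe": b"monitor build 1041",
    "lib/core.dll": b"core build 1041 with extra code",
    "lib/net.dll": b"net build 1058",
    "README.txt": "Release 2.3.1\n",
    "plugins/helper.dll": b"helper build 1058",
})

# Constructed: files the vendor's release notes say this update touches.
RELEASE_NOTES_FILES = {"lib/net.dll", "README.txt"}


def manifest(archive_bytes):
    """Map every file in the archive to the SHA-256 of its contents."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return result


def diff_release(old_archive, new_archive, expected_changes):
    """Return added/removed/changed files, the subset the release notes did not
    mention, and an approve flag that is True only when that subset is empty."""
    old, new = manifest(old_archive), manifest(new_archive)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(f for f in set(old) & set(new) if old[f] != new[f])
    touched = set(added) | set(removed) | set(changed)
    unexpected = sorted(touched - set(expected_changes))
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "unexpected": unexpected,
        "approve": not unexpected,
    }


if __name__ == "__main__":
    result = diff_release(OLD_RELEASE, NEW_RELEASE, RELEASE_NOTES_FILES)
    for key in ("added", "removed", "changed", "unexpected"):
        print(f"{key}: {result[key]}")
    print("approve:", result["approve"])
```

A manifest diff is deliberately a gate, not a verdict: an unexpected change means the file goes to the test environment for behavioural analysis (what it connects to, what it writes, what it loads) before the update is promoted. It complements rather than replaces signature checks, since a valid vendor signature only proves who built the package, not that the build was clean.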
Defending Against Supply Chain Attacks with Fortra
One of the best ways to protect your organization against supply chain attacks is to take preventative measures and assess your environment before an attack ever occurs. Fortra has a portfolio of integrated and scalable solutions to help your organization proactively improve its defenses against supply chain attacks. For example, regular scanning with Frontline VM helps identify and prioritize vulnerabilities in your assets so you can eliminate them and reduce your exposure to supply chain attacks.
Organizations can also verify the strength of their software supply chain by deploying penetration tests with Core Impact or engaging in adversary simulation exercises with Cobalt Strike to find out whether a solution vendor is also serving as an attack vector. With our offensive security solutions, we can help simplify your security and strengthen your supply chain.
What Other Cybersecurity Challenges Should You Prioritize this Year?
Find out about other security trends like geo-political influences, targeted ransomware, mobile attacks and more in our guide, Cybersecurity Trends and Predictions for 2022-2023.