Supply chain attacks are on the rise. The European Union Agency for Cybersecurity found that 66% of such attacks focus on the supplier's code. Forward-thinking threat actors have begun looking past attacking an organisation's IT systems directly and have started targeting the trusted software and hardware the organisation uses. These malicious actors have realised they can cause a huge amount of damage, even to organisations with a good security posture, by taking advantage of that trust and coming in through the back door.
Why should I worry about supply chain attacks?
In general, a supply chain is the system of resources involved in supplying a service or product. When it comes to technology, businesses rely on third-party software vendors to deliver their services or products: mostly software they don't control and didn't develop in-house, but which they need in order to serve their clients.
In turn, hackers, or malicious actors, have turned to targeting these third-party software vendors. When organisations install third-party applications, or apply updates and patches to them, the software runs with the permissions it is granted, which usually includes access to sensitive data and assets. By compromising a single supplier whose software runs at, or who stores sensitive data for, many clients or customers, malicious actors can potentially reach hundreds or even thousands of victims.
So, instead of trying to infiltrate organisations or government agencies with a solid security posture, cyber criminals target their third-party software vendors. These vendors often don't, or can't, invest the same cybersecurity resources as larger organisations, and the trust between vendor and customer is then exploited. This strategy is called a supply chain attack. It gives malicious actors access to many organisations at once, which they can then extort for all they're worth.
How supply chain attacks work
When a vendor releases software, it signs the release with a digital signature, and the organisation installing it checks that signature to confirm the software genuinely came from the vendor and was not altered in transit. Once verified, the software is trusted and distributed to every system that installs it. A supply chain attack abuses exactly that trust: the malicious code was injected into the vendor's source code or build pipeline, without the vendor's knowledge, before the release was signed. The signature is therefore genuine, and it vouches for the tampered software just as it would for a clean one.
Through the legitimate process of software installation or update, the malicious code is carried into the organisation's restricted IT environment; the trusted update channel itself is the attack vector. The code need not activate immediately: it can lie dormant until the malicious actors trigger it remotely.
Because the code runs with the same privileges as the vendor's software, it has access to the same data and IT infrastructure. From there the malicious actor can launch further attacks, such as mass ransomware campaigns across every affected customer. Many prefer to work quietly, stealing data without rousing any suspicion from the organisation.
Malicious actors can also infiltrate an IT supply chain through open-source code or through foreign-sourced development.
Open-source code is packaged programming code developed with the intent of free distribution; these packages can be modified, extended, included in other software and built upon. Sonatype's 2020 State of the Software Supply Chain Report found that supply chain attacks targeting open-source software projects are a major issue for enterprises, as 90% of all applications contain open-source code and 11% have known vulnerabilities.
Most applications today include some form of open-source code. Because it is free and is pulled into builds automatically from public package registries, it often receives far less scrutiny than commercial software: a compromised package, a hijacked maintainer account or a look-alike package name can carry malicious code into every application that depends on it.
The second way, foreign-sourced development, arises when software is developed or outsourced in countries where development is low-cost and oversight of the development process is weaker, adding another layer of supply chain risk for organisations.
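The two mechanisms above, a signed vendor release that was tampered with before signing and an open-source package republished or swapped on a public registry, have the same practical countermeasure on the consumer's side: keep your own record of the exact artifacts you reviewed and refuse anything that differs. The following Python script is an added example, not code from the original article or from INTELLIWORX. It records SHA-256 digests of a set of constructed sample packages in the same `--hash=sha256:...` form that pip's requirements files use, then verifies a later download against that record. The package names and contents are made up for the example.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample artifacts standing in for packages a build fetches from
# a public registry. These are not real packages; the bytes are arbitrary.
CLEAN_PACKAGES: dict[str, bytes] = {
    "netlib-1.4.2.tar.gz": b"netlib 1.4.2: socket helpers\n",
    "jsonfast-0.9.0.tar.gz": b"jsonfast 0.9.0: fast JSON codec\n",
}

# One pinned artifact per line, mirroring pip's hash-pinning syntax.
LOCK_LINE = re.compile(r"^(?P<name>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lockfile(packages: dict[str, bytes]) -> str:
    """Record the digest of every artifact at the moment it was reviewed.

    This is the consumer's own record of what it approved. It does not depend
    on the vendor's signature, so a release that was tampered with and then
    legitimately signed still fails the check below.
    """
    lines = [f"{name} --hash=sha256:{sha256_hex(data)}"
             for name, data in sorted(packages.items())]
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict[str, str]:
    """Parse lock lines into {artifact name: expected sha256 hex digest}."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LOCK_LINE.match(line)
        if match is None:
            # A malformed line is a hard error: silently skipping it would
            # leave an artifact unpinned.
            raise ValueError(f"malformed lock line: {line!r}")
        pins[match["name"]] = match["digest"]
    return pins


def verify_downloads(lock_text: str, downloaded: dict[str, bytes]) -> dict[str, str]:
    """Return {artifact name: reason} for everything that must NOT be installed.

    An artifact is rejected when its digest differs from the pin (tampered or
    silently republished under the same version), when it is not pinned at all
    (an unexpected dependency pulled into the build), or when a pinned
    artifact is missing from the download. An empty dict means install.
    """
    pins = parse_lockfile(lock_text)
    rejected: dict[str, str] = {}
    for name, data in downloaded.items():
        expected = pins.get(name)
        if expected is None:
            rejected[name] = "not in lockfile"
        elif sha256_hex(data) != expected:
            rejected[name] = "digest mismatch"
    for name in pins:
        if name not in downloaded:
            rejected[name] = "pinned but not downloaded"
    return rejected


if __name__ == "__main__":
    lock = make_lockfile(CLEAN_PACKAGES)
    print("lockfile recorded at review time:\n" + lock)

    # Simulated later download: the same version of netlib has been
    # republished with extra bytes appended (constructed tampering), and an
    # unexpected look-alike package has been pulled in.
    later = dict(CLEAN_PACKAGES)
    later["netlib-1.4.2.tar.gz"] += b"# appended after review (constructed)\n"
    later["jsonfats-1.0.0.tar.gz"] = b"look-alike package name (constructed)\n"

    for name, reason in sorted(verify_downloads(lock, later).items()):
        print(f"REJECT {name}: {reason}")
```

The check is deliberately strict in both directions: an artifact that is pinned but absent is reported too, because a build that quietly drops a dependency is as suspicious as one that quietly gains one. Real tooling such as `pip install --require-hashes` performs the same comparison; the point of the example is that the pins are produced and kept by the consumer, not supplied by the vendor.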
Protecting against supply chain attacks
The best way for businesses and organisations to protect themselves from supply chain attacks is to ensure every third-party vendor they use complies with strict cyber security standards. Adherence should be checked regularly, and trusted vendors should be scrutinised in proportion to the access their software needs and the data it will be able to reach: the more sensitive the data, the higher the scrutiny. Each third-party assessment should be specific to the software being installed and should be conducted by a security expert. Organisations should also verify that updates are the vendor's genuine releases before installing them, and keep their own record of exactly which versions were reviewed and approved.
Vendors should also require two-factor authentication on their own systems, particularly on the accounts that can commit code and publish releases, as this adds another hurdle malicious actors must clear before they can tamper with the software.
Once attacked, some businesses never recover.
If you’d like to know more about risk management, security vulnerabilities, and the supply chain risk to your business, talk to the cyber security experts at INTELLIWORX today.