Supply chain vulnerabilities are not new. However, attacks on numerous high-profile companies have highlighted the criticality of understanding supply chain vulnerabilities. Every company, big or small, has supply chains. Therefore, all organizations need to be concerned with vulnerabilities within these access points into their organization. Previous attacks also highlight the numerous methods attackers use to take advantage of vulnerabilities within the supply chains of their targets.
A supply chain attack uses vulnerabilities in third parties to reach a malicious actor's primary target (any industry can be a target for supply chain attacks). Suppliers sometimes have weaker security while holding access to some of the most sensitive data within an organization, which is why they are enticing to malicious actors who want access to more heavily defended primary targets. Additionally, malicious actors want to gain access to source code, build processes, or update mechanisms so that legitimate software distributes their malware for them.
Supply chain attacks do not only come from an organization's direct supply chain. They can also come from the supply chain of the supply chain. When a determined malicious actor with time and resources wants to inject themselves into a supply chain, they do not stop at the suppliers one step removed from their target. Instead, these actors often go after the suppliers of those suppliers. Sometimes these attacks target embedded components that will go into a device and give the attackers access. These hardware attacks are hard to detect. However, hardware is not the only attack vector these actors use. They also try to get into the software.
One method used in attacking software updates is the abuse of content delivery networks (CDNs). The use of CDNs is especially insidious because of the trust they enjoy in many organizations. CDNs are regionally dispersed proxy servers and data centers for vendor software and updates, so downloads are highly available and complete faster with better performance. However, spreading out these services also increases the attack surface. The trust placed in these networks increases their desirability as a launch point for further attacks against those that use them. Since CDNs are a centralized repository of vendor software, a single compromise can hit multiple organizations at once. Targeting CDNs also allows for some target specificity because of how CDNs are deployed. For example, CDN nodes serve specific geographic areas. Therefore, a malicious actor could determine which CDN nodes their victim's systems would reach for updates or new software and infect only those. In addition, limiting distribution to a few CDN nodes reduces the chance of discovery.
These attacks may seem overwhelming, especially since the attackers only need to succeed once, while the defenders must be perfect every time. Nevertheless, there are things organizations can do to decrease the probability of a successful attack. One is buying from vendors who can detail their supply chain and the security they use to ensure they are not compromised. Another is working with partners to minimize attack vectors and susceptibility to supply chain attacks.
Even against supply chain attacks, there are mitigations that organizations can employ. These include checking the hashes of any downloads or updates before they reach production systems. If you run these in a lab environment first, look inside the files to ensure no hidden features or backdoors are embedded. Do not just check whether it runs without issues in your network.
Since it is difficult for CDN operators to protect all their proxies, software developers should use hash validation to ensure only known updates are accepted when they are served by CDN nodes. However, simply signing updates or checking hashes is not enough; organizations should employ other methods to validate updates before accepting them as genuine. For example, besides checking hashes, the cyber threat intelligence team can download the same files from different CDN nodes to understand their differences and track changes over time.
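A minimal implementation of the two checks above (pin the hash from an out-of-band vendor manifest, then compare the copies served by several CDN nodes), added here as an example rather than code from the article; the hostnames, the sample payload and the manifest value are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: the bytes of an "update" as published by the vendor and
# the SHA-256 the vendor lists in a manifest. Assumption: the manifest is
# fetched over a separate channel (vendor site, signed release notes), never
# from the same CDN that serves the file.
VENDOR_UPDATE = b"example-agent-2.4.1 release payload (constructed sample)\n"
MANIFEST_SHA256 = hashlib.sha256(VENDOR_UPDATE).hexdigest()

# Constructed copies of the same update as served by three CDN edge nodes;
# the eu-west copy has been altered in transit (one extra byte appended).
CDN_COPIES = {
    "cdn-us-east.example": VENDOR_UPDATE,
    "cdn-us-west.example": VENDOR_UPDATE,
    "cdn-eu-west.example": VENDOR_UPDATE + b"\x90",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_manifest(data: bytes, expected_sha256: str) -> bool:
    """Accept a download only if its SHA-256 matches the pinned manifest value."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def compare_cdn_copies(copies: dict, expected_sha256: str) -> dict:
    """Hash every CDN copy and report which edges diverge from the manifest.

    The most common hash across edges is returned as "consensus" so that a
    single divergent edge still stands out when no manifest is available.
    """
    hashes = {edge: sha256_hex(data) for edge, data in copies.items()}
    consensus = Counter(hashes.values()).most_common(1)[0][0]
    ok = sorted(e for e, h in hashes.items() if h == expected_sha256.lower())
    divergent = {e: h for e, h in hashes.items() if h != expected_sha256.lower()}
    return {"ok": ok, "divergent": divergent, "consensus": consensus}


if __name__ == "__main__":
    report = compare_cdn_copies(CDN_COPIES, MANIFEST_SHA256)
    for edge in report["ok"]:
        print(f"{edge}: matches manifest")
    for edge, digest in report["divergent"].items():
        print(f"{edge}: DIVERGENT {digest[:16]}... quarantine the copy for analysis")
```

A divergent edge is a signal to pull that copy into the lab for inspection, not proof of compromise on its own; stale caches produce the same symptom.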
Audit the third parties in your supply chain to ensure they adhere to the same standards you do. Audit and monitor your supply chain to ensure they are not drastically increasing your threat landscape. The monitoring requirements can be time-consuming. Therefore, turning to a third party, a vendor, for assistance can improve an organization's security processes. One such vendor is ProcessBolt. The ProcessBolt Platform is just one example of vendor threat landscape management.
Even though supply chain attacks are an ever-increasing threat, there are actions and processes an organization can put in place to mitigate most of the risk. Understanding the risks in your supply chain is the first step in mitigating them. Do not let your supply chain become the way attackers reach your organization. Take action to understand the risks and reduce the threats.
About the Author: Vince Peeler served for 25 years in the U.S. Navy as an electronic countermeasures officer and an Information Dominance Warfare Officer specializing in intelligence. After retiring from the Navy, Vince led cyber intelligence for Optum and Cargill. Currently, Vince is the CTO for a small security company contracting with the U.S. government and a Fortune 10 company. Learn more: https://www.linkedin.com/in/vince-p-323a27b/