Supply chain attacks: understanding the risk

Supply chain attacks are on the rise — and have been since the start of the coronavirus pandemic. There are a variety of reasons for this, from businesses' reliance on software to the proliferation of hybrid work environments and new communication tools.

While many of these tools are necessary in today's workplace, they each create a number of vulnerabilities that, in many cases, aren't being addressed. And, unfortunately, the transport and distribution sector is one of the most heavily targeted.

In this post, we're going to cover the basics of supply chain attacks, from the various types to how you can protect your business against them.

What is a supply chain attack?

A supply chain attack is a type of cyberattack wherein the bad actor targets a business by compromising a vulnerability in its supply chain.

The attacker then uses this access to insert malicious code or software into the company's products or systems. This can then be used to steal data or disrupt operations in a variety of ways, with the long-term aim of holding the disrupted operations/data for ransom.

The ultimate strategy of a supply chain attack is to start small and work upwards. Infect one device, get past one legitimate update cycle, and work through the victim's operations from there.

Types of supply chain attacks

Compromised software building tools

A common type of supply chain attack involves compromising the software building tools that are used to create a company's products. This can be done by infecting the tools with malware or by stealing the tools themselves and using them to insert malicious code into the products.

Stolen code-sign certificates

Other supply chain attacks involve the theft of code-signing certificates. These certificates are used to verify the authenticity of software, and by stealing them, attackers can sign their own malicious code with a valid certificate. This can make it difficult for companies to detect and block the malicious code.

Compromised specialized code

Supply chain attacks can also be executed by compromising specialized code within a company's products. This code could be used to perform malicious activities, such as data withdrawals or remote code execution.

Pre-installed malware

The last major type of supply chain attack involves pre-installing malware on devices. This type of attack is often used by attackers to target IoT devices or to infect software that is sold or distributed by a third party.

What does a ransomware supply chain attack look like?

You don’t have to look far to find a real-world supply chain attack example — and an illustration of how things can go wrong fast.

Take the attack on IT solutions developer, Kaseya, for instance. Here, hackers exploited a vulnerability in the company's VSA software to begin a supply chain attack.

0.1% of the company’s customers — between 800 and 1500 small to medium-sized businesses — were affected by the breach. So although this was, by definition, a relatively small-scale attack, it just goes to show how even the smallest vulnerability can affect hundreds and potentially thousands of businesses and consumers.

Why are supply chain attacks on the rise?

New opportunities for bad actors

One of the main reasons that we’re seeing more supply chain attacks right now is that, for hackers, it’s a bit of an untapped market. Businesses have been investing in security elsewhere, leaving reduced protection in the supply chain sector. With the improvement of security technologies like firewalls, WAFs, SEGs and email hygiene, attacks against the perimeter have become harder. Supply chain attacks provide a route to circumvent these security investments.

Attackers have now caught on to this fact and are using it to exploit vulnerabilities that many businesses have overlooked.

The Software Supply chain is becoming increasingly complex

Then there’s the impact of an increasingly complex supply chain software set-up. This complexity makes it more difficult to secure, as there are more opportunities for attackers to exploit vulnerabilities.

The complexity of supply chain software can also make it more difficult for organizations to detect and respond to attacks; in some circumstances, there are more points of weakness than a business can even comprehend. The challenge isn't just preventing attacks, but also being aware of when and how they've occurred.

DevOps and containers present new challenges

The use of DevOps and containers are another factor that contributes to the rise of supply chain attacks.

Both of these practices involve automating and shortening the amount of time that goes into developing software. And to a certain extent (especially within containerization), businesses end up relying on third-party components from various registries. The key issue that causes problems here is that in a devops environment, and especially where a solution is containerized, it is common practice to rely on multiple components, often third party, which are assembled into a final product. It is hard to understand the supply chain dependencies of all of the components making up an application in this way. Between the automation and use of third-party components, it's no wonder that there are plenty of chances for malicious actions to take place.

How you can protect your business against a supply chain attack

To protect against supply-chain attacks we need to first consider the main types of supply-chain attacks. Primarily these include:

• compromised software development and build tool-chains.
• stolen code-signing certificates or apps masquerading as coming from a trusted source.
• compromised code shipped as firmware on hardware
• pre-installed malware on devices such as USB keys.

The main ways we can protect ourselves against these are:

• maintaining strong code integrity policies to ensure that only trusted code and authorized applications are run.
• deploying detection and response to quickly detect and react to unusual activity
• deploying zero trust to limit the scope for lateral movement of any attackers.

Deploy a "zero trust" strategy

A "zero trust" strategy requires all users to authenticate before they can access any data or systems.

In other words, no one is able to access anything by good faith (or trust) alone. They need to prove that they are who they say they are, and they need to have the right permissions to access your data and systems.

By requiring all users to authenticate, you can make it more difficult for attackers to gain access to your systems. Think about it like this: You wouldn't install locks on some of the doors in your home. You would ensure that each door is securely locked, otherwise you're inviting risk.

Use endpoint detection and analyze network activity

Endpoint detection and response systems are another highly effective way to protect against supply chain threats. These are automated defense systems that can instantly detect when an attack has or may be taking place — and, by doing so, stop any lateral movement a bad actor may attempt once they’ve breached your outer layer.

Circling back to the ultimate strategy of a supply chain attack we shared at the start of this article — to infect one device, get past one legitimate update cycle, and work through your operations from there — it’s clear just how important having endpoint detection and response technology in place can be for supply chain protection.

However it is important to note that EDR may actually not be enough, as EDR does not focus on the network where a lot of suspicious activity resulting from a supply chain attack becomes visible. In fact the problem with EDR in a supply-chain attack is that the compromised applications may even be trusted by the EDR. Sometimes the only way to detect applications which have been compromised via their software supply chain is to pick up suspicious network activity - for instance C&C communication or exfiltration of data.

For more information on how you can secure your business with a best-in-class endpoint detection and response system, reach out to Samurai XDR today.