The Rise of Supply Chain Attacks in 2026

Updated on January 04, 2026

Supply chain attacks exploit trust rather than technical weaknesses in the target company's own resources. By attacking software manufacturers, vendors and partners instead of the target's own systems, attackers gain a backdoor route into any corporation they want.

One upstream attack can cascade into multiple downstream corporations. By the time the target notices it has been breached, the original compromise is often weeks or months old.

How supply chain attacks work:
1. The vendor's electronic resources are compromised.
2. The malicious payload is added to the vendor's product, and in some cases it changes the way the product operates.
3. The malicious payload is distributed to other companies.
4. The target company uses the compromised resources, and ultimately so does the attacker, without raising any alarms.

While the specific details will vary from one incident to another, there are common tools and techniques that attackers tend to use against a wide range of organizations.

These common tactics include:
1. Compromising the development pipeline: Attackers use automated build processes or misconfigured continuous integration / continuous deployment (CI/CD) pipelines to inject backdoor code.
For example, attackers can run the command below to view environment variables in the pipeline:
    printenv | grep SECRET

2. Misusing digital certificates: Attackers use valid signing certificates to make it appear that their malicious software updates were created by legitimate organizations.
3. Exploiting third-party APIs: Attackers can gain lateral movement between systems using unprotected or weak API credentials or by finding exposed APIs.
4. Phishing for credentials or using a vendor’s credentials: When a vendor’s user account is compromised, an attacker may gain access to a number of companies’ accounts.
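
For tactic 1 above, one way to limit what a build step can read from the pipeline environment. This is an added example, not code from the original article: the function names, the name pattern and DEPLOY_SECRET are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example. Variable names and the demo value are constructed.

# Names that usually hold credentials (assumption; extend for your pipeline).
SECRET_NAME_RE='(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY)'

# Print the NAMES (never the values) of secret-like variables that a child
# process would inherit. Optional arguments are a launcher prefix, so the same
# audit can be run through run_step_scrubbed.
exposed_secret_names() {
    "$@" env | cut -s -d= -f1 | grep -E "$SECRET_NAME_RE" | sort
}

# Run a build step with an empty environment plus an explicit allowlist.
# Usage: run_step_scrubbed "VAR1 VAR2" command [args...]
run_step_scrubbed() {
    allow=$1; shift
    for name in $allow; do
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;   # not a valid identifier
        esac
        eval "[ -n \"\${$name+set}\" ]" || continue   # skip unset variables
        eval "val=\$$name"
        set -- "$name=$val" "$@"                      # prepend NAME=value
    done
    env -i "$@"
}

# Constructed demo: a fake credential exported the way a CI runner would.
DEPLOY_SECRET='constructed-demo-value'; export DEPLOY_SECRET
echo "inherited by default: $(exposed_secret_names | tr '\n' ' ')"
echo "after scrubbing:      $(exposed_secret_names run_step_scrubbed 'PATH HOME' | tr '\n' ' ')"
```

Steps that genuinely need a credential get it by naming it in the allowlist, which makes every secret a step can read visible in the pipeline definition.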


Real-world examples
Example 1: Software update attack
Attackers distributed a malicious update through the software update mechanism of a popular network monitoring product. The malicious update reached thousands of client organizations, and many of them downloaded it without knowing it was malicious. The attackers maintained persistent access to those organizations' systems for a long period of time before they were detected.

Example 2: Compromise of the hardware supply chain
Network routers and switches were shipped with a pre-installed backdoor to all customers of those devices. The issue was not discovered until unusual outbound activity was seen from a router. It was then found to have affected several different organizations across multiple geographic regions.

Example 3: A breach of a third-party cloud service provider
A vendor's secure cloud storage account at a cloud service provider was hacked. Attackers gained access to customers' stored data through the cloud storage provider's API without launching a direct attack against those customers' systems.

Executive leaders must analyze:
1. Access policies and privilege reviews for vendors.
2. Security of all development pipelines and update mechanisms.
3. Monitoring of suspicious activity from trusted sources.
4. Vendors' contractual obligations and regulatory requirements regarding security.

Ways to Reduce Supply Chain Risk
The following steps can help you minimize the impact of supply chain risk:
1. Maintain a list of your most important vendors, including their associated access levels.
2. Ensure that you implement the least-privilege principle for all vendor relationships.
3. Monitor for unusual or unexpected updates and configuration changes made by your third-party vendors.
4. Periodically conduct security audits on your critical vendor partners.
5. Create and develop incident response playbooks that specifically address scenarios associated with your company’s supply chain.

Supply chain attacks exploit trust, not firewalls.
As your organization relies on external service providers, the potential impact of a single breach is much greater.

Leadership should therefore focus on governance, monitoring, and verification, which is more effective than applying technical security defenses alone.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067