A supply chain attack is a type of cyberattack carried out against an organization’s suppliers as a means to gain unauthorized access to that organization’s systems or data. Sometimes called value chain or third-party software attacks, they involve significant planning by threat actors, who use malicious code to infiltrate an organization’s systems, and they can have a devastating blast radius after the initial compromise, as in the case of the 2020 SolarWinds attacks.
There are two major types of supply chain attacks that focus on an organization’s supply or value life cycle.
Island Hopping Attacks
“Island hopping” attacks occur when cybercriminals infiltrate large companies by targeting smaller organizations, or those likely to have less sophisticated security controls, that are part of the larger company’s value chain. As the name implies, the attackers “hop” from organization to organization to close in on their main target.
Island hopping attacks typically target prominent organizations, which tend to rely on a broad digital ecosystem of suppliers. These may include managed services providers, hardware and software vendors, and technology and business partners, many of which are connected into various applications and databases through a plethora of vulnerable endpoints.
Supply Chain Attacks
“Supply chain” attacks, such as the SolarWinds cyberattack, are slightly different. Instead of seeking out a third-party vendor’s vulnerabilities as a way into another company’s network, they explicitly aim to exploit the trust between legitimate organizations used in normal business operations.
How a Supply Chain Attack Works
Supply chain attacks seek to gain access by implanting a backdoor into products, typically software, used by the target organizations. This allows the attackers to deliver automated patches or “trojanized” software updates that open the door for malware and other attacks.
Island hopping and supply chain attacks have been the source of high-profile, costly breaches, but the “island” organizations can also incur severe reputational and business damages, even though they’re not the actual targets of such a campaign.
The Impact of Supply Chain Attacks
In the SolarWinds Orion attack in 2020, an adversary was able to gain access to SolarWinds systems through a backdoor and create trojanized updates to the SolarWinds Orion platform. The trojanized Orion update allowed attackers to deploy stealthy malware on the networks of 18,000 SolarWinds customers, which included many US government agencies and organizations, including the Pentagon, the Department of Homeland Security, the FBI, the Army, the Navy, and many more.
The backdoor was delivered through a legitimate software update to a known (trusted) monitoring and management tool. After the installation of the backdoor, the adversary took steps to avert sandbox detection, including waiting days before any callback to its command-and-control (C2) system.
Why Are They So Dangerous?
Security researchers state that supply chain attacks are some of the most difficult threats to prevent because they take advantage of inherent trust. Beyond that, they’re difficult to detect, and they can have longer-lasting residual effects. Mitigating and remediating a supply chain attack isn’t as simple as installing an antivirus or resetting your operating system. These attacks come after your processes, which is why they need to be solid from the ground up.
Security experts have been warning for many years that [supply chain attacks] are some of the hardest types of threats to prevent because they take advantage of trust relationships between vendors and customers and machine-to-machine communication channels, such as software update mechanisms that are inherently trusted by users.
Software supply chain vulnerabilities begin in the development of the chain itself. It’s important to remediate potential cybersecurity risks that present themselves in the development process so you can keep supply chain security incidents to a minimum.
Let’s explore how software development can create vulnerable attack vectors when not secured properly.
What Are Secrets?
As they pertain to software development, secrets are means of authentication—such as tokens, encryption keys, passwords, API keys, and so on—that allow for user-to-app and app-to-app access to sensitive information. Quite often, hackers and ransomware groups such as NotPetya will scour an organization’s source code to discover vulnerabilities within it to exploit at a later time.
The Risks of Open Source
Despite its ubiquitous nature, open source software (OSS) often leaves an organization vulnerable to attack. OSS, although effective for software development, increases the attack surface and leaves the door open for data breaches and malware—two of the most frequent offenders in software supply chain attacks.
Does the SolarWinds Attack Highlight Supply Chain Risk?
The SolarWinds attack demonstrates to organizations that they must have their guard up at all times when it comes to their supply chains. It displays the particular vulnerabilities of manufacturing a software supply chain and how they can pose a risk for high-profile, highly protected companies such as Cisco, Intel, and Microsoft. It also shows IT security leaders that once a bad actor has infiltrated one part of the chain, they’ve infiltrated the whole thing.
To help you keep your organization protected from these dangerous threats, in the next section, we’ve put together a list of best practices that will help keep your business protected from these groups and threats alike.
Best Practices for Protecting Your Organization
Supply chain attacks are still evolving, and there’s no doubt adversaries will find new ways to compromise the operations and sensitive data of public agencies and private companies alike. To reduce supply chain risk and increase supply chain security as much as possible, Zscaler recommends taking these steps:
Eliminate your internet-facing attack surface, stop lateral movement, minimize permissions, and block C2 with a zero trust architecture.
Enforce protections for known C2 traffic with continuous updates as new destinations emerge.
Require multifactor authentication for any access to high-value targets.
Limit the impact of lateral movement with identity-based microsegmentation for cloud workloads.
Choose vendors that can attest to the highest levels of confidentiality, integrity, and availability.
Perform continual risk assessments and prioritize risk management to ensure your organization is under the best possible protection.
Conduct frequent cybersecurity awareness training with best practices to ensure your employees know what to look out for (phishing emails, etc.).
Implement a proper incident response framework in the event an attack is detected in your network.
To carry out these supply chain security best practices, you need to recruit the services of a trusted name in cybersecurity with a platform that inspects traffic inline, removing the threat of harmful malware and ransomware attacks before they infiltrate your organization—Zscaler.
Protecting Against Supply Chain Attacks with Zscaler
Supply chain attacks are sophisticated and difficult to detect. In addition to understanding the security posture of all partner organizations, it’s important to have multiple layers of protection and visibility into all of your organization’s traffic. What follows are some of the integrated services enabled by the Zscaler Zero Trust Exchange™ that protect against supply chain attacks by enabling you to:
Identify and stop malicious activity from compromised servers by routing all server traffic through Zscaler Internet Access.
Restrict traffic from critical infrastructure to an “allow” list of known-good destinations.
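As an added example (not Zscaler code or product logic), the allow-list rule above expressed as a check over server egress logs: constructed proxy log lines for two critical hosts are compared against a per-host allow list, and every connection to an unlisted destination is reported for review. Host names, destinations and the log format are all constructed for illustration.

```python
"""Deny-by-default egress check for critical servers (added example).

A trojanized update typically introduces a brand-new callback destination,
so any connection from a critical host to a destination outside its known-good
list is worth a review, regardless of how the software on that host got there.
"""
from collections import defaultdict

# Constructed allow list: critical host -> destinations it legitimately needs.
ALLOW_LIST = {
    "orion-01": {"updates.vendor.example", "time.example.org"},
    "db-01": {"backup.example.net"},
}

# Constructed proxy log lines: timestamp, source host, destination, bytes out.
SAMPLE_LOG = """\
2020-12-01T09:00:00Z orion-01 updates.vendor.example 4096
2020-12-01T09:05:00Z orion-01 time.example.org 76
2020-12-13T03:12:00Z orion-01 unknown-cdn.example 1320
2020-12-13T03:13:00Z db-01 backup.example.net 900000
2020-12-13T03:20:00Z db-01 paste.example 2200
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, dest, nbytes = line.split()
        events.append({"ts": ts, "host": host, "dest": dest, "bytes": int(nbytes)})
    return events


def find_violations(events, allow_list):
    """Return (host, dest, ts) for each connection from a critical host to a
    destination not on its allow list. Hosts absent from allow_list are not
    critical infrastructure here and are skipped."""
    return [
        (ev["host"], ev["dest"], ev["ts"])
        for ev in events
        if ev["host"] in allow_list and ev["dest"] not in allow_list[ev["host"]]
    ]


def summarize_by_host(violations):
    """Group violating destinations per host, deduplicated, in first-seen order."""
    seen = defaultdict(list)
    for host, dest, _ts in violations:
        if dest not in seen[host]:
            seen[host].append(dest)
    return dict(seen)


if __name__ == "__main__":
    for host, dests in summarize_by_host(
            find_violations(parse_log(SAMPLE_LOG), ALLOW_LIST)).items():
        print(f"{host}: unlisted destinations {dests}")
```

In practice the allow list is enforced at the egress control point, and this kind of review runs over the control point's logs to catch drift in what critical hosts reach.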
How Are Supply Chain Attacks Different From Data Breaches?
Supply chain attacks exploit legitimate tools that are already trusted within your ecosystem to gain access to your network, injecting malware and backdoors into software patches and updates. These attacks can infect hundreds or thousands of companies at once without discovery.
How Will Supply Chain Attacks Evolve In the Future?
We’ll start to see multi-tier supply chain attacks as adversaries become more advanced: they could breach one software vendor to gain access to their customers’ networks. Some of those customers could also be software companies, and adversaries will attempt to infect those companies’ software updates to reach even more organizations.