What Is a Supply Chain Attack? A supply chain attack is a type of cyberattack carried out against an organization’s suppliers as a means to gain unauthorized access to that organization’s systems or data. They’re sometimes called value chain or third-party software attacks. These attacks involve significant planning by threat actors, use malicious code to infiltrate an organization’s systems, and can have a devastating blast radius after the initial compromise, as in the case of the 2020 SolarWinds attacks.

Examples of Supply Chain Attacks

There are two major types of supply chain attacks that focus on an organization’s supply or value life cycle.

Island Hopping Attacks

“Island hopping” attacks occur when cybercriminals infiltrate large companies by targeting smaller organizations, or those likely to have less sophisticated security controls, that are part of the larger company’s value chain. As the name implies, the attackers “hop” from organization to organization to close in on their main target.

Island hopping attacks typically target prominent organizations, which tend to rely on a broad digital ecosystem of suppliers. These may include managed services providers, hardware and software vendors, and technology and business partners, many of which are connected into various applications and databases through a plethora of vulnerable endpoints.

Supply Chain Attacks

“Supply chain” attacks, such as the SolarWinds cyberattack, are slightly different. Instead of seeking out a partner’s vulnerabilities as a way into another company’s network, they explicitly aim to exploit the trust between legitimate organizations used in normal business operations.

How a Supply Chain Attack Works

Supply chain attacks seek to gain access by implanting a backdoor into products, typically software, used by the target organizations. This allows the attackers to deliver automated patches or “trojanized” software updates that open the door for malware and other attacks.

Island hopping and supply chain attacks have been the source of high-profile, costly breaches, but the “island” organizations can also incur severe reputational and business damages, even though they’re not the actual targets of such a campaign.

The Impact of Supply Chain Attacks

In the SolarWinds Orion attack in 2020, an adversary was able to gain access to SolarWinds systems through a backdoor and create trojanized updates to the SolarWinds Orion platform. The trojanized Orion update allowed attackers to deploy stealthy malware on the networks of 18,000 SolarWinds customers, which included many US government agencies and organizations, including the Pentagon, the Department of Homeland Security, the FBI, the Army, the Navy, and many more.

The backdoor was delivered through a legitimate software update to a known (trusted) monitoring and management tool. After the installation of the backdoor, the adversary took steps to avert sandbox detection, including waiting days before for any callback to its command-and-control (C2) system.

Why Are They So Dangerous?

Security researchers state that supply chain attacks are some of the most difficult threats to prevent because they take advantage of inherent trust. Beyond that, they're difficult to detect, and they can have longer lasting residual effects.

Why the Software Development Life Cycle Matters

Software supply chain vulnerabilities begin in the development of the chain itself. It’s important to remediate potential cybersecurity risks that present themselves in the development process so you can keep supply chain security incidents to a minimum.

Let’s explore how software development can create vulnerable attack vectors when not secured properly.

What Are Secrets?

As they pertain to software development, secrets are means of authentication—such as tokens, encryption keys, passwords, APIs, and so on—that allow for user-to-app and app-to-app access to sensitive data. Quite often, hackers and ransomware groups such as NotPetya will scour an organization’s source code to discover vulnerabilities within it to exploit at a later time.

The Risks of Open Source

Despite its ubiquitous nature, open source software (OSS) often leaves an organization vulnerable to attack. OSS, although effective for software development, increases the attack surface and leaves the door open for data breaches and malware—two of the most frequent offenders in software supply chain attacks.

Does the SolarWinds Attack Highlight Supply Chain Risk?

The SolarWinds attack demonstrates to organizations that they must have their guard up at all times when it comes to their supply chains. It displays the particular vulnerabilities of manufacturing a software supply chain, and it shows IT security leaders that once a bad actor has infiltrated one part of the chain, they’ve infiltrated the whole thing.

To help you keep your organization protected from these dangerous threats, in the next section, we’ve put together a list of best practices that will help keep your business protected from these groups and threats alike.

Best Practices for Protecting Your Organization

Supply chain attacks are still evolving, and there’s no doubt adversaries will find new ways to compromise the operations and sensitive data of public agencies and private companies alike. To reduce supply chain risk and increase supply chain security as much as possible, Zscaler recommends taking these steps:

• Eliminate your internet-facing attack surface, stop lateral movement, minimize permissions, and block C2 with a zero trust architecture.
• Enable full TLS/SSL inspection functionality and advanced threat prevention on workload-to-internet traffic.
• Run an inline cloud sandbox to identify and stop unknown threats.
• Enforce protections for known C2 traffic with continuous updates as new destinations emerge.
• Require multifactor authentication for any access to high-value targets.
• Limit the impact of lateral movement with identity-based microsegmentation for cloud workloads.
• Choose vendors that can attest to the highest levels of confidentiality, integrity, and availability.
• Perform continual risk assessments and prioritize risk management to ensure your organization is under the best possible protection.

To carry out these supply chain security best practices, you need to recruit the services of a trusted name in cybersecurity with a platform that inspects traffic inline, removing the threat of harmful malware and ransomware injection before it infiltrates your organization—Zscaler.

Protecting Against Supply Chain Attacks with Zscaler

Supply chain attacks are sophisticated and difficult to detect. In addition to understanding the security posture of all partner organizations, it’s important to have multiple layers of protection and visibility into all of your organization’s traffic. What follows are some of the integrated services enabled by the Zscaler Zero Trust Exchange™ that protect against supply chain attacks by enabling you to:

1. Identify and stop malicious activity from compromised servers by routing all server traffic through Zscaler Internet Access.
2. Restrict traffic from critical infrastructure to an “allow” list of known-good destinations.
3. Ensure that you are inspecting all SSL/TLS traffic, even if it comes from trusted sources.
4. Turn on Advanced Threat Protection to block all known C2 domains.
5. Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations.
6. Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload.
7. Limit the impact from a potential compromise by restricting lateral movement with identity-based microsegmentation (Zscaler Workload Segmentation) and a zero trust architecture.
8. Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access.

Here are some next steps to consider:

1. Watch this video to learn more about the Zscaler Zero Trust Exchange.
2. Learn how to protect your applications from build to runtime with Posture Control.
3. Visit this page to understand what to do in the event of a SolarWinds-style cyberattack.