Supply chain security: are third parties the weakest link?


Although supply chain attacks have been a security risk for many years, this threat has come to the fore after a series of high-profile incidents that clearly demonstrate the large-scale impact of such attacks on organizations and their customers. Here we take a look at breaches resulting from weaknesses in the supply chain and at approaches to mitigating them.

According to a 2021 survey, 86% of organizations believe that in three years software supply chain attacks could become one of the biggest threats, and only 36% vetted all new and existing suppliers for security reasons in the last 12 months. Meanwhile, 45% of respondents said their organization had suffered at least one supply chain attack in the last 12 months, and 59% of respondents that experienced a supply chain attack did not have a response plan prepared.

A recent example of supply chain dangers is a security breach at the major authentication services provider Okta, where the extortion group Lapsus$ stole valuable data from the company’s internal network. The hackers gained access to the network through a compromised account of a customer support engineer working at Sitel, an Okta sub-processor that provides contract workers for customer support. The attackers had access to Sitel’s network for five days, between 16 and 21 January 2022, until they were detected and purged from the network.

A supply chain attack refers to a cyber-attack where an organization’s digital infrastructure is targeted via a trusted third-party vendor who provides software or services vital to the supply chain. By compromising a business supply chain, threat actors can gain access to a company that offers software and services to other organizations, making it possible to breach multiple victims at once.

With numerous components like hardware, firmware, system and application software, frameworks, cloud infrastructure, etc., often provided by third parties, the risk of supply chain attacks aimed at software or hardware increases. Software supply chain attacks involve attackers infecting an application with malicious code to compromise all its users, while hardware supply chain attacks target vulnerabilities in physical components.

Software supply chains are more vulnerable as they often involve software developed by third parties, such as off-the-shelf programs, open source code, or APIs. Vulnerabilities in application software can also pose a security risk for a supply chain, especially if vulnerable apps are widely popular and users run them with admin permissions.

The impact of supply chain attacks on businesses can be devastating, as they can lead to data theft, loss of information due to the deployment of malware (for example, data wipers), or even disruption of the supply chain itself, which may have severe consequences, both financial and reputational.

Hackers use a variety of attack vectors to breach software suppliers and conduct a successful attack via the development pipeline. The most common vectors security researchers observed in 2021 included the exploitation of open source software flaws, poisoning widely used open source packages, compromising CI/CD tools and code integrity, and manipulating the build process.

The past few years saw an increase in the volume, sophistication and severity of supply chain attacks, highlighting the need for a more thorough approach to cybersecurity. The 2020 SolarWinds hack is a prime example. In this attack, threat actors injected a backdoor into Orion software updates from IT services provider SolarWinds that were downloaded by 18,000 customers, including several US government agencies.

The victims, as in the SolarWinds case, usually have no technical means to detect an intrusion in a timely manner unless the breached supplier informs them. Meanwhile, most suppliers cannot afford the same level of incident detection and response (IDR) as their clients, for financial and organizational reasons. As a result, hackers and nation-state threat actors deliberately target the weakest link, get fast results, and frequently remain undetected and unpunished. Attribution of sophisticated APT attacks, such as the one on SolarWinds and subsequently its customers, remains a highly complicated, time-consuming and costly task.

The 2021 ransomware attack on Kaseya, a developer of IT solutions for MSPs and enterprise clients, raised awareness of the damaging effects of supply chain attacks. In this case, malicious actors exploited a previously unknown vulnerability in Kaseya’s VSA software to deploy the REvil ransomware on the systems of the managed service providers’ customers. The massive ransomware attack impacted between 800 and 1,500 downstream businesses.

Most of the attacks, even those involving exploitation of zero-day vulnerabilities, could have been prevented by defense-in-depth and zero-trust models. Many of the large-scale intrusions succeeded because of a lack of attack surface visibility, vulnerable software with security flaws publicly disclosed many months or even a few years earlier, or primitive password reuse attacks that worked because 2FA and other fairly simple security mechanisms designed to stop human-focused attacks were missing.

Supply chain attacks target not only commercial software, but also open source software projects. In fact, a report indicates that supply chain attacks aimed at open source software are a serious security threat for businesses and organizations, since the top 10% of the most popular OSS project versions are 29% likely on average to contain known vulnerabilities.

In a highly publicized incident, threat actors exploited vulnerabilities in the open-source Apache Log4j logging library present in millions of Java-based applications. These bugs allowed an attacker to achieve remote code execution on the servers running vulnerable applications without requiring authentication, or to trigger a denial-of-service condition. The problem here is that Log4j is used in numerous commercial applications, which introduces an additional security risk for organizations that are not aware they are actually using vulnerable software.

Supply chain attacks show that any organization is vulnerable and can be compromised, which is why an efficient strategy for supply chain security risk management is a must-have. To reduce risk, organizations can implement security measures such as fully mapping out the software supply chain, ensuring that the organization’s supply chain vendors have validated and certified security policies and procedures, and controlling what data third-party vendors have access to.

Visibility of an organization’s assets (hardware, software, cloud, data, users and licenses) is an indispensable starting point. Following a holistic inventory of assets, a similar inventory exercise should be performed on the suppliers and trusted third parties that have privileged access to data or infrastructure.

Third Party Risk Management (TPRM) should be a risk-based process implemented in a continuous manner. Where appropriate, vendors are to be audited in addition to paper-based questionnaires and attestations. Vendors who blindly sign any agreement to protect an organization’s data should be treated as a red flag: vendors that genuinely intend to comply with the organization’s data protection requirements will usually read and negotiate the contracts carefully.

Independent vendor scoring and a holistic TPRM program will likely mitigate harsh regulatory sanctions and penalties in case of a data breach stemming from a supply chain attack. The more evidence of compliance the organization has, the better. Proof of continuous TPRM improvement and adequate adaptation to emerging threats is essential as well.

Over the past few years, supply chain attacks have become one of the biggest cybersecurity threats, and security experts predict that they will likely peak in 2022, becoming a major problem. Therefore, assessing the risks stemming from the supply chain will be a center of attention for organizations in 2022 and beyond.