Software supply chains have become essential resources for today’s businesses. Tapping into such a chain rather than developing the software on its own allows companies to boost productivity and efficiency while lowering costs. Yet, there’s a downside: software supply chains are prime targets for cyber-attacks.
To understand what makes them attractive, imagine how a terrorist might poison a city’s population through its drinking water. The terrorist could go house to house, finding an opening in the plumbing to slip in deadly chemicals. He might find a time when the guard at the city’s public utilities facility was napping and dump poison into the water tower.
The same logic makes a software supply chain attractive to cyber-attackers. Once they insert their malware into the supply chain, potentially all the customers using that software will be infected.
If your organization relies on software supply chains, you’ll want an understanding of just how these chains are attacked and what best practices you can follow to help your company stay safe.
The Soft Underbelly: Software Vendors
Software supply chains are an efficient method for cyber-criminals to reach multiple targets. The attacker’s common methodology is to infiltrate a software vendor’s network and employ malicious code to compromise the software, which is sent to the vendor’s customers. It then compromises the customer’s data or system.
The infiltration can come when a company first acquires the vendor’s software or in subsequent actions, such as through a software patch or hotfix. In these cases, the compromise still occurs before the patch or hotfix enters the customer’s network. This is referred to as going “upstream” in the supply chain to compromise systems earlier in the software distribution process.
In short, attacks on software supply chains act as “force multipliers” in gaining access to hundreds or thousands of companies with a single compromise. What looks initially like a minor ripple on the attack surface can almost instantly become a cyber-attack tidal wave, damaging organizations near and far.
Overall, organizations are not well prepared for this threat. A full third of organizations are clueless about their software supply chain risk exposure. Only 22.5% monitor their entire supply chain, and 32% perform vendor risk assessments no more than once every six months (BlueVoyant).
How the Threat Actors Attack
The attackers use three common techniques to attack the software supply chain, often in combination or with other, less common methods.
-
Compromising Software Updates
Software vendors typically continuously distribute updates from centralized servers through cloud infrastructure to their customers. This is part of routine product maintenance. Threat actors can compromise an update by infiltrating the vendor’s network and either inserting malware into the outgoing update or altering the update to grant the threat actor control over the software’s normal functionality.
-
Undermining Code Signing
Code signing is used to validate the identity of the code’s author and the integrity of the code. Attackers undermine code signing by self-signing certificates, breaking signing systems or exploiting access control of misconfigured accounts. By undermining code signing, threat actors are able to successfully compromise software updates.
-
Exploiting Open-Source Code
Open-source code exploitation occurs when threat actors insert malicious code into publicly accessible code libraries, which unsuspecting developers – looking for free blocks of code to perform specific functions – then add to their own third-party code.
These compromised malicious libraries will often contain the same code and functionality as those they are impersonating, but they also include additional functionality that can be used for malicious purposes.
Best Practices for Protecting Your Organization
These methods have all resulted in great success for attackers, so companies need to ramp up their defenses to stay safe. The best practices that result from this understanding include the following:
- Ensure suppliers implement security practices: You’ll need everyone in the supply chain to implement their best housekeeping to secure your business from the very beginning of the supply chain.
- Limit access to data: Prioritize who should be given access, restricting it to only those who need it.
- Implement effective auditing and reporting practices: Collect data and log it for review to understand the methods that work and those that don’t, then only employ the effective practices.
- Test your own security measures: Put your practices to the test and note how they hold up to various threats you may want to emulate.
- Work in collaboration: Communication is key to keeping a good relationship and prioritizing a smooth supply chain exchange of goods.
The more these best practices are implemented, the better the business will be to nullify the attackers from the onset