Supply Chain Attacks: When Things Go Wrong

Written by

Ongoing digital transformation is pushing business of all sectors to bring to market highly innovative digital products. As development teams are pushed to develop advanced applications in record time, using third-party code has become a standard practice — 66% of modern applications’ code comes from third-parties.

This increase in the demand for innovative software has effectively reshaped the software development industry itself. Today, speed and agility are the order of the day and software development teams are pushed to deliver highly advanced applications in record time — which means that creating every single line of code from the ground up is often not a sustainable practice. 

Integrating external scripts and using code dependencies is now standard practice when developing software. Some of the most widely-used pieces of code come from reputable third-party providers such as Google, and we don’t expect attackers to be able to compromise their scripts.

However, companies of this size and magnitude frequently use third-party scripts which come from small companies or individual developers whose own security systems can be very simple or even non-existent. Most third-party code providers don’t have enterprise-grade security systems, and yet this external code has the same permissions as the code that companies develop in-house.

Attackers have clearly identified this weakest link in the software supply chain - being able to breach high-profile companies without ever having to go near their servers or code. Witness the major attacks that took place last year, including the Magecart attacks on British Airways and Ticketmaster. The holy grail is to now target dependencies or scripts which are developed by third-parties and used by thousands of companies - something that we now have come to know as supply chain attacks.

Modern applications are not part of a closed environment. By using and integrating third-party code, they are granting it the same privileges as all the remaining first-party code (code that’s developed internally).

The OWASP Top 10 Application Security Risks prominently features “Using Components with Known Vulnerabilities”, stating that “Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application.” With one single attack on a very small company or developer, attackers can breach thousands of major enterprises.

Supply Chain Attacks
A supply chain attack is characterized as “an intentional malicious action (e.g., insertion, substitution or modification) taken to create and ultimately exploit a vulnerability in information and communication technology (hardware, software, firmware) at any point within the supply chain with the primary goal of disrupting or surveilling a mission using cyber resources.”

In software development, a supply chain attack is typically performed by inserting malicious code into a code dependency or third-party service integration. Common attack objectives include gaining unauthorized access to information, reducing availability, causing the system to malfunction, or causing end users to do unintended things.

Unlike typical cyber-attacks, supply chain attacks provide two major advantages to attackers. Firstly, a single supply chain attack can target multiple companies at once (since multiple companies use the same code dependencies). In this way, the potential return on investment for the attack is higher.

Secondly, and unlike common cyber-attacks, supply chain attacks can remain undetected by perimeter defenses, as they are often initiated by an embedded change to a component of the system which is trusted by default. Following on from this, an approved delivery mechanism (such as a software update) delivers the supply chain attack without arousing the suspicion of network defenders.

In the current panorama of application security, there’s no infallible way of being sure that malicious code or markup isn’t injected into companies’ applications. The next best thing is to gain visibility about injections and be able to react in real-time. Past supply chain attacks have one common metric that contributed to their magnitude: a very long time period between attack and subsequent detection.

Adopting a solution that detects supply chain attacks in real-time enables companies to react instantly and mitigate them before any serious damage occurs.

First and foremost, it’s vital that security professionals and management understand that mitigating supply chain attacks requires a security-in-depth approach. Investing resources solely on periphery defenses is not a suitable approach.

Good practices such as using a content security policy, subresource integrity, and assessing the security of third-party code providers become crucial. However, when you consider that supply chain attacks frequently arise through changes manifested on the client-side, investing in client-side security solutions (such as web page monitoring) becomes a key step of the whole process.

At a time when we are seeing supply chain attacks becoming a common occurrence, companies that fail to employ an in-depth security approach will in all likeliness become another victim in a long list of data breaches.

What’s hot on Infosecurity Magazine?