It’s easy for organisations to fall into the trap of focusing on defending their IT networks with virus scanning for potentially harmful files or stringent password rules, unaware that an attacker may already have slipped in through a trusted source. These kinds of attacks are called supply chain attacks. They enter an organisation’s IT systems through its supply chain and go unnoticed until it’s too late.
Cyber-attacks like supply chain attacks and ransomware attacks can severely hurt a business. Some businesses never recover.
Malicious actors have slyly found a vulnerability in the supply chain of IT systems. All organisations use third-party software that hasn’t been developed in-house. This can be anything from word processing to inventory systems to virus scanners. It is essential software an organisation needs to deliver its products and services to its clients and customers.
These software vendors are trusted by organisations and their software is placed on their application whitelist. A whitelist is a list of trusted applications that are given permission to run on an IT system. Organisations will run this trusted software without a second thought that it may have been tampered with.
Threat actors now understand that they do not need to spend their effort breaking directly into government organisations or large companies with strong security. Instead, they quietly compromise the software of a third-party vendor and, with that single effort, reach those organisations and many, many more. A vendor’s defences are usually easier to breach than those of a large organisation guarding a lot of sensitive information.
Malicious actors embed malicious code into a software application, a software update, or even a security patch of third-party vendor software. When the vendor distributes that software to all its customers, the malicious code is distributed with it. This is the attack vector. Because the software carries the vendor’s digital certificate, every IT system that uses it treats it as legitimate and clears it to install.
It could be weeks later, and the organisation may not notice the malicious code at all, but eventually the malicious actor will remotely activate the malicious code. What it will do depends on the objectives of its creator.
It may distribute itself through the network. It may be a ransomware attack. It may email itself to all the email contacts in the organisation’s email list.
This malicious code will have access to whatever digital assets and sensitive business information the vendor software has access to. But the important thing to note is that a supply chain attack will do this to all the software vendor’s clients simultaneously. So, it can create a lot of damage in one attack. This is why the European Union Agency for Cybersecurity this year predicted a four-fold increase in these types of attacks over the next year - it’s less effort for malicious actors to gain maximum effect.
To demonstrate just how catastrophic a supply chain attack can be, last year Russian attackers who work for Russia’s foreign intelligence agency hacked their way into the software firm SolarWinds and implanted malicious code in its project management tool Orion. With a client base of at least 18,000 networks, these cyber criminals were able to create an attack vector into US federal agencies including NASA, the State Department, the Department of Defense, and the Department of Justice.
Similarly, China, which has strong control over its citizens, can very easily launch a supply chain attack. A lot of the world’s software originates from countries like China or other countries where the cost of developing software is low. But the flip side of this is the risk that low cost creates.
Most software today contains some sort of open-source code. Open-source code is source code that is packaged and used as a foundation for new software development. Most open-source code is free, and it allows software development to accelerate by eliminating the need to reinvent.
Unfortunately, the security around open-source code is not as strong as it could be. Malicious actors exploit this by trying to embed malicious code within existing open-source code. Or they publish their own open-source code that does something genuinely useful while carrying malicious code hidden inside it.
The best way to protect your business from supply chain risk is to implement strong supply chain security by thoroughly investigating third party software vendors.
A security expert will know what to look for when it comes to compliance with strict cyber security standards. Does the vendor use open-source code? Was any of the software developed overseas? These are the kinds of questions that can form part of a security checklist for each vendor.
Only software from vendors that meet the criteria should be allowed to run on your IT network. Application whitelisting, combined with checking that permitted software is installed exactly as the vendor released it, is another way to catch tampered third-party software, and multi-factor authentication adds a further layer. Software that has not been checked should not be allowed to run at all. Checks should be repeated regularly to ensure everything is up to date.
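As an added illustration of the "installed as it should be" check (example code written for this post, not code from Essential Tech or any vendor), the Python below audits a staging directory of downloaded installers: a file is cleared only if its name is on an allowlist and its SHA-256 digest matches the one the vendor published. File names, contents and digests are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed allowlist: installer name -> SHA-256 the vendor published for that release.
# Hypothetical names; in practice these digests come from the vendor's signed release
# manifest or checksum file, never from the download being checked.
ALLOWLIST = {
    "vendor-tool-1.2.3.msi": sha256_hex(b"genuine vendor build"),
    "security-patch-7.msi": sha256_hex(b"genuine security patch"),
}

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_artifact(path: Path, allowlist: dict) -> str:
    """Return 'ok', 'not-allowlisted' (unknown software) or 'hash-mismatch' (known name, altered bytes)."""
    expected = allowlist.get(path.name)
    if expected is None:
        return "not-allowlisted"
    if sha256_file(path) != expected:
        return "hash-mismatch"  # a trusted name is not enough; the contents were changed
    return "ok"

def audit_directory(directory: Path, allowlist: dict) -> dict:
    """Classify every file in a download/staging directory; only 'ok' files may be installed."""
    return {p.name: check_artifact(p, allowlist)
            for p in sorted(directory.iterdir()) if p.is_file()}

def demo() -> dict:
    """Constructed staging directory: one genuine installer, one tampered patch, one unknown tool."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        (staging / "vendor-tool-1.2.3.msi").write_bytes(b"genuine vendor build")
        # Same trusted file name as the allowlist entry, but with extra bytes implanted.
        (staging / "security-patch-7.msi").write_bytes(b"genuine security patch" + b"<implant>")
        (staging / "handy-utility.exe").write_bytes(b"never reviewed by anyone")
        return audit_directory(staging, allowlist=ALLOWLIST)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```

The tampered patch shows why a whitelist by name alone is not enough: the file is still called what the vendor called it, and only the digest comparison reveals the change.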
If you’d like to know more about the importance of risk management and how your business can be protected from supply chain attacks and other security vulnerabilities, talk to the security experts at Essential Tech today.