What is a supply chain attack?
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before, creating a perfect storm. The recent SolarWinds attack is a prime example.
SolarWinds attack highlights supply chain risk
The news about last year’s nation-state attack against up to 18,000 customers of networking tools vendor SolarWinds just keeps getting worse. According to a recent report by the New York Times, the SolarWinds attacks, attributed to Russia, penetrated many more than a “few dozen” government and enterprise networks, as first believed. As many as 250 organizations were affected, and the attackers took advantage of multiple supply chain layers.
It’s a violation of the chain of trust, says Steve Zalewski, deputy CISO at Levi Strauss. “That’s the big issues with all of this third party stuff,” he says. “We don’t keep it in house anymore. We’re having to rely on third-party ways to establish this trust, and there’s no national way or international way to do that.”
The problem is continually getting worse, with enterprises more and more reliant on outside providers, Zalewski says, adding that it’s time to look at the whole ecosystem of the software industry to address this problem. “To solve it completely, what we need is an international chain of trust, like a global PKI system,” he says, “where we can all agree on a global set of tools and practices.”
Unfortunately, there’s no practical way to do that. “We need a legal, regulatory, collective defense,” Zalewski says. “But it’s going to take years and years and years to do this.”
Security rating firm Bitsight estimates that the SolarWinds attack could cost cyber insurance companies up to $90 million. That’s only because government agencies don’t buy cyber insurance. Plus, the attackers tried to keep as low a profile as possible to steal information, so didn’t do much damage to systems.
Another supply chain attack in 2017, also attributed to Russia, compromised Ukrainian accounting software as part of an attack designed to target the country’s infrastructure, but the malware spread quickly to other countries. NotPetya wound up doing more than $10 billion in damage and disrupted operations for multinational corporations such as Maersk, FedEx and Merck.
Supply chain attacks are attractive to hackers because when commonly used software is compromised, the attackers could potentially gain access to all the enterprises that use that software.
All tech vendors vulnerable to supply chain attacks
Any company that produces software or hardware for other organizations is a potential target of attackers. Nation-state actors have deep resources and the skills to penetrate even the most security-conscious firms.
Even security vendors can be targets. In the case of SolarWinds, for example, one of the higher-profile companies breached was FireEye, a cybersecurity vendor. FireEye says that the attackers didn’t get into customer-facing systems, just the penetration tools used for security testing. The fact that it got hit at all is worrisome.
Other vendors hit by the Solar Winds attackers include Microsoft and Malwarebytes, another security vendor. “Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse-engineering our own software,” company CEO Marcin Kleczynski said in a January 19 post.
Email security vendor Mimecast announced in January that it was also hit by a sophisticated threat actor, and there have been reports that it’s the same group as the one behind the SolarWinds hack.
These attacks show that any vendor is vulnerable and could be compromised. In fact, this fall, security vendor Immuniweb reported that 97% of the world’s top 400 cybersecurity companies had data leaks or other security incidents exposed on the dark web – and 91 companies had exploitable website security vulnerabilities.
These kinds of attacks aren’t a recent development. In 2011, RSA Security admitted that its SecurID tokens were hacked. One of its customers, Lockheed Martin, was attacked as a result.
In addition to attacks like SolarWinds, which involve compromises of commercial software vendors, there are two other types of supply chain attacks — attacks against open-source software projects and cases where governments directly interfere in vendor products that originate in their jurisdictions.
The open-source supply chain threat
Commercial software isn’t the only target of supply chain attacks. According to Sonatype’s 2020 State of the Software Supply Chain Report, supply chain attacks targeting open-source software projects are a major issue for enterprises, since 90% of all applications contain open-source code and 11% of those have known vulnerabilities.
For example, in the 2017 Equifax breach, which the company says cost it nearly $2 billion, attackers took advantage of an unpatched Apache Struts vulnerability. Twenty-one percent of companies say they experience an open-source-related breach in the previous 12 months.
More recently, attackers have exploited vulnerabilities in the open-source Apache Log4 logging library used in millions of Java-based applications. The exploits are difficult to detect and mitigate. One of the Log4j exploits allows remote-code execution on the servers running vulnerable applications without requiring authentication. That has earned the vulnerability a severity rating of 10 on the CVSS scale. Another vulnerability can lead to a denial-of-service condition.
Because Log4j is used in many commercial applications, organizations might be vulnerable without knowing that they are actually using the logging library. This has led to companies scrambling to determine their level of risk from the threat and hoping that the vendors provide effective patches in a timely manner.
Attackers don’t have to wait around for a vulnerability to magically appear in open-source software. Over the past few years, they’ve begun deliberately compromising the open-source development or distribution process, and it’s working. According to the Sonatype survey, these kinds of next-generation attacks increased 430% over the previous year.
The foreign sourcing threat
Why bother to hack into a software company when you can just march in and order them to install malware in their products? That’s not so much of an option for Russia, since it’s not exactly known as a technology exporter. But China is.
“Compromised electronics in US military, government and critical civilian platforms give China potential backdoors to compromise these systems,” says US Senators Mike Crapo (R-Idaho) and Mark Warner (D-Virginia) in a statement announcing the bipartisan 2019 MICROCHIPS Act.
Nearly every government organization and private company is exposed, to some degree, to technology that originates in China or other low-cost countries, says Steve Wilson, VP and principal analyst at Constellation Research.
How to guard against supply chain attacks
So, what can enterprises do? Some regulatory frameworks, such as those in the financial sector or healthcare, already provide for third-party risk testing, or have some standards that vendors need to comply with. “Within PCI, there’s a software quality component to test the quality of mobile payment components,” says Wilson, referring to the Payment Card Industry Data Security Standard (PCI-DSS).
There are also more general frameworks, such as the Capability Maturity Model (CMM), ISO 9001, Common Criteria, SOC 2. “I’m a huge fan of CMM audits,” says Wilson. “On the other hand, I acknowledge the cost. The only people who insist on Common Criteria, until recently, are the spooks.”
There’s also FiPS-140 accreditation for cryptographic modules. “It’s really expensive,” says Wilson. “It’s a million dollars to get an app certified to FIPS-140 and unless you’re selling Blackberries to the federal government, you don’t do it.”
Enterprises have gotten too comfortable with software that is cheap and fast. “We need to accept that we’ve been writing software on the cheap for decades and the chickens are coming home to roost,” Wilson says.
If enterprises start demanding more testing, however, or regulators step in and mandate better controls, then the costs of the audits are likely to drop. “If people start investing more in testing then the testing business will see more revenue and more competition,” Wilson says. There will also be more innovation, such as in automated testing.
At Levi Strauss, the company vets its software vendors, says Zalewski. “We require them to have demonstrable, auditable proof that they have implemented a security framework and can demonstrate compliance with that framework,” he says. Levi Strauss doesn’t dictate what specific framework vendors have to follow, he adds. “But we want a commitment that you’re willing to write down what your security controls and practices are, so we can make sure they’re compatible with ours. That’s how we manage the risk and that’s about the best you can do.”
One thing that data centers should not do is stop deploying patches. In fact, Levi Strauss’ patch management process meant that the fixes to the SolarWinds software were installed before the news hit, protecting the company against any other attackers who might have wanted to jump on the SolarWinds train.
However, he admitted that the company’s systems weren’t able to catch the malware inside the SolarWinds update. Of course, nobody did — FireEye and Microsoft both missed it, as well. The problem, Zalewski says, is that it’s difficult to scan updates for suspicious behavior since the update is, by definition, designed to change the way that software behaves.
“It’s simply the nature of how software works,” Zalewski says. “The problem is in the ecosystem and the way it’s put together. The bad guys are looking at the gaps and exploiting them.”
Supply chain attacks are still a lot more rare than attacks against known vulnerabilities, says Shimon Oren, VP of research at security firm Deep Instinct. “The risk of an unpatched vulnerability or a security update that hasn’t been implemented greatly, I’d say, greatly outweighs the risk of a supply chain attack.” According to IBM’s 2020 Cost of a Data Breach report, vulnerabilities in third-party software are the root cause of 16% of all breaches.
Instead of delaying patches, Oren suggests that enterprises ask their vendors what mechanism they have in place to protect their software from compromise. “What kind of security posture do they have? What kind of code verification mechanisms do they have in place today?”
Unfortunately, there isn’t a set of standards available that specifically addresses the security of the software development process, he says. “I don’t think there’s anything that says that your code is safe.”
One organization working to address that lack is the Consortium for Information and Software Quality, a special interest group under the technology standards body Object Management Group. One of the standards the organization is working on is the software equivalent of a bill of materials, for example. It will let enterprise customers know the components that go into the software they’re using, and if any of those components have known security problems.
“It’s in the process right now and we anticipate it will be completed sometime this spring,” says executive director Bill Curtis. Microsoft is involved, he says, as is the Linux Foundation and other big players — about 30 companies total.
Gaps in supply chain risk assessments
Doing proper due diligence is critical, says attorney Ieuan Jolly, co-chair of the privacy, security and data innovations practice at Loeb & Loeb, is as important, or even more important than the contract that the enterprise can negotiate with its vendor. If the vendor goes out of business as a result of a breach they caused, then their customers won’t be able to recover any damages. If they do recover damages, “It will never be an adequate remedy for the reputation costs the company suffers,” he says.
According to a recent survey of risk management professionals by Mastercard’s RiskRecon and the Cyentia Institute, 79% of organizations currently have formal programs in place to manage third-party risk. The most common risk assessment methods are questionnaires, used by 84% of companies and documentation reviews, used by 69%. Half of companies use remote assessments, 42% use cybersecurity ratings, and 34% use onsite security evaluations.
Despite the popularity of questionnaires, only 34% of risk professionals say they believe the vendors’ responses. However, when a problem is found, 81% of companies rarely require remediation, and only 14% are highly confident that the vendors are meeting their security requirements.
In the wake of the SolarWinds attack in particular, organizations need to look at their software suppliers, particularly those with software that has privileged access to company assets, says Kelly White, CEO and co-founder of RiskRecon. That includes expanding assessment criteria to include the integrity of the software development process, he says, “to ensure that controls are sufficient to prevent introduction of malicious code.”
This is also the time to double-down on least privilege, White says. “During my time as CISO of a large financial institution, any software that required communication with the internet was limited in its web access permissions to only accessing pre-determined update sites,” he says. White was previously CISO at Zions Bancorporation.
Such a policy not only prevents software from communicating with malicious command and control servers, but also has the benefit of raising alerts if it tries to do so, White says.
Editor’s note: This article, originally published in May 2017, has been updated to reflect current trends.