With a successful supply chain attack against just one organization—often an unremarkable technology vendor—a criminal group can gain privileged access to the network of one (or all) of its customers.
Think about it. Perhaps your organization has a world-class cybersecurity program… But can you say the same for all of your suppliers? Like any defense, an organization’s security program is only as strong as its weakest point—and for most organizations, that weak point is somewhere in their supply chain.
What is a Software Supply Chain Attack?
In a software supply chain attack, a bad actor infiltrates a technology vendor’s network and abuses its trusted relationship with its customers to access one or more target networks.
An organization’s technology supply chain can include hundreds of retailers, distributors, suppliers, and developers that play some role in creating, distributing, selling, and maintaining hardware, software, and IT services.
The rationale for a supply chain attack is simple. Breaching one or more desired targets—for example, government departments or critical infrastructure providers—is harder than infiltrating a single weak link in the supply chain. The successful compromise of a single technology vendor can allow a criminal or state-sponsored group to compromise dozens of high-value targets, each of which would have been challenging to infiltrate directly.
Supply Chain Attack Vectors
The most common form of supply chain attack involves infiltrating an IT vendor’s network and inserting malicious code into a legitimate software product before it is sent to the customer. Due to the trusted nature of its source, the customer assumes this compromised software to be legitimate and installs it. This results in the customer’s network being compromised.
There are four common ways that software supply chain attacks can occur:
Developer is a bad actor. This is the most obvious and hard-to-combat scenario. If a bad actor has direct access to the development process and environment, they will have many opportunities to inject malicious code. This situation could conceivably arise through blackmail or bribery, but more likely, an advanced threat group would plant the bad actor by positioning them as a legitimate, highly-qualified applicant who makes their way through the hiring process.
Compromising open-source code. Many developers use open source code libraries—sections of pre-written code—as ‘building blocks to add common functionality into their own code. Unfortunately, it has become common practice for bad actors to inject malicious code into popular open-source projects and distribute them via fake websites. Since open-source code is routinely built into commercial software, this can lead to serious vulnerabilities in popular software products. Worse, customers typically don’t know products contain open source code, so they cannot act if it later arises that the code includes vulnerabilities.
Hijacking software updates. Software updates are essential to fix bugs, add new features, and resolve security weaknesses. Customers typically download software updates from a central server owned by the software vendor. By hijacking this infrastructure, bad actors can inject malicious code into legitimate software updates, which are trusted implicitly and installed by customers.
Undermining codesigning. Software vendors use codesigning to verify the source, authenticity, and integrity of software downloads and updates. Bad actors can subvert codesigning by self-signing certificates, abusing signing systems, or exploiting account access controls. This enables them to disguise malicious software as legitimate software or updates, often including expected legitimate functionality to avoid arousing suspicion.
Addressing the U.S. Software Supply Chain Risk
Supply chain attacks pose a huge threat to federal agencies, critical infrastructure providers… and really, every organization in the U.S. There’s no doubt that organizations across all industries need to vet their suppliers to minimize supply chain risk more thoroughly.
To adequately protect the U.S. economy, citizens, and critical infrastructure from supply chain attacks, regulators should consider a legal mandate that requires technology vendors to implement:
- A higher standard of cybersecurity in the development environment and across the business.
- A robust risk assessment of their own supply chains to protect against similar threats.
However, this will not be enough. Our new report, ‘Protecting the U.S. From Supply Chain Attacks,’ explains why technology vendors are frequently the weak link that allows criminal and state-sponsored hacking groups to access sensitive data and systems, conduct espionage, and disrupt operations. To protect against the dangers of supply chain attacks, technology vendors must have a legal obligation to uphold a minimum standard of supply chain risk management (SCRM).
Download the report to learn:
- Why President Biden’s Executive Order and new publications from NIST and CISA aren’t enough to protect the U.S. from supply chain attacks.
- What consequences a supply chain attack could have for federal agencies, state governments, and even private organizations.
- The risk posed by unregulated technology vendors and why it’s unrealistic to expect buyers to shoulder the burden of vetting every supplier’s SCRM capabilities.
- The proposed approach by Cimcor to address supply chain risk in the U.S. and how regulators could structure a legal framework for SCRM.
