The increasing prevalence of software supply chain attacks has grabbed headlines and industry attention alike. Where headlines may focus on victims (especially when there are high profile victims), within the cybersecurity industry the focus may be on the consequences of the attack for the supplier at the centre, and what this could mean for other similar companies.
It is therefore important for organisations to take precautions to prevent software supply chain attacks originating from them, and how to avoid being that supplier.
What are software supply chain attacks?
Software supply chain attacks target software developers and suppliers in order to travel up and down their supply chain, ultimately gaining access to their customers.
Software supply chain attacks are usually carried out for two motivations. The first motivation for a software supply chain attack is to gain access to multiple victims from just the one attack (an attack method known as a Watering Hole attack, and the ultimate in multiplier effects), for example as in the Kaseya ransomware attack in July 2021.
The second motivation for a software supply chain attack is to gain access to a high profile victim by targeting a smaller, potentially less secure supplier, such as in the SolarWinds software supply chain attack in December 2020, where the supplier SolarWinds was used to gain access to key US government departments.
The common perception from attackers, victims, and the wider security community, is that the software vendors at the centre of these attacks have poor security postures. This in turn will influence the response to that supplier in the aftermath of an attack. For example, note how these two attack examples above are referred to by the name of the supplier at the centre of the attack rather than the name of the attackers.
Why suppliers should take software supply chain attacks seriously
Software supply chain attacks are increasing
According to Sonatype, 2021 saw a staggering 650% increase in software supply chain attacks aimed at exploiting weaknesses in upstream open source ecosystems. This compares to a 430% increase in 2020, which was the year that brought supply chain attacks into the mainstream.
Software supply chain attacks are a major concern for organisations of all sizes and industries
CrowdStrike’s Global Security Attitude Survey 2021 found that 45% of organisations experienced at least one software supply chain attack in the previous 12 months, and that 84% of organisations believe that supply chain attacks could pose one of the biggest cyber threats to their organisations. As a result, companies have begun to investigate the security posture of their suppliers in more depth.
For suppliers, they can now expect more scrutiny, typically through security questionnaires, but also including evidence of audits or penetration tests or requirements by a potential customer to carry out an audit or testing as part of the sales process.
Software supply chain attacks can be catastrophic for business
Taking just one example, that of SolarWinds, being at the heart of a software supply chain attack has severely impacted their bottom line. In January 2021 a class action lawsuit was filed against them because of their security failures which led to their compromise. Their share price has also crashed. In December 2020, the share price was $47.40 and over the past year it has fallen in several stages to a current price of around $13.00 in April 2022 (a drop of over 70%!).
New regulations targeting supply chain cybersecurity
Supplier security has caught the eye of governments. The UK government carried out an enquiry into supplier chain cybersecurity in 2021, and subsequently announced that supply chain cybersecurity could become subject to law, for example through requiring businesses to adhere to the NCSC Cyber Assessment Framework.
In the United States, following the Colonial Pipeline ransomware attack in May, the government issued Executive Order 14028 on “Improving the Nation’s Cybersecurity” placing emphasis on the security and integrity of the software supply chain.
Types of software supply chain attacks
- Update hijacking: Attackers hijack an update by infiltrating a vendor’s network and inserting malware into the update, or altering the update to grant them control over the software within customer’s networks.
- Undermining code signing: Attackers self-sign certificates, break signing systems, or exploit misconfigured account access controls in order to undermine code signed by the vendor’s developers. This enables the attacker to hijack software updates by impersonating the trusted vendor and inserting malicious code into an update.
- Compromised open-source code: Threat actors insert malicious code into publicly accessible code libraries which can then be added to products by unsuspecting developers, giving the attackers access to any number of downstream code.
How to avoid becoming a software supply chain catastrophe
Software vendors and developers should take the following precautions to reduce the risk of compromise which could turn into a software supply chain attack.
Incorporate security at every point of the software development life cycle
- Implement secure coding practices.
- Identify threats to the software and develop securely to reduce their risk.
- Implement SSL for all update channels.
- Implement certificate pinning.
- Sign all code, including configuration files, scripts, XML, and packages.
- Verify the security of all third party libraries, packages, and dependencies incorporated into code.
- Establish the security posture of the product with third party penetration testing.
Protect the environment surrounding the product
- Avoid update hijacks by ensuring that the build and update infrastructure is highly secure.
- Scan operating system and software patches for all tools in use in the infrastructure prior to deployment.
- Validate the update source before applying tool updates.
- Verify the security of tool suppliers.
- Restrict access to critical systems, utilise the principle of least privilege, and require multi-factor authentication.
- Monitor use of privilege accounts.
Be prepared for supply chain attacks
- Develop and rehearse incident response plans to respond quickly and effectively in the event of an attack, and limit their damage.
- Incident response plans must include processes for timely and accurate notifications to customers and authorities.
Software supply chain attacks can happen to any organisation, no matter their size. But for small software vendors whose success relies on their reputation, being central to a software supply chain attack can be catastrophic. The security of products in the supply chain is under more scrutiny than ever, making it imperative that organisations place additional emphasis on their security.