Some of the most disastrous cyberattacks in recent memory have come about because of dedicated supply chain attacks and it’s plain to see why. Any attack that hinges on infiltrating a program or a hardware component before it’s even in the hands of the customer can do serious damage to any system or network that finds itself downstream from the compromise. But when we talk about supply chain attacks, it’s important to differentiate between its two common applications: The first is when a cyberattack attempts to infiltrate a device during the manufacturing process, such as a rootkit, while the second is when a software provider is compromised such that malicious software can be bundled into their software, distributing the malicious software to anyone who applies the tainted update. An example of the second type of attack is the SolarWinds hack, in which state-sponsored hackers compromised a SolarWinds update server where they added their SUNBURST code to all software versions between March and June of 2020. This single point of weakness in SolarWinds’ update server resulted in the compromise of at least 9 federal agencies and a hundred private companies.
Either is a scenario that keeps system administrators up late at night. In most cases, supply chain attacks are extremely difficult to identify and even harder still to protect against. Information security is largely an exercise in trust; when you purchase server hardware from Dell or cloud services from AWS, you are placing your trust in the manufacturer or provider that the hardware they provide you with is free of tampering. You can, and should, do your utmost to verify this yourself, but it is completely infeasible to strip every piece of technology that enters an organization to its bare essentials or to inspect every firmware driver. The phrase “trust but verify” comes to mind. But at the end of the day, you must accept the risk and trust your suppliers if for no other reason than to avoid the logistical nightmare of verifying the validity of every system deployed and every line of code run on organizational systems.
What happens, though, when you install an update from a trusted software vendor that contains malicious software? By all rights, there are no outward signs that the update is out of sorts: the digital certificate is valid, perhaps the checksums match on the installer, the file size is reasonable, and you reasonably trust the source. Once you deploy that patch, though, it could be game over even if it isn’t immediately apparent. Supply chain attacks are so effective because they exploit the trust that administrators have with their vendors, as well as their complacency, to get a foot in the door. This is why it’s so hard to protect against as well, considering that system administrators can apply dozens of patches per month across an entire environment without the time, workforce, or the will to painstakingly verify every patch that is deployed.
That’s not to say that there’s nothing that can be done to protect against supply chain attacks, however. Just like all other forms of malware, all but the most complex supply chain attacks can be stymied by rigorous security controls and a defense-in-depth approach. Multiple layers of security controls deployed throughout the organization can create insurmountable obstacles for the malicious actor, vastly reducing their ability to pivot their ill-obtained access into a better position within your critical infrastructure. Having a strong cybersecurity posture that prioritizes good cyber hygiene is the best way to protect against not only supply chain attacks, but also other cyber risks such as ransomware. Protecting digital assets by creating multiple strong layers of defenses throughout your environment, creating testing environments to trial new patches before they are pushed out to critical infrastructure, and doing your best to verify the authenticity of hardware and software are the key to minimizing risk to supply chain attacks.
Supply chain attacks are a terrifying attack utilized by some of the most skilled threat groups out there. Their very nature makes them incredibly difficult to protect yourself against because they are introduced into your ecosystem like a trojan horse from a trusted vendor. Yet, there are tools, processes, and security practices that can at least minimize the risk and impact of a potential supply chain attack. Good cyber hygiene practices, proper network segmentation, defense in depth, and a proper testing environment to ensure patch compatibility are some of many solutions.