What is Supply Chain attack and Why should you worry about your Vendors?

Pandula Pallewatta
UCSC ISACA Student Group
7 min read · Sep 28, 2021

Introduction to Supply Chain
What is a Supply Chain Attack?

A supply chain attack occurs when someone infiltrates your system through an external partner or supplier who has access to your systems and data. It is also known as a value-chain or third-party attack. In the last few years, this has substantially transformed the attack surface of the typical company, as more suppliers and service providers than ever have access to sensitive data.

A data breach can occur through a third-party provider, since suppliers often have access to sensitive information inside the internal systems. Such a breach can happen when the vendor itself is hacked.

A single supply chain attack typically causes intellectual-property breaches at several organizations at once, because many vendors hold sensitive data for multiple clients.

A software supply chain consists of:

  • SDLC process elements, including systems building, developing, and testing environments
  • Open source or third-party software which is utilized in business software as components
  • Open-source platforms that are utilized directly by companies such as Magento or WordPress
  • Vendors who offer services for professional usage, consultation, or development
  • Cloud services (including IaaS, PaaS, and SaaS)

Attackers frequently look for the weakest links in a supply chain, such as small vendors with no cybersecurity controls, or open-source components with a small community or insufficient security safeguards.

Most supply chain attacks work by planting backdoors in software that has already been validated and approved, or by compromising a third-party provider's systems. With current cybersecurity protections, these attacks are difficult to detect.

Supply chain attacks come in a variety of flavors.

Software supply chain attacks can target the source code, the update mechanism, or the build process of vendor software. A victim might be compromised through any of the following vectors:

  • Updates to third-party software
  • Malware placed on connected devices, such as external hard drives, cameras, phones, and so on
  • Application installers

Let's discuss some categories of supply chain attack, with examples:

1. All tech vendors are vulnerable to supply chain attacks
Vulnerabilities to vendor

Any organization that creates software or hardware for other companies is a possible target for attackers. Nation-state actors have extensive resources and the ability to infiltrate even the most security-conscious organizations.

Security suppliers can also be targets. One of the higher-profile firms compromised in the SolarWinds case was FireEye, a cybersecurity provider. According to FireEye, the attackers did not gain access to customer-facing systems, but they did reach the penetration-testing tools FireEye uses for security assessments. The fact that it was struck at all is concerning.

Microsoft and Malwarebytes, another security firm, were also targeted by the SolarWinds attackers. “Given the supply chain nature of the SolarWinds attack, and out of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build, and delivery processes, including reverse-engineering our own software,” company CEO Marcin Kleczynski wrote in a blog post on January 19.

2. The open-source supply chain threat

Commercial software isn't the only thing under attack in the supply chain. Supply chain attacks targeting open-source software projects are a major concern for companies, according to Sonatype's 2020 State of the Software Supply Chain Report: 90% of all applications use open-source code, and 11% of those have known vulnerabilities.

For example, attackers exploited an unpatched Apache Struts vulnerability in the 2017 Equifax breach, which the firm says cost it almost $2 billion. Twenty-one percent of businesses reported an open-source-related breach in the preceding year.

The following chart summarizes the SolarWinds supply chain attack operation. The whole sequence of injecting code through a third party, deploying malware, and then opening communication through a backdoor is the foundation of all supply chain attacks.

SolarWinds supply chain attack operation.

3. The dangers of foreign sourcing

Why bother hacking into a software business when you can simply march in and order malware to be installed in its products? That isn't an option for Russia, which isn't known as a technology exporter. It is for China, however.

“Compromised electronics in US military, government, and vital civilian platforms provide China with possible backdoors to compromise these systems,” US Senators Mike Crapo (R-Idaho) and Mark Warner (D-Virginia) said in a statement introducing the bipartisan 2019 MICROCHIPS Act.

4. The Paradise Papers supply chain attack

On November 17, 2017, the third-party law firm Appleby was breached, exposing confidential offshore investment records known as the Paradise Papers. The leaked data comprised 13.4 million investment records of the wealthy 1%, including Donald Trump, Justin Trudeau, Vladimir Putin's son-in-law, and even Queen Elizabeth.

The Enemy Within Modern Supply Chain Attacks

How is a supply chain attack deployed?

Supply chain attacks use legitimate processes to obtain unrestricted access to a company's ecosystem.

The attack begins by breaching a vendor's security defenses. Because many firms have short-sighted cybersecurity policies, this approach is generally simpler than attacking the victim directly.

Penetration might occur through a variety of attack routes. Once inside a vendor's ecosystem, the malware must embed itself in a digitally signed process of its host.

This is the key to gaining access to a provider's client network. A digital signature attests that a piece of software genuinely comes from its maker, allowing the software to be distributed to all networked parties.

By hiding behind this digital signature, malware can ride the constant stream of software-update traffic between a compromised vendor and its client network.
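The point above, that a valid vendor signature proves who signed the update but not that the build itself is clean, is easiest to see in code. The following Go program is an added example written for this post; it is not code from any vendor or product mentioned here. It constructs one vendor signing key, signs a genuine release and a tampered release of the same name with that same key (the situation when the vendor's build pipeline, not the client, is what was compromised), and then shows that a signature-only check accepts both while a second, independent control (a pinned digest of the independently attested build, which a client could take from a reproducible build, an SBOM entry or a transparency log) rejects the tampered one. The release name, payloads and digest source are all assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a vendor update artifact:
// the payload bytes plus the vendor's signature over them.
type UpdatePackage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// signUpdate is the vendor's signing step. In the scenario described above a
// compromised build pipeline runs this same step over a backdoored payload,
// so the resulting signature is just as valid as the genuine one.
func signUpdate(priv ed25519.PrivateKey, name string, payload []byte) UpdatePackage {
	return UpdatePackage{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifySignatureOnly is the check most update clients stop at.
func VerifySignatureOnly(pub ed25519.PublicKey, pkg UpdatePackage) bool {
	return ed25519.Verify(pub, pkg.Payload, pkg.Signature)
}

// sha256Hex returns the hex-encoded SHA-256 digest of b.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyWithPinnedDigest adds a second, independent control: the digest the
// client expects for this release name, obtained out of band (for instance from
// a reproducible build, an SBOM entry or a transparency log). A payload that
// carries a valid vendor signature but was never independently attested is rejected.
func VerifyWithPinnedDigest(pub ed25519.PublicKey, pkg UpdatePackage, pinned map[string]string) (bool, string) {
	if !ed25519.Verify(pub, pkg.Payload, pkg.Signature) {
		return false, "signature invalid"
	}
	want, ok := pinned[pkg.Name]
	if !ok {
		return false, "no independently attested digest for this release"
	}
	if got := sha256Hex(pkg.Payload); got != want {
		return false, "digest mismatch: signed payload differs from the attested build"
	}
	return true, "ok"
}

// Scenario builds the constructed demo: one vendor key, a genuine release and a
// tampered release signed with that same key. It returns, per release, whether
// each of the two checks accepts it.
func Scenario() (sigOnly map[string]bool, pinnedCheck map[string]bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := signUpdate(priv, "agent-2.1.0", []byte("agent v2.1.0: genuine build"))
	// Same release name, same signing key, different bytes: what ships when the
	// vendor's build server, not the client, is the point of compromise.
	tampered := signUpdate(priv, "agent-2.1.0", []byte("agent v2.1.0: genuine build + implant"))

	// The client pinned the digest of the independently attested build (assumed
	// to have been obtained out of band before this update arrived).
	pinned := map[string]string{"agent-2.1.0": sha256Hex(genuine.Payload)}

	sigOnly, pinnedCheck = map[string]bool{}, map[string]bool{}
	for label, pkg := range map[string]UpdatePackage{"genuine": genuine, "tampered": tampered} {
		sigOnly[label] = VerifySignatureOnly(pub, pkg)
		ok, _ := VerifyWithPinnedDigest(pub, pkg, pinned)
		pinnedCheck[label] = ok
	}
	return sigOnly, pinnedCheck
}

func main() {
	sigOnly, pinnedCheck := Scenario()
	for _, label := range []string{"genuine", "tampered"} {
		fmt.Printf("%-8s signature-only=%-5v signature+pinned-digest=%v\n",
			label, sigOnly[label], pinnedCheck[label])
	}
}
```

Running it prints that both releases pass the signature-only check and only the genuine one passes the pinned-digest check. The design point is that the second control must come from a source the vendor's signing key cannot influence; if the pinned digest is simply downloaded from the same compromised update server, it adds nothing.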

Best Practices for Supply Chain Cybersecurity

Map Out the Threat Landscape

Software composition analysis (SCA) tools, for example, can be used to uncover which software dependencies are hidden within an organization's software projects and scan them for security and licensing problems. However, this is not sufficient; you must also do a thorough inventory of all third-party tools and services used in your software projects.
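To make the SCA step concrete, here is an added Go example (written for this post, not taken from any SCA product) of the core check such a tool performs: it reads a small CycloneDX-style software bill of materials, compares each component's version against an advisory feed, and flags components under a license the organization has denied. The SBOM contents, package names, advisory IDs (`ADV-EXAMPLE-…`) and the license deny list are all constructed for the demo and do not refer to real projects or real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component holds the fields of a CycloneDX-style SBOM entry that this check needs.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	License string `json:"license"`
}

type sbomDocument struct {
	Components []Component `json:"components"`
}

// Advisory is a constructed vulnerability record: an affected package and the
// first version that contains the fix. The IDs are placeholders, not real ones.
type Advisory struct {
	ID      string
	Package string
	FixedIn string
}

// Finding is one line of SCA output.
type Finding struct {
	Component string
	Kind      string // "vulnerability" or "license"
	Detail    string
}

// constructedSBOM is sample input written for this example; the package names
// and versions do not refer to any real project.
const constructedSBOM = `{
  "components": [
    {"name": "example-web-framework", "version": "2.3.31", "license": "Apache-2.0"},
    {"name": "example-log-helper",    "version": "1.4.2",  "license": "MIT"},
    {"name": "example-fastparse",     "version": "0.9.0",  "license": "AGPL-3.0"}
  ]
}`

// constructedAdvisories is a constructed advisory feed matching the SBOM above.
var constructedAdvisories = []Advisory{
	{ID: "ADV-EXAMPLE-001", Package: "example-web-framework", FixedIn: "2.3.32"},
	{ID: "ADV-EXAMPLE-002", Package: "example-log-helper", FixedIn: "1.4.0"},
}

// deniedLicenses is the organization's (constructed) license policy.
var deniedLicenses = map[string]bool{"AGPL-3.0": true}

// compareVersions orders dotted numeric versions: -1 if a < b, 0 if equal, 1 if a > b.
// Missing trailing components count as zero, so "1.4" equals "1.4.0".
func compareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Scan parses the SBOM and reports every component that is older than an
// advisory's fixed version, plus every component under a denied license.
func Scan(sbomJSON string, advisories []Advisory) ([]Finding, error) {
	var doc sbomDocument
	if err := json.Unmarshal([]byte(sbomJSON), &doc); err != nil {
		return nil, fmt.Errorf("parsing SBOM: %w", err)
	}
	var findings []Finding
	for _, c := range doc.Components {
		for _, adv := range advisories {
			if adv.Package == c.Name && compareVersions(c.Version, adv.FixedIn) < 0 {
				findings = append(findings, Finding{
					Component: c.Name, Kind: "vulnerability",
					Detail: fmt.Sprintf("%s affects %s (fixed in %s)", adv.ID, c.Version, adv.FixedIn),
				})
			}
		}
		if deniedLicenses[c.License] {
			findings = append(findings, Finding{Component: c.Name, Kind: "license", Detail: c.License + " is on the deny list"})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Scan(constructedSBOM, constructedAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s\n", f.Kind, f.Component, f.Detail)
	}
}
```

On the constructed input this reports two findings: the web framework is below the fixed version, and the parser carries a denied license; the log helper is already at a fixed version and is not flagged. A real SCA tool also has to resolve transitive dependencies and handle non-numeric version schemes, which is where much of the hidden risk the paragraph mentions sits.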

Governance and Policies

Internal governance is required for vendors to ensure that security systems and processes are in place.

Contracts between the firm and its suppliers must clearly define the norms and criteria for data access and usage to correctly allocate liability in the event of breaches. Suppliers should be required to notify the organization if their agreements are broken. There must also be explicit procedures for reducing risk when a supplier’s relationship terminates.

Control Information Privileges

When first addressing supply chain security, it is critical to perform an audit to identify the existing situation — who has access to the data and what they are doing with it — and then utilize this knowledge to limit data access.

This is especially essential for third-party providers, who are frequently targeted by hackers because their security measures are weaker than those of the business. Review each vendor's cybersecurity strategy, do due diligence, and adjust what sort of data they may be exposed to as a result.

A "one-way feed" is one method of exchanging data with suppliers, in which only the data a given vendor requests is shared with that vendor.

Below, I have mentioned one of the service providers who offer protection against supply chain attacks.

Using Imperva to Protect Against Supply Chain Attacks

Imperva’s Runtime Application Self Protection (RASP) employs a lightweight security plug-in to evaluate application behavior and prevent undesirable activities, such as third-party libraries connecting to an external site for command and control (C&C).

Imperva RASP safeguards applications, runtime, servers, open-source dependencies, and third-party libraries. It installs in minutes by simply snapping into an application and does not require any code modifications or ongoing signature updates.
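The behaviour singled out above, a third-party library opening a connection to an unexpected external host, can also be constrained at the application level without any particular product. The Go program below is an added example written for this post, not Imperva's code and not a description of how their RASP works; it shows one way to get the same class of control in a Go service: every connection the HTTP client opens passes through an egress policy that rejects non-allowlisted destinations before the TCP handshake and records the attempt for the detection pipeline. The allowlisted host name, the simulated library call and the documentation-range IP address it targets are all assumptions made for the demo; nothing is actually reached.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// EgressPolicy is a constructed in-process allowlist: the only hosts that any
// code sharing this HTTP client, third-party libraries included, may connect to.
type EgressPolicy struct {
	allowedHosts map[string]bool
	mu           sync.Mutex
	Blocked      []string // audit trail of denied dial attempts ("host:port")
}

// NewEgressPolicy builds a policy from the hosts the application legitimately needs.
func NewEgressPolicy(hosts ...string) *EgressPolicy {
	p := &EgressPolicy{allowedHosts: map[string]bool{}}
	for _, h := range hosts {
		p.allowedHosts[strings.ToLower(h)] = true
	}
	return p
}

// Allowed reports whether a dial target of the form "host:port" is on the allowlist.
func (p *EgressPolicy) Allowed(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	return p.allowedHosts[strings.ToLower(host)]
}

// DialContext is the choke point: every connection the transport opens goes
// through here, so a dependency that starts contacting an unexpected host is
// stopped before the TCP handshake and the attempt is recorded for detection.
func (p *EgressPolicy) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	if !p.Allowed(addr) {
		p.mu.Lock()
		p.Blocked = append(p.Blocked, addr)
		p.mu.Unlock()
		log.Printf("egress denied: %s %s", network, addr)
		return nil, errors.New("egress policy: destination not allowlisted: " + addr)
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, addr)
}

// NewGuardedClient returns an http.Client bound to the policy. Handing this
// client to third-party code, instead of http.DefaultClient, is what makes the
// policy apply to that code.
func NewGuardedClient(p *EgressPolicy) *http.Client {
	return &http.Client{
		Transport: &http.Transport{Proxy: nil, DialContext: p.DialContext},
		Timeout:   10 * time.Second,
	}
}

// thirdPartyLibraryFetch stands in for a dependency performing an HTTP request;
// constructed for this demo. Whether the request is legitimate or not, the
// policy, not the library, decides if the connection is made.
func thirdPartyLibraryFetch(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return nil
}

func main() {
	policy := NewEgressPolicy("api.partner.example")
	client := NewGuardedClient(policy)
	// 203.0.113.0/24 is a documentation range; nothing is reached here because
	// the policy rejects the dial before any packet is sent.
	err := thirdPartyLibraryFetch(client, "http://203.0.113.9:4444/")
	fmt.Println("request to non-allowlisted host:", err)
	fmt.Println("recorded denials:", policy.Blocked)
}
```

The limitation worth knowing is that this only governs code that uses the guarded client; a library that opens raw sockets bypasses it, which is why host-level egress filtering and the audit trail of denials (shipped to your SIEM) belong alongside it rather than being replaced by it.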

Aside from supply chain threats, Imperva offers multi-layered security to ensure that websites and apps are always available, conveniently accessible, and secure.

The Imperva Web Application and API Protection platform combines RASP and Client-Side Protection with five additional best-of-breed application security solutions, including those listed below.

How Imperva views API Gateway vs API Security
  • DDoS protection — Retain uptime in all circumstances. Prevent any size DDoS assault from limiting access to your website and network infrastructure.
  • CDN — With a CDN optimized for developers, you can improve website speed while lowering bandwidth expenses. Accelerate APIs and dynamic webpages by caching static resources at the edge.
  • WAF — Allows legitimate traffic while preventing attacks, protecting applications at the network's edge or within it.
  • Bot management — Analyze your bot traffic for abnormalities, detect poor bot behavior, and validate suspicious activity using challenge methods that do not interfere with user traffic.

How to prevent supply chain attacks

The key to safeguarding your digital supply chain is to guarantee that all your third-party providers adhere to the most stringent cybersecurity standards, regardless of whether legislative obligations are implemented.

The fundamental cause of susceptibility to supply chain attacks is complacency. This is due, in part, to organizations' lack of awareness of how vulnerable even the most trusted providers are to data breaches.

Security questionnaires should be delivered to each of your third-party providers on a regular basis to continually examine their security posture.

Each questionnaire should be tailored to a particular sector and to the specific needs of your organization. You can develop the questions yourself or have a third-party risk management tool populate and send them for you.

These questionnaires should also be sent promptly after you observe a drop in a given vendor's security score, to give your company the best chance of mitigating supply chain threats.

References

[1] Imperva — https://www.imperva.com/learn/application-security/supply-chain-attack/

[2] csoonline.com — https://www.csoonline.com/article/3620193/6-minimum-security-practices-to-implement-before-working-on-best-practices.html

[3] Why you should be worried about your vendors in supply chain attacks — https://www.upguard.com/blog/supply-chain-attack

[4] FireEye Threat Research Blog, December 13, 2020 — https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[5] Supply chain attacks: what we know about the SolarWinds 'Sunburst' exploit, and why it still matters | Check Point's 2021 Security Report — https://blog.checkpoint.com/2021/04/05/supply-chain-attacks-what-we-know-about-the-solarwinds-sunburst-exploit-and-why-it-still-matters/

Pandula Pallewatta
UCSC ISACA Student Group

I am a graduate student in Computer Science interested in Machine Learning, Blogging and Graphic Designing.