Software supply chain security is a common theme in recent attacks such as on the Colonial Pipeline and SolarWinds. In response, President Biden released an executive order to improve the nation’s cyber security. The order is a testimony of the importance of the digital ecosystem today to our society, economy and way of life. Cyber security is critical in protecting it and the President’s clear message is that we need to do more.
The government want to improve its own cyber security practices and related agencies. It also proposes to remove barriers for information sharing, and enhancing software supply chain security. The software supply chain security is the only specific attack vector that is highlighted.
These attacks cause the most damage and at the same time businesses and governments are ill prepared. So what is a supply chain attack and how can it be mitigated?
What is a Software Supply Chain Attack?
A supply chain attack leverages the access of an external partner or provider to gain unauthorized entry to a system or network. It takes advantage of the inherent trust a target has in its suppliers, using it to infiltrate and launch the cyber-attack. Its use of stealth and its indirect ‘trusted’ approach make a supply chain attack an effective weapon in any threat actor’s arsenal.
Every organization and individual relies on third-party software in some way or another. When we install software, hardware, or use code from a trusted source, it is natural to assume that it hides no malicious intent. In addition to this inherent trust, a supply chain attack also uses the human element to bypass any perimeter security. As administrative users and software developers install software, hardware, or reuse third-party code, they do so on the internal network, bypassing any security controls that prevent external threats.
Supply chain attacks that target technology infrastructure come in many variations. Threat actors can infiltrate a software provider and embed malicious code that infects end users when they install or access the product. Another effective supply chain attack technique is infecting software code repositories that software developers leverage to create systems. Finally, threat actors can also infiltrate and infect the embedded software that operates the hardware on networking equipment, servers, and end-user devices.
What is a software supply chain?
Modern software development processes rely on code reuse to build systems rapidly and cost-effectively. By leveraging existing code, developers can quickly assemble a system with its needed components instead of coding the entire solution from a blank canvas. Typically, programmers either reuse internally developed software code or leverage third-party libraries and frameworks. These components and their dependencies form part of the software supply chain. In other words, a software supply chain is a list of elements that goes into or affects the code from development to production.
However, a software supply chain does not only pertain to software development. It can also refer to instances where organizations install and run third-party applications in their technology environment. For example, every organization leverages third-party software for email. It would be both inefficient and expensive to develop an in-house solution for this utility. The same goes for system monitoring, file sharing, security, and other commodities in a technology environment. All these third-party applications and the external code it uses in its custom-developed applications form part of an organization’s software supply chain.
The anatomy of a supply chain attack
A supply chain attack infects the third-party technologies organizations use. It then leverages this unauthorized access to infiltrate and attack their primary targets. Typically, supply chain attacks start when threat actors exploit a vulnerability to gain access to a supplier’s systems. Once they have gained entry, they embed malicious code into the supplier’s software or hardware with a particular payload. The threat actor then waits until the target organization or user runs the supplier’s infected software or installs its infected hardware. As this infiltration technique circumvents any perimeter security, its indirect attack methodology is highly effective. It is also successful in gaining access to secure environments as these attacks typically target less secure elements in the supply chain.
Supply chain attacks are not a new type of threat, but recent cases have raised their prominence in the public domain. If we look at past instances, the Target data breach where malware infected their Point of Sale systems occurred in 2013. In that instance, the attackers compromised the organization’s third-party refrigerator vendor to infect Target’s POS environment with malware that stole credit card details. Another significant example is the famous Stuxnet malware that nation-states used to sabotage Iran’s nuclear centrifuges in 2010. In this example, the attackers used the digital certificates of Realtek Semiconductor to make their malware look legitimate to system administrators and evade anti-virus.
More recently, in the SolarWinds supply chain attack, threat actors deployed malware during a routine update that emanated from SolarWinds’ servers. Every organization that ran the update was subsequently compromised, including technology companies and secure government agencies. As a result of this attack, the United States sanctioned Russia, believing that the Kremlin played a role in this mass infiltration. Other recent supply chain attacks include the narrowly averted PHP backdoor and the Code Dev incident.
These supply chain attack examples show that this technique has successfully infected many organizations around the world. What is of particular concern is that these supply chain attacks also succeeded in highly secure environments. The examples also show the extensive ramifications of a successful attack. One undetected infection can affect thousands of users and organizations.
Software supply chain security, the open-source risk
Many organizations use open-source software in some way, shape, or form. With open-source code present in 90% of modern applications, this vital element in the software development ecosystem is vulnerable to a supply chain attack. The recent PHP case mentioned earlier is a prime example. Modern software applications reuse open-source libraries, frameworks, and code snippets. Threat actors target these components as they are typically less secure.
The 2020 Sonatype State of the Software Supply Chain Report stated next-generation attacks increased by 430% in the preceding 12 months. Unlike commercial software, open-source relies on the community to ensure its security. However, it is up to the organizations that use the software to conduct regular analysis, security audits, and penetration tests.
Technology supply chain risk
The technology supply chain includes hardware and software. Although the focus of this article has been on software supply chain attacks, organizations cannot ignore the hardware risk. Numerous examples of mobile devices arriving with embedded malware and compromised networking equipment used to breach secure networks highlight this threat.
These instances illustrate that business and technology leaders need to consider their entire technology ecosystem when assessing their supply chain risk. As threat actors have shown they can infiltrate hardware vendors, global software corporations, and open-source code repositories, organizations need a comprehensive security strategy. A supply chain attack could come from multiple vectors, and enterprises need to ensure they cover all their bases.
Software supply chain security
Mitigating the risk of a software supply chain attack requires a defense-in-depth approach. Organizations need to conduct thorough security assessments and implement multiple measures to minimize this risk. For example, many regulatory security frameworks such as PCI DSS and the NIST Cybersecurity Framework mention supply chain risk. These compliance standards state that organizations should routinely assess third parties to ensure they comply with any contractual obligations.
As part of the contractual obligations organizations enforce on their suppliers, security testing must form a vital part of any technology deliverable. By placing the responsibility on the vendor to ensure their product is safe, organizations can enforce terms should the vendor fail to meet their obligations. In addition to requiring vendors to test, organizations should also implement internal security testing and monitoring. This layered defensive approach can help them identify any security issues the vendors may have missed.
However, when leveraging open-source software, enforcing contractual terms is not an option. As many open-source technologies come with set licensing terms, it compounds the problem even further. Organizations also need to consider the license and infringement risk, restricting how the company can use the software while protecting itself from a supply chain attack. In these instances, leveraging the services of a Software Composition Analysis (SCA) tool like MergeBase mitigates this open-source risk. As the onus is on the organization to test and validate the open-source components used in an application, an SCA tool like MergeBase adds the required defensive layer.
According to this Gartner Report, the information security of a supply chain must focus on data and IT infrastructure, products, and operations. If we consider the various security technologies in place at enterprises today, organizations implement a myriad of defensive technologies and processes. Firewalls, intrusion detection and prevention solutions, segmented networking, and vulnerability scanners are just some of the solutions that protect their IT landscape. However, these solutions typically safeguard against external threats. Organizations need to ensure the configuration of these platforms also scan and detect any internal anomalies which may indicate a successful supply chain attack.
Enterprises can also consider air gapping systems to mitigate the supply chain risk. Applications and networks not connected to the Internet have a much lower risk of compromise. However, in many cases, this approach is not feasible. They are also not foolproof. The Stuxnet example mentioned earlier was a successful attack against an air-gapped system.
Securing the software supply chain
Supply chain attacks target less secure elements in complex systems. As modern technology solutions rely on reusable components, threat actors target these elements to circumvent security controls. This type of cyber-attack is not new. However, recent discoveries have highlighted the risk organizations face. Traditionally, organizations have tailored their security solutions to mitigate external threats. With the increase in supply chain attacks, it is clear that threat actors target the supply chain to circumvent these controls.
The supply chain attack risk covers every element of an organization’s IT landscape. Attackers have succeeded in infiltrating the supply chain of hardware and software elements. With software development components being a key area of risk, organizations need to implement controls that ensure the security of their application ecosystem.
The MergeBase platform specializes in software supply chain security. It mitigates the risk of a software supply chain attack from development to production. It highlights risks and empowers developers to remedy any security issues during the early stages of the software development lifecycle. MergeBase also assesses software components for vulnerabilities during the build process, ensuring organizations do not release insecure code to production. However, once an application is in production, it may not remain secure. Researchers or threat actors discover software vulnerabilities all the time. MergeBase mitigates this risk with its monitoring and alerting capabilities keeping organizations protected against any new vulnerabilities in production.