Every day, thousands of companies download updates to their software. With a click of a button, they can walk away and return the next morning with everything reorganized and in order.
While a staple of modern life, this action is no longer completely harmless. It is now one of many attacks that bad actors use to access systems and execute supply chain attacks. The past few years have witnessed some of the most significant — and scary — breaches: SolarWinds, Log4J, and CircleCI are just a few supply chain attacks in the past few years.
And this concerning trend shows no signs of stopping. Gartner estimates that 45% of organizations will experience a software supply chain attack by 2025. Why? These attacks are very lucrative for bad actors: the hits they can get from a single weapon aren’t proportional to anything else in the industry.
Organizations need to evolve their approach to security to meet these sophisticated attacks. Here is what you need to know about supply chain attacks and how to advance your security to face them.
Quick summary: Supply chain attacks
- Supply chain attacks exploit trusted third parties and vendors to gain access to compromise the supply chain.
- Attackers use multiple methods to infiltrate networks, including malware injection, third-party software, counterfeit components and physical tampering.
- Organizations can protect themselves using regular assessments, vetting vendors, creating a response plan and educating stakeholders on the risk.
Keep reading to get more detail about supply chain attacks, how they work and — critically — the most effective ways you can protect your organization from an attack.
What is a supply chain attack?
A supply chain attack is a specific type of cyber breach that targets your organization's supply chain. It exploits trusted parties to access systems and compromise the supply chain. Supply chain attacks can seriously impact organizations, including the theft of sensitive data, reputational damage, disruption of operations, and financial losses.
The supply chain refers to all of the networks involved in creating and delivering your product or service to customers. This includes your organization as well as anything that directly impacts delivery:
In the digital era, few organizations work alone. Companies rely on third parties and outside vendors to perform essential duties and help maintain their digital systems. Supply chain attacks leverage this multi-pronged system to access sensitive data across multiple organizations without trying to hack into each individual one directly.
“Attacks like SolarWinds have shown that organizations have difficulty detecting when their internal appliances begin communicating to new external (possibly malicious) hosts. This lack of visibility contributes to the dreaded ‘supply chain compromise.’”
How supply chain attacks work
A supply chain attack exploits outside providers and partners that can access your systems to penetrate your digital infrastructure. Once in the system, they can…
- Hide malware
- Change source code
- Otherwise cause problems
Because the software comes from trusted third-party sources, the updates and apps are automatically signed and certified. Vendors are unaware that they have malicious code when they release them to the public, and the code can then run with the same permissions as the app.
Types of supply chain attacks
There is a multitude of methods and supply chain vulnerabilities that bad actors exploit to infiltrate a target organization’s network. Some of the most common types of supply chain attacks include:
- Malware injection. Attackers insert malicious code or malware into a software application or hardware component distributed through the supply chain.
- Third-party software. Bad actors use third-party software to gain access to the target’s network.
- Counterfeit components. Attackers introduce counterfeit hardware components into the supply chain to gain access to the network.
- Man-in-the-middle (MITM) attacks. Attackers intercept and modify data transmitted between the target organization and suppliers, enabling them to insert malware and other malicious code.
- Physical tampering. Bad actors physically tamper with devices and equipment during the manufacturing or shipping process, allowing them to access the network once the target installs it.
- Insider threats. Insiders, such as employees of suppliers or shipping companies, carry out attacks on the organization’s supply chain.
4 eays to defend against supply chain attacks
Any company that provides software or hardware to other organizations is a target for attackers. Even top security vendors, such as FireEye, Microsoft, and Malwarebytes, are not immune to supply chain attacks. However, there are ways to reduce the likelihood of an attack and reduce the damage to your company and reputation.
Vet suppliers & vendors
While no vendor is entirely immune to an attack, proper due diligence will go a long way. Ask the difficult questions upfront to protect your supply chain.
First, evaluate your supplier’s security posture. It should involve reviewing their security policies, conducting security audits, and assessing their compliance with relevant industry standards and regulations.
In addition, check on their security practices. Evaluate their physical security, network security, data protection and incident response capabilities. Checking on their security is not a one-and-done practice. Instead, continue monitoring their ongoing security practices to ensure they have adequate security controls.
The contractual agreement you hold with your vendors is also crucial to maintaining your security. Your agreement needs to include specific security requirements and outline their responsibility for protecting your data. Also, be sure that your contract stipulates that they provide you with regular security reviews.
Conduct regular audits
One of the issues that many organizations run into is that detecting supply chain attacks is difficult. We’ve done some research to find ways to detect attacks and explored potential cyber defense methods.
We found that focusing on JA3 and JA3s hashes using multiple Splunk queries and commands is a simple — yet clever — way to fingerprint TLS negotiations between a server and client. While there are no silver bullets to detecting malicious activity, especially supply chain attacks, abnormal JA3/s hashes have a high probability of detecting anomalous activity.
In many environments, JA3/s helps detect anomalous malicious activity that might not be picked up otherwise. Although not a perfect method, it provides an additional layer of protection crucial in an increasingly threatening environment.
Get more details in on this method in Detecting Supply Chain Attacks, a free whitepaper (PDF) from SURGe by Splunk.
Create an Incident Response Plan
For about 45% of businesses, the question is not if they will be victims of a supply chain attack — it’s when. Creating an incident response plan is important to reduce the impact of an attack and quickly recover from any damage.
Build a response team to help you create an incident response plan. It should include representatives from each department, including IT, security, legal and communications. Appoint an incident commander, too. They should each be trained on the steps to take in the event of a supply chain attack.
Once formed and educated, this team should establish incident response procedures that outline the steps to take should an attack occur. The procedures should include:
Communication is vital in the case of an attack, but it is too often the first thing to break down. Your team needs to establish communication protocols that outline how information about the event should be shared with employees, vendors and other stakeholders, including customers and law enforcement.
Your plan needs to be updated regularly to account for new or for employees, systems, vendors and threats. Regular updates will help you ensure it remains relevant and effective.
Educate employees & stakeholders
Your employees, vendors and key stakeholders represent the frontline of defense for your organization. Helping them understand the risks and how to respond is essential to reduce the risk of a successful attack. The more education IT and leadership can provide workers, the more effective your defenses will be.
Develop training materials that explain supply chain attacks, how they work and their potential impact on business. Written materials, videos, and webinars are all great ways to get information across your organization.
In your training, provide real-life examples of supply chain attacks so that everyone understands the risks and recognizes specific warning signs better. Although supply chain attacks are subtle and often hard to spot, the more that employees are aware, the more eyes you can have looking out for anything suspicious or off.
Your training also needs to include preventative measures to prevent attacks. This may include tips like verifying the identity of suppliers, monitoring network activity for suspicious behavior, and reporting suspicious activity to your IT or security team. Regularly reinforce the information in your training through internal communications, meetings, and other channels.
Evolving security defenses to face supply chain attacks
Supply chain attacks are the latest challenge in the cyber security world. They’re hard to spot and can have a larger ripple effect than most other attacks. Organizations need to take proactive steps and evolve their approach to security to protect their business and minimize the potential for damage.
With the right plans and safeguards in place, you can stay ahead of emerging threats and ensure the security of your entire supply chain.
What is Splunk?
This posting does not necessarily represent Splunk's position, strategies or opinion.