Skip to main content

Supply Chain Attacks: Lowering the Barrier to Entry to Your Systems by Sean O’Toole

IT infrastructure and security is always a race to keep up with organizational needs while simultaneously working to keep systems as up-to-date and secure as possible. Third-party software platforms for business and IT management can be a huge help in making that challenge more manageable. But sometimes offloading part of the work to a third party comes with risks of its own.

Boise, ID – 08 DEC 2023 – As the Institute for Pervasive Cybersecurity looks to wrap up another year, it’s a good time to take a closer  look at some of the recurring cybersecurity trends that the student Engineers and Analysts have seen. Of these trends, one of the ones most encountered is how third-party software solutions shape and enable organizations. This is true of the Institute as well, in the form of Stellar Cyber’s Open XDR platform and its use in the Cyberdome, a collaborative hub for competency-based development, with the mission of reducing risk for rural communities while producing a “Ready to Work” cybersecurity workforce.

What are Third-Party Software Solutions?

The Institute for Pervasive Cybersecurity’s partnership with Stellar Cyber’s Open XDR platform has been a huge boon, allowing student workers to provide free monitoring and security service to Idaho cities, counties, and schools, while giving Cyber Analysts and Engineers hands-on experience in a real-world security setting. Combined with cloud-hosted documentation and ticketing services, the Cyberdome has used Stellar Cyber’s hardware and cloud-hosted software platform to greatly streamline the process of monitoring and providing security services, making Stellar’s products an essential part of daily operations.

This same dependent relationship exists in the wider business community between countless organizations. Companies buy licenses to software, purchase IT maintenance and monitoring services, and use myriad interconnected applications and programs to address their organizational needs. This makes the third-party service a part of the company’s supply chain, and it can be a win-win situation. Organizations avoid having to develop custom software for everything they do, and use pre-existing software to manage their supply chains and documentation. The third-party organization gets paid to keep the infrastructure or program running smoothly and securely. But the security aspect of contracting third-party organizations is exactly where some of the biggest hacks of the 21st century have occurred, and on closer inspection it’s not hard to see why.

What is a Supply Chain Attack?

Supply chain attacks refer to a class of cyber attacks against the infrastructure of an organization, generally against mission-critical software platforms and services. This can include everything from a point-of-sale software, a delivery management platform, or a full IT management solution. Malware is injected into the source repository of the software or added to an update package for customers, and then piggybacks on the software’s own update systems to both deliver the malware to targets and to prevent detection of the malware itself.

Supply chain attacks attempt to take advantage of cyber vulnerabilities in the third-party service to access customer systems and leverage the information they can gather to further the reach of the malware, disable or avoid detection systems, and disrupt operations. In some cases, like that of the SolarWinds Orion hack discovered in 2020, the primary goal seems to be information gathering and infiltration. In others, like the 2017 NotPetya attack, the malware’s primary intent is to maximize disruption and damage to the supply chains of organizations and government agencies reliant on the third-party system.

Why Are Supply Chain Attacks Such a Problem?

The dangers of supply chain attacks stem from heavy organizational reliance on the use of third-party vendor services and software. With the rise of Software as a Service (SaaS) and cloud-hosted platforms for managing systems and data, organizations can outsource paying postage, printing stamps on-demand, and full IT management software packages that manage and monitor whole organizational networks of databases, access control systems, and operating systems.

As previously mentioned, this outsourcing of tasks and infrastructure is generally a win-win for both parties. The customer organization can rely on the vendor to keep their software up-to-date without having to pay the costs of hiring and keeping the necessary software and operations experts on-hand, while the vendor can focus on just the services and software they provide and receive recurring revenue. However, this arrangement requires that the vendor have remote access to client software in some capacity, as well as the permissions to make changes to it. Although an organization may have top-tier security standards, any system reliant on third-party vendors is now impacted by the security standards of the vendor, and reliant on the vendor to be vigilant against possible compromise and forthcoming with information when a compromise occurs. Vendors become a potential weak link in your supply chain, one which you have limited control over.

When a supply chain software is compromised by a Supply Chain Attack, the risks presented are dependent on the aims of the actor responsible for the malware. This frequently results in the use of ransomware, threat of data leaks to blackmail an organization, and the theft of trade secrets and proprietary information. However, this can just as easily be used to hinder daily operations and cause financial damage. The power a successful supply chain attack has over organizational operations provides the attacker leverage, proportional to the criticality of the compromised platform, but almost invariably results in significant costs one way or another. Whether it’s in the form of unwanted systems replacement, changes to operations, or the risk of an undetected backdoor to your systems; Attacks come at a high cost that can sting  because an organization might have not taken any action to cause the attack in the first place.

Why Don’t We Expect Supply Chain Attacks to Go Away?

The challenges presented for catching and preventing Supply Chain Attacks are manifold:

  1. Detection can be difficult, in part because any element of the supply chain reliant on a third-party vendor service could be the entry point. For organizations of any significant scale and scope of operations, this can mean many different third-party software platforms and services exist within the organization, unless the entire company software ecosystem is developed in-house– often a prohibitively expensive endeavor. Additionally, Supply Chain Attack malware programs can check processes and Active Directory records to identify antivirus and malware-detecting programs, then disable or avoid communications which might trigger an alert. The malware used in the Solarwinds hack, dubbed “Sunburst”, is a good example of this.
  2. The specifics of what a Supply Chain Attack might look like and how it might occur will differ by organization, as the network setups and operating procedures will be customized to the needs of the organization and will change to meet new needs. There isn’t one standard template procedure to prevent Supply Chain Attacks, regardless of whether or not an organization follows industry standard practices for network design and management. Procedures have to be developed by each organization for their specific needs.
  3. The proliferation of Malware as a Service and ready-made hacking and exploit kits has made it easier and more common than ever for people to get into cybercrime. This has led to astronomical increases in the number of attempted attacks against organizations, large and small. This black market business, in turn, has vastly expanded the resources available to more ‘professional’ black-hat groups who develop the kits. One need only glance at articles about the slick website and offerings of DuckLogs to know that this is a seriously lucrative business. While most attackers remain unsophisticated and proper security training and practices can weed their efforts out, the expert black hats have responded to improving security standards across all industries by becoming more creative in their approaches to supply chain infiltration. A good example of this is the injection of malicious code into open-source projects, which has been documented by software security management companies for years now. The software security management and monitoring company Sonatype highlighted in their 2020 State of the Software Supply Chain that attempts to leverage open-source projects as vectors for malware injection have been skyrocketing, and the 2023 SotSSC reaffirms that the trend continues. Attacks have become more numerous and innovative with each passing year, making a sudden reversal of the trend quite unlikely.

What Can We Do?

While Supply Chain Attacks are, and will likely, remain a tough-to-resolve problem for the IT and cybersecurity industries, there are still a number of things that can be done to minimize the risk they present. Unfortunately, if you were hoping for a silver bullet solution, these are similar or identical to the practices recommended in cybersecurity frameworks like those of NIST and ISO:

  1. Ensure you have regulation-compliant procedures for resolving, recovering, and reporting cyber incidents when they occur to your organization. Make sure you’re meeting the required standards for your industry or field, and make sure the procedures are trained and practiced.
  2. Conduct regular reviews of your access control policies and permissions lists, and default to the least permissive option for a user or process when in doubt. Work with vendors to ensure systems have the permissions they need, but no more than necessary.
  3. Evaluate your network design and identify where a Supply Chain Attack could occur, and the processes by which you could isolate impacted systems to avoid further spread. If possible, work to create a list of the most likely scenarios and “game it out” with your teams.
  4. Continue to update and patch, but check cybersecurity news pages and organizational news feeds regularly to see if any major repositories or platforms have caught attempted malware injections in software your organization uses. While there is a risk of malware injection hidden in a software update, successful attacks occur far more frequently as a result of flaws in out-of-date software than they do as a result of up-to-date software.

When it comes to something as broad and challenging to address as Supply Chain Attacks, often the tried-and-true answer is the best one. At the Institute, pursuing the best path for helping clients protect themselves and their systems always provides an opportunity for collaboration and learning for our teams and our clients.