What Is Software Supply Chain Security?
Software supply chain security helps organizations detect, identify, analyze, and mitigate risks associated with the digital artifacts that enter their software via third parties like open source libraries, commercial software vendors, or outsourced development. A comprehensive supply chain security strategy combines risk management and cybersecurity principles to assess supply chain risks and implement measures to block, mitigate, or remediate them.
A supply chain attack is an attempt by a threat actor to infiltrate one or many organizations’ software and cloud environments. Attackers might exploit commercial trust among software vendors and their customers, or exploit implicit trust among developer communities.
For example, an attacker can inject malware into an update delivered by a software vendor, or can contribute malicious code to an open source project. Users of these artifacts trust the software that they are consuming, incorporate it into their projects and CI/CD pipelines, and unknowingly deploy the malware.
Recent supply chain attacks, such as the SolarWinds and Kaseya attacks, allowed attackers to breach a large number of high-profile organizations with one concerted initiative. They achieved this by compromising elements in trusted IT management software offered by SolarWinds and Kaseya, which were deployed by their customers, bypassing existing security measures.
Physical vs Software Supply Chain Vulnerabilities
There are several aspects that define and differentiate physical and software supply chains. In this article we primarily focus on the software supply chain.
Physical Supply Chains
An analog or physical supply chain includes all physical materials and processes necessary to create a final, physical product which is delivered to a point of purchase. These materials, manufacturing, and logistics processes are usually leveraged by a vendor or supplier and then transferred to a final retailer for value-added finishing or sale to an end-user.
Software Supply Chains
Today, the majority of modern software projects are made up of ready-made components—either open source, provided by third-party software vendors, written as proprietary custom code, or consumed via external APIs.
It is no longer common for a single developer to build an application entirely on their own. The advantage of this digital supply chain is that it can accelerate application development. It can, however, also create critical security challenges by obscuring security risk visibility in upstream artifacts, or by complicating the risk remediation process for outsourced resources. A single compromised off-the-shelf component can make many organizations vulnerable to attack.
How Does a Software Supply Chain Attack Work?
A software supply chain attack exploits trusted relationships between entities. Any organization that uses third-party software, works with a software vendor, or outsources its development efforts, establishes a certain level of trust with an external party. This party is, therefore, part of the software supply chain.
Attacks on the supply chain can be successful despite an organization having established strong cybersecurity measures, simply due to an insecure trusted vendor. Once threat actors breach a vendor’s network or codebase, attackers can pivot to other networks and downstream attack surfaces through that chain of trust.
Managed service providers (MSPs) are common targets of digital supply chain attacks because MSPs often establish deep connections with their customers’ networks and cloud environments. MSPs offer attackers much broader access to networks and environments that would, otherwise, be hard to attack directly. Kaseya attackers, for example, took this approach and managed to infect many organizations with ransomware.
Software supply chain attacks can also deliver malware to an organization’s customers. During the SolarWinds attack, for example, threat actors managed to gain access to the build servers of the company and inject a backdoor into updates to the SolarWinds Orion network monitoring product. Once the updated code was pushed to SolarWinds’ customers, the threat actors gained access to customer networks as well.
Recent Supply Chain Attacks
Here are several mega-scale supply chain attacks publicized in recent years.
SolarWinds is an IT vendor with top-tier clients like the US government, Cisco, VMware, and Intel. In 2020, attackers managed to inject malware into Orion, an IT resource management system in the SolarWinds product portfolio.
Attackers infiltrated the SolarWinds build process and added the malware to a regular update of the software, signed by a SolarWinds certificate. This update was distributed to hundreds of SolarWinds customers, giving attackers complete access to the infrastructure of those clients. The attack began in March 2020 but was only detected and reported in December.
CodeCov is a software auditing tool that was breached in April 2021, allowing attackers to access the networks of many CodeCov users. The attack started earlier in the year when attackers compromised an uploader script that sends code coverage reports from clients back to CodeCov servers. The compromised script allowed attackers to gain access to credentials stored within client code and provided an easy way to exfiltrate the data.
Kaseya is a network monitoring system used by thousands of organizations. A high-profile ransomware group known as REvil injected their ransomware into a regular update of Kaseya’s Virtual System Administrator (VSA). Customers who installed this update also deployed REvil ransomware, known as Sodinokibi, and lost access to their files.
Kaseya reported up to 15,000 organizations may have been hit by the ransomware. A Swedish retailer, for example, had their IT systems paralyzed after the attack and was forced to shut down 800 stores.
Why Software Supply Chain Attacks Are Becoming More Common
There are a number of factors that make software supply chain attacks an especially attractive technique for cyber criminals.
Supply chain attacks are becoming increasingly popular because of their economies of scale. Attack campaigns usually operate like a for-profit business, attempting to achieve low operational costs and gain a high return on investment (ROI).
Software supply chain attacks can enable hacking at scale—threat actors can build a hacking operation that targets a single organization, gains an initial foothold, and then compromises hundreds or thousands of additional organizations with little additional effort.
These operations are often enabled by automation, which helps threat actors to compromise many organizations simultaneously, accelerates the speed of the attack, and makes human intervention in the attack less likely. Additionally, a compromised supply chain can continue to yield benefits to attackers as long as the operation remains undetected.
Highly Accessible Attack Vector
Threat actors targeting the software supply chain are devising more creative methods of attack. Often, these attacks infiltrate a soft target with inadequate security measures, or exploit insecure permissions or misconfigurations in cloud environments. Attackers then surreptitiously install malware on these machines.
Once installed, the malware can activate and evolve with a reduced chance of detection, assuming the target organization lacks adequate runtime security controls. This creates the possibility of propagating to the affected organization’s customers, vendors, or collaborators. As more stakeholders join the software supply chain, there are more points of entry. Each of these is an opportunity to stage a new phase of the attack.
Software supply chain attacks can be difficult to detect due to their complexity and the number of organizations and systems involved. Many supply chain attacks add a backdoor to legitimate software, exploiting the fact that trust is itself being used as a security measure. Since the legitimate software is considered trustworthy, it is less scrutinized, and potentially malicious activity originating from within that software can be overlooked.
Traditional cybersecurity measures are often unsuccessful at detecting supply chain attacks. These tools were designed to find weaknesses in custom code or exploitable open source vulnerabilities. Because of the nature of the software supply chain, organizations often do not have access to source code or build artifacts necessary to perform application security testing and are, therefore, limited in their detection capabilities.
Lastly, software supply chain attacks tend to leverage advanced malware and evasion techniques to “change shape” and avoid leaving a trail of evidence. Consistent patterns of malicious activity may be non-existent. However, viewed in aggregate, seemingly unrelated artifacts embedded in the supply chain can add up to intrusion, data exfiltration, and package drops.
Cloud Native Environments
Many organizations use cloud native technologies, such as containerized applications, serverless functions, and infrastructure-as-code (IaC) templates, in single or multi-cloud environments. These architectures are attractive targets for supply chain attacks for the following reasons:
- Cloud native applications make extensive use of open source and other libraries that are often sourced from public registries and repositories. Attackers can threaten such libraries in a variety of ways, including posing as contributors to inject vulnerabilities, or by typosquatting.
- Cloud native applications tend to leverage both production and development environments hosted in public or private clouds. Configurations and security practices often differ between these environments. An application which cannot be exploited in production may be exploitable in a development environment, and malicious changes can be pushed into production later.
- Cloud native development methodologies rely on short development cycles, rapid releases, extensive integration, and automated processes. Traditional security tools cannot keep up with the pace of code shipping deadlines, and often do not deliver results fast enough for proper remediation. The result is that risky, untested artifacts are pushed to production.
- Cloud native applications are built to scale easily. This can improve the scalability of supply chain attacks, and allows malicious software to exploit permissions to access cloud resources at scale. Attackers can then perform additional actions, such as cryptomining or large scale network communication.
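As an added example (not part of the original article or any vendor's code), here is a check a CI step could run over a requirements file to catch the typosquatting risk named in the first item above. The allowlist, sample input, and function names are constructed for illustration.

```python
import re

# Constructed allowlist of packages this (hypothetical) project has vetted.
TRUSTED = {"requests", "urllib3", "numpy", "python-dateutil", "cryptography"}

def normalize(name):
    """Lowercase and collapse runs of '-', '_', '.' (PEP 503 name normalization)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def parse_requirements(text):
    """Yield normalized package names from requirements.txt-style lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            yield normalize(match.group(0))

def audit(text, trusted=TRUSTED, max_distance=2):
    """Return (name, closest_trusted_or_None, reason) for every unvetted name."""
    vetted = sorted(normalize(t) for t in trusted)
    findings = []
    for name in parse_requirements(text):
        if name in vetted:
            continue
        distance, closest = min((edit_distance(name, t), t) for t in vetted)
        if distance <= max_distance:
            findings.append((name, closest, "possible typosquat"))
        else:
            findings.append((name, None, "not on allowlist"))
    return findings

# Constructed sample input.
SAMPLE = "requests==2.31.0\nreqeusts>=2.0  # swapped letters\npython_dateutil\nnumpi\nleftpadx\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Names within two edits of a vetted package are reported as likely typosquats; anything else unvetted is reported separately so it can be reviewed before it enters the build.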
What Is The Impact of a Supply Chain Attack?
Supply chain attacks can have major impacts on an entire organization.
A supply chain attack can have an enormous impact on one or many organizations. Depending on the nature of the attack, each organization participating in the affected supply chain can face direct or indirect financial repercussions.
Damages can include the cost of incident response and forensic investigations, business interruptions, lost revenue, and loss of reputation.
A supply chain attack can cause organizations to violate regulations or industry standards, which may directly result in fines or inspire further audits of the organization. In the wake of an audit, remediation efforts for any detected shortcomings can generate major additional costs.
6 Supply Chain Security Best Practices
To mitigate the risks associated with third parties and to prevent supply chain attacks, apply the following practices.
Assess Your Supply Chain
Eliminating trust is a key security practice against software supply chain attacks. Investigate the cybersecurity practices of software vendors and third-party contributors, in addition to maintaining security best practices for the software your developers create and consume.
Do not grant access to your network to third party suppliers until you have fully vetted their security practices. Assess their security risk posture, governance policies, and compliance processes as well as their technical security controls.
This can help you gain greater visibility into supply chain risks and allow you to implement the processes and controls necessary to detect, address, or preclude supply chain attacks.
Identify Attack Vectors
To mitigate risks, you need to understand how threat actors can infiltrate your organization. This type of information can help inform the incident response process. A better understanding of the threat environment can also help you improve developer security education, take mitigation and remediation steps, and implement security testing procedures.
Be aware of limitations to each security tool or practice at your disposal, and ensure that there is a solution or procedure in place to detect or address any potential attack vector.
Perform Regular Audits
Perform regular audits of your network and environments, noting which people or tools have access to sensitive data or cloud resources. This will help you to properly assess your connections with suppliers and determine what data and systems are being shared. This will also help future forensics investigations if an attack is detected, facilitating remediation and helping to identify the attack killchain.
You also need to regularly audit the activity of your third-party suppliers. This can help ensure that all parties are following the appropriate security controls, reducing your exposure to the security inadequacies of others.
Monitor Third Parties
Regularly monitor and review all activities between your organization and third-party suppliers. This can help you identify suspicious or anomalous activity that might indicate a supply chain attack.
Remember that anomalous or malicious activity may not always be a deliberate act by a third party with whom you work. They may be the victim of an attack, resulting in your organization becoming compromised. Log activities on network devices and endpoints to make it easier to detect anomalies. This information is critical to detecting and mitigating threats, as well as responding to critical events.
Create an Incident Response Plan
Establish an incident response plan before an attack occurs. Any supporting policies, plans, and processes should be contextual, based on risk, and should account for all regulatory reporting requirements.
Your third-party supplier should also have an incident response plan, to enable them to quickly respond to attacks and mitigate any potential risk to your business. Ensure that any information gathered by security tools and processes is automatically delivered into the hands of those who need to take action, whether in-house or outside your organization.
Conduct Security Awareness Training
Employees must understand how software supply chain attacks can unfold and what each employee’s role is in the detection, remediation, and prevention of threats.
Security awareness training should educate employees on all aspects of cybersecurity, including password security, social engineering attack methods, secure coding, testing practices, and company policies. A better understanding of threats can help employees to preclude potential attacks, quickly react to active attacks, and help protect the organization’s critical systems and sensitive data.
Supply Chain Attack Protection with Aqua Security
Aqua Security provides enterprise-class security solutions to secure cloud native applications and environments from software supply chain attacks. Detect malware and anomalous activity that only manifests at runtime, without putting production environments and sensitive data at risk. Aqua Dynamic Threat Analysis (DTA) deploys containers in a secure sandbox environment and documents the entire attack killchain, providing unprecedented insight to security and forensics teams and establishing a security gate to block promotion of malicious artifacts into production.