Lately, it seems like cyberattacks targeting software supply chains have been making headlines almost daily. Large-scale and high-profile events like the 2020 SolarWinds breach set off alarm bells among journalists, industry experts and members of the general public alike. In the SolarWinds incident, the Orion IT management platform, sold by a company with hundreds of thousands of customers around the world (including the United States Department of Energy and its National Nuclear Security Administration (NNSA)), was compromised by suspected nation-state attackers, who used a trojanized software update to deliver malware granting them backdoor access to victims' networks.
While the SolarWinds breach may have been remarkable in its scale and scope, it is by no means the only attack of this kind to have succeeded recently. Just a few weeks ago, Okta, an identity and access management provider whose authentication services are used by more than 15,000 customers worldwide, including major enterprises like FedEx and Moody's Corporation, announced that it had experienced a breach affecting some of its customers. Though the full extent of the incident has yet to be made public, it began when attackers compromised the privileged account of a customer support engineer employed by a third-party sub-processor to which Okta had outsourced customer support work. Thus far, Okta says that roughly 2.5% of its customers could have been affected, but with a customer base that size this still means hundreds of companies were impacted. Enterprise technology users may well wonder: if they cannot trust the software they rely on to keep their employees' accounts and credentials safe, what can they trust?
It’s a fair question. If you’ve been following this blog for any amount of time, you’ll know that we at BTB Security don’t advocate for trusting anyone blindly — ever — with access to your data and systems. Instead, we recommend implementing ongoing monitoring, conducting frequent assessments and building solid processes for managing third-party vendor due diligence. In other words, trust but verify.
Although attacks targeting enterprises by going after the vendors and contractors in their supply networks — and especially, today, software and technology supply networks — are indeed alarming, they are nothing new. Despite the fact that pundits commenting on the growing prevalence of this type of threat dubbed 2021 "the year of the software supply chain attack," threat actors have long sought to reach major enterprises (with enterprise-grade defenses) by going after their less-fortified suppliers. After all, directly targeting a Fortune 100 company demands a lot of effort with no guarantee of success. Moving upstream in the supply chain to find a smaller, softer target is often a far simpler way to gain an entry point.
Software Supply Chain Attacks in the Days of Yore
Soon after people stopped worrying that the Y2K bug might unleash havoc in the ever more technologically dependent western world, security researchers began calling attention to the risks that compromised software supply chains could present. As long ago as 2000, scholarly journals were publishing research documenting the risks that society's growing reliance on electronic systems posed to users. And Stuxnet, first uncovered in 2010 and most likely the work of U.S. and Israeli intelligence agencies, demonstrated that governments could abuse trusted parts of the software supply chain to deliver malicious code that caused physical damage to industrial control systems: it carried drivers signed with code-signing certificates stolen from legitimate hardware vendors and subverted the Siemens engineering software used to program the targeted controllers.
Some of the most talked-about breaches of all time involved supply chain compromises. In the notorious Target breach of 2013, for instance, attackers first stole the network credentials of a refrigeration and HVAC contractor that serviced Target stores. With that vendor access they reached Target's internal network, moved laterally to the point-of-sale systems and exfiltrated payment card data belonging to roughly 41 million Target customers, along with personal information on tens of millions more.
Regulatory bodies and industry experts have warned of the potential dangers lurking in software supply chains for many years now. In 2013, for instance, the MITRE Corporation published a software supply chain attack framework including an extensive catalog of the attack patterns that malicious actors might follow in a supply chain attack, together with a set of approaches for assessing whether malicious code had been inserted into a newly acquired software product. Verizon's 2014 Data Breach Investigations Report specifically noted that smaller organizations are often targeted because of their size and their strategic position within supply chains, which makes them especially exposed. And in 2015, CERT-UK (since absorbed into the U.K.'s National Cyber Security Centre) warned that "within supply chains all members are only as strong as the weakest member because of shared information and security arrangements across the supply chain."
A Long History of Repeated Warnings
All of this is not to say that software supply chain attacks don’t have the potential to be extremely damaging. They do. But we want to contextualize the threat posed by the current wave of these attacks, reminding our readers that this type of activity has been an issue since the early days of the internet.
Gaining visibility into your own software supply chain, let alone those of your partners and vendors, and in turn theirs, has never been easy. In fact, it is virtually impossible to detect whether a rogue developer has planted a logic bomb somewhere in the software you use, buried deep inside a library you probably did not know existed. However, following basic best practices can mitigate your most pressing risks.
Before worrying about how you might address code-level vulnerabilities in software that you might not even know about, invest in patching and hardening your systems. Resolve basic IT issues like misconfigurations. And implement multilayered defenses that include high-quality 24/7 monitoring of your environment.
It’s also important to keep track of your partners and vendors as well as any clients who might have access to your internal systems. Grant this sort of access as infrequently as possible, in a time-limited fashion, and only after following a formalized assessment and review process for each party involved. Document what software you have, and who it comes from. Include those suppliers in your Third-Party Management processes. Remember that the responsibility always falls on you to understand exactly what it is that you’ve outsourced, and to plan for the eventuality that one of your partners will be compromised.
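The inventory and verification habits described above can be made concrete in code. The following is an added example, not BTB Security's tooling or any product's code: it keeps a small software inventory that records each third-party artifact, its supplier and the SHA-256 digest of the build that was reviewed, tracks vendor access grants with expiry dates, and then checks what is actually on disk against that record. All supplier names, artifact names, digests and dates are constructed for illustration.

```python
"""Added example: a minimal third-party software inventory with pinned
SHA-256 digests and time-limited vendor access grants, plus the checks
a practitioner runs against it. All names, artifacts and dates below are
constructed; this is not BTB Security's code."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class InventoryEntry:
    """One piece of third-party software: what it is, who supplies it,
    and the SHA-256 digest of the build that was reviewed and approved."""
    name: str
    supplier: str
    sha256: str


@dataclass(frozen=True)
class AccessGrant:
    """A third party's account on an internal system and when it expires."""
    vendor: str
    account: str
    expires: date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts; in practice these would be files on disk.
ARTIFACTS: Dict[str, bytes] = {
    "monitor-agent-1.4.2.tar.gz": b"constructed monitoring agent build 1.4.2",
    "backup-tool-2.0.msi": b"constructed backup tool build 2.0 (rebuilt)",
    "unlisted-plugin.zip": b"constructed plugin nobody approved",
}

# Constructed inventory. The backup tool's digest was recorded from the
# build that was reviewed; the artifact now on disk is a different build,
# which is exactly the change this check is meant to surface.
INVENTORY: List[InventoryEntry] = [
    InventoryEntry("monitor-agent-1.4.2.tar.gz", "Example Monitoring Ltd (hypothetical)",
                   sha256_hex(ARTIFACTS["monitor-agent-1.4.2.tar.gz"])),
    InventoryEntry("backup-tool-2.0.msi", "Example Backup Inc (hypothetical)",
                   sha256_hex(b"constructed backup tool build 2.0")),
    InventoryEntry("legacy-connector-0.9.jar", "Example Legacy Co (hypothetical)",
                   sha256_hex(b"constructed legacy connector build 0.9")),
]

# Constructed vendor access grants; every grant carries an expiry date.
ACCESS_GRANTS: List[AccessGrant] = [
    AccessGrant("Example Monitoring Ltd (hypothetical)", "svc-monitoring-vendor", date(2022, 6, 30)),
    AccessGrant("Example Backup Inc (hypothetical)", "backup-support-eng", date(2021, 12, 31)),
]


def verify_artifacts(inventory: Iterable[InventoryEntry],
                     artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Compare on-disk artifacts with the approved inventory.

    Returns artifact name -> one of:
      'ok'               digest matches the reviewed build
      'digest-mismatch'  present but not the build that was reviewed
      'not-in-inventory' present on disk but never documented or approved
      'missing'          documented in the inventory but absent from disk
    """
    approved = {entry.name: entry for entry in inventory}
    status: Dict[str, str] = {}
    for name, data in artifacts.items():
        entry = approved.get(name)
        if entry is None:
            status[name] = "not-in-inventory"
        elif sha256_hex(data) == entry.sha256:
            status[name] = "ok"
        else:
            status[name] = "digest-mismatch"
    for name in approved:
        if name not in artifacts:
            status[name] = "missing"
    return status


def expired_grants(grants: Iterable[AccessGrant], today: date) -> List[AccessGrant]:
    """Return vendor access grants that should already have been revoked."""
    return [grant for grant in grants if grant.expires < today]


if __name__ == "__main__":
    for name, result in sorted(verify_artifacts(INVENTORY, ARTIFACTS).items()):
        print(f"{result:16} {name}")
    for grant in expired_grants(ACCESS_GRANTS, date(2022, 4, 1)):
        print(f"expired access   {grant.account} ({grant.vendor}, expired {grant.expires})")
```

Run as a script, the example flags the rebuilt backup installer as a digest mismatch, the undocumented plugin as not in the inventory, the connector recorded in the inventory but absent from disk as missing, and the backup vendor's support account as overdue for revocation. The digests here are computed from constructed byte strings; in real use they come from the artifact you actually reviewed, and the inventory lives alongside your third-party management records rather than in a Python list.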
Asking questions will always be a good idea. Interrogate your vendors about the security processes they follow, ask in-house developers which secure design principles they employ, and inquire about how early and often they test code for vulnerabilities. Put the same questions to the vendors whose software you rely on.
Ultimately, software supply chain risks are both omnipresent and unavoidable. That is the reason you should be building multi-layered defenses and robust processes. What matters most is doing this well over the long term, not reacting to the latest news item.
Want more expert advice on which cybersecurity risks are most relevant to your business? Learn more about our comprehensive third-party risk management (TPRM) services, or contact us for a no-obligation demonstration.