Cyber threats are on everyone's radar, and the supply chain is a primary source of anxiety for many enterprises. Just how prevalent are software supply chain attacks? Sonatype research showed a 430% increase in software supply chain attacks between 2019 and 2020, followed by a 650% increase between 2020 and 2021.
Ever-increasing connectivity will only continue to motivate attackers to target the software supply chain: a few malicious lines inserted into a widely used component hand the attacker the keys to every organization that installs it. Luckily, there are a number of ways to reduce the risk of these attacks, which we'll cover shortly.
How Much Damage Can Be Done?
Those numbers are concerning, but one could argue that they represent a new attack vector that security teams have since pivoted to address. How much damage can a software supply chain attack really do? Look no further than the SolarWinds and Kaseya attacks.
The SolarWinds breach, discovered in December 2020, began when attackers compromised the company's build process and shipped a backdoor inside signed updates of its Orion monitoring platform. Installing the trojanized update gave the attackers a foothold not only in SolarWinds' own network but in the networks of its customers, among them the United States Department of Defense, Department of Homeland Security, and Department of Justice.
In July 2021, IT management vendor Kaseya fell victim to a supply chain attack: criminals exploited vulnerabilities in its VSA remote management product to push ransomware downstream to the managed service providers that ran it and, through them, to their customers. Roughly 800 Swedish supermarkets closed, and over 1,000 individual businesses lost access to their networks and computers.
A 2022 attack on a satellite communications provider knocked out remote monitoring of thousands of wind turbines in central Europe. Together these examples show both the persistence of this threat over time and the scope and range across which it can be applied.
What Is a Software Supply Chain Attack?
It's easy to see how one might be confused by the name. Is this an attack on the supply chain or an attack on software? It is both. A software supply chain attack involves at least two separate stages. The first targets software that will be passed downstream to other organizations, either as a product in its own right or as a component of one, such as a library, build tool, or update mechanism. In that first stage, malicious code is inserted into the software, and that code will later give the attackers access to the networks of everyone who installs it.
The second stage uses that implanted code to execute the end-stage attack on the downstream victim. This can be a standard data breach that exfiltrates sensitive information for monetary gain, or something far more damaging, such as a ransomware attack that takes a hospital system's networks offline. Because a single compromised component can give a persistent foothold in thousands of organizations at once, finding ways to prevent supply chain attacks has never been more important.
Supply Chain Attack Prevention
Evaluate Your Threat Landscape
One of the primary ways to prevent supply chain attacks is to determine where your exposure exists in the first place. Only by inventorying your software supply chain, identifying every open source library or component in use, every IT or cloud service your operations depend on, and every channel through which vendors push code into your environment, can you begin to secure it. Knowing where attackers can strike is the first box your security team should be checking.
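As an added example (not code from the original article), the following Python script turns the inventory step into something concrete for one ecosystem: it audits a pip requirements file for entries that let an upstream party, or an attacker-controlled package index, change what actually gets installed. The sample requirements text, the package and index names, and the hash value are all constructed for illustration.

```python
"""Audit a pip requirements file for software supply chain weak points.

Added example, not code from the original article. The sample
requirements text at the bottom is constructed, including the hash.
"""
import re
from dataclasses import dataclass

# "name[extras]==1.2.3": only an exact pin fixes what gets installed.
_PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)(\[[^\]]*\])?\s*==\s*([^\s;]+)")
# pip treats "#" as a comment only at line start or after whitespace,
# so "#egg=" fragments inside URLs survive.
_COMMENT_RE = re.compile(r"(^|\s+)#.*$")
_INDEX_OPTS = ("--index-url", "-i ", "--extra-index-url", "--find-links", "-f ")
_URL_PREFIXES = ("git+", "hg+", "svn+", "bzr+", "http://", "https://")


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str   # "high" or "medium"
    reason: str
    text: str


def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per requirement line that weakens reproducibility."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = _COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("-e "):          # editable installs are still URLs/paths
            line = line[3:].strip()
        if line.startswith(_INDEX_OPTS):
            # An extra index lets a same-named public package shadow an
            # internal one (dependency confusion); every index override
            # should be reviewed and ideally replaced by a single proxy.
            findings.append(Finding(line_no, "high", "custom package index", line))
        elif line.startswith(_URL_PREFIXES) or " @ " in line:
            # VCS/URL sources bypass the index and version pins; only a full
            # commit hash makes the install reproducible.
            if not re.search(r"@[0-9a-f]{40}\b", line):
                findings.append(Finding(line_no, "high",
                                        "VCS/URL dependency without a commit hash", line))
        elif line.startswith("-"):
            continue                         # other pip options (-r, -c) are out of scope
        elif not _PIN_RE.match(line):
            findings.append(Finding(line_no, "medium", "version not pinned with ==", line))
        elif "--hash=" not in line:
            findings.append(Finding(line_no, "medium",
                                    "pinned but no --hash, so pip cannot verify the artifact", line))
    return findings


# Constructed sample; the hash is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project's lock file
--extra-index-url https://pypi.example.internal/simple
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=1.26
pyyaml
git+https://github.com/example/lib.git@main#egg=lib
cryptography==41.0.0
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no:>2} [{f.severity:<6}] {f.reason}: {f.text}")
```

Run against the constructed sample, the script reports the extra index and the unpinned git dependency as high severity and the three loosely pinned or unhashed packages as medium. The same three questions (who controls the index, is the version fixed, can the artifact be verified) apply to npm, Maven, Go modules and container base images; only the file syntax changes.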
Limit Information Access
Instead of open flows of information back and forth between your vendors' systems and your own, a more secure option is a one-way flow. A policy like this ensures that only the information a vendor requires is provided, and only at the point in time when it is needed. It limits how far an incident at a vendor can travel into your own network, and it is closely related to our next recommended best practice.
Network Segmentation
Now that we've covered controlling the flow of sensitive information to your vendors, let's talk about traffic within your own network. Dividing the network into separately secured segments, each requiring its own authentication, prevents an attacker from reaching all of your valuable assets with a single compromised account. Vendor-managed systems and tools that receive automatic updates belong in segments of their own, so that a compromised update cannot reach the rest of the environment directly.
Role Based Access Controls
Each employee should be permitted access only to the sensitive information that is absolutely necessary to complete their daily tasks. Larger enterprises may find it easier to have IT staff create roles with specific permissions and assign each employee to the role that best fits their job. This streamlines the process compared to setting permissions for each employee individually, and it makes it far easier to review who can reach what when an account is compromised.
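To make the role model concrete, here is an added Python example (not code from the original article) of a deny-by-default role based authorizer together with a report of permissions that users hold but never exercise, which is where least privilege usually erodes. The roles, users, permission names and access log are all constructed.

```python
"""Deny-by-default role based access control plus a privilege-creep report.

Added example, not code from the original article. Roles, users,
permission names and the access log below are constructed.
"""
from collections import defaultdict

# A permission is "action:resource"; a role is a named set of permissions.
ROLES: dict[str, frozenset[str]] = {
    "analyst": frozenset({"read:tickets", "read:reports"}),
    "engineer": frozenset({"read:tickets", "write:tickets", "read:builds", "deploy:staging"}),
    "release_manager": frozenset({"read:builds", "deploy:staging", "deploy:production"}),
}

# Users are assigned roles, never individual permissions; the effective
# permission set is the union of their roles.
USER_ROLES: dict[str, set[str]] = {
    "alice": {"engineer"},
    "bob": {"engineer", "release_manager"},
    "carol": {"analyst"},
}


def effective_permissions(user: str) -> frozenset[str]:
    """Union of the permissions of every role the user holds (empty if unknown)."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLES.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Deny by default: an unknown user, role or permission always yields False."""
    return f"{action}:{resource}" in effective_permissions(user)


def privilege_creep_report(access_log: list[tuple[str, str, str]]) -> dict[str, frozenset[str]]:
    """Permissions each user holds but never exercised in the log.

    access_log rows are (user, action, resource) for actions that succeeded.
    Anything reported here is a candidate for removal under least privilege:
    it is reachable by an attacker who steals the account but adds no value.
    """
    used: dict[str, set[str]] = defaultdict(set)
    for user, action, resource in access_log:
        used[user].add(f"{action}:{resource}")
    return {user: effective_permissions(user) - used[user] for user in USER_ROLES}


# Constructed sample of successful actions over a review period.
SAMPLE_ACCESS_LOG = [
    ("alice", "read", "tickets"), ("alice", "write", "tickets"), ("alice", "read", "builds"),
    ("bob", "read", "builds"), ("bob", "deploy", "staging"),
    ("carol", "read", "tickets"),
]

if __name__ == "__main__":
    print("bob may deploy to production:", is_allowed("bob", "deploy", "production"))
    print("carol may write tickets:", is_allowed("carol", "write", "tickets"))
    for user, unused in privilege_creep_report(SAMPLE_ACCESS_LOG).items():
        print(f"{user}: unused permissions {sorted(unused)}")
```

In the constructed data, bob holds production deployment rights he has not used during the review period; that is exactly the permission an attacker who compromises his account would want, and the report flags it for removal.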
Apply Zero Trust Policies
When speaking of software supply chain security, it's important to question each connection to your systems. No user, account, or program should be trusted inherently; each should be required to prove its identity both to connect and to proceed further through the network. This applies equally to service accounts, build agents, and vendor integrations, which are often the identities a supply chain attack arrives through. Multifactor authentication should be enforced wherever it is available.
Security Tool Selection and Upkeep
Firewalls, antivirus, anti-malware, and network scanning tools all help contain the fallout of a supply chain attack. Detecting a breach early often hinges on spotting suspicious activity: unusual user behavior, permission changes, or changes to the network itself. Whatever tools you select should be tailored to the attack vectors you identified during your evaluation. Apply updates and patches promptly when they are released, but verify the publisher's signature and stage updates before broad rollout: the SolarWinds attack shows that a vendor's update channel can itself be the delivery vehicle.
One of the best security tools, and one that is often overlooked, is the honeytoken. Honeytokens mimic valuable assets in your network, such as credentials or documents, that no legitimate user or process ever touches. When an attacker picks one up and uses it, your security team is notified immediately and can take action, with very few false positives because nothing else should be generating that activity.
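As an added example, not code from the original article, the following Python snippet plants a decoy access key and scans constructed authentication log lines for any use of it. The log line shape, the IP addresses and the decoy key id format are assumptions made for the illustration; a real deployment would feed the scanner from the authentication system's actual logs.

```python
"""Plant a honeytoken credential and detect its use in authentication logs.

Added example, not code from the original article. The log line shape,
the IP addresses and the decoy key id format are assumptions made for
illustration, not any real provider's format.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Every planted token is recorded with where it was placed, so an alert
# also tells responders which decoy (and therefore which host or share)
# the intruder has already reached.
PLANTED: dict[str, str] = {}


def plant_honeytoken(location: str, token: Optional[str] = None) -> str:
    """Create (or register) a decoy key id and remember where it was placed."""
    token = token or "HTK" + secrets.token_hex(8).upper()   # assumed format
    PLANTED[token] = location
    return token


@dataclass(frozen=True)
class Alert:
    token: str
    location: str
    source_ip: str
    timestamp: str
    raw: str


# Constructed log shape: "<timestamp> auth key_id=<id> src=<ip> result=<ok|denied>"
_LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth key_id=(?P<key>\S+) src=(?P<ip>\S+) result=(?P<res>\S+)"
)


def scan_auth_log(lines: list[str]) -> list[Alert]:
    """Return an Alert for every line that references a planted token.

    A denied attempt counts too: no legitimate process holds the decoy,
    so any reference to it is high-confidence evidence of compromise.
    """
    alerts: list[Alert] = []
    for raw in lines:
        match = _LOG_RE.match(raw)
        if not match:
            continue                     # unrelated or malformed line
        key = match.group("key")
        if key in PLANTED:
            alerts.append(Alert(key, PLANTED[key], match.group("ip"), match.group("ts"), raw))
    return alerts


def build_sample_log(decoy: str) -> list[str]:
    """Constructed log lines: routine traffic plus one use of the decoy."""
    return [
        "2024-05-01T10:00:01Z auth key_id=AKREALUSER01 src=10.0.1.15 result=ok",
        "2024-05-01T10:00:07Z auth key_id=AKREALUSER02 src=10.0.1.22 result=ok",
        f"2024-05-01T10:03:44Z auth key_id={decoy} src=203.0.113.9 result=denied",
        "2024-05-01T10:04:00Z auth key_id=AKREALUSER01 src=10.0.1.15 result=ok",
        "malformed line that does not parse",
    ]


if __name__ == "__main__":
    decoy = plant_honeytoken("fileshare:/finance/backup.env")
    for alert in scan_auth_log(build_sample_log(decoy)):
        print(f"ALERT {alert.timestamp} decoy from {alert.location} used by {alert.source_ip}")
```

The decoy in the sample was "found" on a finance file share and then tried from an external address, so the single alert already tells responders which share was read and where the attempt came from. Keep the mapping of tokens to locations out of the places where the tokens are planted, otherwise an intruder can recognize the decoys.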
Implement an Incident Response Plan
In order for those team members to take effective action, you have to have an incident response plan in place. It is best to treat a security breach as a foregone conclusion; this mindset allows you to develop the best incident response plan you can. The plan must be developed with detection, containment, and business continuity in mind, and it must be tested, evaluated, and updated regularly. This includes keeping up-to-date contact information for critical team members, vendors, executives, and even PR personnel, and knowing how to reach your vendors' security teams when the incident originates on their side.
It isn't enough just to have the plan in place. All of your employees must be trained on the incident response plan and on the suspicious behaviors that would trigger it.
Hands down, the best way to test your security controls and incident response plan is to put them through their paces with penetration testing. To make this testing most effective, it should be conducted by an independent third party, and their evaluation and recommendations should be given serious weight. Penetration testing should also be conducted with no notice to security staff, or at the very least, notification should be limited to senior management or executive staff. This provides the most realistic setting for the testers and the best feedback on your controls. An unannounced test still needs written rules of engagement and an emergency contact on the executive side, so that a real incident during the test window is not dismissed as part of the exercise and the test itself is not escalated as a real attack.
At Venture Lynk, we specialize in third party vendor risk management. Our staff of cyber security experts are well-versed in supply chain security concerns and can help you better secure your business from a wide range of cyber threats. However, we don't just limit ourselves to third party risk management. We provide everything from intellectual property risk management to operational risk management and everything in between. Whether you're looking for a comprehensive vendor management program, cyber security risk analysis, or even assistance in developing and deploying information security policies, our staff can compile a custom program to address your needs. Contact us today to see what we can offer for your unique concerns.