Supply chain attacks have been on the threat radar of many organizations and their security teams for several years. However, since the infamous SolarWinds attack in 2020 — which led to widespread and damaging compromises of data, networks and systems — the supply chain attack vector has taken on a new level of focus. Indeed, supply chain attacks have become an effective way for hackers to gain access to IT networks at scale and, as such, are among the most worrying cybersecurity risks facing organizations today.
Supply chain risks come in many forms — from complex to relatively simple. The UK government’s Cyber Security Breaches Survey, which explores organizations’ policies, processes, and approaches to cybersecurity and is used to inform government cybersecurity policy, looked at this in its latest report. The 2022 survey reveals that just 13 percent of businesses review the risks posed by their immediate suppliers, with that number dropping to 7 percent for their wider supply chain. Possibly even more concerning, many organizations commonly perceive ‘big tech’ companies to be “invulnerable to cyber attacks”.
The SolarWinds attack clearly contradicts this belief, so it is vital that organizations across all sectors start taking all types of supply chain risk more seriously. SolarWinds represents just one of a growing list of disruptive and damaging supply chain incidents. Another was seen when Kaseya — an IT management software business — suffered a breach in which attackers used malicious software updates containing ransomware to target around 50 of its Managed Service Provider (MSP) customers.
This initiated a chain of events whereby an additional 1,500 customers of those MSPs were also breached, data was encrypted and organizations were significantly disrupted as they worked to restore their systems. In some cases, victims are thought to have paid ransom demands but were sent decryption keys from the attackers that didn’t release their data in full.
Securing the supply chain
Among a range of preventative and mitigating measures, better cyber hygiene — particularly, separating some SolarWinds servers from outbound internet traffic — could have frustrated the efforts of the attackers, according to the Cybersecurity and Infrastructure Security Agency (CISA). Improving employee training and standard prevention measures can significantly reduce the chances of a supply chain attack being initiated successfully.
In addition, CISA states that a software bill of materials (SBOM) – an inventory of the ingredients that make up a software component – has “emerged as a key building block in software security and software supply chain risk management.” Among other things, an SBOM can be used to create security advisories that indicate “whether a product or products are affected by a known vulnerability or vulnerabilities.”
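To make the advisory use case concrete, here is an added illustration (not CISA's, Glasswall's or any SBOM tool's own code) of the matching step: a CycloneDX-style SBOM is read, each listed component is compared against a list of advisories, and the output is the "affected / not affected" statement a security advisory needs. The SBOM document, the component names, the advisory list and its `ADVISORY-PLACEHOLDER-*` identifiers are all constructed for the example; they are not real packages or real CVEs. Versions are assumed to be plain dotted integers, which is a simplification of real ecosystem version schemes.

```python
"""Match an SBOM's components against a list of vulnerability advisories.

Added example: the SBOM, components and advisories below are constructed,
and the advisory identifiers are placeholders rather than real CVE numbers.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM (only the fields this example needs).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.0"},
        {"type": "library", "name": "example-parser", "version": "1.3.2"},
        {"type": "library", "name": "example-crypto", "version": "3.0.1"},
    ],
})

# Constructed advisories: the affected range is [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-001", "name": "example-logger",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-002", "name": "example-parser",
     "introduced": "1.4.0", "fixed": "1.4.1"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Assumption: versions are dotted integers, e.g. '2.14.0' -> (2, 14, 0)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, introduced: str, fixed: str) -> bool:
    """True when installed lies in the half-open range [introduced, fixed)."""
    v = parse_version(installed)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> Dict[str, str]:
    """Return {component name: version} from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def match_advisories(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Cross-check every advisory against the SBOM and report the hits."""
    components = load_components(sbom_json)
    findings = []
    for adv in advisories:
        installed = components.get(adv["name"])
        if installed is None:
            continue  # component not shipped in this product at all
        if is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"],
                "component": adv["name"],
                "installed": installed,
                "fixed_in": adv["fixed"],
            })
    return findings


def advisory_statement(product: str, sbom_json: str, advisories: List[dict]) -> str:
    """Render the 'affected / not affected' line a security advisory would carry."""
    findings = match_advisories(sbom_json, advisories)
    if not findings:
        return f"{product}: not affected by any listed advisory"
    items = ", ".join(f"{f['id']} via {f['component']} {f['installed']} "
                      f"(fixed in {f['fixed_in']})" for f in findings)
    return f"{product}: affected by {items}"


if __name__ == "__main__":
    print(advisory_statement("example-product", SAMPLE_SBOM, SAMPLE_ADVISORIES))
```

The point of the exercise is that the SBOM is only as useful as the process around it: the advisory list must be kept current, and a component that is absent from the SBOM (a vendored copy, a statically linked dependency) is silently reported as "not affected".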
Also key to securing supply chains is to deliver proactive protection against the risks inherent in the exchange of documents and files. Embedding malware within the most common file types has long been a standard tactic for cybercriminals, who go to elaborate lengths to trick employees into opening them and triggering an attack.
The results can be devastating, as seen with the recent breach at the cryptocurrency game developer Sky Mavis, which resulted in the world’s biggest crypto heist of $620 million. The cybercriminals behind the attack staged an elaborate — and highly convincing — fake recruitment and interview process via LinkedIn and were able to access Sky Mavis’ servers when an employee opened a spyware-infected PDF-based job offer letter.
But why is it so challenging for organizations to stop these attacks? Current cybersecurity tactics frequently rely on detection-based methods to halt malware outbreaks. Although these technologies, like antivirus and sandboxing solutions, are essential components of a comprehensive cybersecurity strategy, they also have operational blind spots that can expose networks to risk.
For instance, reactive security solutions that typically serve as the first line of defense are initially unaware of new, zero-day vulnerabilities or exploits. This can result in a “protection gap” that might last up to 18 days until software updates are developed, and antivirus programs are updated. As a result, zero-day tactics are now far more effective because antivirus and sandboxing solutions take time to catch up to these new dangers.
Part of the problem is that 70 percent of malware found in files at the time they are received is of an unknown form, rendering it invisible to reactive cybersecurity solutions. Instead, businesses need to take a proactive approach to file security, utilizing tools like Content Disarm and Reconstruction (CDR) technology, which quickly cleans and rebuilds files to conform to their manufacturer’s published criteria, removing any potential dangers.
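The "rebuild to the published specification" idea is easiest to see on a small format. The following is an added example written for this page, not Glasswall's CDR engine or any product's code: it takes a PNG, parses it chunk by chunk, verifies every CRC, keeps only the chunk types the PNG specification marks as critical (IHDR, PLTE, IDAT, IEND), decompresses and length-checks the pixel stream, and then writes a brand-new file from those validated parts. Anything it cannot validate (an unsupported colour type, a bad CRC, a pixel stream of the wrong size) is refused rather than passed through, because a rebuild that copies unknown bytes is no rebuild at all. The sample image, its text chunk and the private `prIV` chunk are constructed inline; supporting only 8-bit non-interlaced greyscale/RGB/RGBA is an assumption made to keep the example short.

```python
"""CDR-style rebuild of a PNG file from its validated critical chunks only.

Added example, not a product's implementation. The sample image and its
ancillary chunks are constructed inline for the demonstration.
"""
import struct
import zlib
from typing import List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Critical chunk types per the PNG specification; every other chunk is dropped.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
# Assumption for brevity: only 8-bit greyscale (0), RGB (2) and RGBA (6).
CHANNELS = {0: 1, 2: 3, 6: 4}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob: bytes) -> List[Tuple[bytes, bytes]]:
    """Walk the chunk list, refusing truncated chunks or CRC mismatches."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_stored = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_stored) != 4:
            raise ValueError("truncated chunk body")
        if struct.unpack(">I", crc_stored)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def rebuild_png(blob: bytes) -> Tuple[bytes, List[bytes]]:
    """Return (clean_png, dropped_chunk_types); raise if the file cannot be validated."""
    chunks = parse_chunks(blob)
    kept = [(t, d) for t, d in chunks if t in ALLOWED_CHUNKS]
    dropped = [t for t, _ in chunks if t not in ALLOWED_CHUNKS]
    if not kept or kept[0][0] != b"IHDR" or kept[-1][0] != b"IEND":
        raise ValueError("IHDR must come first and IEND last")
    ihdr = kept[0][1]
    if len(ihdr) != 13:
        raise ValueError("malformed IHDR")
    width, height, bit_depth, color_type, _comp, _filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    channels = CHANNELS.get(color_type)
    if bit_depth != 8 or channels is None or interlace != 0:
        raise ValueError("unsupported PNG layout; refusing to rebuild")
    # Re-encode the pixel data instead of copying it: inflate, check size, deflate again.
    raw = zlib.decompress(b"".join(d for t, d in kept if t == b"IDAT"))
    expected = height * (1 + width * channels)  # one filter byte per scanline
    if len(raw) != expected:
        raise ValueError("pixel stream length does not match IHDR")
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    out += b"".join(_chunk(t, d) for t, d in kept if t == b"PLTE")
    out += _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b"")
    return out, dropped


def build_sample_png() -> bytes:
    """Constructed 2x2 RGB image carrying a text chunk and a private chunk."""
    width, height = 2, 2
    raw = b"".join(b"\x00" + bytes([255, 0, 0, 0, 255, 0]) for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00constructed metadata")
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"prIV", b"\x00" * 16)  # constructed private chunk, stands in for untrusted payload
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    clean, dropped = rebuild_png(build_sample_png())
    print("dropped:", dropped, "clean size:", len(clean))
```

Note that nothing here looks for a signature of anything malicious: the file is reduced to the parts the specification says a viewer needs, and the rest is discarded on principle. That is what lets the approach work against a payload nobody has seen before, and also why real CDR engines must cover each format's full specification rather than the simplified subset used here.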
By doing this, security teams not only narrow the protection gap that threatens the integrity of their networks, but also relieve staff members of the burden of acting as infrastructure guardians. As CISA also puts it, today’s threat actors have the “resources, patience, and expertise to gain access to and privileges over highly sensitive information.” Until organizations can more effectively secure the supply chain, they will remain vulnerable to increasingly sophisticated adversaries.
Photo credit: Sashkin / Shutterstock
Paul Farrington is Chief Product Officer at Glasswall.