Educate your boss about… "supply chain attacks"

A guide for "upstairs consumption" on a range of contemporary IT issues. This time: the software supply chain.
15 June 2022

Everyone thinks they understand malware. Malware is the malicious code that hackers and phishers get onto your system that corrupts, encrypts, destroys, or otherwise incapacitates your data, your systems, or your business, right?

Right. That hasn’t changed, though the kinds of things the code is being asked to do are growing more and more diverse. What is changing is the way that threat actors are getting their malware into your systems.

Traditionally, malware attacks have been exactly that – attacks sent directly from the threat actors to your systems, aimed at infiltrating them through some act of permission, from a hastily clicked web link to an inserted USB drive. So far, so standard.

Supply chain attacks are bigger, more random, and much more effective than standard malware attacks. They don't attack your systems in particular. They infect some element much further up the supply chain – hardware, software, the code in a popular app you buy or download. Something which neither you as the user nor the good-faith supplier has any reason to presuppose is infected.

Then, when the infected elements are used – when the app is downloaded, the hardware plugged in, the software installed – the malware is spread into every system that uses the infected element of the supply chain.

A Real-World Analog

Think about this. If someone wanted to poison your morning OJ, they’d have to con their way into your house (system) at just the right time, distract you (make you click a link, for instance), add the poison to your glass or the carton (transfer the malware from the link to your system), and leave before you got suspicious. That’s a standard malware attack.

If someone didn’t care about you particularly, but wanted to poison a lot of OJ, they could contaminate a whole batch at the processing plant (higher up the supply chain). It would still be contaminated in supermarket chiller cabinets (without the supermarket knowing), it would still be contaminated in your refrigerator (without you knowing), and when you poured it down your throat, it would do its job and kill you – just as the rest of the batch was killing lots of other people around the neighborhood.

That’s the real-world analog of a supply chain attack.

Thankfully, no-one’s trying to poison your OJ. But stealing cryptocurrency, stealing passwords, stealing credit card details, using the same technique, where poison equals malicious code – that’s the supply chain attacker’s big pay day.


Types of supply chain attacks

There are different ways supply chain attacks can be implemented.

  • Software build tools can be compromised, so the malware is "innocently" transferred to every piece of software they are subsequently used to build
  • Code-signing certificates can be stolen, or the identity of developer companies can be stolen and used incognito
  • Specialized malware code can be added into hardware or firmware components – again, without the manufacturer being any the wiser
  • Or malware can be pre-installed on devices (including cameras, USB drives, phones, etc.). This is probably the closest that supply chain attacks get to a traditional malware attack.

Supply chain attacks are particularly easy to effect on third-party or open source code and apps. And they're evolving, increasingly going further up the chain and attacking the open source elements that feed the global supply chain. The more that's infected, the bigger the threat actor's pay day can become.

So, what can you do? How do you make sure you’re not using some perfectly innocent looking software or hardware that’s corrupted with the intention to rob you or your customers blind?

Protecting against supply chain attacks

Just as the emergence of a new health threat like Covid demanded a new level of vigilance, supply chain attacks demand some "new normals" of their own.

  1. First, wherever possible, work only with exemplary third-party and open source suppliers. They will maintain a highly secure build and upgrade infrastructure, and ensure their update channels require SSL, making it hard for supply chain attackers to attach themselves to patches and updates.
  2. Implement your own strong code integrity policies, so that only apps that have been checked and authorized can run. That reduces the risk of random open source elements infecting your systems.
  3. Invest in endpoint detection and response solutions. This may not be cheap, but the ability to automatically detect and remediate suspicious activities – and to do it fast – will be worth the investment, because supply chain attacks are the way threat actors are moving, and they will continue to be a problem for the foreseeable future.
  4. While focusing on protecting your systems from upstream attacks via open source elements, don’t take your eye off the downstream ball. There will still be value in protecting against traditional malware attacks for the foreseeable future too.
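The first two items above (updates fetched only over an encrypted channel, and a code integrity policy that lets only reviewed artefacts run) can be made concrete in a few lines. The following is an added illustration, not code from the original article: the vendor release, the allow-list of approved SHA-256 digests and the update URLs are all constructed for the example, and a real deployment would keep the allow-list in a signed, access-controlled store rather than in source.

```python
"""Added example (not part of the original article): a minimal code-integrity
check. The allow-list, update URLs and artefact contents are constructed here."""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artefact."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def update_url_is_acceptable(url: str) -> bool:
    """Item 1: patches and updates may only be fetched over TLS from a named host."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def is_authorized(path: Path, allowlist: dict[str, set[str]]) -> bool:
    """Item 2: run an artefact only if its digest was recorded when it was reviewed.

    A tampered copy of a known file has a different digest, so it is refused
    just like a file nobody has ever looked at.
    """
    approved = allowlist.get(path.name, set())
    return sha256_of_file(path) in approved


def demo() -> dict[str, bool]:
    """Exercise the policy against a reviewed release and a tampered copy of it."""
    # Constructed "reviewed" vendor release; its digest is recorded at review time.
    vendor_release = b"print('vendor tool 1.0')\n"
    allowlist = {"tool.py": {sha256_of_bytes(vendor_release)}}

    with tempfile.TemporaryDirectory() as workdir:
        trusted_dir = Path(workdir) / "trusted"
        tampered_dir = Path(workdir) / "tampered"
        trusted_dir.mkdir()
        tampered_dir.mkdir()

        trusted = trusted_dir / "tool.py"
        trusted.write_bytes(vendor_release)

        # Same file name, one extra line appended somewhere upstream (constructed).
        tampered = tampered_dir / "tool.py"
        tampered.write_bytes(vendor_release + b"import os  # injected\n")

        return {
            "trusted_allowed": is_authorized(trusted, allowlist),
            "tampered_allowed": is_authorized(tampered, allowlist),
            "https_update_ok": update_url_is_acceptable("https://updates.example.test/tool-1.0.py"),
            "http_update_ok": update_url_is_acceptable("http://updates.example.test/tool-1.0.py"),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point for a non-technical reader is in the tampered case: the injected line is tiny and the file name is unchanged, yet the digest no longer matches anything on the allow-list, so the policy refuses it without needing to recognise the malware itself. Pair this with signature verification of the allow-list itself, otherwise an attacker who can alter the artefact can alter the list too.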