You Don’t Need To Be In IT To Understand A Supply Chain Hack
Originally written for Forbes.
Once you understand a supply chain attack, it’s hard not to question whether you might have already been a part of one. We are all familiar with direct cyberattacks, which is why your company’s IT department consistently warns of phishing emails. The attackers need to find a way inside. But what if they could get the target to bring the malware in themselves? Welcome to the world of supply chain attacks.
Supply chains are a fact of life for every aspect of any IT system and enterprise. Most of the software that we run was made by another company. The hardware it runs on is manufactured by hundreds of different vendors and, in many cases, is hosted and managed by a third party. Even the software we build internally relies heavily on libraries and other software components that are simply imported from other sources. An attacker who can modify anything upstream in any of these supply chains would find themselves already inside hundreds or thousands of environments without having to exert any further effort. Scary, right?
I’ll give you an example. In 2020, attackers targeted many businesses and organizations, including one notable attack involving SolarWinds. You can read more about this attack via extensive reporting from several media outlets, including Forbes and The Washington Post. A company called Kaseya, which makes another remote monitoring and management (RMM) tool, had something similar occur.
If you’re not in cybersecurity or IT, don’t worry if you don’t completely understand the significance of what could happen in a supply chain attack. Hackers can break into the internal systems used by an organization and add their own malicious code to the real software. When a vendor like this then updates the software used by their customers, they unknowingly send out the malicious code with it.
In some cases of supply chain attacks, thousands, if not tens of thousands, of companies are affected. That’s thousands of separate companies that these attackers are able to sneak their malware into by simply attacking a single organization. Once those companies install an update (which is what security wonks like me are constantly telling folks to do!), the attackers can gain access to those companies’ information technology systems and are able to install even more malware. Think of it as a trickle-down effect. The really scary part is that hacks like these are often undetected for months, gaining access to both government and private entities.
These hacks can be stealthy, avoiding detection for months, or the attacker can choose to take more noticeable actions with that access, perhaps by delivering ransomware. In the case of ransomware, the impact is obvious, but the source is elusive, as these tools are often seen as the defense, not the attack vector.
The impacts of a supply chain attack vary from data breaches to malware installation and financial loss. Detecting this malicious code can be incredibly difficult. And removing the malicious code can be even more challenging, if not impossible.
Attribution is incredibly difficult in these cases, but given the rewards available to a successful operation, it is believed that nation-states and organized cybercrime groups are actively pursuing supply chain attacks to further their own interests.
If only we could go back to only worrying about those phishing emails.
So, what can you do to reduce your own exposure to a supply chain attack? Supply chain attacks may be the most challenging cybersecurity risks we are going to face. But here’s a start.
- Establish a baseline of what normal behavior is. “Should our server monitoring software be making connections to the internet?”
- Avoid the temptation to omit any activity executed by “trusted” applications from your threat detection process. That software should behave predictably. You must understand normal to recognize abnormal.
- Use software that receives third-party security verification, and ensure the vendor can provide up-to-date information such as a software bill of materials.
- Build an incident response playbook for what to do if one of your trusted utilities is suddenly unavailable to you, especially during a security incident investigation.
- A supply chain compromise only gives these attackers their initial access. Plan on catching them when they start moving to the next phase of their operation.
We’ve just scratched the surface of what you can do about supply chain attacks. Stay tuned for the next chapter in our supply chain series, including a deeper dive into what companies can do to block these hackers and an answer to the question, “Will cybersecurity ever be solved?”
Read the original article here: You Don’t Need To Be In IT To Understand A Supply Chain Hack (forbes.com)