Supply Chain Attacks: What You Need to Know to Protect Against Them

Before 2020, only logistics nerds ever talked about supply chains. Then came the blatantly disruptive supply chain crunch, courtesy of the COVID-19 pandemic. West Coast ports began to choke, and Chicago railyards swelled with traffic impeding the timely shipments of goods. This led to political finger-pointing, heavy corporate profits and losses, and disgruntled consumers nationwide.  

In 2020, we began hearing much more about supply chains and the issues facing them – but bogged down ports, crowded railways, and delayed shipping times were not the primary issues making headlines. Before all of this, most had never heard of a supply chain attack in the cyber sense until reports of the SolarWinds breach came out that year.  

Prior to this expansive cyberattack, asking most folks what a supply chain attack was might conjure images of a Somali pirate heist on a container ship, plotting to resell stolen consumer goods on the black market. From a technological standpoint however, a supply chain attack involves software rather than ships, and is merely analogous to an actual chain of supplies. 

A Supply Chain Attack, Defined

The heart of a supply chain attack involves corrupting a trusted application, allowing the attacker to leverage that trust and gain access to any or all users of the corrupted application. The “supply chain” references derive from the fact that modern software build applications comprise a mixture of third-party components, completely new code, and code connecting all the pieces together to solve some problem for the users of the software.  

Software developers integrate the various components of the application and build or deploy the software for use. In this type of attack, malware or a “back door” gets inserted into the software itself, either through one of the third-party components, or by getting malware built in as its own component, compromising the application itself.  

As an example, if an attacker were able to get into a web browser, then everyone who downloaded the browser would be downloading malware as well. In the case of SolarWinds, the attackers penetrated the corporate network, and after many months of quiet effort, gained access to the software build system of the company’s most popular product.  

After that compromised SolarWinds product was installed, the inserted malware notified the attackers that it was inside a corporate network. The attackers could then use the malware to gain access to that network.  From their new perch, they could deploy any number of other malware tools to exploit the corporate network. 

Now what if you aren’t a software company? Can you simply ignore supply chain attacks? Probably not. Most companies write software—whether for internal use, for partners, or their customers—even if it’s only their corporate website. Any software or website can be infiltrated and used to deliver malware to the ultimate. Consequently, most companies have some inherent vulnerability to supply chain attacks. 

Keeping Supply Attacks at Bay

So what should you do to prevent supply chain attackers? The most important factor is to limit access to critical assets that are part of the software development lifecycle. This means identifying which assets are critical to software creation.  

The first line of defense is to ensure that they can’t get to your assets in the first place.  If these critical assets are in your data center, you should implement network access control (NAC) to ensure that only authorized users on authorized devices have access to your network. For cloud assets, zero-trust network access (ZTNA) serves a similar access control function. Both NAC and ZTNA allow for micro-segmentation of network access so that users can only access required assets because limiting lateral movement can dramatically decrease the impact of any breach. 

Additionally, critical assets should be protected by privilege access management (PAM), a tool that acts as a proxy between users and assets.  The user logs into the PAM—preferably with multi-factor authentication—and the PAM logs into the asset itself, often auditing all user actions while logged-in.  

For network devices, TACACS+ is a similar kind of proxy used for accessing network devices, which are also critical assets in any supply chain.  Along the same lines, implementing the principle of least privilege limits what any given account can do in the event of a compromise. 

Key Takeaways

A robust vulnerability management program strongly complements access control because it reduces the likelihood that an attacker could leverage an unpatched vulnerability in any of your software to slip past layers of access control. Controlling access, limiting lateral movement, and reducing risk from software vulnerabilities provide considerable protection against the risk of a supply chain attack.