With reference to cyber-security, we speak about software supply chain attacks where we see malicious code injections to a provider of third-party code for the purpose of bringing harm to an entity further down the digital supply chain network. These were perfectly illustrated by the Magecart attacks on British Airways and Ticketmaster last year.
To delve a little deeper, a supply chain attack can be characterised as an intentional malicious action (e.g., insertion, substitution or modification) taken to create and ultimately exploit a vulnerability in Information and Communication Technology (hardware, software, firmware) at any point within the supply chain with the primary goal of disrupting or surveilling a mission using cyber resources. In software development, a supply chain attack is typically performed by inserting malicious code into a code dependency or third-party service integration.
Integrating external scripts and using code dependencies is now standard practice when developing software. Some of the most widely-used pieces of code come from reputable third-party providers such as Google, companies that we shouldn’t expect attackers to be able to compromise. However, large companies like these frequently use third-party scripts which come from small companies or individual developers whose own security systems can leave a lot to be desired.
Most third-party code providers don’t have enterprise-grade security systems, and yet this external code has the same permissions as the code that companies develop in-house. Attackers have clearly identified this weakest link in the software supply chain – being able to breach high-profile companies without ever having to go near their servers or code. Witness the major attacks that took place last year, including the Magecart attacks on British Airways and Ticketmaster. The holy grail of cyber attacks is to now target dependencies or scripts which are developed by third-parties and used by thousands of companies – something that we now have come to know as supply chain attacks.
Common attack objectives
So what are some of the common attack objectives for supply chain hackers, then? Well, looking at recent supply chain attacks, we see that attackers certainly want to gain unauthorised access to information – credit card info and account credentials. They may also seek to reduce the integrity of the overall system (making it malfunction) so that users end up not trusting the information or information system; the end user could also end up doing unintended things. Attackers might also seek to reduce the availability of the system or information / resources i.e. make it unavailable when it is actually needed by the user. They will also undoubtedly seek to use resources for illegitimate purposes or for potentially harmful reasons. In this way, they can violate the confidentiality or availability of other resources that trust the information asset being attacked.
When compared to typical cyber attacks, supply chain attacks provide two major advantages to attackers.
Firstly, a single supply chain attack can target multiple companies at once (since multiple companies use the same code dependencies and external scripts); as such, the potential return of investment of the attack is higher. Secondly, and unlike common cyber attacks, supply chain attacks can remain undetected by perimeter defences, as they are often inserted by an embedded change to a component of the system which is trusted by default; then, an approved delivery mechanism (such as a software update) delivers the supply chain attack without any detection by network defences.
Mitigating Supply Chain Attacks
There are several high-level cyber resiliency techniques for mitigating cyber attacks. These include:
- Adaptive Response — Optimize the organization’s ability to respond in a timely and appropriate manner to adverse conditions, stresses, or attacks, thus maximizing the ability to maintain mission operations, limit consequences, and avoid destabilization.
- Analytic Monitoring — Gather, fuse, and analyze data on an ongoing basis and in a coordinated way to identify potential vulnerabilities, adverse conditions, stresses, or attacks, and damage
- Coordinated Defence — Ensure that failure of a single defensive barrier does not expose critical assets to threat exposure. Require threat events to overcome multiple safeguards (…).
- Deception — Mislead, confuse, or hide critical assets from the adversary
- Diversity — Use heterogeneity to minimize common mode failures, particularly attacks exploiting common vulnerabilities
- Redundancy — Provide multiple protected instances of critical resources
- Substantiated Integrity — Detect attempts by an adversary to deliver compromised data, software, or hardware, as well as successful modification or fabrication
- Unpredictability — Make changes randomly or unpredictable
It is very important that security professionals and IT management understand that mitigating supply chain attacks requires a security-in-depth approach. There must be awareness that investing resources on periphery defenses alone is not a suitable approach. There is often a misconception that SAST (Static Application Security Testing) is a suitable approach to prevent supply chain attacks. However, these attacks exploit weaknesses and introduce malicious logic into existing code. As this is not a vulnerability, it remains undetected by SAST.
Taking into account that supply chain attacks frequently operate through changes that are manifested on the client-side, investing in client-side security becomes a key step of the process. In the current panorama of Application Security, there’s no infallible way of being sure malicious code or markup isn’t injected into companies’ applications. The next best thing is to gain visibility about such injections and be able to react in real-time. As we saw in past supply chain attacks, the magnitude of the attack is directly linked to how long companies take to detect it and take action – and some past supply chain attacks remained undetected for months.
It’s all about visibility and timing. If companies are able to detect supply chain attacks in real-time, they can react instantly and mitigate the attack before any serious damage occurs.
Pedro Fortuna, CTO at Jscrambler
- Keep your devices protected from the latest cyber threats with the best antivirus