Three steps to protect your business from supply chain attacks

In a previous article [1], I outlined three areas in which software companies need to take appropriate defensive security measures. In this article, I elaborate on a specific attack vector from the third area: supply chain attacks.

Definition & Trends

According to ENISA, a supply chain attack is:

"A combination of at least two attacks. The first attack is on a supplier that is then used to attack the target to gain access to its assets." [2]

More than a decade ago, Stuxnet made the headlines after it targeted the Siemens PLCs controlling uranium-enrichment centrifuges [3]. The malware can be categorized as a supply chain attack because its drivers were signed with code-signing certificates stolen from legitimate hardware vendors, so it rode on the trust placed in those vendors [4].

In December 2020, FireEye announced that its red team tools had been stolen in a sophisticated cyber attack [5]. Further investigation showed that malicious code injected into the build of Orion, a network management product developed by SolarWinds, had been shipped in signed updates to around 18,000 customers, including U.S. government agencies [6].

In April 2021, Codecov announced that an error in its Docker image creation process had let a malicious actor obtain the credentials needed to modify its Bash Uploader script; the tampered script exfiltrated environment variables, and with them CI secrets, from customers' build pipelines [8]. HashiCorp, among other customers, quickly announced the remediation actions it had taken as a result of the Codecov incident [9].

According to NCC Group, supply chain attacks increased by 51% in the second half of 2021 [10]. In early 2022, the Lapsus$ group claimed to have breached Okta, which it reached through a third-party customer-support contractor, spreading fear among Okta's customers [11].

In the following sections, I will provide some recommendations to help you address supply chain attacks.

1. Identify and minimize shadow IT

To prevent, detect and respond to attacks arriving through suppliers, you need good visibility of all your suppliers and their risk profiles. This can be accomplished by defining a formal process for selecting suppliers. One of the main inhibitors of such a process is shadow IT.

Shadow IT refers to the use of IT systems, services or software without formal approval. It is a common problem, particularly in large organizations; various studies estimate that 30 to 50% of enterprise IT spending involves shadow IT [12].

Shadow IT expands the attack surface beyond the boundaries of your monitoring capabilities. Addressing it starts with raising awareness through communication and education. Also make sure your supplier on-boarding process is transparent and practical; otherwise your employees will find ways to circumvent it. In certain cases, shadow IT can be tolerated and is even beneficial, but it should then be a known and accepted exception rather than an unknown.

Off-boarding unnecessary suppliers is equally important. Ensure that any access granted to an external party (accounts, API keys, VPN profiles, repository permissions) expires automatically or is revoked as soon as it is no longer needed.
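The two checks above (which third-party services are in use without approval, and which approved suppliers are still being contacted after their access should have ended) can be run against egress logs. The script below is an added example, not code from the article; the proxy log lines, domain names and supplier register are constructed, and the two-label domain extraction is a simplification that a real deployment would replace with the public suffix list.

```python
"""Spot shadow IT and stale supplier access in egress (proxy) logs.

Added example, not from the article. The log lines, domains and supplier
register below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: "<date> <user> <method> <url> <status>"
PROXY_LOG = """\
2022-04-01 alice GET https://app.approved-crm.example/api/contacts 200
2022-04-01 bob POST https://upload.freeshare.example/files 201
2022-04-01 carol POST https://upload.freeshare.example/files 201
2022-04-01 dave GET https://docs.approved-crm.example/ 200
2022-04-02 erin POST https://api.paste-tool.example/new 200
2022-04-02 bob POST https://upload.freeshare.example/files 201
2022-04-02 alice GET https://status.old-vendor.example/ 200
"""

# Constructed supplier register: approved domain -> owner and the ISO date on
# which the contract, and every access granted to that supplier, ends.
SUPPLIERS = {
    "approved-crm.example": {"owner": "sales", "access_until": "2023-12-31"},
    "old-vendor.example": {"owner": "it", "access_until": "2021-06-30"},
}


def registered_domain(host):
    """Last two labels of a hostname. Sufficient for the constructed data;
    real hostnames (e.g. *.co.uk) need the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def parse_proxy_log(text):
    """Yield (date, user, registered_domain) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip truncated or malformed lines rather than crash
        day, user, _method, url, _status = parts
        host = urlsplit(url).hostname
        if host:
            yield day, user, registered_domain(host)


def find_shadow_it(log_text, suppliers, min_users=2):
    """Domains absent from the supplier register that at least `min_users`
    distinct users talk to. The threshold separates one-off browsing from
    services the organisation has actually adopted without approval."""
    users_by_domain = defaultdict(set)
    for _day, user, domain in parse_proxy_log(log_text):
        if domain not in suppliers:
            users_by_domain[domain].add(user)
    return {d: sorted(u) for d, u in users_by_domain.items() if len(u) >= min_users}


def find_stale_suppliers(log_text, suppliers, today):
    """Registered suppliers still in use after their access_until date
    (ISO dates compare correctly as strings): candidates for off-boarding."""
    in_use = {domain for _day, _user, domain in parse_proxy_log(log_text)}
    return sorted(d for d, meta in suppliers.items()
                  if d in in_use and meta["access_until"] < today)


if __name__ == "__main__":
    print("shadow IT:", find_shadow_it(PROXY_LOG, SUPPLIERS))
    print("stale suppliers:", find_stale_suppliers(PROXY_LOG, SUPPLIERS, "2022-04-03"))
```

On the constructed data, the file-sharing service used by two people is reported as shadow IT while the paste tool used by a single person is not, and the vendor whose contract ended in 2021 is reported as still in use. At scale this is the job of a CASB or a SaaS discovery tool, but the logic is the same: join what the network actually talks to against the supplier register.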

2. Request a Software Bill of Material (SBOM)

In May 2021, the White House issued an executive order on cybersecurity intended to improve transparency in the software supply chain [13]. NIST later issued detailed recommendations to ensure that the software suppliers of government agencies are able to provide an SBOM [14]. The EU is also discussing the successor to the Network and Information Systems (NIS) directive, which introduces more stringent controls on supply chain relationships [15].

"An SBOM is a nested inventory, a list of ingredients that make up software components." [16]

Requesting an SBOM from your software suppliers makes it easier to identify known vulnerabilities in the supplied code. To be useful, the SBOM should be in a machine-readable format such as SPDX or CycloneDX, so that it can be matched automatically against vulnerability data. You might also consider providing an SBOM to your own customers, even before they ask for it. This practice allows every business in the supply chain to react more quickly when a vulnerability in a widely used component is disclosed: the question becomes "are we affected, and where?" rather than "what do we even run?".
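As an added example of what "matching an SBOM against vulnerability data" looks like in practice (this is not code from the article or from any SBOM tool), the script below reads a small CycloneDX document and reports components whose version falls inside an affected range. The SBOM is constructed with real library names but arbitrary versions; the vulnerability feed uses placeholder identifiers (EXAMPLE-...) and made-up ranges, not real advisories, and a real feed would be pulled from a source such as OSV or the NVD.

```python
"""Match a CycloneDX SBOM's components against a vulnerability feed.

Added example, not code from the article or from any SBOM tool. The SBOM
below is constructed (real library names, arbitrary versions); the feed uses
placeholder identifiers (EXAMPLE-...) and made-up ranges, not real advisories.
"""
import json

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"},
        {"type": "library", "name": "requests", "version": "2.27.1",
         "purl": "pkg:pypi/requests@2.27.1"},
        {"type": "library", "name": "in-house-util", "version": "1.0"},  # no purl
    ],
})

# Constructed feed: package (purl without version) and the affected half-open
# range [introduced, fixed). Identifiers and ranges are placeholders.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "EXAMPLE-0002", "purl_prefix": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.13.0", "fixed": "2.13.2"},
]


def version_key(version):
    """Sortable key for 'X.Y.Z' with an optional '-pre' suffix: a pre-release
    sorts before its final release (2.0-beta9 < 2.0). Good enough for this
    feed; a real matcher should apply the ecosystem's own version rules."""
    base, _, pre = version.partition("-")
    numbers = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    return (numbers, 0 if pre else 1, pre)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def split_purl(purl):
    """'pkg:type/ns/name@version?qualifiers' -> (prefix, version)."""
    prefix, _, rest = purl.partition("@")
    return prefix, rest.split("?", 1)[0]


def match_sbom(sbom_json, feed):
    """Return one finding per (component, vulnerability) pair."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        purl = component.get("purl")
        if not purl:
            continue  # no purl: cannot be matched reliably, skipped here
        prefix, version = split_purl(purl)
        for vuln in feed:
            if prefix == vuln["purl_prefix"] and is_affected(
                    version, vuln["introduced"], vuln["fixed"]):
                findings.append({"purl": purl, "id": vuln["id"], "fixed": vuln["fixed"]})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, VULN_FEED):
        print(f"{f['purl']}: {f['id']} (fixed in {f['fixed']})")
```

Two details matter in practice and are visible in the example: the component at exactly the fixed version is not reported (the range is half-open), and a component without a package URL cannot be matched at all, which is why you should insist that supplier SBOMs carry purls and not just names.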

3. Continuous Monitoring and Discovery

You can rely on the widely used NIST Cybersecurity Framework (CSF) to ensure continuous monitoring of your assets [17]. The framework consists of five core functions:

  1. Identify: What assets need protection?
  2. Protect: Implement appropriate countermeasures to protect your assets.
  3. Detect: Implement appropriate measures to detect potential incidents.
  4. Respond: Develop appropriate techniques to respond to potential harmful events and limit their impact.
  5. Recover: Implement appropriate steps to restore the capabilities of your business.

These functions are performed in recurring cycles; they help you maintain your asset inventory and continuously improve your defensive measures by feeding back the lessons learned from incidents.

Beyond the boundaries of your organization, you might need to set up alerts on events associated with your business: for example, registration of domain names resembling yours, and issuance of certificates for your domains as recorded in Certificate Transparency logs.
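The certificate-issuance alerting above can be reduced to a small triage routine over Certificate Transparency entries. The code below is an added example, not from the article: it assumes the entries have already been retrieved from a CT log monitor, and the monitored domain, issuer names and entries are all constructed. It raises two kinds of alert: a certificate for your own domain from a CA you do not use, and a certificate for a lookalike of your domain (one edit or one homoglyph away).

```python
"""Triage Certificate Transparency (CT) entries for your domains and lookalikes.

Added example, not from the article. The CT entries, domain and issuer names
are constructed; in practice the entries would come from a CT log monitor.
"""

MONITORED_DOMAINS = {"acme-corp.example"}   # constructed
EXPECTED_ISSUERS = {"Example Trust CA"}     # constructed: the CAs you actually buy from

# Constructed CT entries: issuer plus the certificate's subject alternative names.
CT_ENTRIES = [
    {"issuer": "Example Trust CA", "sans": ["acme-corp.example", "www.acme-corp.example"]},
    {"issuer": "Other Free CA", "sans": ["vpn.acme-corp.example"]},
    {"issuer": "Other Free CA", "sans": ["acme-c0rp.example", "www.acme-c0rp.example"]},
    {"issuer": "Other Free CA", "sans": ["unrelated.example"]},
]


def registered_domain(host):
    """Last two labels, with any wildcard prefix removed (toy version; use the
    public suffix list for real data)."""
    return ".".join(host.lower().lstrip("*.").split(".")[-2:])


def normalize(name):
    """Fold common homoglyph substitutions so that acme-c0rp == acme-corp."""
    return name.replace("rn", "m").translate(str.maketrans("015", "ols"))


def levenshtein(a, b):
    """Edit distance; catches typosquats such as acme-corpp or acme-crop."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_ct_entries(entries, monitored, expected_issuers):
    """Return (kind, name, issuer) alerts:
    - 'unexpected-issuer': a cert for one of your domains from a CA you do not
      use (rogue issuance, or shadow IT inside your own organisation);
    - 'lookalike': a cert for a domain one edit or one homoglyph away from yours
      (typical phishing preparation)."""
    alerts = []
    for entry in entries:
        seen = set()
        for san in entry["sans"]:
            domain = registered_domain(san)
            if domain in monitored:
                alert = ("unexpected-issuer", san.lower(), entry["issuer"])
                if entry["issuer"] not in expected_issuers and alert not in alerts:
                    alerts.append(alert)
            elif domain not in seen:
                seen.add(domain)  # report each lookalike once per certificate
                if any(normalize(domain) == normalize(ours) or levenshtein(domain, ours) <= 1
                       for ours in monitored):
                    alerts.append(("lookalike", domain, entry["issuer"]))
    return alerts


if __name__ == "__main__":
    for alert in triage_ct_entries(CT_ENTRIES, MONITORED_DOMAINS, EXPECTED_ISSUERS):
        print(*alert)
```

The same normalization and edit-distance checks apply unchanged to newly registered domain names from a zone-file or registrar feed, which covers the other event type mentioned above. Tune the distance threshold to your domain length: a threshold of 1 on a short brand name produces false positives, while long names tolerate 2.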

Continuous monitoring of the threat landscape, namely threat intelligence, also helps you adapt your strategy to defend against the adversaries most relevant to you [18].

Conclusion

At the end of the day, a supply chain attack abuses the trust you place in your supplier(s), resulting in a larger attack surface that often lies beyond your area of visibility. To reduce your exposure, you need to: improve your visibility of your supply chain; eliminate suppliers with little or no added value, or with a high risk profile; and concentrate your capabilities around your most valuable assets.

More articles by Saber Ferjani