Fighting back against the rising tide of software supply-chain attacks

Of all the issues being faced by IT security teams, one that is gaining increased attention is the threat of a successful software supply chain attack.

These attacks, mounted by cybercriminals who inject malicious code into a legitimate software application, can cause costly disruption on a massive scale.

One example is the high-profile SolarWinds supply chain attack that sent shockwaves around the world. During the attack, cybercriminals gained access to SolarWind’s Orion platform which comprises a suite of IT management products used by many large organisations.

The cybercriminals successfully hijacked the software compilation process for the platform and placed a backdoor inside legitimate Orion software updates. Those compromised updates were then pushed out to thousands of customers over the next several months.

Experts warn that supply-chain attacks can affect hardware as well as software. This makes it difficult to totally trust any components that are added to an organisation’s IT infrastructure.

Open-source code libraries are another concern for IT security teams. Many infrastructures use at least some open-source code and if that contains malicious code it could cause significant problems at a later date.

 The current risk landscape

When it comes to protecting against a supply-chain attack, the biggest challenge facing most organisations stems from the complexity of their IT infrastructures. In many cases they have been gradually expanded over many years and all components may not be fully understood.

This, in turn, means they could be opportunities for cybercriminals to mount a supply-chain attack. It may take significant skills, however, if the potential payback is large enough, the criminals will invest the time and money it takes to launch an attack.

Another risk of disruption arises from the fact that many organisations do not have a comprehensive map of their IT infrastructure. If an attack does occur and external security consultants are brought in, they will likely have to waste valuable time mapping the infrastructure and identifying all linkages.

Further risks occur because of the potentially long dwell times that cybercriminals can use before launching an attack. They may gain access and then quietly spend time scoping out the infrastructure to determine what is of most value or how they can cause the maximum disruption.

Improving cyber resilience

There are certain key steps that organisations can take to reduce their chances of falling victim to an attack. These include:

  • Assess critical assets:
    It’s important to start by understanding exactly what elements comprise your organisation’s most important IT assets. Then consider the worst thing that could happen to them and use that as the basis for response planning. This approach can also help to focus available resources in the places they will have the most impact.
  • Conduct vendor checks:
    Before deploying a new application or tool, take time to assess the complexity of the product being considered. Also check the support forums of the vendor to determine whether other users have struck problems and how quickly the vendor responds to issues.

    Some large applications may contain code that is relatively old and is not being regularly checked for vulnerabilities, and this type of software should be avoided. It’s also important to establish an open dialogue with chosen software vendors and gain a clear understanding of their strategies when it comes to ensuring effective security.

  • Deploy network segmentation and Zero Trust:
    These strategies can be an effective way to prevent criminals from entering an IT infrastructure or limit what they can do if they succeed. Network segmentation restricts access to certain parts of an infrastructure while Zero Trust ensures that only authorised parties can gain access in the first place.
  • Beware of Remote Monitoring and Management (RMM):
    If your organisation has an external technology partner that gains entry into your infrastructure using RRM tools, be aware that this can be a risk. Should that organisation’s RRM tools become compromised, it could result in cybercriminals gaining direct access to your network.
  • Undertake constant monitoring:
    As is the case with all cybersecurity strategies, it’s important to understand what normal traffic on the network looks like and be able to spot abnormal activity. Continual monitoring can alert security teams to unusual activity which could be a sign of an active supply chain attack.
  • Ensure senior management understands the risks:
    Supply-chain risks tend to be less well understood than other areas of IT security. For this reason, it is important for the risks to be explained in business terms so that required steps can be taken to reduce the likelihood an organisation will fall victim.

By following these steps, an organisation can minimise the likelihood it will fall victim to a supply-chain attack, but also be prepared to react if one occurs. The attack threat is not going to disappear any time soon, so the time for action is today.

Michael Bovalino
Michael Bovalino is the ANZ Country Manager at LogRhythm