3 Types Of Supply Chain Attacks – Explained
Physical Vs Software Vs Digital Supply Chain Vulnerabilities
The concept of a Supply Chain, which has spanned the history of business, has entered the digital era. The consequence is that this vital component of product and service delivery has become the target of cybercriminals and threat actors. Below we discuss physical, software, and digital supply chains, and how they can all be exploited and attacked.
The Analog/Physical Supply Chain
The Analog, or Physical, Supply Chain has a long history in the business operations space. It involves the series of raw materials and processes that are incorporated to create a final, physical product that is delivered to a point of purchase. Often those materials and processes are supplied by a vendor and then assembled or finished by the final retailer.
While the Physical Supply Chain has its own cybersecurity challenges, which could lead to disruption of businesses and their operations, the focus of this blog is to draw a distinction between the Software Supply Chain and the Digital Supply Chain, and the inherent vulnerabilities in each that could lead to a cyber-attack.
The Software Supply Chain
Modern software is now built using the Physical Supply Chain as a template. Software is assembled from ready-made components from a variety of suppliers: proprietary code, open source components, and third-party APIs. No single developer can build a modern application on their own, and software reuse (the Software Supply Chain) is now a standard practice.
This reuse of code simplifies and accelerates application development, but it also creates some very serious security problems – for example, a single compromised off-the-shelf component can leave countless organizations that use the application vulnerable to attack.
The concept of software supply chain attacks has been around for some time, but due to recent events, many CISOs are only now becoming aware of the gravity of the threat, especially to enterprise applications.
Recent incidents that have gained national attention include SolarWinds, Mimecast and ASUS, and the victims of these attacks include governments and global businesses. In these incidents attackers managed to inject a malicious segment of code into the trusted and signed build of the application.
In order to prevent these types of attacks, security organizations have to be able to answer the question of what code they are dependent on for every piece of software in their business, be it commercial, open source, free, firmware, cloud or mobile, and they have to implement processes to ensure this software is up to date and patched to the latest versions.
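One way to answer the "what code are we dependent on" question for a lock-file-style dependency tree, as an added example that is not from the original post: it flattens direct and transitive dependencies, keeps the chain of parents for each, and flags any copy pinned below a patched version. The tree, the package names and the patched-version list are constructed sample data.

```javascript
// Added example (not from the original post): inventory the transitive
// dependencies recorded in a package-lock.json-style tree and flag any
// component pinned below the version the team has recorded as patched.
// The lock-file tree and the patched-version list are constructed sample data.
const lockFile = {
  name: "example-app",
  dependencies: {
    "web-framework": { version: "4.17.1", dependencies: {
      "body-parser-lib": { version: "1.19.0" },
      "cookie-lib": { version: "0.4.0" } } },
    "analytics-widget": { version: "2.3.0", dependencies: {
      "cookie-lib": { version: "0.3.1" } } } // older copy nested one level deeper
  }
};

// Hypothetical floor of "known patched" versions kept by the security team.
const patchedFloor = { "cookie-lib": "0.4.0", "body-parser-lib": "1.19.0" };

// Flatten the tree into { name, version, path } records; the path keeps the
// chain of parents so a finding can be traced to the Nth party that pulled it in.
function inventory(node, path = [], out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const chain = [...path, name];
    out.push({ name, version: info.version, path: chain.join(" > ") });
    inventory(info, chain, out);
  }
  return out;
}

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report every occurrence, direct or transitive, that sits below the patched floor.
function findOutdated(lock, floor) {
  return inventory(lock).filter(
    (d) => floor[d.name] !== undefined && compareVersions(d.version, floor[d.name]) < 0
  );
}

for (const f of findOutdated(lockFile, patchedFloor)) {
  console.log(`${f.name}@${f.version} below ${patchedFloor[f.name]} via ${f.path}`);
}
```

The same package can appear several times at different versions in one tree, which is why every occurrence is reported rather than only the first.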
The Digital Supply Chain
The Digital Supply Chain is the result of the migration of applications and services being offered online. The rise of internet connectivity is at the heart of the Digital Supply Chain and has enabled a plethora of disruptive business models.
However, developers of applications and services that are offered via the internet have taken the same approach to software development as on-premise software developers. Building online software applications via code reuse has exploded for web-based applications, and even introduced new third-party components into the software architecture. If the re-used code is hosted on a cloud infrastructure, the possible vulnerabilities expand to include the configurations and security of the cloud as well as the software code itself. On top of that, the building blocks of internet communications, such as DNS and PKI/TLS, also contain potential vulnerabilities.
Digital Supply Chain Attacks
A Digital Supply Chain Attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data.
In the case of a web application or service, all of the third-party code hits the user's browser without security oversight by the enterprise, as it is delivered from third-party servers. A compromise of any of these third parties would potentially give attackers the ability to capture all of the information visible or accessible via the browser. A common example is the Magecart attacks, in which a group of threat actors was able to install credit card skimming software in commonly used third-party software components.
Another complication is the fact that the enterprise does not always have a direct business relationship with the provider of the code or infrastructure – this dramatically limits their oversight of and influence on the security of these 'Nth'-party vendors. Threat actors know that it is easier to find a vulnerability somewhere deep within the digital supply chain and exploit it than to attack the enterprise head-on.
The result is that Digital Supply Chains are now the fastest growing attack surface for most enterprises, and by some estimates, 50-60% of all cyber attacks are now being perpetrated via these third parties.