Cisco
Sponsor Content
What You Need to Know about Supply Chain Attacks
Let’s say that you’re confident in your security posture. You have endpoint protection in place, firewalls defending the perimeter and phishing filters on incoming email. You’ve leveraged tools to check for anomalies in your network traffic, rolled out an SSO solution and implemented processes to securely connect to the network remotely.
These defenses make it harder for bad actors to compromise your organization. Not only that, but a strong security posture is more likely to push all but the most motivated bad actors to move on to other, less secure targets. It’s at this crossroad–between motivation and less secure targets–where supply chain attacks sit.
Bad actors will always look for weak points to attack. It may be that your weakest point is not within your own organization, but within one of your suppliers. You trust their products and services, relying on them to conduct business. Unfortunately, if their security posture isn’t as mature as yours, attackers can exploit that trust and use it in attacks.
This is what a supply chain attack is. In these attacks, bad actors compromise a secondary organization that supplies software or services to a primary, target organization. Their goal is to compromise the primary target when they use the software or service of the secondary target. In short, they piggyback on the secondary target to get their malicious code into the primary target.
How the Attack Works
Although there are several ways to attack a supply chain, there is a general pattern seen in many attacks. First, the bad actors gather what information they can find about the external products and services used by the primary target. The attackers assess the suppliers of those products and services and then choose a secondary target, based on what they discover. This secondary target now becomes the fulcrum of the attack.
Next, the bad actors attempt to compromise the secondary target. The ways they go about doing so will vary, often choosing the path of least resistance. They could try anything from spear phishing to exploiting vulnerabilities at the network edge. The choice will largely depend on the secondary target itself—where the attackers perform reconnaissance to determine the approach most likely to lead to a successful breach.
Once in, the attackers move laterally. Often, their objective is to compromise the secondary target’s software build system, where the source code for their software is stored, updated and compiled. One of the easiest ways to achieve this is by compromising a developer’s machine, or their credentials, gaining the required access. With access to the build system, the attackers can surreptitiously insert malicious code, like a backdoor or RAT, into the software in question. The secondary target, unaware of the presence of malicious code, compiles the latest updates, signs the binary and then releases it.
At this point, the attackers wait for the primary organization to download and install the compromised update. Once this occurs, the malware phones home and attackers are in, now having access into the primary organization they intended to compromise.
Notable Examples
There are several supply chain attacks that have made headlines. One of the most notable happened last year, when bad actors compromised software updates to SolarWind’s Orion IT management software. The attackers managed to stay hidden for months, during which multiple U.S. government agencies and corporations were compromised.
But this attack was far from the first to use a supply chain as a vector. In 2017, the wiper malware NotPetya is believed to have begun its spread by leveraging
