Three Types of Supply Chain Attacks Explained
In this article
Physical vs Software vs Digital Supply Chain Vulnerabilities
The concept of a supply chain has been around since the 1920s. Fast-forward to today, the term “supply chain” has been co-opted to describe the digital products and services on which modern organizations rely: the digital supply chain.
Today’s digital supply chains are massive, dynamic networks of web-based services, applications and assets, enabled by vast networks of partners, vendors, or third-party services. Digital transformation has brought many benefits to businesses and consumers alike. Product and service delivery is faster and more efficient than at any point in history. Unfortunately, these new digital business models create a unique opportunity for cybercriminals. Let’s discuss how physical, software, and digital supply chains can be exploited and attacked.
The Physical Supply Chain
The physical supply chain has a long history in the business operations space. Delivering goods to market requires the orchestration of various suppliers, vendors, and retailers. While the physical supply chain has its own cybersecurity challenges that could generate disruptions, the focus here will be to explore the inherent vulnerabilities of software and digital supply chains.
The Software Supply Chain
Modern software is built using similar principles to the physical supply chain. Software is assembled using readymade components from a variety of suppliers for things like proprietary code, open source components, and third-party APIs. No single developer can build a modern application on their own and software reuse is now a standard practice.
Plug-and-play code can accelerate application development, but it also introduces serious security problems. For example, a single compromised off-the-shelf component can leave countless organizations that use the application vulnerable to attack. Software supply chain attacks have been around for some time, but due to recent attacks on prominent enterprise application providers, many CISOs are only now becoming aware of the gravity of the threat. Recent incidents that have gained national attention include SolarWinds, Mimecast, ASUS, the list goes on. Of course, the customers of these companies are secondary victims to these attacks. For every software supply chain there is a chain of potential victims as well.
In the incidents mentioned above, attackers managed to inject a malicious segment of code into the trusted and signed build of these applications. To prevent supply chain attacks, security organizations have to be aware of every code dependency within every application used by their business, be it commercial, open source, free, firmware, cloud or mobile. On top of that, they must also implement processes to ensure all software is up to date and patched to the latest versions.
The Digital Supply Chain – Infrastructure Dependencies
The ‘digital supply chain’ is the result of the online migration of applications and services. Internet connectivity is at the heart of the digital supply chain and has enabled a plethora of disruptive business models. Problems were introduced when developers of web-based applications and services began to incorporate development methods typically used for software deployed on-premises. Code reuse and reliance on third-party components have become commonplace in web-based application development, seemingly without much thought given to the implications.
For example, if vulnerable code is reused in an application that is hosted on a cloud infrastructure, the possible vulnerabilities expand to the configurations and security of the cloud as well. Additionally, the building blocks of internet communications, such as DNS and PKI/TLS, will also contain potential vulnerabilities. When a user accesses your website or web app, more than 70% of the code that executes on their browser via JavaScript is third-party code. These third parties could include vendors you have a contractual relationship, or even vendors your third parties have relationships with (fourth parties, etc). Google AdWords, Google Analytics, Facebook, advertising companies, marketing companies, and myriad others are also frequently used to add code to a web property. The vulnerabilities of your vendors and your vendor’s vendors (and even their vendors) become your vulnerabilities, and most of the time you aren’t even aware they exist. Yikes.
Digital Supply Chain Attacks
A digital supply chain attack, also called a web supply chain, value-chain or third-party attack, occurs when someone infiltrates your system using the trusted access extended to your partners or providers. In the case of a web application or service, the third-party code hits the user’s browser without security oversight by the enterprise as it is delivered from third-party servers. A compromise of any of these third parties would potentially give attackers the ability to capture all of the information visible or accessible via the browser. A common example is the Magecart exploit where a group of threat actors installed credit card skimming software in commonly used third-party software components.
To further complicate things, enterprises don’t always have a direct business relationship with the provider of the code or infrastructure, which dramatically limits their oversight and influence on the security of these ‘Nth’-party vendors. Threat actors know that it is easier to find and exploit a vulnerability somewhere deep within the digital supply chain versus attacking the enterprise head-on. As a result, digital supply chains are now the fastest-growing attack surface for most enterprises, and by some estimates, 50% to 60% of all cyberattacks are being perpetrated via third parties.
To better understand how a digital supply chain attack works, watch this short presentation on the 2024 Polyfill.io attack.