The applications we rely on every day are not monolithic. They’re a complex interplay of software from a wide range of sources. If a threat is introduced anywhere within that software supply chain, it can wreak havoc on systems further down the line.
The SolarWinds hack is the best-known supply chain attack. Malicious code was added to the company’s Orion software, and developers did not detect it during validation checks. When SolarWinds pushed out an update, the malware infected more than 30,000 customers, leading to a series of data breaches. Authorities suspect the attack, which affected major corporations, state and federal agencies, and governments worldwide, was committed by a Russia-backed hacking group.
The goal of the SolarWinds hack was global cyber espionage, but other supply chain attacks have more garden-variety objectives — stealing sensitive information, exfiltrating data and introducing ransomware.
According to the Verizon Data Breach Investigations Report, supply chain attacks represented about 15 percent of all security breaches in 2023. That’s a 68 percent increase over the number reported in 2022.
The Root Cause of Supply Chain Attacks
The rise of supply chain attacks parallels the increase in third-party and open-source code in applications. Developers are under pressure to release new software as quickly as possible and rely on third-party software to boost productivity. According to a new report from ESG, 40 percent of organizations say that third-party software comprises more than half of their code.
The cloud also makes it easier for developers to push out new software versions. More than half of developers release new code into production once a week or more frequently. Security teams must test all this code, including third-party and open-source components. Given the volume, it’s easy to miss vulnerabilities and misconfigurations.
Hackers use other techniques to infiltrate software supply chains as well. More than a third (37 percent) of organizations reported the theft of secrets such as passwords, tokens or certificates from their source code repositories. Another 32 percent reported stolen credentials. Hackers can use this information to compromise software.
Steps Organizations Should Take
It’s not feasible to expect developers to stop using third-party code. Organizations that develop software must make it a priority to implement more stringent scanning and testing procedures. They should also produce a software bill of materials (SBOM) listing all third-party and open-source code, protect developer credentials and other secrets, and develop a detailed incident response plan to rapidly mitigate threats.
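A concrete way to start on the SBOM recommendation above, as an added example that is not part of the original article or any Verteks tooling: a small Python script that reads a pip requirements file and emits a CycloneDX-shaped bill of materials. The requirements text is constructed for the demonstration; the script assumes one requirement per line and treats only exactly pinned (`==`) entries as inventoried, reporting anything else as a gap, because a version range tells you nothing about which build actually shipped.

```python
"""Generate a minimal CycloneDX-style SBOM from a pip requirements file.

Added example, not code from the original article or from Verteks. Assumes a
requirements.txt with one requirement per line; the input below is constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: a typical requirements.txt with one unpinned entry.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==3.0.3
requests>=2.31   # not pinned to an exact version
cryptography==42.0.5
"""

# name, optional comparison operator, optional version (comments handled before matching)
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#]*)"
)


def parse_requirements(text):
    """Return (name, operator, version) tuples, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        entries.append((name, op, ver or None))
    return entries


def build_sbom(text):
    """Build a CycloneDX 1.5-shaped dict plus a list of components that could
    not be inventoried because they are not pinned to an exact version.

    Only '==' entries get a version and a package URL (purl); an SBOM entry
    without an exact version cannot be matched against vulnerability data.
    """
    components, unpinned = [], []
    for name, op, ver in parse_requirements(text):
        if op == "==" and ver:
            components.append({
                "type": "library",
                "name": name,
                "version": ver,
                "purl": f"pkg:pypi/{name}@{ver}",
            })
        else:
            unpinned.append(name)
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "components": components,
    }
    return sbom, unpinned


if __name__ == "__main__":
    sbom, unpinned = build_sbom(SAMPLE_REQUIREMENTS)
    print(json.dumps(sbom, indent=2))
    if unpinned:
        # An SBOM with gaps is worse than none if it is trusted as complete.
        print("WARNING: unpinned components, SBOM incomplete:", ", ".join(unpinned))
```

The warning path is the important part in practice: a team that generates an SBOM only from pinned entries and silently drops the rest will believe it has full coverage when it does not. Treating an unpinned dependency as a build failure is the simplest way to keep the inventory honest.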
All organizations should conduct regular risk assessments to identify threats and vulnerabilities across the IT environment. They should then use this information to fine-tune their cybersecurity systems and strategy to close any detected gaps. An integrated security platform enables organizations to implement a layered security approach for better protection against threats.
The zero-trust security model can protect against system takeovers and unauthorized access. In this approach, users and devices are denied access to systems until they are verified and authenticated. This reduces the risk that compromised software can infiltrate the network.
Constant Vigilance Is Key
The SolarWinds hack was particularly devastating because it went undetected for almost eight months. Organizations should continuously monitor their systems for signs of compromise or unusual behavior. By minimizing the “dwell time” hackers spend inside systems, organizations can greatly reduce the impact of an attack.
Finally, organizations should have robust processes for implementing software updates and patches. Many attacks exploit known vulnerabilities for which a patch is available but hasn’t been installed.
The Verteks security team can help you reduce the risk of supply chain attacks. Through our partnerships with leading vendors, we deliver advanced security tools that protect your systems from threats. Our comprehensive managed services feature monitoring and proactive maintenance to optimize the performance and security of your systems. Contact one of our experts to schedule a confidential consultation.