Protect Against Supply Chain Attacks

  • July 28, 2021
US-based remote management and monitoring company SolarWinds suffered a very sophisticated cyber-attack that raised a lot of questions about security. While the media believe this was the work of foreign intelligence services, as of this writing, we don't know who is truly responsible. Nevertheless, one thing is clear: this was not a sloppy attack carried out by some script kiddies. It was a complicated, thought-out and carefully executed attack that was probably planned over the course of a year or more.

What happened? 

To quickly recap, attackers managed to inject discreet malicious code as a backdoor into a routine update of Orion, the infrastructure management and monitoring software by SolarWinds. Because of where and when the injection happened, it didn't raise any red flags. The malicious code was then distributed to customers all over the world – including quite a few US government agencies.

From here, attackers were able to access systems via the backdoor they created. The compromised files were digitally signed, which suggests that the attackers had access to SolarWinds' development environments and/or its pipelines, which is typical in supply chain attacks.

What is a supply chain attack? 

A supply chain attack is an emerging threat where attackers target the weakest link in your supply chain – be it your development environment, build processes, pipelines and tools you use to do your work, or the contractors you're working with. For example, you may remember the 2013 Target data breach in which the credit card data of approximately 40 million customers was leaked, costing the company millions of dollars.  

It all started when the credentials belonging to an air conditioning systems vendor working as a Target contractor were (allegedly) stolen. Ironically, this event happened six months after Target started to install its state-of-the-art, $1.6 million cybersecurity system. While Target thought it was secure, it overlooked the fact that suppliers can be a weak link. I think now it's clear why it's called a supply chain attack: your security is only as strong as the weakest link in your supply chain.

Strengthening your weakest link 

Is there a way to prevent supply chain attacks? While you may not be able to prevent every attack – especially when we're talking about the massive scale of enterprises – it's absolutely possible to reduce the risk and the potential damage of an attack by taking some precautions. Here is what you can do to help minimize your supply chain 'attack surface':
 
  • Limit the use of third-party tools and software 
    While it sounds simple, this may be one of the most important preventative measures you can take to reduce the risk of a supply chain attack. Certainly, there are tools you can't do your job without, but there are others that are not really required. Those are also typically used less and therefore updated less often, which makes them more prone to abuse. Prepare an inventory of the tools you use, discard the unnecessary ones, and keep track of the remaining ones, ensuring they are updated and patched regularly.

  • Assess/evaluate the risk of third parties 
    The risks carried by third parties are usually hard to notice, and assessing them can be very difficult. Yet, knowing the risks will greatly help you understand the possible damage and reduce your attack surface. For assistance, consider working with a partner who specializes in third-party risk assessments, and/or work with established risk-management frameworks like ISO or NIST.
     
  • Monitor attacks toward your suppliers 
    Your suppliers can be the victim of an attack, and it may spread to you. Be aware of what's happening within your supply chain so you can take action before it's too late.
     
  • Establish a robust onboarding/deboarding process 
    One of the most common mistakes organizations make is forgetting to deboard contractors, or giving them excessive system access when onboarding. Understand least-privilege access concepts and apply them. Have these processes monitored and updated frequently.
     
  • Understand the shared responsibility model 
    The security of your systems is a shared responsibility between you and your providers. Understand your responsibilities and make sure your supply chain is also aware of their responsibilities.  
     
  • Understand the Zero Trust concept and apply it 
    As the name suggests, Zero Trust is a concept based on the principle that nothing can be trusted by default. All users, devices and applications, whether inside your organization or belonging to a third party, must be authenticated, verified and continuously evaluated before being granted access. The concept alone won't help you much if you don't have a proper security posture beforehand, but it will help you to be more aware of possible threats.

  • Pay your technical debt 
    If you have a legacy code base, it's quite possible that you have technical debt. If you don't pay your debt in time, it will accumulate interest, making it even more difficult to implement changes that can be crucial for your security.
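Two of the items above, the tool inventory and the onboarding/deboarding process with least-privilege access, come down to a recurring reconciliation: what you actually have versus what you decided you should have. The script below is an added example, not code from the original post or from NTT DATA; the inventory schema, role baseline, user names, permission strings and dates are all constructed assumptions. It flags third-party tools that are not required or have gone unpatched past a threshold, and enabled accounts that belong to contractors whose engagement has ended, that have no engagement record at all, or that hold permissions beyond their role's baseline.

```python
from dataclasses import dataclass
from datetime import date

# Constructed reference date for the audit (the post's publication date; an assumption).
TODAY = date(2021, 7, 28)


@dataclass(frozen=True)
class Tool:
    """One entry in the third-party tool inventory (hypothetical schema)."""
    name: str
    version: str
    last_patched: date
    required: bool  # True if the team cannot do its job without it


@dataclass(frozen=True)
class Contractor:
    """A third party's engagement record from onboarding (hypothetical schema)."""
    user: str
    role: str
    engagement_end: date


@dataclass(frozen=True)
class Account:
    """An account as it actually exists in the target system (hypothetical schema)."""
    user: str
    permissions: frozenset
    enabled: bool


# Hypothetical least-privilege baseline: the most each role should ever hold.
ROLE_BASELINE = {
    "facilities": frozenset({"facilities-portal:read", "facilities-portal:write"}),
    "ci-maintainer": frozenset({"ci:read", "ci:run"}),
    "auditor": frozenset({"logs:read"}),
}


def audit_tools(inventory, today, max_patch_age_days=90):
    """Return (tool, reason) pairs: tools to discard (not required) or to patch (stale)."""
    findings = []
    for tool in inventory:
        if not tool.required:
            findings.append((tool.name, "not required: remove it"))
            continue
        age = (today - tool.last_patched).days
        if age > max_patch_age_days:
            findings.append((tool.name, f"required but unpatched for {age} days"))
    return findings


def audit_access(accounts, contractors, today):
    """Return (user, reason) pairs for enabled accounts that violate deboarding or least privilege."""
    by_user = {c.user: c for c in contractors}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing left to deboard
        contractor = by_user.get(acct.user)
        if contractor is None:
            findings.append((acct.user, "orphan: enabled account with no engagement record"))
            continue
        if contractor.engagement_end < today:
            findings.append((acct.user, f"deboard: engagement ended {contractor.engagement_end.isoformat()}"))
            continue  # removing the account also resolves any excess privilege
        excess = acct.permissions - ROLE_BASELINE.get(contractor.role, frozenset())
        if excess:
            findings.append((acct.user, f"excess privilege beyond '{contractor.role}': {sorted(excess)}"))
    return findings


# Constructed sample data: a small inventory, a contractor roster, and the live account list.
INVENTORY = [
    Tool("infra-monitor", "2.3.1", date(2021, 7, 1), required=True),
    Tool("ci-coverage-plugin", "0.9", date(2020, 11, 15), required=True),
    Tool("legacy-ftp-client", "1.0", date(2019, 3, 1), required=False),
]

CONTRACTORS = [
    Contractor("hvac-vendor-1", "facilities", date(2021, 1, 31)),
    Contractor("build-contractor", "ci-maintainer", date(2021, 12, 31)),
    Contractor("auditor-1", "auditor", date(2021, 9, 30)),
]

ACCOUNTS = [
    Account("hvac-vendor-1", frozenset({"facilities-portal:read"}), enabled=True),
    Account("build-contractor", frozenset({"ci:read", "ci:run", "prod:deploy"}), enabled=True),
    Account("auditor-1", frozenset({"logs:read"}), enabled=True),
    Account("ex-contractor-2", frozenset({"ci:read"}), enabled=False),
    Account("svc-unknown", frozenset({"ci:run"}), enabled=True),
]

if __name__ == "__main__":
    for name, reason in audit_tools(INVENTORY, TODAY):
        print(f"TOOL    {name}: {reason}")
    for user, reason in audit_access(ACCOUNTS, CONTRACTORS, TODAY):
        print(f"ACCESS  {user}: {reason}")
```

Run on a schedule, the two audits give you the "monitored and updated frequently" part of the process: a deboarding that was forgotten, or a contractor quietly granted deploy rights, shows up as a finding rather than being discovered during an incident. In practice the inventory and account lists would come from your asset database and identity provider instead of the constructed lists shown here.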
Developers, operators, security and other teams all have to work closely together to ensure the security of systems throughout the supply chain, and they have to get it right all day, every day. Conversely, attackers only have to get it right once in order to be successful. While the cards may seem to favor the attacker, there are steps you can take to help restack the deck in your favor. At the end of the day, having your supply chain evaluated and made more visible, building a trusted relationship with your suppliers, and being prepared for an attack can help you tremendously in your efforts to mitigate supply chain attacks.

Cahit Onur Özkaynak

Cahit Onur is a Senior DevOps Engineer at NTT DATA and is an AWS certified DevOps Engineer. He also has AWS certifications in security and advanced networking and is an AWS certified developer, solutions architect and SysOps administrator.
