Publish date: 10.11.22

A supply chain attack is one in which an attacker uses an outside provider or partner that has access to your data and systems as the route into your digital infrastructure. Because the outside party has been granted the rights to use and manipulate areas of your network, applications, or sensitive data, the attacker can either bypass the third party’s defences or program a loophole into a solution offered by a vendor in order to infiltrate your system.


In December 2021, there was widespread reporting on a vulnerability discovered in Log4J, a widely implemented Java-based event-logging utility. This was the first time that the general public became aware of digital supply chain risk. The compromise of SolarWinds’ Orion product was another supply-chain attack that affected a huge number of public- and private-sector organisations.
From the perspective of an attacker, supply chain attacks are efficient and highly profitable. The idea is that if you can compromise a piece of code that developers commonly use as a building block for their own apps and other digital products, such as an open-source library or utility, you gain access to a wide variety of target networks at once, with correspondingly wide-reaching impact.

Client-side attacks are a specific type of supply chain threat that is particularly difficult to combat. It results from the very common practice of developing web apps that call external, third-party scripts, libraries, or other software components as they are run — meaning, after they have been downloaded into a client browser. If these external components have been compromised, the resulting attack takes place entirely within the user’s system. On the server side, there is no indication of compromise, making detection challenging.

Technical Solutions

According to Gartner’s predictions, by 2025, 45% of organisations worldwide will have experienced digital supply chain attacks, compared to 15% in 2021. This makes it imperative for every organisation that participates in these supply chains to implement measures to mitigate risks. Unfortunately, that is not so easy.

From a purely technical standpoint, it is possible to reduce risk through the use of an advanced web application and API protection platform such as Barracuda Cloud Application Protection. When integrated into the development process, these solutions can monitor your apps to prevent the use of third-party components that are known to be compromised, based on frequently updated threat intelligence data. They can also automate complex Content Security Policy (CSP) and Subresource Integrity (SRI) configuration tasks to reduce errors and increase protection on the client side.
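To make the CSP and SRI configuration mentioned above concrete, here is a small added example (not code from this post or from Barracuda’s product) of the build-step checks such a platform automates: pin a third-party script to its hash, verify a fetched copy against that pin the way a browser would, and emit a script policy that only allows the origins you actually use. The host names and script body are constructed for the example.

```python
import base64
import hashlib
import re

# Browsers consider only the strongest algorithm listed in an integrity attribute
# (assumed ordering: sha256 < sha384 < sha512) and accept the resource if the
# content matches any hash of that strength.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value ("sha384-<base64>") used to pin a script."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched content against a (possibly multi-valued) integrity attribute.

    Unknown tokens are ignored; an attribute with no usable hash is treated as a
    failed check here, which is stricter than a browser (it would skip the check).
    """
    parsed = []
    for token in integrity.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", token)
        if m:
            parsed.append((m.group(1), m.group(2)))
    if not parsed:
        return False
    strongest = max(_STRENGTH[algo] for algo, _ in parsed)
    return any(
        _STRENGTH[algo] == strongest and sri_hash(content, algo) == f"{algo}-{expected}"
        for algo, expected in parsed
    )


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag with integrity and crossorigin set, as a build step would."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def build_csp(script_hosts: list[str]) -> str:
    """Build a CSP that permits scripts only from same-origin and the listed origins."""
    sources = " ".join(["'self'"] + sorted(script_hosts))
    return f"default-src 'self'; script-src {sources}; object-src 'none'; base-uri 'self'"


if __name__ == "__main__":
    # Constructed sample: the vetted script body and a tampered copy of it.
    vetted = b"console.log('constructed third-party widget');"
    tampered = vetted + b" // injected"
    pin = sri_hash(vetted)
    print(script_tag("https://cdn.example.com/widget.js", vetted))
    print("Content-Security-Policy:", build_csp(["https://cdn.example.com"]))
    print("vetted copy passes:", verify_sri(vetted, pin), "| tampered copy passes:", verify_sri(tampered, pin))
```

A tampered copy of the script fails the integrity check and the browser refuses to run it, while the CSP stops scripts from any origin that is not on the list.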
In the long run, however, technical solutions alone will not be sufficient to effectively combat supply chain attacks. The ultimate goal is to significantly reduce the chances of a successful attack, to the point where the balance of effort to payoff no longer motivates bad actors to pursue them.

Evolving Business Practices

The U.S. National Institute of Standards and Technology (NIST) has recently updated its publication “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”. Intended for an enterprise audience, it provides a long list of recommendations for how to manage software supply chain risk. Effective cybersecurity controls and practices such as advanced access security, automated incident response and frequent security audits are fundamental. Just as important, however, are recommendations that amount to a significant enhancement to procurement practices. Basically, security considerations must be built into every contract and agreement between suppliers and their customers, so that a high degree of confidence can extend all the way up the supply chain. This also requires developing a dependable system for rating the reliability and security of potential business partners.

At the more granular level of app development teams, awareness of the potential risks has to be built into every process. As Gartner’s press release puts it:
“Digital supply chain risks demand new mitigation approaches that involve more deliberate risk-based vendor/partner segmentation and scoring, requests for evidence of security controls and secure best practices, a shift to resilience-based thinking and efforts to get ahead of forthcoming regulations.”

The end of siloed security

As we’ll see repeatedly as we go through Gartner’s seven key cybersecurity trends, the highest-level takeaway is that security can never again be conceived as a matter of simply identifying potential attack vectors and applying individual point security solutions to each of them.
Going forward, every business unit must build security and resilience into all its processes, and all employees must be aware of the security and resilience implications of their roles.