What is a Supply Chain Attack?
Supply chain attacks can damage organizations, individual departments, or entire industries by targeting and attacking insecure elements of the software supply chain.
A software supply chain consists of:
- Elements of the software development lifecycle (SDLC) process, including build systems, development, and testing environments
- Open source or third-party software used as components in enterprise software
- Open source platforms used directly by enterprises – such as WordPress or Magento
- Vendors providing professional services, consulting, or development services
- Partners who store or process data on behalf of the enterprise
- Cloud services (including IaaS, PaaS, and SaaS)
- Past suppliers of the enterprise who still hold company data or access to IT systems
Most organizations have limited visibility over their software supply chain. Any third party that is not well secured, and provides software or services to large organizations, is a risk for a supply chain attack.
Most commonly, attackers look for the weakest links in a supply chain – for example, they target small vendors with no cybersecurity controls or open source components with a small community or lax security measures.
Most supply chain attacks are caused by adding backdoors to legitimate and certified software or compromising systems used by third-party providers. These attacks are difficult to detect with existing cybersecurity defenses.
Supply Chain Attack Example
Here is an example of a sophisticated supply chain attack:
- An attacker discovers large organizations using an open-source component built by a certain group of developers
- The attacker identifies a developer who is not actively working on the project, and compromises their GitHub account
- Using the compromised GitHub account, the attacker commits innocent-looking code to the project, which in fact contains a backdoor
- The backdoor is packaged into the next release
- When one of the target organizations updates the open-source component to the new, compromised version, they are owned by the attacker
This example shows how attackers can take advantage of the lax security measures of some open source projects to penetrate a large, well-secured organization.
Supply Chain Cybersecurity Best Practices
Here are some best practices that can help protect your organization from supply chain threats.
Map Out the Threat Landscape
The first step is to fully map out the software supply chain. In a large organization, it can be composed of a large number of software vendors, open-source projects, IT, and cloud services.
Automated tools like software composition analysis (SCA) can be used to discover which software dependencies are hiding inside an organization’s software projects, and scan them for security and licensing issues. But this is not enough – you must perform a complete inventory of all third-party tools and services used in your software projects.
Policies and Governance
Make sure your supply chain vendors have structured, validated, and certified security policies and procedures. You can verify this through formal certification, such as a HIPAA Business Partner Agreement or a PCI audit. Vendors must have internal governance ensuring that security systems and procedures are in place.
Contracts between the company and its suppliers must clearly state the standards and requirements for access and use of data so that liability can be accurately assigned in case of violations. Agreements should require suppliers to notify the organization if they are breached. There must also be clear provisions for mitigating risk when the relationship with a supplier ends.
Control Information Privileges
It is common for companies to make data available to third parties, but this must be done with due consideration. The more people who have access to data, the harder it becomes to control and mitigate threats. When starting to address supply chain security, it is important to conduct an audit and determine what is the current situation—who has access and what they are doing with the data—and use this information to limit data access.
This is especially important for third-party vendors, who are often targeted by hackers because their security controls are typically less robust than those of the enterprise. When choosing a vendor, consider its cybersecurity framework, perform due diligence, and accordingly, adjust what type of data they can be exposed to.
One approach to sharing data with vendors is a “one-way feed”—in which data required for a specific vendor is shared with them, and only with them, precisely when they need it. The enterprise can use data masking to reduce the sensitivity of the data and ensure that the vendor disposes of data after it is no longer needed.
Reduce the Risk from Developer Endpoints
Many supply chain attacks focus on compromising developer workstations or development environments. A developer workstation, which has permission to commit code to the CI/CD pipeline, is a “jackpot” for attackers. This is how the infamous SolarWinds attack breached the company’s build pipeline and was able to deploy malicious artifacts directly into its product.
You should comprehensively protect any endpoint – workstation, server, or cloud virtual machine – that is part of your organization’s build process. This can be done by deploying endpoint protection platforms, including endpoint detection and response (EDR) technology, which can detect anomalous behavior on endpoints and facilitate immediate response by security teams.
Protecting Against Supply Chain Attacks with Imperva
Imperva’s Runtime Application Self Protection (RASP) uses a lightweight security plug-in to analyze activity within the application and block unwanted actions, such as third-party libraries establishing a network connection to an external site for command and control (C&C).
Imperva RASP protects applications, runtime, servers, open-source dependencies, and third-party libraries. It deploys in minutes by easily snapping into an application, without requiring any code changes, and requires no ongoing signature updates.
Imperva also offers Client-Side Protection, which prevents online fraud from supply chain attacks like form jacking, digital skimming, and Magecart. It clearly delineates activity from JavaScript across your website, identifies JavaScript vulnerabilities, and prevents unwanted behavior, such as compromised code stealing and transmitting your customers’ sensitive data.
Beyond supply chain attacks, Imperva provides multi-layered protection to make sure websites and applications are available, easily accessible, and safe. The Imperva Web Application and API Protection unifies RASP and Client-Side Protection with five more best-of-breed application security solutions on a single platform:
- DDoS Protection—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
- CDN—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
- WAF—permit legitimate traffic and prevent attacks, safeguarding applications at the edge or inside your network.
- Bot management—analyze your bot traffic to pinpoint anomalies, identify bad bot behavior, and validate questionable behavior via challenge mechanisms that do not impact user traffic.
- API security—protect APIs by ensuring only desired traffic can access your API endpoint, as well as detecting and blocking exploits.
- Attack analytics—identify and respond to security incidents confidently with ML-powered intelligence across all your layers of defense.