Supply-chain attacks are not limited to software, and they have caused problems ranging from large corporate breaches to serious malware infections. Yet they are still misunderstood and underestimated by many.
The recent EternalPetya outbreak reminded us of how vulnerable we can be to this insidious threat. By compromising a popular accounting software company and pushing malicious code to all of its customers via a program update, threat actors were quickly able to get a foothold in thousands of internal networks. If it had not been for the noisy nature of the final payload, they most likely would have maintained an undetected presence for much longer.
To use a popular metaphor, a chain is only as strong as its weakest link, but supply-chain attacks are even more pernicious in that they can affect many organizations at once from a single upstream entry point. Another notable aspect is that IT professionals have historically invested more resources into defending their assets from threats such as phishing emails or drive-by downloads than into evaluating the attack surface presented by trusted applications that do not appear to be directly exposed to the 'outside'.
One contributing factor is the mindset and general lack of security awareness among a significant portion of software developers. Anyone publishing code is a target of interest, but especially those with a large user base. An attacker can compromise a developer's build machine directly or obtain the credentials for the update delivery infrastructure itself. Digital signatures are a saving grace in that client machines will refuse unsigned or tampered binaries, but they are not enough on their own: software backdoored at the source and then signed with the vendor's own key still appears completely legitimate.
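To make the signature point concrete, here is an added example (not code from the original article or from any real updater) of the client-side policy described above: the vendor signs each update with an Ed25519 key, the client carries a pinned copy of the public key and refuses anything unsigned, tampered, or re-labelled. The `Update` struct, the version/payload digest, the `Scenarios` function and its inputs are all constructed for this illustration. The last scenario shows the caveat from the text: a payload backdoored before signing passes every check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is the artifact an update server delivers: a version label, the
// payload, and a detached signature over both. This struct and the helpers
// below are illustrative; they are not the format of any real updater.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte // empty when the update is unsigned
}

var (
	ErrUnsigned     = errors.New("update is unsigned")
	ErrBadSignature = errors.New("update signature does not verify")
)

// NewVendorKey generates the vendor's signing key pair. In practice the
// private half lives in an HSM or signing service, not on a build box.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest binds the version label to the payload with a separator byte, so a
// signed payload cannot be replayed under a different version label.
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(version, payload)),
	}
}

// VerifyUpdate is the client-side policy: the public key is pinned in the
// installed client, and anything unsigned or not matching it is refused.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if len(u.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pinned, digest(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenarios runs the cases discussed in the text and returns the client's
// verdict for each. All inputs are constructed for this example.
func Scenarios() map[string]error {
	pub, priv := NewVendorKey()
	clean := []byte("legitimate update v2.0")
	out := map[string]error{}

	// 1. Genuine signed update: accepted.
	out["signed"] = VerifyUpdate(pub, SignUpdate(priv, "2.0", clean))

	// 2. Attacker on the delivery infrastructure pushes an unsigned build: refused.
	out["unsigned"] = VerifyUpdate(pub, Update{Version: "2.0", Payload: clean})

	// 3. Signed update modified on the mirror or in transit: refused.
	tampered := SignUpdate(priv, "2.0", clean)
	tampered.Payload = []byte("legitimate update v2.0 + implant")
	out["tampered"] = VerifyUpdate(pub, tampered)

	// 4. Older signed build re-labelled as a newer version: refused.
	relabelled := SignUpdate(priv, "1.9", clean)
	relabelled.Version = "2.0"
	out["relabelled"] = VerifyUpdate(pub, relabelled)

	// 5. The caveat: code backdoored at the source and signed with the real
	//    vendor key is indistinguishable from a legitimate update.
	backdoored := []byte("legitimate update v2.0 + implant")
	out["backdoored-at-source"] = VerifyUpdate(pub, SignUpdate(priv, "2.0", backdoored))
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

Signature checks stop an attacker who only controls the delivery path; they do nothing against one who controls the build or the signing key, which is why build-environment integrity and key custody matter as much as the client-side check.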
The supply-chain threat via software updates should not discourage patching, nor be used as an excuse for not applying patches. The fact of the matter is that we have become more and more reliant on outside resources over which we have little control. This lack of control creates a profound trust issue that still must be addressed; otherwise, we know what happens when systems are left vulnerable.
In the same way that we can't guarantee a Windows update won't cause BSODs, we can't guarantee that a third-party plugin won't be compromised either. For enterprises, it has always been wise to roll out updates in so-called 'staging environments' to assess whether any changes introduce stability or compatibility issues before applying them to production. Reviewing code and logs after a change is an important part of this effort to identify potential issues.
To defend against the stealthy injection of malicious code in attacks of this kind, one must rely on proactive, behaviour-based solutions that flag anomalies. Threat actors may decide to lie low and gather intelligence, or be aggressive right away with malware that is destructive in nature. Either kind of activity can be spotted by intrusion detection/prevention systems and regular reviews of internal logs.
At the end of the day, there is no silver bullet, and when prevention fails, early detection and containment can make the difference between a temporary disruption and severe losses that could put a company out of business.
Unfortunately, supply-chain attacks are here to stay given their recent and proven success. This is why it is now more important than ever to recognize them as a significant threat vector and to start developing countermeasures.