Supply Chain Attacks And How To Mitigate Them
In cyber-security, a software supply chain attack is one in which malicious code is injected into a third-party code provider in order to harm an organisation further down the digital distribution chain. The Magecart attacks on British Airways and Ticketmaster last year illustrated this perfectly.
In software development, a supply chain attack is typically carried out by inserting malicious code into a code dependency or a third-party service integration.
Integrating external scripts and using code dependencies is now standard practice in software development. Some of the most widely used pieces of code come from reputable third-party suppliers such as Google, companies that we would not expect attackers to compromise easily. However, even large companies frequently use third-party scripts that come from small businesses or individual developers whose own security practices may leave a lot to be desired.
Most third-party code providers do not have enterprise-grade security, and yet their code runs with exactly the same permissions as the code companies develop in-house: in the browser, a third-party script can read the DOM, form fields and cookies not flagged HttpOnly, and make requests on the user's behalf, just as first-party code can. Attackers have clearly identified this as the weakest link in the software supply chain, since it lets them breach high-profile companies without ever going near those companies' own servers or code. Witness the major attacks of last year, including the Magecart attacks on British Airways and Ticketmaster. The holy grail of cyber attacks is now to target dependencies or scripts that are created by third parties and used by thousands of businesses, which is what we have come to know as supply chain attacks.
Common attack goals
What, then, are some of the common goals of supply chain attackers? Looking at recent supply chain attacks, we see that attackers clearly want unauthorised access to data, such as credit card details and account credentials. They may also try to reduce the integrity of the overall system (making it behave incorrectly) so that users stop trusting the data or the system, or so that the end user ends up doing unintended things. Attackers may also seek to reduce the availability of the system or of its data and resources, i.e. make them inaccessible when the user actually needs them. In this way they can violate the confidentiality or availability of other resources that trust the data asset being attacked.
Compared to typical cyber attacks, supply chain attacks offer two major advantages to attackers.
Firstly, one supply chain attack can target multiple companies at once (since many businesses use the same code dependencies and external scripts), so the potential return on investment of the attack is greater. Secondly, and unlike ordinary cyber attacks, supply chain attacks can go unnoticed by perimeter defences, because they are usually introduced as a change to a component of the system that is trusted by default; an approved delivery mechanism (such as a software update, or a script loaded from a vendor's CDN) then carries the supply chain attack past the system's defences without detection.
There are a number of high-level cyber resiliency techniques for mitigating cyber attacks (these are the techniques catalogued in NIST SP 800-160 Vol. 2). They include:
Adaptive Response — Optimise the organisation's ability to respond in a timely and appropriate manner to adverse conditions, stresses, or attacks, thereby maximising its ability to maintain mission operations, limit consequences, and avoid destabilisation.
Analytic Monitoring — Gather, fuse, and analyse data on an ongoing basis and in a coordinated way to identify potential vulnerabilities, adverse conditions, stresses, or attacks, and the damage they cause.
Coordinated Defense — Ensure that the failure of one defensive barrier does not expose critical assets to the threat. Require threat events to overcome multiple defences.
Deception — Mislead, confuse, or hide critical assets from the adversary.
Diversity — Use heterogeneity to minimise common-mode failures, particularly attacks exploiting common vulnerabilities.
Redundancy — Provide multiple protected instances of critical resources.
Substantiated Integrity — Detect attempts by an adversary to deliver compromised data, software, or hardware, as well as any successful modification or fabrication.
Unpredictability — Make changes randomly or unpredictably.
It is very important that security professionals and IT managers understand that mitigating supply chain attacks requires a defence-in-depth strategy. They must be aware that investing resources in perimeter defences alone is not an adequate approach. There is also a common misconception that SAST (Static Application Security Testing) is a suitable way to stop supply chain attacks. However, these attacks exploit weaknesses in the supply chain itself and introduce malicious logic into code that is already trusted. Since that logic is deliberate behaviour rather than a coding vulnerability in the application's own source, SAST does not flag it; in practice SAST also only sees the first-party source it is pointed at, not a third-party script fetched by the browser at runtime.
Since supply chain attacks often operate through changes that manifest on the client side, investing in client-side security becomes a key part of the process. In the current application security landscape there is no infallible way to be certain that malicious markup or code has not been injected into a company's applications. The next best thing is to gain visibility of such injections and be able to respond in real time. As past supply chain attacks have shown, the magnitude of an attack is directly related to how long the company takes to detect it and act, and some past supply chain attacks remained undetected for weeks.
It is all about visibility and time. If businesses can detect supply chain attacks in real time, they can react immediately and mitigate the attack before any serious damage occurs.