Attackers find it hard to resist the lure of software supply chains: They can all-too quickly and easily access a wide breadth of sensitive information — and thus gain juicier payouts. 

In just one year alone — between 2000 and 2021 — software supply chain attacks grew by more than 300%. And, 62% of organizations admit that they have been impacted by such attacks. 

Experts warn that the onslaught isn’t going to slow down. In fact, according to data from Gartner, 45% of organizations around the world will have experienced a ransomware attack on their digital supply chains by 2025. 

“Nobody is safe,” said Zack Moore, security product manager with InterVision. “From small businesses to Fortune 100 companies to the highest levels of the U.S. government — everyone has been impacted by supply chain attacks in the last two years.” 

Examples aplenty

The SolarWinds attack and Log4j vulnerability are two of the most notorious examples of software supply chain attacks in recent memory. Both revealed how pervasive software supply chain attacks can be, and in both instances, the full scope of the ramifications is still yet to be seen. 

“SolarWinds became the poster child for digital supply chain risk,” said Michael Isbitski, director of cybersecurity strategy at Sysdig. 

Still, he said, Microsoft Exchange is another example that has been just as impacting, “but was quickly forgotten.” He pointed out that the FBI and Microsoft continue to track ransomware campaigns targeting vulnerable Exchange deployments. 

Another example is Kaseya, which was breached by ransomware agents in mid-2021. As a result, more than 2,000 of the IT management software provider’s customers received a compromised version of the product, and between 1,000 and 1,500 customers ultimately had their systems encrypted. 

“The immediate damages of an attack like this are immense,” said Moore. “Even more dangerous, however, are the long-term consequences. The total cost for recovery can be massive and take years.”

So why do software supply chain attacks keep happening?

The reason for the continued bombardment, said Moore, is increasing reliance on third-party code (including Log4j). 

This makes distributors and suppliers ever more vulnerable, and vulnerability is often equated with a higher payout, he explained. 

Also, “ransomware actors are increasingly thorough and use non-conventional methods to reach their targets,” said Moore. 

For example, using proper segmentation protocols, ransomware agents target IT management software systems and parent companies. Then, after breaching, they leverage this relationship to infiltrate the infrastructure of that organization’s subsidiaries and trusted partners.

“Supply chain attacks are unfortunately common right now in part because there are higher stakes,” said Moore. “Extended supply chain disruptions have placed the industry at a fragile crossroads.” 

Low cost, high reward

Supply chain attacks are low cost and can be minimal effort and have potential for high reward, said Crystal Morin, threat research engineer at Sysdig. And, tools and techniques are often readily shared online, as well as disclosed by security companies, who frequently post detailed findings. 

“The availability of tools and information can provide less-skilled attackers the opportunities to copycat advanced threat actors or learn quickly about advanced techniques,” said Morin. 

Also, ransomware attacks on the supply chain allow bad actors to cast a wide net, said Zack Newman, senior software engineer and researcher at Chainguard. Instead of spending resources attacking one organization, a breach of part of a supply chain can affect hundreds or thousands of downstream organizations. On the flip side, if an attacker is targeting a specific organization or government entity, the attack surface changes. 

“Rather than wait for that one organization to have a security issue, the attacker just has to find one security issue in any of their software supply chain dependencies,” said Newman. 

No single offensive/defensive tactic can protect all software supply chains

Recent attacks on the supply chain highlight the fact that no single tool provides complete defense, said Moore. If just one tool in an organization’s stack is compromised, the consequences can be severe. 

“After all, any protection framework built by intelligent people can be breached by other intelligent people,” he said. 

In-depth defense is necessary, he said; this should have layered security policy, edge protection, endpoint protection, multifactor authentication (MFA) and user training. Robust recovery capabilities, including properly stored backups — and ideally, uptime experts ready to mobilize after an attack — are also a must-have. 

Without knowledgeable people correctly managing and running them, layered technologies lose their value, said Moore. Or, if leaders don’t implement the correct framework for how those people and technologies interact, they leave gaps for attackers to exploit. 

“Finding the correct combination of people, processes, and technology can be challenging from an availability and cost standpoint, but it’s critical nonetheless,” he said. 

Holistic, comprehensive visibility

Commercial software is usually on security teams’ radar, but open-source is often overlooked, Morin pointed out. Organizations must stay on top of all software they consume and repurpose, including open-source and third-party software. 

Sometimes engineering teams more too quickly, she said, or security is disconnected from design and delivery of applications using open-source software. 

But, as was shown with issues in dependencies like OpenSSL, Apache Struts, and Apache Log4j, exploitable vulnerabilities quickly propagate throughout environments, applications, infrastructure and devices. 

“Traditional vulnerability management approaches don’t work,” said Morin. “Organizations have little to no control over the security of their suppliers outside of contractual obligations, but these aren’t proactive controls.” 

Security tooling exists to analyze applications and infrastructure for these vulnerable packages pre- and post-delivery, she said, but organizations have to ensure you’ve deployed it. 

But, “the other security best practices continue to apply,” she said. 

Expanded security focus

Morin advised: Regularly update and improve detections. Always patch where — and as quickly — as possible. Ask vendors, partners and suppliers what they do to protect themselves, their customers and sensitive data. 

“Stay on top of them too,” she said. “If you see issues that could impact them in your regular security efforts, bug them about it. If you’ve done your due diligence, but one of your suppliers hasn’t, it’ll sting that much more if they get compromised or leak your data.”

Also, risk concerns extend beyond just traditional application binaries, said Isbitski. Container images and infrastructure-as-code are targeted with many varieties of malicious code, not just ransomware. 

“We need to expand our security focus to include vulnerable dependencies that applications and infrastructure are built upon,” said Isbitski, “not just the software we install on desktops and servers.”

Ultimately, said RKVST chief product and technology officer Jon Geater, businesses are beginning to gain greater appreciation for what becomes possible “when they implement integrity, transparency and trust in a standard, automated way.”

Still, he emphasized, it’s not always just about supply chain attacks. 

“Actually, most of the problems come from mistakes or oversights originating in the supply chain, which then open the target to traditional cyberattacks,” said Geater. 

It’s a subtle difference, but an important one, he noted. “I believe that the bulk of discoveries arising from improvements in supply chain visibility next year will highlight that most threats arise from mistake, not malice.” 

Don’t just get caught up on ransomware

And, while ransomware concern is front and center as part of endpoint security approaches, it is only one potential attack technique, said Isbitski. 

There are many other threats that organizations need to prepare for, he said — including newer techniques such as cryptojacking, identity-based attacks and secrets harvesting. 

“Attackers use what’s most effective and pivot within distributed environments to steal data, compromise systems and take over accounts,” said Isbitski. “If attackers have a means to deploy malicious code or ransomware, they will use it.”

Common techniques necessary

Indeed, Newman acknowledged, there is so much variety in terms of what constitutes a supply chain attack, that it’s difficult for organizations to understand what the attack surface may be and how to protect against attacks. 

For example, at the highest level, a traditional vulnerability in the OpenSSL library is a supply chain vulnerability. An OSS maintainer getting compromised, or going rogue for political reasons, is a supply chain vulnerability. And, an OSS package repository hack or an organization’s build system hack are supply chain attacks. 

“We need to bring common techniques to bear to protect against and mitigate for each and every type of attack along the supply chain,” said Newman. “They all need to be fixed, but starting where the attacks are tractable can yield some success to chip away.”

In proactively adopting strong policies and best practices for their security posture, organizations might look to the checklist of standards under the Supply Chain Levels for Software Artifacts Framework (SLSA), Newman suggested. Organizations should also enforce strong security policies across their developers’ software development lifecycle. 

Encouraging software supply chain security research

Still, Newman emphasized, there is much to be optimistic about; the industry is making progress.

“Researchers have been thinking about solving software supply chain security for a long time,” said Newman. This goes back to the 1980s. 

For instance, he pointed to emerging technologies from the community such as The Update Framework (TUF) or the in-toto framework.

The industry’s emphasis on software bills of materials (SBOMs) is also a positive sign, he said, but more needs to be done to make them effective and useful. For example, SBOMs need to be created at build-time versus after the fact, as “this type of data will be immensely valuable in helping prevent attack spread and impact.”

Also, he pointed out, Chainguard co-created and now maintains one dataset of malicious compromises of the software supply chain. This effort revealed nine major categories of attacks and hundreds or thousands of known compromises.

Ultimately, researchers and organizations alike “are looking at ways to solve these issues once and for all,” said Newman, “versus taking the common band-aid approaches we see today in security.”