Software supply chain attacks are an increasingly serious problem across the IT industry.
Recent statistics bear out the danger. According to a study by Israel-based Argon Security:
- Supply chain attacks grew by more than 300 percent in 2021 over 2020, and a similar increase is expected in 2022.
- Attackers focused most heavily on open-source vulnerabilities and on exploiting the supply chain process and supplier trust to distribute malware.
- Three in five companies experienced a supply chain attack in 2021, a number that is expected to rise in 2022.
Vendors must be carefully vetted
Sonatype's State of the Software Supply Chain report, released last month, shows a 633 percent year-over-year increase in attacks in 2022.
The Sonatype report warns:
“Over the years, the depth and breadth of the attacks have become more sophisticated as typified in the targeting, package hijacking, brandjacking, typosquatting, and even in the fileless malware being distributed as a part of these attacks.”
Experts tell SmarterMSP that there are clear reasons why attackers favor supply chain attacks.
“Attackers find supply chain breaches lucrative because when everyday or common software is compromised, the attackers could, in theory, gain access to all the enterprises that use that software,” says Phillip Murphy, a cybersecurity consultant in San Francisco.
He adds, “For a hacker, if a supply chain attack is successful, it’s like hitting the jackpot on the slots. It gives them a lot of ‘all-under-one-roof’ access.”
Murphy described the year-over-year increases in attacks as “alarming.”
“MSPs need to take this seriously; everyone does,” he warns.
Murphy advises that every company should carefully vet its vendors and use only those that have been tested and proven reliable.
“Most MSPs, I have found, do an excellent job of vetting vendors,” Murphy states. “So that is another reason companies, especially ones with a thin or non-existent IT staff, should lean on MSPs; they bring the knowledge and expertise to ward off supply chain attacks.”
Onboarding and offboarding can create vulnerabilities
The concern about supply chain attacks has not gone unnoticed by the government. The growth in supply chain attacks prompted CISA to update its guidance with a new bulletin last month that addresses basics such as:
Account security: best practices such as enabling multi-factor authentication, establishing a process to revoke the credentials of departing employees, issuing unique credentials to each user, separating everyday user accounts from privileged accounts, and requiring passwords that meet a defined minimum standard.
“Lack of thorough offboarding is a big security problem; even some MSPs miss this. Everyone is so excited to onboard a new employee, but when one leaves, it’s like tossing them overboard with no thought,” according to Murphy.
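The account-security basics above are easy to state and easy to let slip, which is why an MSP should audit them on a schedule rather than trust that offboarding happened. The script below is an added example, not code from this article or from CISA's bulletin: it walks a directory export against an HR leaver list and flags departed owners whose accounts are still enabled, accounts without MFA, shared credentials, passwords under a minimum length, dormant accounts, and admins who have no separate everyday account. The record layout, the thresholds (14 characters, 90 days) and the sample accounts are assumptions constructed for the example; a real audit would pull the same fields from Active Directory, Okta or similar and the leaver list from HR.

```python
"""Audit a directory export against CISA's account-security basics.

Added example, not code from the article or from CISA. The record layout,
thresholds and sample data below are assumptions: a real audit would pull
accounts from Active Directory, Okta or similar and the leaver list from HR.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

MIN_PASSWORD_LENGTH = 14   # assumed minimum standard
DORMANT_DAYS = 90          # assumed threshold for "nobody is using this"


@dataclass(frozen=True)
class Account:
    username: str
    owner: str              # person (or team) responsible for the account
    enabled: bool
    mfa_enrolled: bool
    privileged: bool
    shared: bool            # credential known to more than one person
    password_length: int
    last_login: date


# Constructed sample export: one person doing it right, one leaver that
# offboarding missed, one admin with no everyday account, a properly
# disabled leaver, and a shared privileged service account.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", True, True, False, False, 16, date(2022, 11, 1)),
    Account("alice-adm", "alice", True, True, True, False, 20, date(2022, 11, 1)),
    Account("bob", "bob", True, False, False, False, 12, date(2022, 6, 1)),
    Account("carol-adm", "carol", True, True, True, False, 18, date(2022, 11, 10)),
    Account("dave", "dave", False, False, False, False, 10, date(2022, 1, 5)),
    Account("svc-backup", "it-team", True, False, True, True, 24, date(2022, 11, 14)),
]
# Constructed HR leaver list: owners whose employment has ended.
DEPARTED = {"bob", "dave"}
AS_OF = date(2022, 11, 15)


def audit(accounts, departed, as_of):
    """Return {username: [issues]} for every enabled account that violates a control."""
    issues = defaultdict(list)
    by_owner = defaultdict(list)
    for a in accounts:
        if not a.enabled:
            continue            # a disabled account is what good offboarding produces
        by_owner[a.owner].append(a)
        if a.owner in departed:
            issues[a.username].append("departed owner, account still enabled")
        if not a.mfa_enrolled:
            issues[a.username].append("MFA not enrolled")
        if a.shared:
            issues[a.username].append("credential shared by multiple people")
        if a.password_length < MIN_PASSWORD_LENGTH:
            issues[a.username].append("password below minimum length")
        if (as_of - a.last_login).days > DORMANT_DAYS:
            issues[a.username].append("dormant: no login within %d days" % DORMANT_DAYS)
    # Separation of user and privileged accounts: anyone holding a privileged
    # account should also have a non-privileged one for everyday work.
    for accts in by_owner.values():
        if any(a.privileged for a in accts) and not any(not a.privileged for a in accts):
            for a in accts:
                if a.privileged:
                    issues[a.username].append(
                        "privileged account with no separate standard account")
    return dict(issues)


if __name__ == "__main__":
    for user, problems in sorted(audit(SAMPLE_ACCOUNTS, DEPARTED, AS_OF).items()):
        for p in problems:
            print(f"{user}: {p}")
```

On the sample data the audit is silent about alice (two accounts, MFA on both, separate admin identity) and about dave (disabled, as offboarding should leave him), and reports bob, carol-adm and svc-backup. Running the same check nightly and diffing the result against the previous run is what turns "we have an offboarding process" into something you can show an auditor.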
Workflows are critical
CISA’s guidance also calls for every company to have a Supply Chain Risk Management (SCRM) workflow that puts a defined process in place for dealing with software vendors.
“SCRM is crucial for businesses to implement. Depending on the vertical, companies deal with so many different software packages that without a dedicated process, it’s too easy for something to fall through the cracks. Hackers count on that,” Murphy says.
Threats that arise from not having an SCRM process, according to CISA, include:
- Malicious software that disables, negates, or hides from security agents or monitoring tools in the user environment.
- Appropriate logs not being collected, analyzed, or correlated, and partial or incomplete continuous monitoring and security audits.
CISA lists several mitigations for those threats, including:
- Regular red team hunting and security exercises.
- Implementing risk-based management approaches for specific software products to identify logging and event monitoring requirements.
- Implementing a threat model based on the particular product.
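From the SOC side, the two threats CISA lists look the same: a host whose security agent has been disabled or blinded simply stops sending events, and a host whose log collection is broken sends far fewer than it used to. Both are cheap to detect if you compare what each inventoried host actually sends against what it should. The script below is an added example, not code from this article or from CISA: it reads a constructed per-host event-count feed of the kind a SIEM or log pipeline can export, and flags hosts that never reported, hosts silent beyond a threshold, and hosts whose event volume collapsed relative to their own baseline. The inventory, the feed format, the 15-minute silence limit and the 20 percent volume ratio are all assumptions for the example.

```python
"""Spot gaps in security-agent telemetry from a constructed log-volume feed.

Added example, not from the article or from CISA. The inventory, feed format
and thresholds are assumptions; in practice the feed is a per-host event count
per interval exported from the SIEM or log pipeline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SILENCE_LIMIT = timedelta(minutes=15)   # assumed: agents normally report every 5 minutes
VOLUME_DROP_RATIO = 0.2                 # assumed: alert if latest interval < 20% of baseline
BASELINE_SAMPLES = 3                    # assumed: first N intervals define "normal"

# Constructed inventory of hosts that are supposed to be reporting.
INVENTORY = {"web-01", "web-02", "db-01", "jump-01"}

# Constructed feed: (timestamp, host, events received in that 5-minute interval).
# web-01 is healthy, web-02 goes quiet after 10:05, db-01 keeps a heartbeat but its
# log volume collapses (what a tampered or partially disabled agent looks like),
# and jump-01 is in the inventory but never shows up at all.
FEED = [
    ("2022-11-15T10:00:00", "web-01", 120),
    ("2022-11-15T10:00:00", "web-02", 115),
    ("2022-11-15T10:00:00", "db-01", 40),
    ("2022-11-15T10:05:00", "web-01", 118),
    ("2022-11-15T10:05:00", "web-02", 110),
    ("2022-11-15T10:05:00", "db-01", 38),
    ("2022-11-15T10:10:00", "web-01", 121),
    ("2022-11-15T10:10:00", "db-01", 41),
    ("2022-11-15T10:15:00", "web-01", 119),
    ("2022-11-15T10:15:00", "db-01", 3),
    ("2022-11-15T10:20:00", "web-01", 122),
    ("2022-11-15T10:20:00", "db-01", 2),
    ("2022-11-15T10:25:00", "web-01", 120),
    ("2022-11-15T10:25:00", "db-01", 1),
]
NOW = datetime(2022, 11, 15, 10, 30)


def group_by_host(feed):
    """Parse the feed into {host: [(timestamp, count), ...]} sorted by time."""
    per_host = defaultdict(list)
    for ts, host, count in feed:
        per_host[host].append((datetime.fromisoformat(ts), count))
    for samples in per_host.values():
        samples.sort()
    return per_host


def find_gaps(feed, inventory, now):
    """Return {host: reason} for every inventoried host with a telemetry problem."""
    per_host = group_by_host(feed)
    alerts = {}
    for host in sorted(inventory):
        samples = per_host.get(host)
        if not samples:
            alerts[host] = "never reported"          # inventory/agent deployment gap
            continue
        last_ts, _ = samples[-1]
        if now - last_ts > SILENCE_LIMIT:
            alerts[host] = f"silent since {last_ts.isoformat()}"   # agent down or killed
            continue
        counts = [c for _, c in samples]
        if len(counts) > BASELINE_SAMPLES:
            baseline = sum(counts[:BASELINE_SAMPLES]) / BASELINE_SAMPLES
            latest = counts[-1]
            if latest < VOLUME_DROP_RATIO * baseline:
                alerts[host] = f"volume dropped to {latest} from baseline {baseline:.0f}"
    return alerts


if __name__ == "__main__":
    for host, reason in find_gaps(FEED, INVENTORY, NOW).items():
        print(f"{host}: {reason}")
```

The important design point is that the check starts from the inventory, not from the feed: a host that never sends anything produces no log line to alert on, so a detection that only looks at what arrived will never notice it. The per-host baseline matters for the same reason; a database box that normally emits 40 events an interval and suddenly emits one is a finding even though the collector is still receiving "something" from it.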
“The CISA report is the most comprehensive supply chain security document the government has made publicly available. Many MSPs are already following best practices and doing a great job, but the report is worth a read even as a refresher,” Murphy recommends.
Even the FBI has joined the public warnings, teaming up with CISA to point out well-known supply chain attacks of the past year, such as Log4j.
“Log4J was one of the more destructive supply chain attacks over the past year, and the FBI is saying that businesses have to assume attackers are lurking in your network,” Murphy says. “Even if things are running smoothly, you can’t let down your guard is what the FBI is warning about.”