As information about the SolarWinds attack continues to come to light, a new focus is being placed on the software supply chain and the cybersecurity risks it poses. The frequency and popularity of software supply chain attacks (also known as third-party attacks), like SolarWinds, will continue to increase in tandem with the growing adoption of SaaS.
This raises the question: what can we do to prevent a software supply chain attack as potentially devastating as SolarWinds from happening?
Defining supply chain attacks
Before we can begin to answer this question, we need to first understand the broader supply chain and why it’s such an attractive target for bad actors.
A supply chain attack is a cyberattack that targets its victims by focusing on a weak link in an organization’s supply chain, rather than the individual organization itself. There are two types of supply chain attacks: hardware and software.
Attacks on the hardware supply chain are rare, but damaging
A hardware supply chain attack happens when a physical component of a device is tampered with in some way. These types of attacks are relatively rare. One notable example is a cyberattack perpetrated by the Chinese government in 2015. This attack made use of a tiny microchip, no larger than a grain of rice, that was inserted during the manufacturing process into the servers sold by Elemental Technologies (acquired by Amazon). Elemental’s customers included federal agencies, like the DoD and CIA, as well as commercial enterprises, like Apple.
After an investigation, it was determined that SuperMicro had supplied components to Elemental for the servers, and it was in those components that the malicious tiny chips were installed at factories based in China. The tiny chip enabled the attackers to perform reconnaissance on Elemental's customers, a list that mirrors the victims of the SolarWinds attack. In a follow-up report on the attack, it was revealed that a Pentagon security team discovered that SuperMicro servers operating on its classified network contained malicious instructions to copy data about the network and send that information to the Chinese government.
Focusing on the hardware supply chain has left the software supply chain vulnerable
To date, a lot of focus has been placed on preventing and mitigating attacks on the hardware supply chain, and for good reason. A hardware supply chain attack is incredibly complex to investigate and expensive to resolve, because hardware cannot be patched or fixed remotely. In this case, the tampering was only discovered during Apple's due diligence process for Elemental Technologies, prior to acquiring the company in 2015. In the event of an attack on hardware, recalls must be issued and physical replacements must be provided, putting a severe cost burden on the companies. And this doesn’t even cover the cost incurred due to the damaged brand reputation such an attack could create. SuperMicro was slated to supply Apple with over 30,000 servers, a deal which was dissolved not long after the attack was discovered.
As a result of the immense difficulty in detection, the prevention of hardware supply chain attacks became a priority for both the Trump and Biden administrations—stealing the limelight when it comes to supply chain attacks. Most recently, President Biden ordered a supply chain review in the name of national security with the goal of preventing similar espionage cyberattacks and signed an executive order earmarking $37 billion to address a global chip supply shortage.
However, it is exactly this sharp focus and noise surrounding the hardware supply chain that leaves the software supply chain an extremely vulnerable target.
A software supply chain attack happens when an attacker is able to infiltrate your system via a third-party software supplier with access to your systems and data. While SolarWinds might be the most recent example, it’s far from the first or the last—which makes the continued focus on securing the hardware supply chain all the more concerning.
Software supply chain attacks have been in the news as early as 2013, when Target suffered a massive data breach that impacted over 60 million of its customers and leaked the credit card data of over 40 million. After an investigation, Target confirmed that the breach was traced back to network credentials stolen from a third-party vendor. In 2014, the Heartbleed bug was a buffer overflow on Apache and Nginx web servers that impacted almost two-thirds of all the servers connected to the internet. The bug existed in OpenSSL, which is an open source software library mostly used by internet servers.
SolarWinds puts new focus on software supply chain security
The SolarWinds attack, described by Microsoft President Brad Smith as “the largest and most sophisticated” software supply chain attack ever, has finally started to shift some of the focus to securing software supply chains, as well as hardware.
The software supply chain is an extremely attractive target for attackers because such attacks are highly leveraged. In the case of SolarWinds, the attackers were able to mount one attack against SolarWinds, albeit a sophisticated one, and then simply wait for each customer to download the corrupted software—18,000 customers in fact. In August 2020, a report said that software supply chain attacks had surged 430% in the previous year alone.
As supply chain attacks go, software attacks are generally easier to execute than hardware attacks. A hardware attack would require physically tampering with a device. In the case of SuperMicro, operatives for the Chinese government had to infiltrate the manufacturing process in order to install the chips on the motherboards—there’s a reason these attacks are rare, while software supply chain attacks only continue to grow.
One reason for the growth of software supply chain attacks is the increasing reliance on SaaS. Enterprises are growing more and more dependent on third-party vendors and, unfortunately, these vendors lack a global set of tools and security best practices. This means that different software vendors could be following different security requirements, which vary based on the country the software is created or sold in.
Just like a hardware supply chain attack, a software attack is also difficult to detect. When the malicious code is delivered through an update process, as in the SolarWinds attack, attackers can hide malware in the signed and trusted update, infiltrating otherwise well-secured organizations. A software supply chain attack that exploits a trusted channel in this way is also extremely difficult to detect with traditional intrusion detection systems, like virus scans or anomaly detection. Scanners work by matching signatures of known malware; when the malware is inserted into the software update process itself, as was the case with SolarWinds, the malicious code is signed and trusted along with the rest of the update, bypassing the virus scanning tools altogether.
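The failure mode described above, as an added illustration that is not part of the original post or of any Dover product: when the implant is inserted before the vendor signs the release, the customer's signature check passes and a signature-based scanner that only knows previously seen malware finds nothing, whereas a digest comparison against a build reproduced independently from the published source does flag the divergence. The vendor key, the "known malware" list, the HMAC used as a stand-in for a code-signing certificate and the artifact bytes are all constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-ins: HMAC plays the role of the vendor's code-signing key,
# and the denylist holds digests of malware a scanner has already seen.
VENDOR_SIGNING_KEY = b"constructed-vendor-release-key"
KNOWN_MALWARE_DIGESTS = {hashlib.sha256(b"known-bad-sample").hexdigest()}


def vendor_sign(artifact: bytes) -> str:
    """Vendor release step: sign whatever the build pipeline produced."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, sig: str) -> bool:
    """The customer-side check most update clients stop at."""
    return hmac.compare_digest(vendor_sign(artifact), sig)


def av_scan_flags(artifact: bytes) -> bool:
    """Signature-based scanner: recognises only digests it has seen before."""
    return hashlib.sha256(artifact).hexdigest() in KNOWN_MALWARE_DIGESTS


def reproduced_build_matches(delivered: bytes, independently_built: bytes) -> bool:
    """Defender cross-check: does the shipped binary match a build reproduced
    from the same published source, outside the vendor's pipeline?"""
    return hashlib.sha256(delivered).digest() == hashlib.sha256(independently_built).digest()


def evaluate_update(delivered: bytes, sig: str, independently_built: bytes) -> dict:
    """Run all three checks so the gap between them is visible side by side."""
    return {
        "signature_valid": signature_valid(delivered, sig),
        "av_flagged": av_scan_flags(delivered),
        "matches_reproduced_build": reproduced_build_matches(delivered, independently_built),
    }


# Constructed scenario: the build from published source, and the same build
# with an implant added *before* the vendor signs it.
CLEAN_BUILD = b"vendor-update-2.1 :: legitimate code"
TAMPERED_BUILD = CLEAN_BUILD + b" :: implant"
SIGNED_TAMPERED = vendor_sign(TAMPERED_BUILD)

if __name__ == "__main__":
    # Valid signature, nothing flagged by the scanner, reproduced build disagrees.
    print(evaluate_update(TAMPERED_BUILD, SIGNED_TAMPERED, CLEAN_BUILD))
```

Only the last check catches the implant, which is why verifying a signature is necessary but not sufficient for software received through a trusted update channel.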
All of this paints a rather bleak picture for the software supply chain. These attacks are incredibly difficult to detect, even with sophisticated intrusion detection, and our growing reliance on SaaS is expanding the attack surface every day.
Can anything be done to prevent—or at the very least mitigate—software supply chain attacks?
Limiting the impact of attacks on the software supply chain requires defense-in-depth
To protect against software supply chain attacks of this nature we can do two things. First, we can stop an attacker’s ability to initiate this type of attack, by doing everything from defending against social engineering to practicing state-of-the-art security hygiene. Second, we can limit the scope of damage of future attacks by securing the target endpoint devices or systems.
The victims of the SolarWinds attack have countless embedded systems connected to the same network, including those that control the electric grid or operate nuclear power plants. These endpoint systems need to be the next line of defense, not sitting ducks.
A true defense-in-depth strategy includes cybersecurity on multiple levels, including the network-level, as well as the device-level. Securing only your network with firewalls and intrusion detection systems is wildly insufficient, because once attackers find a way around your network defenses—which they will—any and all unsecured devices are ripe for the picking.
Dover’s CoreGuardⓇ solution can provide an important line of defense to downstream embedded systems. Working as an oversight system, CoreGuard watches the host processor of an embedded system, allowing it only to do what it was intended to do and nothing more. CoreGuard prevents the exploitation of software vulnerabilities and immunizes embedded systems against entire classes of network-based attacks, including zero-days. This means, if an attacker tried to take over an industrial control system running the electric grid via a buffer overflow, CoreGuard’s Heap micropolicy would stop it in its tracks.