Though not the first of its kind, the recently overwhelming success of the SolarWinds breach has proven how rewarding a supply chain attack can be, setting the stage for adversaries worldwide. The most valuable targets will be those that provide maximum access to systems and data across a wide array of organizations.
Open Source
Its almost impossible to find any organization today that doesn't use open source software in some capacity. Almost every commercial product, including every distribution of Linux, every mobile device, and even Microsoft Windows, is either built on or built with some open source components, modules, or libraries.
Open source relies on contributions from the public, making it possible to introduce malicious code in a variety of ways that can end up with catastrophic results if left undetected.
Identity Providers
Incredibly obvious but overwhelmingly unprotected, identity providers make for an unmistakably rewarding target. A compromised IdP such as those used for federated access and SAML/SSO can allow an attacker to bypass other authentication mechanisms, including MFA and hardware cryptographic tokens that drive the FIDO U2F protocol.
Remote Access Systems
The Covid-19 pandemic has sent an entire generation of workforce home, leading to rapid growth and deployment of remote access systems. Malicious code in VPN, VDI and other remote access solutions would provide attackers with the ability to eavesdrop on communications and to access internal networks. When injected directly in hardware/firmware, the attack becomes even more difficult to detect and remediate. Additionally, attacks on video conferencing and collaboration tools can provide easy means for government or corporate espionage.
Cloud Service Providers
The cloud may already come with its own special set of vulnerabilities, and volumes have already been written about cloud security. Still, it would be remiss not mention in the context of supply chain attacks. CSPs provide their own OS images, PKI infrastructure, authentication systems, and internal networks all of which are often taken for granted to be secure and reliable. This makes cloud providers a high value target for any adversary wishing to propagate a widespread attack.
Mitigation Tips
Supply chain attacks are particularly difficult to prevent and detect. By definition, the systems are under external control and always appear to be legitimate.
- Proper supply chain risk management requires appropriate due diligence and thoroughly vetting partners. Remember that the supply chain extends to each supplier's own suppliers and so on.
- Maintain a continuous monitoring and cyber intelligence program that can identify and respond to cyber threats and vulnerabilities impacting supply chain vendors.
- As always, approach cybersecurity with multiple layers and a defense-in-depth architecture. This is the only viable way to thwart the many different attack vectors that are introduced in the supply chain.