If you were a hacker, how would you set about wreaking the most havoc possible?
Mass phishing? Targeting critical infrastructure? Perhaps. Or maybe you’d choose attacking a software supply chain: if thousands of companies bought software from a single vendor, then a hit on that vendor attacks all of its customers simultaneously.
This is, of course, the story of the SolarWinds hack of 2020. Attackers deployed malicious code into the company’s Orion IT monitoring and management software to attack thousands of its customer enterprises and government agencies worldwide. It made for arguably the biggest cyberattack in history.
Its success may be down to trust: too many businesses trust their vendors have security covered, so don’t protect against potential attack. An ISACA survey shows more than half of respondents don’t perform vulnerability scanning or penetration testing on their providers, and 39 percent don’t have an incident response plan set up with suppliers in case of a cyberattack. Also, a Gartner survey finds 60 percent of executives admit their supply chains are designed for cost-efficiency, not resiliency.
It would make sense if companies weren’t being attacked. But new BlackBerry research found four in five IT decision makers have been notified of an attack or vulnerability in their supply chain in the last 12 months.
It proves we can’t afford to be so relaxed. Security must go far beyond vendor trust. Here’s how:
Why supply chain attacks are so fatal
Software supply chain attacks are among the most destructive strategies used by cybercriminals today.
Six in ten (59%) companies that have suffered a supply chain attack reported significant operational disruption, according to BlackBerry research; 58 percent reported data loss, and 52 percent reported reputational impact. Nine in ten organizations (90%) took up to a month to recover. Time is money – so being hit by a software supply chain attack is a costly experience no matter how you look at it.
Why do these attacks cause so much destruction? It’s because much of the software created and sold today is based on open-source code, which can easily be compromised due to its public availability. Vendors should, of course, check it – and research shows that IT teams believe they do. Many are confident that their supply chain partners have policies in place of at least comparable strength to their own.
But amid a chronic cybersecurity skills gap in the US and abroad, can a buyer guarantee this due diligence has been done? And can they spend time and resources checking each piece of code they purchase? Perhaps not. It’s no wonder software supply chain attacks are so successful.
Securing a software supply chain against attacks takes knowing what elements in your system have the potential to be attacked. More than three-quarters (77%) of those BlackBerry surveyed said that, in the last 12 months, they discovered previously unknown participants within their software supply chain — entities they had not been monitoring for adherence to critical security standards. That’s even when these companies were already rigorously using data-encryption, Identity Access Management (IAM), and Secure Privileged Access Management (PAM) frameworks. As a result, malicious lines of code can sit in blind spots for years, ready to be exploited when the attacker chooses.
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) recently issued a recommended practices guide for customers on securing the software supply chain. These conversations are the preface to an active cybersecurity stance that helps businesses protect themselves, separate to their partners, vendors, and suppliers. No company is an island – but it’s certainly a useful attitude to have to prevent software supply chain attacks.
What can be done to prevent software supply chain attacks?
Awareness is the start, but action is the key to stopping software supply chain attacks, and preventing the knock-on reputational, cost, and time damages your staff and customers will feel.
Businesses need a complete, granular view of all potential network and endpoint vulnerabilities in order to predict, prevent, discover, and respond to attacks – whether direct attacks upon a business, or those coming through the software supply chain. An Extended Detection and Response (XDR) tool is a wise option to enable this. By collecting and analyzing data from multiple sources, XDR gives the visibility and proactive action to prevent attacks that organizations need – 24/7, 365 days a year. However, new data shows that more than three-in-four IT and cyber decision-makers currently report a lack of holistic visibility into their security posture. Change needs to take place: in the current, heightened threat landscape, a prevention-first approach to all attacks, regardless of their origin, is vital.
In an industry struggling with a cyber skills shortage, the message to double down defenses may sound like an impossible task. But, in the event of a cyberattack, technology like XDR – and particularly when it comes as a managed service – can significantly speed up response and remediation, meaning security teams can focus on critical roles such as activating Critical Event Management systems.
Indeed, BlackBerry found that 63 percent of IT leaders would like a consolidated event management system for contacting internal security stakeholders and external partners – a critical element in reducing the impact of a potentially devastating supply chain attack. However, less than one in five (19%) have this kind of communications system in place. Equally, cyber teams need to work closely with outsourced Incident Response teams if attacks strike. Closer, quicker collaboration tends to secure a far better result.
Finally, advocating for support of new legislation to prevent open-source software from attack is certainly a significant action. Nearly three-quarters (72%) of respondents in BlackBerry’s survey said they wanted greater governmental oversight of open-source software, and 71 percent would welcome tools to improve inventory of software libraries within their supply chain and provide greater visibility to software impacted by a vulnerability. But what’s clear is that this is only a fraction of the answer for individual businesses: protecting themselves should be strategy number one.
Trust in yourself – but don’t shy away from support
The threat of cyberattacks through the software supply chain remains imminent. As such, businesses must be planning their prevention and response strategies now.
It’s true that businesses should put their trust in themselves to keep their software safe from hacks – but there’s also no need to become overburdened. Solutions based on the AI technology, backed by professional support on call 24×7 can re-establish confidence in a secure software supply chain.
After all, who would you rather be? One of thousands of companies all hacked at once, or the company that stands its ground with a prevention-first approach in the face of highly sophisticated attacks?