Recent high profile attacks have compromised the IT supply chain; targeting ubiquitous pieces of software to attack companies using said software. This creates a widespread opportunity for hackers, between the exploit’s creation, detection and remediation (patching) of such IT supply chain exploits.
In this post, we separate the IT or software supply chain from the traditional supply chain - as both are targeted separately, and there are different means to mitigate such risks. We recap an example of IT supply chain attacks, Solarwinds Solarigate, and how we expect additional consequences of the attack to surface in 2021 and others like it to be uncovered; Finally, we describe why securing your IT supply chain is critical, listing specific steps you can take to secure your organization from such attacks.
If you were searching for traditional supply chain attacks, check out our white paper “Manufacturing, Cybersecurity and the New Normal.” Otherwise, read on.
Traditional supply chain vs IT/software supply chain
News media and other cybersecurity experts have labeled attacks on software infrastructure (like solarwinds) “supply chain attacks.” In order to avoid confounding this concept with traditional attacks on associated businesses that make up the supply chain (for manufacturers, for example), we called them “IT supply chain attacks.” IT supply chain attacks target components found within numerous environments, be it software, code used across multiple pieces of software, firmware, or even hardware. Supply chain attacks, on the other hand, are compromises of environments of companies that supply your business, and may have direct or indirect connections to your own environment, which can be used as stepping stones to compromise your business.
The paramount example of an IT supply chain attack is Solarwinds Solarigate. It has been covered in depth elsewhere, but the notable headlines are that: this single attack may have compromised as many as 18,000 organizations; it went undetected for several months; the resulting consequences impacted numerous high-profile organizations from government to enterprise security companies that were using Solarwinds in their environments. Read more on the Solarwinds compromise here.
Why securing your IT supply chain is crucial
IT environments have long consisted of a variety of platforms, software and systems from a range of vendors. The external IT pieces provided by third-party suppliers have grown more interconnected and vulnerable to attack than ever before. IT now depends more and more on software as a service (SaaS) rather than homegrown software.
Software now tends to be composed of a patchwork of different readymade componentry and APIs, both closed and open source. Average enterprise software today contains 203 different third-party code dependencies.
The inclusion of such externally derived elements opens organizations to risk. These suppliers of the building blocks of the modern IT environment offer potential threat avenues of exposure to hackers, opening their products to compromises like SolarWinds Orion.
Given the prevalence of the software being targeted in these attacks, it’s more about securing your environment from supply chain attacks, rather than securing the supply chain itself. As attacks against these building blocks increasingly become a key part of threat actors’ playbook, taking proper steps to secure the enterprise’s IT supply chain is crucial to maintaining an effective cybersecurity program. Note, this doesn’t mean “reacting to every headline-inducing supply chain attack” (read our blog “Are You Responding to Script Lines, or Headlines?” for more there) but instead taking proactive measures to reduce the risk of them compromising your organization.
Ultimately, IT leaders need to be aware of these indirect risks to their organizations. This awareness is crucial to security operations, as environments now include dozens if not hundreds of other software. We anticipate that IT supply chain based attacks (like that on Solarwinds) will continue to increase throughout 2021 and beyond. To expect to prevent these attacks entirely may be ambitious, but certainly detecting them early and responding to them to minimize operational impact will be critical.
Even now, convinced of the importance of securing the IT supply chain, technology leaders may still feel like their hands are tied: they can’t implement security measures on behalf of providers within their environment, nor can they assume a level of security from those providers that sufficiently limits the risk of an attack like Solarwinds Solarigate. To learn more about the action available to mitigate this risk, read our white paper “Six Steps to Secure Your IT Supply Chain” where we offer concrete ways to address the elements within your control to reduce both the likelihood of suffering an IT supply chain-based attack, and the operational impact from one.