Understanding the difference between software supply chain attacks and vulnerabilities

Indeed, cyber attackers are using the software supply chain as an initial intrusion vector across many different business sectors. The 2022 M-Trends report from intrusion specialist Mandiant shows supply chain compromise has overtaken phishing as the most used initial intrusion vector.

However, it’s important to recognise that not all software supply chain security issues are the same. IT security teams need to understand the differences and the steps that need to be taken to ensure effective protection of resources.

Attacks versus vulnerabilities

An example of a software supply chain is when a cyber criminal compromises a software provider and uses that software provider’s privileged access to then compromise their customers.

A software supply chain vulnerability, on the other hand, is an accidental security flaw in a piece of software that is incorporated into other applications, leaving them vulnerable. One example is the Log4Shell vulnerability, which was not an intentional attack, but it had an impact on thousands of organisations.

As well as exploiting such vulnerabilities, attackers have many other ways of introducing malicious code into trusted open-source packages. Dependency confusion, typosquatting, and simply adding malicious code and issuing a pull request are all methods by which attackers can abuse the open source software supply chain.

Working together

Although there is clearly a difference between supply chain attacks and vulnerabilities, it doesn’t mean they can’t be used together to mount a successful attack.

VIEW ALL

One example is the high-profile SUNBURST attack. In this instance, cyber criminals introduced their own malicious code into the SolarWinds Orion product. This code was then distributed through SolarWinds’ own update delivery channels to large numbers of customers. Another example is the Kaseya VSA attack in which the REvil ransomware group made use of an accidental vulnerability in the VSA software. This created an opening for attackers to compromise customers and distribute ransomware through the VSA software, effectively making the supply chain the attack vector.

Winning the supply chain battle

There are a number of steps that IT security teams can take to tackle the threats posed by supply chain attacks and vulnerabilities.

They include:

Constantly patch software:
In the past, security incident response and software patching have been regarded as different activities when it comes to speed and urgency. Indeed, the ExtraHop 2022 Cyber Confidence Index – Asia-Pacific found that only 31 per cent of teams are able to enact mitigations or apply a patch (where available) in under a day, with 42 per cent taking one-to-three-days, 17 per cent needing a week, and 6 per cent requiring a month or more.

However, faster software patching in response to the disclosure of a widespread vulnerability is becoming much more necessary. Take time to review your organisation’s approach to patching and ensure that all new patches are deployed as swiftly as possible.

Create and maintain a complete IT asset registry:
Any effective IT security strategy needs to be based on a comprehensive registry of all IT assets. This can help to guide the security team’s efforts in both protection and response to a cyber attack.

This need was highlighted when the Log4Shell issue was first raised. Security teams needed to rapidly determine which applications and devices in their environment were vulnerable and required patching. Without an up-to-date registry, this would be an extremely difficult task.

Use AI/ML-powered detection and response tools:
Once an organisation has in place effective intrusion protection measures, the next important step is to focus on response capabilities in case an attacker gains entry.

It is recommended that organisations develop a baseline of what constitutes “normal” activity within their infrastructure. Artificial intelligence and machine learning tools can then be used to constantly monitor for activity that occurs outside this baseline and could potentially be malicious. The tools can then alert the security team to review and act accordingly.

Supply-chain vulnerabilities and attacks are likely to continue to be of very serious concern for organisations of all sizes for a considerable period of time. By understanding the issues they create and the measures that must be taken to reduce associated risks, IT teams can be as well placed as possible to either prevent them from happening or swiftly counter them should they occur.

Rohan Langdon is the ANZ country manager at ExtraHop.