Supply chain attacks have long been recognised as one of the most effective ways for hackers to gain access to their targets. Traditionally, these attacks involve compromising a partner or supplier in the target’s ecosystem in order to gain access to the target’s network.
Today, however, cyber attacks targeting software supply chains are proving even more effective. Concerningly, cybersecurity teams have even less recourse to prevent them.
The traditional supply chain cyber attack
A well-known example occurred in 2013, when hackers gained access to the computer network of US retailer Target. The breach resulted in the theft of financial and personal information belonging to as many as 110 million Target customers. This information was then exfiltrated from Target’s network to a server in Eastern Europe.
The breach occurred when Target granted network access to a third-party HVAC company in Pennsylvania. The company, according to insiders, did not appear to follow broadly accepted information security practices. This allowed attackers to gain a foothold in Target’s network. Despite multiple alerts from anti-intrusion software, Target did not respond adequately. The attackers progressed from less sensitive to more critical parts of Target’s network. This escalation indicates that the company failed to isolate its most sensitive data.
The shape of this attack is one that became familiar to cyber security professionals in the subsequent decade: a network breach affecting a third-party supplier or partner could easily escalate into a major intrusion into an organisation’s own systems. Cyber security practices have tightened as a result. By and large, zero trust policies and other measures have cut down on the severity of third-party risk.
However, the greater concern today is an attack targeting the software supply chain.
Software supply chains are uniquely vulnerable
Rather than using a third-party network in the supply chain as a way in, a software supply chain attack embeds malicious code directly into the digital tools and applications themselves. By doing so, hackers can affect all the users of a particular application or tool. This means that a single successful attack could potentially compromise thousands of users and millions of individuals.
In 2021, 84% of security leaders said they believe software supply chain attacks could become one of the biggest cyber threats within the next three years.
This problem is being exacerbated, according to a report by Crowdstrike, by the fact that modern software is “not written from scratch,” but built piecemeal from “many off-the-shelf components, such as third-party APIs, open source code and proprietary code from software vendors.”
In 2020, the average piece of software had 203 dependencies. If a single dependency is compromised in an application, then every organisation using that app is compromised. Crowdstrike’s report notes that, if this occurs, “the number of victims can grow exponentially.” They also note that, because pieces of software are often reused throughout the enterprise, a compromised piece of software can remain dangerous beyond the original software’s lifecycle.
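To make that propagation concrete, here is an added example (not from the article or the Crowdstrike report) that computes the blast radius of one compromised component over a constructed dependency graph: the walk goes up the reverse dependency edges, so a low-level library reaches every application that pulls it in transitively. The component and application names are invented.

```python
from collections import deque

# Constructed dependency graph (not real packages): each key is a
# component, each value the components it depends on directly.
DEPENDS_ON = {
    "payroll-app":   ["web-framework", "pdf-lib"],
    "hr-portal":     ["web-framework", "auth-sdk"],
    "billing-app":   ["auth-sdk", "pdf-lib"],
    "web-framework": ["http-parser", "template-lib"],
    "auth-sdk":      ["http-parser", "crypto-lib"],
    "pdf-lib":       ["image-lib"],
    "http-parser":   [],
    "template-lib":  [],
    "crypto-lib":    [],
    "image-lib":     [],
}


def reverse_graph(depends_on):
    """Invert the graph: component -> the components that use it."""
    used_by = {name: [] for name in depends_on}
    for consumer, deps in depends_on.items():
        for dep in deps:
            used_by.setdefault(dep, []).append(consumer)
    return used_by


def blast_radius(depends_on, compromised):
    """Return {component: hops} for everything that transitively pulls in
    `compromised`, i.e. every consumer one poisoned dependency would reach.
    `hops` is the distance up the dependency tree (1 = direct consumer)."""
    used_by = reverse_graph(depends_on)
    reached = {}
    queue = deque([(compromised, 0)])
    while queue:
        node, hops = queue.popleft()
        for consumer in used_by.get(node, []):
            if consumer not in reached:  # diamonds: count each consumer once
                reached[consumer] = hops + 1
                queue.append((consumer, hops + 1))
    return reached


def affected_applications(depends_on, compromised, applications):
    """Which top-level applications are exposed, sorted by name."""
    reached = blast_radius(depends_on, compromised)
    return sorted(app for app in applications if app in reached)


if __name__ == "__main__":
    apps = ["payroll-app", "hr-portal", "billing-app"]
    for comp in ["http-parser", "image-lib"]:
        print(comp, "->", blast_radius(DEPENDS_ON, comp))
        print("  exposed apps:", affected_applications(DEPENDS_ON, comp, apps))
```

Run against a real SBOM, the same walk answers the first incident-response question after a dependency compromise: which of our applications actually ship the affected component, and through how many layers.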
Most concerningly, many organisations could be considered underprepared to mitigate the effects of a software supply chain cyber attack. Crowdstrike found that, in 2021, 59% of organisations that suffered their first software supply chain attack did not have a response strategy.