Granted, there are plenty of companies that still fail pretty hard at meeting that bar. But, as companies continue to improve their security posture, cybercriminals find innovative ways to adapt. A recent report from CrowdStrike suggests that cybercriminals are increasingly circumventing defenses and finding weak links to exploit via supply chain attacks.
Some of the key findings from the report include:
- Two-thirds of the surveyed organizations experienced a software supply chain attack in the past 12 months. At the same time, 71 percent believe their organization does not always hold external suppliers to the same security standards.
- The vast majority (87 percent) of those that suffered a software supply chain attack had either a full strategy in place or some level of response pre-planned at the time of their attack.
- Only 37 percent of respondents in the US, UK and Singapore said their organization has vetted all suppliers, new or existing, in the past 12 months, and only a quarter believe with certainty that their organization will increase its supply chain resilience in the future.
- 90 percent of respondents confirmed they incurred a financial cost as a result of experiencing a software supply chain attack. The average cost of an attack was over $1.1 million.
The Appeal of Supply Chain Attacks
As security solutions continue to get better at identifying and stopping known exploits and malware, the logical response of the attacker is to hijack trusted applications. Supply chain attacks can cause massive damage and quickly spread globally as we saw with the NotPetya attack.
“Many companies trust that the applications they use have built-in security, but some software applications are developed by small vendors that aren’t necessarily using the security development lifecycle (SDLC) processes—prioritizing speed to market over security, ultimately making vulnerability remediation difficult,” explained Dan Larson, VP of Product Marketing at CrowdStrike. “If adversaries can get good applications to do bad things then they can bypass most of today’s security technology.”
Risk of Supply Chain Attacks in DevOps and Container Environments
One of the driving goals of DevOps is speed—making organizations more streamlined and agile so they can develop and deploy applications faster, typically via containers in a cloud environment. As mentioned above, the push for speed itself can lead to sacrifices in security, but DevOps and containerized apps also rely heavily on open source code to accelerate development.
Attackers recognize this trend as well, which is why we are seeing more attacks that focus on hijacking trusted applications. Traditional security tools and security best practices are focused on identifying and stopping unwanted applications, so it’s relatively easy to slip malicious code into the code of an application that organizations already trust and use.
Larson cautioned, “For example, PyPI, the Python Package Index, was targeted by an adversary who uploaded libraries targeting Python developers who incorrectly typed the name of a legitimate library (also known as ‘typosquatting’). In this case, the library code was benign, so no malicious outcomes occurred, but it highlights the risk of supply chain attacks in open source as well.”
Protecting Against Supply Chain Attacks
Most companies have a hard enough time keeping up with their own network and data security, and maintaining compliance with all of the various security frameworks out there (GDPR, HIPAA, PCI-DSS, etc.). So, what can organizations do to defend against supply chain attacks?
Larson offered this advice: “According to our survey, 71 percent of respondents believe their organization does not always hold external suppliers to the same security standards as they hold themselves. This indicates that the weak link in the software supply chain might begin with a lack of supplier security. Companies can invest in next-generation technologies that look at behavioral anomalies and can detect when a legitimate application is acting abnormally in real time. On a proactive basis, companies can assess their readiness to withstand supply chain attacks with tabletop exercises and pen testing.”
Regardless of how you choose to address the rise in supply chain attacks, the first step is simply recognizing that they exist and that they’re a growing threat. It’s important to understand that even if you have all of the best security tools and practices in place, clever cybercriminals can still find cracks in your armor by exploiting tools and services you rely on. It’s up to you to implement sufficient due diligence to ensure that the code and tools you use meet the same standard for security that you expect inside your own network.