There is no single universally agreed definition of what a supply chain attack is. Broadly speaking, the term has traditionally referred to the process of physically tampering with hardware-based systems in a supply chain to install malware that potentially goes undetected.
In this digital age, cybercriminals have turned their attention to the software supply chain, which is the software provided by suppliers to your organisation. These tend to be trusted applications provided by third parties. What cybercriminals have come to realise is that these third parties may have lower security thresholds than their customers.
The net effect is that if a cybercriminal were targeting a specific company, but found that its security is difficult to penetrate, they would quickly look upstream and see if they could break into the software supply chain and plant code. This could give them a backdoor into the actual company they are targeting.
“Is this really happening?”
According to a survey commissioned by CrowdStrike, not only is it happening, the number of such attempts is increasing. The survey was conducted with 1,300 IT professionals from across several countries, including Singapore. It is surprising to note that two-thirds of the respondents confirmed that they had experienced a software supply chain attack. 80% believe that this type of attack is going to become one of the biggest threats in the next few years.
The job of IT and security professionals is truly becoming daunting. We are experiencing a digital revolution in which people are more and more digitally connected across platforms. This increases the attack surface for cybercriminals to locate and target. As we digitally connect to more people, devices and systems, both outside and inside our own organisations, including the supply chain, the potential for cybercriminals to find new, undiscovered vulnerabilities grows.
By highlighting the severity of this problem, we can see that extra mitigation is required. One of the potential solutions is to implement a more stringent corporate policy specifically for third-party software installations. An example of how this can be achieved is giving the IT and security team more power and transparency to assess the security capabilities of suppliers’ systems.
In the case of the software supply chain, the challenge is further complicated by the fact that these systems and applications are not “under our own control”.
Those responsible for security need to ensure that the executives who set corporate policies are educated to understand these challenges.
In addition to corporate policies, organisations need to invest in cybersecurity software that monitors, discovers and secures the potential breaches that emanate from third-party software in the supply chain.
Companies like CrowdStrike are pioneering solutions that use behavioural analysis to identify the very complex “signs” of this kind of attack – stopping the threat based on behaviour patterns rather than looking for a specific threat signature. They combine this with practical services to assess supply chain attack readiness, helping companies implement the best practices to mitigate this growing threat.
Software supply chain attacks are an important example of why traditional approaches to security need to evolve. Not just IT professionals, but non-IT executive leaders, also need to be updated on this new wave of risks.
A well-informed executive team that understands the seriousness of the changing attack landscape is vital. Professionals who are responsible for security can’t provide the protection needed if they do not have the executive support to meet the ever-changing threat.