In recent years, many advancements have been made in cyber security to circumnavigate and expand the attack surface by using groundbreaking technologies like artificial investigation and machine learning. However, technology is not the only catalyst that's outperforming attack vectors. Over the past decade, it has been observed that the supply chain sector is picking up the pace to enter the world of cyber security that could be used as a threat vector for end users. You read it right, supply chain!
Attackers have elevated this game to a level where one can only imagine and ask themselves, is this even possible? The adversaries have started to target every layer of the OSI layers and capture the supply chain element of every product. So the very feature that serves the purpose is rendered dysfunctional, which is disseminating their malicious code everywhere within the network of providers. Supply chain attacks have started to create a sense of concern for security teams and experts over the past few years, primarily due to the nature and magnitude of the attack. According to a report released by ENISA - threat vectors for supply chain attacks increased by 24% in 2021, and it is expected to grow four times faster than ever before. This normalcy has escalated system downtime, monetary losses, and by default, gruesome reputational damage. One would wonder how supply chains can add value to a flock of cyber threats on earth? Well, this is a simple guess. Manufacture products loaded with malware, circuits with hidden malicious settings, software products or updates with Trojan viruses, and many more. These supply chain issues come in multiple facets, and these are only a few. However, let's discuss a few more aspects of supply chain-oriented cyberattacks to look out for.
Modification During Manufacture
This is the most prevalent attack pattern wherein the adversary modifies the product or technology during the manufacturing stage to attack at any point in the supply chain lifecycle. However, the buck doesn't stop here. Once the attacker has captured its footprint on a product during its manufacturing stage, the attacker can easily modify the software, firmware, or for that matter, any hardware design too. Although the base product may be from the primary manufacturer, the direct manufacturers jointly develop certain hardware parts or software features with other third-party manufacturers. This nature of business just got an extra edge for the attacker over the complete supply chain lifecycle. But, wait a minute, what? Does this mean that no matter which product I buy, if even one component is malicious in there, I have no control over it? Well, yes. You read that right! This nullifies your capital expenditure (CAPEX) return of interest (ROI) to a negative denominator.
This attack pattern is further classified into several other low-level attack patterns such as:
Development Alteration: In this type of attack pattern, the adversary modifies the product or technology during its development phase to accomplish a negative functioning at a later stage of the attack. These modifications usually include malicious code insertion, BIOS alteration, and even malicious code implanted during chip programming. For instance, imagine an attacker modifying a mobile chip during its developing stage, which is deployed by millions of mobile products after its worldwide distribution across the globe. As a result, the attacker can exploit three essential elements for every organization and an end-user - authorization, availability, and integrity.
Design Alteration: In this type of attack pattern, the adversary's motive is to modify the product or technology design even before it reaches the development stage to achieve a negative impact later when the design is deployed for production use. In addition, this attack vector can further build its momentum by altering its system performance, general design changes, and causing unexpected errors randomly, resulting in an exponential increase in product vulnerabilities. Although such attacks require insider information of design documents, it is not the only source because it can either be spoofed via the internet or use traditional mediums like infecting internal systems with removable devices loaded with malware.
Excavation: is defined as an event that unearths intrinsic details of someone's confidential characteristics or property intending to study it due to its high market value. The same possibility of Excavation juxtaposed with cyber security is defined as an adversary who probes and digs in information from the target in a way that is designed to solicit information that can be used and leveraged for malicious intent at a later stage. This type of attack pattern uncovers another critical element missing from the above attack patterns - Confidentiality. In this type of attack pattern, the attackers begin to explore the target via regular interactions for the sole purpose of gathering confidential information from the target or by sending bogus data over a communication channel and hoping to receive fruitful information from the target in return, unearthing helpful information from the target. Once the adversary receives useful confidential information, the attacker can understand the target system's security measures and identify potential vulnerabilities. For instance, several sophisticated proxy fuzzing tools are available in the market that can be leveraged to gain a target application's response structure by sending bogus requests and monitoring the application responses to gauge its robustness. These requests continue to trigger until the target application responds with confidential information hoping it will trust the bogus request as a legitimate one and let out private information.
Hardware Integrity Attack: In this type of attack, the adversary exploits the potential weaknesses of a system maintenance process, modifies its product, technology, or firmware during its maintenance phase, and later leverages its malicious intent to attack the products after the product is deployed. This attack pattern is classified into two child patterns: Physically Hacking Hardware and Malicious Hardware Update.
Detection and Mitigation: There are several factors that every organization contributes to supply chain risks, such as an increase in joint ventures for producing raw materials, products, and technologies, complacency in detecting and addressing cyber threats, inability to monitor sophisticated supply chain cyberattacks, and other regulatory complications that come uninvited with supply chain production measures. However, unless companies address these critical vulnerabilities with a sense of urgency, supply chain cyberattacks will continue to rise by the day. Therefore, there are a few measures that organizations can prepare themselves with to face an uncertain cyber event.
Some Important steps to follow:
Detect sensitive data from all suppliers and internal products.
Know-how and where data is stored.
Encrypt all data stored within the company infrastructure.
Regular testing of all software patches at all stages of development.
Secure all perimeters at all times.
Every company is born with a different risk tolerance matrix and nature of their business. This norm demands a customized set of framework and controls to be followed and applied within all business areas within the organization. A standard security framework called Cybersecurity Supply Chain Risk Management - NIST CSF (CSRC-NIST CSF) that can be tailored as per the organizational structure is beneficial to safeguard enterprises from supply chain risks. It is time companies act now before it's too late to control the apocalypse.