Guarding Against Software Supply Chain Breaches
How much do you trust your software? If you have a notion that most tech that exist out there are fully breach-proof and impenetrable, sorry to burst your bubble but your personal data is always vulnerable and at probable risk, no matter how improbable the security measures might have you believe.
Why do we say that though?
Let us walk through a narrative about one such instance that occurred recently with a scalable infrastructure monitoring and management platform designed specifically to simplify IT administration.
If you aren’t aware of the Orion platform breach, you are in for a ride. Solarwind, the creator of Orion is essentially a company that offers IT infrastructure management software. So, back in December 2020, it was discovered that the update mechanism had a sophisticated threat that compromised the update mechanism. The attackers injected malicious code known as Sunburst that served as a backdoor and allowed remote control of the server once this update was installed. Being proactive toward detection rationale, meant that they used multiple techniques to stay under the radar and evade detection while engaging in a series of complex activities like reconnaissance, lateral movement, and data exfiltration. The breach occurred in March 2020, but due to the stealth techniques used, but it was not discovered until December 2020. After the event, it’s been estimated around 18,000 customers had installed the trojanized updates and this allowed the attackers to gain control of lots of government and private networks.
Upon contemplating that story, the critical nature of securing the entire software supply chain is evident.
Fundamentals of Supply Chain Attacks
During the initial phases of software application development, computer scientists did not have an option but to write their code from scratch. During the 80s and 90s, the software development was not approachable and feasible for anyone and everyone interested in the field to enter, as the bar for entry was quite high. The development process was a task for scientists who understood logic, electronics, and math more so than anything else.
Over the course of time, in the development process, developers didn’t have to rewrite the code for common functionalities. With pre-written code accessible and integrable as components into different projects, libraries of code and set frameworks took over. This exponentially reduced the time it took for deployment of new applications and the software development process was redefined going forward.
Evolution of Supply Chains in Software
With new development process optimizations in the domain, this parallelly set the stage for security challenges that only become evident in the coming decades. Because of the convenience of reusable code, developers began to reliably utilize this and build on top of existing frameworks and packages. Attackers began to realize that instead of targeting a specific application, they could instead target these widely used components to affect a large array of systems simultaneously that make use of this at any level.
As much as this is true for software components, it works the same way for hardware components as well. Essentially, reliance on multiple individual building blocks linearly increases the attack vectors associated with the application. From hardware components manufactured in different parts of the world to open-source software-maintained communities everywhere, the attack membrane expands. All the attackers need to do is, just find the weakest link in the intricate supply chain to launch a full-fledged attack.
Another direct consequence of a complex network of supply chains is vulnerability detection. For instance, a compromised update from a trusted vendor would typically bypass the standard security checks. This makes identifying and isolating a threat challenging and unique.
Chain of Causation
This section aims to understand how the breach traverses through the supply chain fabric.
Infiltration
The primary step for an attacker is to find a point of infiltration. In supply chain breaches, this is usually achieved by manipulating the code in third-party software components that the application is built out of. Sometimes, the entire software development lifecycle can be compromised. Even server-based attacks are a thing. In this, the server that is used to host the SaaS is trojanized thereby taking full-fledged access to the entire application thereby compromising all the secure features.
Exploitation
Once an attacker gains access, the purpose of the exploit is performed. Be it, stealing data, corrupting the targeted system making specific features disfunctional, or even gaining access to other parts of the victim’s network through lateral movement. By using various mediums of exploitation, things like credential harvesting, source code theft, intellectual property theft, or other forms of cyber espionage are committed.
Propagation
By tainting the code libraries or components being used in a software build, trojanizing software update binaries, or compromising a SaaS server, the software is distributed downstream to the users.
Aftermath
If everything goes as planned, the impact of a successful supply chain attack is far-reaching and long-lasting. The scale of damages and the security implications are very vast. Such attacks have the potential to incur financial losses in the magnitude of ten and sometimes up to hundreds of millions of dollars.
The market size of supply chain management including the cost of dealing with supply chain breaches, was valued at approximately USD 25.7 billion in 2023. It’s estimated that this figure will reach USD 78.5 billion by 2033.
Moreover, as per Gartner Research, by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. This represents a three-fold increase from 2021. There’s also a 26% increase in the number of supply chain breaches between 2022 and 2023.
Generic Attack Modes and Vectors
Understanding generic attack modes and vectors is essential for identifying how threats exploit vulnerabilities across systems, networks, or applications.
Supply Chain Poisoning
This mode stems from a deliberate methodical compromise of critical dependencies on the software supply chain. The exploit strategy is based on the premise that most of the enterprise application code bases, a staggering percentage of 87% to 95%, depend on open-source components.
Infiltration via Build Environment
Build environments are foundational for software creation and deployment. However, hackers can exploit inherent framework traits like weak permissions or unpatched systems and alter configuration files, inject malicious scripts, or use compromised accounts to gain access. The very processes used to build secure applications are used by attackers to manipulate the entire software development system. Build pipelines and are targeted to gain access to run and execute tainted code. Once inside, attackers can manipulate the build process to include malicious code that often goes undetected.
Dependency Confusion
A security vulnerability discovery introduced a new process for the worse. When a white hat researcher Alex Birsan used a unique approach to get his targets to automatically install his code, many copycat actors started deploying the same means. To create chaos, the hacker first determines the internal code configuration and lists out the dependencies. Then, an essential component is picked and a hacked version under the same name is uploaded to the common repositories used by devs.
Supply Chains Work on Trust
Organizations must trust their vendors and the products they deliver. That's just how it is.
Did you know that the Boeing 737 Max crash occurred due to a faulty sensor whose data was integrated into the flight control system?
Because of one faulty sensor, specifically, the Angle of Attack (AOA) sensor, wrong data was perpetuated across all other systems that depended on this data for their functioning. The result was a catastrophic failure. Albeit not on purpose, this flaw victimized hundreds of lives.
Even though the European Union Aviation Safety Agency (EASA) concurred with Boeing on this matter priorly, the incident couldn't be avoided.
Just like how the failure of one sensor input malfunctioned the biggest passenger jet, a single breach in the software supply chain comprises an entire ecosystem of interconnected systems and services. When a trusted component is corrupted be it through a compromised update, a backdoor in a widely used library, or a malicious insider, the integrity of every system relying on that component is at risk of exploitation.
And the ripple of consequences? from loss of sensitive data, and financial theft, to even endangering national security when government systems are affected.
The threat is real.
The Bottomline
When the government procedures set in place aren't enough for optimal security assurances, we are dealing with threats that require companies to constantly stay on high alert. With most companies' the primary focus being on growth, revenue, and product development, code security aspects might take the back seat. However, upon contemplating the specific issues and processes that bad actors are targeting, it's evident that code audits from a cybersecurity point of view cannot be something that's optional. In fact, these measures have to be integrated into the software development lifecycle. Of course, expecting a new developer who does not possess experience with age-old industry standard protocols and frameworks set in place is like letting a kid who reads a blog on Boeing 737 Max engine reconfiguration developments to pilot a fully occupied flight. It's just unrealistic!
That's where we come in. While you build and scale your enterprise's software and engage in product development and feature iterations, Lineaje will stay vigilant, assess and review, suggest, and provide real-time information from a cybersecurity standpoint. We want all the code to be free from vulnerabilities and that's our mission. While elaborating on the consequences of using a specific package dependency to stakeholders might be useless for meaningful and rapid security optimization, we offer a full-fledged collaborative solution that encompasses every approach that's right for secure codebase creation and maintenance.