The European Union Agency for Cybersecurity (ENISA) has analyzed 24 recent software supply chain attacks and concluded that strong security protection is no longer enough.
Recent supply chain attacks in its analysis include those through SolarWinds Orion software, email security provider Mimecast, developer tool Codecov, and enterprise IT management firm Kaseya.
ENISA focuses on Advanced Persistent Threat (APT) supply chain attacks and notes that while the code, exploits and malware were not considered “advanced”, the planning, staging, and execution were complex tasks. It notes that 11 of the supply chain attacks were conducted by known APT groups.
“These distinctions are crucial to understand that an organization could be vulnerable to a supply chain attack even when its own defences are quite good and therefore the attackers are trying to explore new potential highways to infiltrate them by moving to their suppliers and making a target out of them,” ENISA notes in the report.
The agency expects supply chain attacks to get a lot worse: “This is why novel protective measures to prevent and respond to potential supply chain attacks in the future while mitigating their impact need to be introduced urgently,” it said.
ENISA’s analysis found that attackers focused on the suppliers’ code in about 66% of reported incidents. The same proportion of vendors were not aware of the attack before it was disclosed.
“This shows that organisations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated,” ENISA said, although this is something easier said than done.
As the Linux Foundation highlighted in the wake of the SolarWinds disclosure, even reviewing source code – for both open source and unaudited proprietary software – probably wouldn’t have prevented that attack.
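The "validate third-party code and software before using them" advice above, and the caveat that follows it, are easier to reason about with a concrete check in hand. The following Python is an added illustration written for this page, not code from ENISA, the Linux Foundation or any vendor mentioned; it uses only the standard library, and every artifact name, payload and builder name in it is constructed for the example. The first function pins digests of artifacts that were reviewed once; the second refuses any later fetch that does not match the pin; the third shows why a pin alone would not have caught a SolarWinds-style compromise, by requiring independent rebuilds of the same source to agree before a digest is trusted.

```python
import hashlib
import hmac
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def pin_artifacts(vetted: dict) -> dict:
    """Build a pinned-digest manifest from artifacts that were reviewed once.

    `vetted` maps artifact name -> bytes the organisation inspected and accepted.
    The manifest is what gets committed next to the build configuration.
    """
    return {name: {"sha256": sha256_hex(data)} for name, data in vetted.items()}


def verify_artifact(manifest: dict, name: str, data: bytes) -> bool:
    """Return True only if `name` is pinned and `data` matches the pinned digest.

    Unknown artifacts are refused: anything missing from the manifest was never
    vetted. compare_digest avoids leaking how much of the digest matched.
    """
    entry = manifest.get(name)
    if entry is None:
        return False
    return hmac.compare_digest(sha256_hex(data), entry["sha256"])


def agreed_digest(digests_by_builder: dict, min_builders: int = 2):
    """Return the digest every independent builder produced, or None.

    A pinned digest only proves an artifact matches what the supplier
    published; it cannot separate a clean build from a backdoored one if the
    supplier's build system was compromised before the digest was published.
    Requiring at least `min_builders` independent rebuilds of the same tagged
    source to agree exactly (reproducible builds) does catch that case.
    """
    if len(digests_by_builder) < min_builders:
        return None
    counts = Counter(digests_by_builder.values())
    if len(counts) != 1:
        return None  # at least one builder disagrees: trust none of the outputs
    return next(iter(counts))


# Constructed sample data for this example (not real artifacts or digests).
VETTED = {
    "agent-2.3.1.zip": b"clean agent release 2.3.1",
    "libparse-1.4.7.tar.gz": b"clean libparse 1.4.7",
}
MANIFEST = pin_artifacts(VETTED)

# Two later fetches of the same artifact: one intact, one altered in transit.
INTACT = VETTED["agent-2.3.1.zip"]
ALTERED = VETTED["agent-2.3.1.zip"] + b"\x00injected"

# Three builders compiling the same tagged source. The vendor's own CI output
# differs from both independent rebuilders, which is what a build pipeline
# modified behind the source tree looks like from the outside.
REBUILDS = {
    "vendor-ci": sha256_hex(b"clean agent release 2.3.1 + backdoor"),
    "rebuilder-a": sha256_hex(b"clean agent release 2.3.1"),
    "rebuilder-b": sha256_hex(b"clean agent release 2.3.1"),
}

if __name__ == "__main__":
    print("intact fetch accepted:", verify_artifact(MANIFEST, "agent-2.3.1.zip", INTACT))
    print("altered fetch accepted:", verify_artifact(MANIFEST, "agent-2.3.1.zip", ALTERED))
    print("unpinned artifact accepted:", verify_artifact(MANIFEST, "extra.zip", b""))
    print("rebuilds agree on:", agreed_digest(REBUILDS))
```

The pinned-digest check covers the 66% of incidents that targeted supplier code only insofar as the tampering happened after the digest was pinned (a mirror, a download path, a swapped installer). In the SolarWinds case the vendor published valid signatures and hashes for the backdoored build, so the pin would have matched; only an independent rebuild that disagreed with the vendor's output, as in the `REBUILDS` scenario, would have flagged it.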
ENISA is calling for coordinated action at an EU level and has outlined nine recommendations that customers and vendors should take.
Recommendations for customers include:
- identifying and documenting suppliers and service providers;
- defining risk criteria for different types of suppliers and services such as supplier and customer dependencies, critical software dependencies, single points of failure;
- monitoring supply chain risks and threats;
- managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components;
- classifying assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.
ENISA recommends suppliers:
- ensure that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices;
- implement a product development, maintenance and support process that is consistent with commonly accepted product development processes;
- monitor security vulnerabilities reported by internal and external sources, including third-party components;
- maintain an inventory of assets that includes patch-relevant information.
The SolarWinds attack for example rattled Microsoft, whose president Brad Smith said it was the “largest and most sophisticated attack the world has ever seen” and that it probably took 1,000 engineers to pull off. Alleged Russian intelligence hackers compromised SolarWinds’ software build system for Orion to plant a backdoor that was distributed as a software update to several US cybersecurity firms and multiple federal agencies.
The US Department of Justice (DoJ) revealed last week that 27 districts’ Microsoft Office 365 email systems were compromised for at least six months beginning in May 2020.
The rise of state-sponsored supply chain attacks and criminal ransomware attacks that combine supply chain attacks, such as the Kaseya incident, has shifted the focus of discussions between the US and Russia.
US president Joe Biden last week said a major cyberattack would be the likely cause of the US entering a “real shooting war” with another superpower.