Trusting third-parties in order to quickly add infrastructure and/or expertise to your business has become a common and, in many cases, essential business practice. These trust relationships are usually built upon agreements that both parties will do their part in a responsible manner. While that may be the case, businesses in different verticals often have varying risk models and budgets for protecting themselves from attacks, and, as the adage goes, the chain is only as strong as the weakest link.
Earlier this year, the cybersecurity company CrowdStrike surveyed 1,300 senior IT decision makers and security professionals in the United States, Canada, United Kingdom, Mexico, Australia, Germany, Japan, and Singapore about their experience with supply chain attacks.
The results were astounding—and frightening.
Sixty-six percent of the respondents reported that they had suffered a software supply chain attack, with nearly half of those attacks occurring since July 2017. Of those, 90% incurred a financial cost as a result of their supply chain attack, 32% reported downtime, 34% said their operations had been disrupted, 28% said their attack had undermined customer trust, and 23% said they had lost customers to rivals. What’s especially disturbing is that 87% reported that they had either a full strategy in place, or some level of response pre-planned, at the time of their attack.
Even more astounding was this: Despite those numbers, the fact that the breached companies suffered an average financial damage of $1.1 million and that nearly 80% of the respondents said they believe software supply chain attacks have the potential to become one of the biggest cyber threats over the next 3 years—despite all that—only 1/3 of the respondents identified supply chain security as a top area of concern, and only 25% believed with certainty that their organizations will increase supply chain resilience in the future.
Supply chain vulnerabilities: It’s more than just third-party vendors
Supply chain attacks, also called value-chain or third-party attacks, are indirect, leveraging one-way third-party trust relationships to compromise a target somewhere downstream in the supply chain from their original attack. They are commonly associated with a ransomware or malware assault made possible by an infiltration of third-party networks that have access to the target company’s system and data. While that’s still accurate, today’s supply chain attacks have become even more sophisticated.
Over the years, supply chain attacks have evolved to include the intentional corruption of coding in third-party software applications, as well as the insertion of compromised motherboards in computer hardware that’s been intercepted before shipping.
Threat actors gain access to and compromise the code that will be served to the customers of these third-party organizations via various techniques, e.g. phishing, brute-force attacks, etc., ultimately delivering it to the intended targets via a software/plugin installation and/or update mechanism. Successfully pulling off this type of attack gives the threat actor the widest dissemination of their attack code and, thus, a greater harvest of stolen data.
Several recent—and significant—supply chain attacks, attributed to the Magecart threat group, have involved the insertion of malicious code to perform digital credit card skimming on ecommerce sites. Due to the silent, and often automatic, nature of the way third-party code libraries are delivered or updated on many ecommerce sites, site owners and consumers are often unaware when third-party code has been changed. Magecart threat actors take advantage of this reality by delivering their malicious code either through a classic supply chain attack as described above or, as seen in the Ticketmaster, British Airways, and a growing list of other targeted attacks, by exploiting website or app vulnerabilities to inject their code into an ecommerce site, replacing legitimate third-party scripts in a way that is site- or target-specific and very difficult to detect.
Bandwagon attacks and the holiday season
Supply chain attacks aren’t new, but they are the latest wave of attack campaigns supporting the notion that a “bandwagon” effect exists. As witnessed in the 2017 rise in ransomware attacks and 2018 cryptomining outbreaks, initial reports of successful attacks quickly led to a sharp spike in other occurrences as lower-level threat actors copied the successful techniques being reported and shared in underground forums, and began unleashing them on their own targets. Based on this observed trend, we believe the recent rush of reports covering Magecart attacks could trigger another outbreak of similar supply chain attacks.
Granted, the TTPs used in the Magecart supply chain attacks would be difficult to automate en masse as was observed with the aforementioned ransomware and cryptomining spikes. What is more likely is that published code from Magecart attacks will be blindly injected into vulnerable websites using automated tools with the intent to successfully collect credit card data.
Based on what we saw in the ransomware and cryptocurrency spikes, most of the attack attempts will fail for a variety of reasons. However, that is why these low-level attackers use automation. They count on the sheer volume of systems that they will scan, so that even if they only have a 1% success rate across 100,000 systems, that still means 1,000 successes for them and a healthy harvest of credit card data. That accounts for capability and intent, but as attacks go threat actors also look for the right opportunity—which is presented by the upcoming holiday season.
Marketing campaigns will be driving consumers to ecommerce sites this holiday season, meaning a higher than usual amount of credit card data being passed and processed. So, for example, if a threat actor were to launch an attack like this in February and, using the previous success rate, get 1,000 successful exploitations, they might harvest 10,000 sets of credit card data depending on how long they are able to harvest before being detected. During the holiday season, attackers might get 10 times as much. Of course, these numbers are notional, but the bottom line is, the more credit card data being transacted online the more that can be stolen, and the holiday season is peak time.
So what’s a company to do?
The following are recommendations for techniques ranked “good,” “better,” and “best” for protecting your organization from supply chain attacks. However, wherever possible, it’s best to use these recommendations in combination with one another for a layered defense.
Keep your payment page simple. Loading third-party scripts along with your payment processing page increases your risk of third-party compromise. Many third-party content providers are not focused on security. Threat actors are known to choose the softer target, and they will not hesitate to circumvent your security by compromising a third party you are trusting on your payment processing page.
Use subresource integrity for embedded scripts. On its own, it won’t protect you from all forms of third-party code injection attacks, but as a practice it raises your level of security and makes you a harder target.
As a backup measure and a step to mitigate similar attacks, a content security policy (CSP) header can be employed. This additional header for web content tells the browser that is accessing your site where resources are authorized to be downloaded from. While this won’t stop the download of scripts from compromised but trusted third parties, it does help mitigate other HTML injection attacks where the content source has been changed to an untrusted download source.
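To make the CSP point concrete, here is an added Node.js example (not from the original article) that places a weak policy beside a hardened one for a payment page and includes a deliberately simplified checker for the browser's decision on whether a script URL may load. All hostnames are constructed; the checker understands `'self'`, `'none'`, `*`, and `scheme://host` or `*.host` sources only, so it ignores ports, paths, nonces and hashes that a real policy can use.

```javascript
// Added example (not from the original article): weak vs. hardened
// Content-Security-Policy headers for a checkout page, with a simplified
// evaluator of the script-src decision. Hosts are constructed samples.

const PAGE_ORIGIN = 'https://shop.example'; // hypothetical shop origin

// Weak: scripts may load from any origin, and inline scripts are allowed,
// so an injected <script> tag pointing anywhere is executed.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline'";

// Hardened: scripts only from the page's own origin and the one payment host,
// plugins disabled, <base> pinned, and the page may not be framed.
const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'self' https://js.payment-processor.example",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'",
].join('; ');

// Parse "name src src; name src" into { name: [sources] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression permit this URL? (Simplified: no ports or paths.)
function sourceMatches(source, url) {
  if (source === '*') return /^https?:$/.test(url.protocol);
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  const m = source.match(/^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/i);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const hostname = url.hostname.toLowerCase();
  return wildcard
    ? hostname.endsWith('.' + host.toLowerCase())
    : hostname === host.toLowerCase();
}

// script-src governs script loads; default-src is the fallback when it is absent.
function scriptAllowed(header, scriptUrl) {
  const directives = parsePolicy(header);
  const sources = directives['script-src'] || directives['default-src'] || [];
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url));
}

// Three loads a defender cares about on a checkout page.
const SAMPLE_LOADS = [
  'https://shop.example/static/app.js',                      // first-party
  'https://js.payment-processor.example/checkout.js',        // trusted third party
  'https://static.cdn-unknown.example/lib.js',               // injected, unknown host
];

for (const src of SAMPLE_LOADS) {
  console.log(src, '| weak:', scriptAllowed(WEAK_CSP, src), '| hardened:', scriptAllowed(HARDENED_CSP, src));
}
```

Running it shows both halves of the paragraph's claim: under the hardened policy the unknown host is refused, which is the injection case CSP helps with, while `js.payment-processor.example` is allowed no matter what its file contains, which is exactly why a compromised-but-trusted supplier is out of CSP's reach and why the subresource integrity practice is the complement rather than an alternative.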
Outsource your payment processing to a third-party payment processor. While this involves trusting a third party, not all third parties are equal. Of course, do your homework before selecting one, but, in general, payment processors that perform this service have well-implemented security practices. While there will be additional costs involved with using an external payment processor, it also can relieve you of many stringent PCI requirements that have costs of their own to maintain.
Additionally, be sure to hold your software and website vendors to the same security standards that your company adheres to itself. Admittedly, the myriad dependencies built into today’s software applications can make this a daunting challenge. However, the code that resides within programs and portals is, perhaps, the biggest vulnerability in the supply chain paradigm.
In the aforementioned CrowdStrike survey, only 37% of respondents in the United States, United Kingdom, and Singapore said their organizations had vetted all new or existing suppliers within the past 12 months, and 71% said their organizations do not always hold external suppliers to the same security standards.
The solution? Don’t make security an afterthought
As companies continue to improve their security posture, cybercriminals find innovative ways to adapt—but there are things you can do to stay one step ahead. For starters:
- Secure all possible network entry points: Regularly patch, and disable or restrict the use of, third-party plugins or other components that hackers can compromise to gain a foothold into your applications or website.
- Employ in-depth security mechanisms, such as robust authentication and encryption frameworks, to help protect against brute-force attacks and lessen data exposure.
- Examine and continually monitor the code of third-party applications in your system—particularly those used to process payments.
- Be vigilant about examining the code associated with any changes to your website design, content, hyperlinks, or user interactions.
- Conduct regular tests to proactively identify vulnerabilities or misconfigurations.
- Continuously monitor applications and your website for red flags, such as unauthorized access or modifications and abnormal network activities.
With all this in place, it’s still important to understand that, even if you have all of the best cybersecurity tools and practices in place, clever cybercriminals can find ways to exploit the tools and services you rely on. What it comes down to is never taking anything for granted and redefining “suspicion” as a valuable security tool. It’s up to you to ensure that the code and tools your suppliers use meet the same standard for security that you expect inside your own network.
As the holiday season approaches—with its tremendous spike in online activity and purchases—there’s never been a better time to put supply chain security measures in place to protect your company and your customers from the evil elves lurking in the shadows.