We let our guard down around those that we trust. If a friend knocks on your door late at night, you’re far more likely to open it and let them in than you are a total stranger. Software is much the same. If there’s a software package that you rely on regularly, made by a trusted developer, you’re far more likely to download and install its updates than you are to download and install a totally new app from a dev you’ve never heard of before.
Cyber attackers know this. Because no-one would ever voluntarily download and install malware or some other piece of software explicitly designed to cause them harm, attackers have to find ways of tricking unsuspecting users into proverbially inviting them into their home. One of the ways they do this is through what is known as a software supply chain attack.
A supply chain attack may work like this: Attackers seek out vulnerabilities on the developer’s side, ranging from insecure network protocols to poorly protected server infrastructure, and exploit them to gain access. In some cases, they will then alter source code to, for instance, hide malware in the update and build processes of a particular tool. This tainted code is then distributed to the trusted vendor’s customers as software updates, appearing wholly legitimate because it carries the necessary certificates and code signing. When users run the updates, the malicious code — which is trusted by their systems — runs and affects every user of the application.
While there may be variations in the execution, the overall attack operates on the same premise: to target those downstream by first poisoning an upstream vendor. For those without the proper protection, such as zero trust SASE, the results can be devastating.
The rise of supply chain attacks
Supply chain attacks are particularly malicious because they take advantage of the trust we put in certain developers, who have earned it over a long period of time by providing high quality products. In the case of poisoned app updates, they also subvert the way that app updates usually work. Software updates are typically pushed out to protect against threats; this approach uses them to help spread threats.
Supply chain exploits are on the rise. Some reports peg up to half of all cyber attacks as being ones that target supply chains. There have been big recent examples of malware-oriented supply chain attacks.
Notable incidents involve SolarWinds, Kaseya, and Microsoft Exchange Server. In the first of these, SolarWinds, a U.S. company that provides network monitoring systems for big American government agencies and companies, was hacked by a nation state believed to be Russia. The hackers inserted malicious code into software used by thousands of SolarWinds customers, with those who installed it then unknowingly creating a backdoor to their own IT systems.
The Kaseya attack, meanwhile, targeted a zero-day vulnerability in the US software company’s product and used it to mount a wide-scale cyber attack on the supply chain.
In the Microsoft attack, hackers similarly discovered four zero-day exploits in Microsoft Exchange Server. Chaining these together allowed them to gain access to user passwords and emails, upgrade their privileges to administrator level, and reach devices connected to the same network. Because so many people relied on these companies, the attacks exposed thousands of potential victims.
Zero trust is here to help
Zero trust can help secure these relationships. Zero trust architecture was developed by the National Institute of Standards and Technology (NIST) as a way of rethinking cyber security and the ways that it is practiced. As its name implies, zero trust assumes that all users and all network activity — both external and internal — are a threat to security.
There’s no such thing as a security defense that will defend against any and all supply chain attacks. But zero trust architecture can be extremely effective when it comes to limiting the potential effects and impact of a supply chain attack. So long as zero trust is implemented throughout an organization — whether that’s an organization that develops software or one of the vendors that use it — this can be extremely valuable as a defense system.
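The limiting effect described above, as an added illustration that is not code from the article or from any product it mentions: a toy policy check in which a request from inside the network earns no trust by its location, and a trusted (validly signed) monitoring agent that has been backdoored, as in the update scenario earlier in the piece, is confined to the single resource it is allowed to reach. All identities, resources and requests below are constructed for the example.

```python
# Added example, not code from the article: a toy zero-trust policy check.
# Every request is judged on verified identity, device posture and an explicit
# per-resource allow-list; the source network is logged but is deliberately
# NOT an input to the decision, so "internal" earns no trust.
from collections import Counter
from dataclasses import dataclass

@dataclass
class Request:
    principal: str          # authenticated user or workload identity
    strong_auth: bool       # MFA for users, attested identity for services
    device_compliant: bool  # endpoint passed posture check (patched, EDR on)
    source: str             # "internal" or "external", logged only
    resource: str           # what is being accessed

# Constructed least-privilege policy: the monitoring agent may only talk to
# its own collector, so a backdoored agent cannot quietly reach anything else.
ALLOW = {
    "alice": {"hr-portal", "email"},
    "svc-monitoring-agent": {"metrics-collector"},
}

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); anything not explicitly allowed is denied."""
    if not req.strong_auth:
        return False, "identity not strongly verified"
    if not req.device_compliant:
        return False, "device failed posture check"
    if req.resource not in ALLOW.get(req.principal, set()):
        return False, "not authorized for resource"
    return True, "explicitly allowed"

def flag_scope_violations(requests: list[Request], threshold: int = 2) -> list[str]:
    """Detection angle: principals repeatedly denied for resources outside
    their allow-list are candidates for a compromised trusted component."""
    denials = Counter(r.principal for r in requests
                      if decide(r) == (False, "not authorized for resource"))
    return sorted(p for p, n in denials.items() if n >= threshold)

# Constructed traffic: a compromised agent pivoting from inside the network.
SAMPLE = [
    Request("alice", True, True, "external", "email"),
    Request("svc-monitoring-agent", True, True, "internal", "metrics-collector"),
    Request("svc-monitoring-agent", True, True, "internal", "domain-controller"),
    Request("svc-monitoring-agent", True, True, "internal", "hr-portal"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.principal, r.source, r.resource, decide(r))
    print("suspicious:", flag_scope_violations(SAMPLE))  # ['svc-monitoring-agent']
```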
Implementing zero trust can be done at scale using SASE. Zero trust is one part of SASE, an abbreviation of Secure Access Service Edge. SASE is designed to restrict access to all edges — including mobile users, cloud resources, and sites — in adherence to zero trust methodologies. It bundles zero trust network access alongside next-generation firewall (NGFW), and assorted other security services — plus network services like bandwidth aggregation, SD-WAN, and WAN optimization.
Enterprises that employ SASE architecture get the benefits of zero trust network access in a way that’s both easily manageable and impressively scalable. Spotting and preventing supply chain attacks is just one of the many advantages users can expect to receive.