Cyber risks in the software supply chain


Log4Shell and SolarWinds are typical examples of attacks on companies through their software supply chain. What characterises them is that the cybercriminals do not gain direct access to the target company, but enter through a back door. A comment from Trend Micro.

If you look back at some recent attacks (especially SolarWinds and Log4Shell), you will notice that they are increasingly played indirectly, off the cushion. This means that the attackers no longer attack target companies directly, but via their (software) supply chain. Whether victims are compromised via tampered SolarWinds updates or via the Log4Shell vulnerability, in both cases the software supply chain is also the chain of infection.

Supply chain infections

This makes the issue of supply chain integrity ever more pressing. It primarily means asking: Do I know all the suppliers and service providers in my supply chain? And not only the direct ones, but also the transitive dependencies! Is the entire supply chain documented in such a way that, when a vulnerability is found in a library in use, you can say immediately whether your own software is affected, be it because you use the library directly or because one of your transitive dependencies does?
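The question above, whether a vulnerable library reaches your software directly or through a transitive dependency, is exactly what a documented dependency graph answers. The following is an added example, not code from the original post or from Trend Micro: it walks a constructed, CycloneDX-style dependency list (component names other than log4j-core are made up) and returns every path from the application to the named library.

```python
from collections import deque

# Constructed sample in the shape of a CycloneDX "components" /
# "dependencies" pair (ref -> dependsOn). All names are made up except
# log4j-core, the library behind Log4Shell; versions are illustrative.
SAMPLE_BOM = {
    "components": [
        {"bom-ref": "app", "name": "billing-service", "version": "2.3.0"},
        {"bom-ref": "lib:web", "name": "web-framework", "version": "5.1"},
        {"bom-ref": "lib:report", "name": "report-engine", "version": "1.4"},
        {"bom-ref": "lib:logging", "name": "logging-facade", "version": "1.7"},
        {"bom-ref": "lib:log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "lib:json", "name": "json-parser", "version": "3.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib:web", "lib:report", "lib:json"]},
        {"ref": "lib:web", "dependsOn": ["lib:logging"]},
        {"ref": "lib:report", "dependsOn": ["lib:logging"]},
        {"ref": "lib:logging", "dependsOn": ["lib:log4j"]},
        {"ref": "lib:log4j", "dependsOn": []},
        {"ref": "lib:json", "dependsOn": []},
    ],
}


def dependency_paths(bom, root_ref, target_name):
    """Return every path (as a list of component names) from root_ref to a
    component named target_name, direct or transitive. Breadth-first, so
    the shortest paths come first; an empty list means 'not affected'."""
    names = {c["bom-ref"]: c["name"] for c in bom["components"]}
    edges = {d["ref"]: d["dependsOn"] for d in bom["dependencies"]}
    paths = []
    queue = deque([[root_ref]])
    while queue:
        path = queue.popleft()
        for child in edges.get(path[-1], []):
            if child in path:  # guard against cyclic dependency graphs
                continue
            new_path = path + [child]
            if names.get(child) == target_name:
                paths.append([names[ref] for ref in new_path])
            else:
                queue.append(new_path)
    return paths


def is_affected(bom, root_ref, target_name):
    """True if target_name is anywhere in the application's dependency tree."""
    return bool(dependency_paths(bom, root_ref, target_name))
```

In the sample, log4j-core is never a direct dependency of the application; the paths show it arriving twice through logging-facade, which is the information needed to decide where to patch or pin.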

The "integrity of the supply chain" quickly comes into focus, especially during security incidents. In such cases, efforts are made to limit the damage as quickly as possible, and depending on the environment there are various technical means for this: (virtual) patches, updates of software dependencies, SLAs with service providers and much more. Unfortunately, as is so often the case, interest quickly wanes once the acute pain is gone and the worst is over.

Managing the supply chain efficiently

It should be clear to everyone that the integrity of the supply chain is not something to be patched up each time with a technical "band-aid". Rather, it is about establishing appropriate processes (and technical procedures) that help you manage the integrity of your own supply chain efficiently. This usually results in a smaller attack surface and, at the very least, a better data basis that reduces manual investigation in the event of a security incident.

Unfortunately, establishing processes to maintain the integrity of one's software supply chain is often tedious, especially since it involves not only technical protection aspects but also a human and administrative component. In addition, compared with technical IT security, knowledge and specialist staff in this area are scarce.

Tips from the US Department of Commerce

A new version of the NIST Special Publication SP800-161r1 ("Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations") has been released. It contains a comprehensive introduction to the background, the parties involved and the implementation of secure software supply chains. The procedures and example scenarios documented in it provide excellent insight into the implementation, but also into the advantages, of secure software supply chains.

This makes the NIST publication a very valuable resource for anyone looking to improve the integrity of their software supply chain. And that should matter to everyone! Experience shows that attackers focus on attack models that work, and supply chain attacks have clearly proven to work. Therefore, one should deal with the protection and documentation of the supply chain now, because by the time of the next incident it is too late: one is so busy with the defence that processes play no role anyway, and the dilemma starts all over again.

More at TrendMicro.com

 

