Supply Chain Attack

Supply chain attacks exploit trust relationships between organizations and their suppliers, often compromising many victims through a single point of entry.

Why it matters

• A single compromised dependency can affect thousands of organizations.
• Traditional perimeter security doesn't protect against trusted suppliers.
• Modern software relies on hundreds of third-party components.
• Supply chain attacks have caused some of the largest breaches in history.

Notable examples

• SolarWinds (2020): Malicious code inserted into software updates affected 18,000+ organizations including U.S. government agencies.
• Codecov (2021): Compromised bash uploader exposed secrets from thousands of CI/CD pipelines.
• Kaseya (2021): Ransomware delivered through MSP management software.
• Log4Shell (2021): Critical vulnerability in ubiquitous logging library.
• 3CX (2023): Desktop app compromised to deliver malware.

Attack vectors

• Software dependencies: Malicious packages in npm, PyPI, Maven.
• Build systems: Compromising CI/CD pipelines or build infrastructure.
• Code repositories: Injecting malicious commits or hijacking maintainer accounts.
• Hardware: Compromised firmware or implants in devices.
• Service providers: Attacking managed service providers (MSPs) or cloud vendors.

Defense strategies

• Software Composition Analysis (SCA): Scan dependencies for known vulnerabilities.
• SBOM (Software Bill of Materials): Inventory all components in your software.
• Vendor risk management: Assess security posture of suppliers.
• Code signing: Verify authenticity and integrity of software.
• Subresource Integrity (SRI): Verify third-party scripts haven't been modified.
• Zero trust: Don't implicitly trust any component, even from "trusted" sources.
• Monitoring: Detect anomalous behavior from trusted software.