NEW

2024 True Cost of a Security Breach

Arrow pointing right
ExtraHop Logo
  • Productschevron right
  • Solutionschevron right
  • Why ExtraHopchevron right
  • Blogchevron right
  • Resourceschevron right

Supply Chain Attacks: Definition, Examples, and History

Risk Factors

Likelihood

Complexity

Business Impact

What is a Supply Chain Attack?

A supply chain attack is a way to compromise an organization by manipulating a software or hardware product being used by the target organization, but which is produced and maintained by a trusted third party.

A threat actor could inject malicious code into an open-source library, add a chip into a device, or even create a fake version of an application and have it shipped to millions of unsuspecting users—all through trusted channels.

Indeed, attacks involving open-source software have risen 650% year on year, making it the most dominant type of software supply chain attack. This is not surprising considering the fact that 97% (n=2,409) of commercial applications contain open-source code, with 88% of them containing at least one known open-source vulnerability.

In 2021, the average supply chain attack cost large enterprises more than $2 million and small businesses $210,000.

The potent combination of a large blast radius, wide attack surface, and the lack of a reliable deterrent makes supply chain attacks one of the most advanced threats faced by organizations today, on par with zero-day attacks and advanced persistent threats (APT).

Types of Supply Chain Attacks

Hardware Supply Chain Attack

Adversaries may alter hardware or firmware components in products such as servers and network infrastructure to gain backdoor access. Because this type of attack leverages hardware, it is almost impossible to detect in the early stages.


Software Dependencies and Development Tools

An attacker infiltrates open-source software or development tools used by multiple organizations. This type of attack adds additional complexity for mitigators as the malicious code is introduced far upstream of them. Should a vulnerability be discovered and exploited, an end user, whether it's an enterprise or an individual, relies on both the device manufacturer and the original open-source supplier to release patches for vulnerable software.


Software Supply Chain

An attacker manipulates software prior to deployment to gain system access in a target environment. This is the most well-documented method of supply chain compromise in the MITRE ATT&CK framework, and can be mitigated by monitoring for vulnerabilities, applying patches when available, and monitoring asset and user behavior inside the environment for suspicious signals even before a vulnerability has been disclosed.

Protection Against Supply Chain Attacks

With supply chain attacks, it's all about minimizing risk. So, go in with the assumption that your systems will be breached and develop your defenses accordingly to prevent, mitigate—and recover—from an attack.

The challenge in preventing a supply chain attack is that applications and services often require significant access and communication privileges to function, so blocking them may not be an option. Still, some steps can be taken to improve your security posture.

First, identify your most critical business processes and the systems on which they depend on. Your goal here is to ensure business continuity should a vendor or system get compromised. Eliminate vendors with weak security practices and reassign system access based on the principle of least privilege.

Second, if your organization develops software, minimize your dependencies on untrusted tools or libraries as much as possible. Adopt DevSecOps practices to integrate security into the development and design process from day one.

Third, use a network detection and response (NDR) tool to monitor your network for suspicious activity. While an application might be able to sneak past perimeter defenses, its core activities, such as communicating with a command and control (C2) server, will always stand out. A powerful NDR tool should be able to detect these patterns with ease using advanced technologies such as behavioral analytics as well as packet-level forensics and decryption.

History of Supply Chain Attacks

In 1984, computer science pioneer and co-inventor of Unix Ken Thompson declared, "No amount of source-level verification or scrutiny will protect you from using untrusted code," after demonstrating that compilers could be used to create legitimate malware.

Little did he know that it would be more than 30 years before this flavor of supply chain attack (software dependency) would dominate the cyberthreat landscape.

Like many other techniques, supply chain attacks saw little development in the '90s and '00s, only to flourish in the '10s alongside the proliferation of the internet. It was only in 2012 that the National Institute of Standards and Technology (NIST) released guidance on supply chain risk management, and 2015 when the European Union Agency for Network and Information Security (ENISA) published its own overview of ICT supply chain risks in August 2015.

Things really took off in 2017 with a 200% jump year-over-year in supply chain attacks, followed by another 300% increase in 2021 over the year before.

Notably, attacks against open source software saw the most growth in 2021, with a massive 650% rise year-on-year over other supply chain attack types. They're spreading faster, too. For example, it took only 34 days since the publication of the researcher's post on Dependency Confusion before more than 10,000 copycat packages were detected in the wild.

Supply chain attacks show no sign of slowing down. The increasing reliance on third-party libraries coupled with the collaborative nature of open source projects makes supply chain attacks an irresistible target for threat actors who want an easy way into some of the most guarded networks in the world.