In 2018, supply chain attacks became a common occurrence in headlines covering some of the biggest data breaches to date.
Just recently, we saw major enterprises such as British Airways, Ticketmaster, and Newegg breached by the hacker group, Magecart (opens in new tab). These skimming attacks exploited the use of third-party tools on companies’ websites and enabled hackers to harvest details of over 420,000 credit cards.
- Average cost of cyberattack now exceeds $1.6 million
- Cyberattacks draining telecoms’ resources
- What most companies forget when fighting off cyberattacks
Common supply chain attack objectives
Firstly, where confidentiality is violated and a 3rd party gains unauthorized access to information. Secondly, whereby an attacker seeks to negatively affect integrity; by causing the system to malfunction which effectively makes the end user mistrust the information and the information system (this can also be if you cause the end user to do unintended things e.g. friendly fire). Thirdly, to reduce availability and you thereby make the system and information / resource unavailable when it is needed. Finally, where resources are used for illegitimate purposes. In this scenario, resources are being used for potentially harmful reasons and violating the confidentiality, integrity or availability of other resources that trust the information asset being attacked by the adversary.
Unlike typical cyber attacks, supply chain attacks provide two major advantages to attackers. First, a single supply chain attack can target multiple companies at once (since multiple companies use the same code dependencies); as such, the potential return of investment of the attack is higher. Second, and unlike common cyber attacks, supply chain attacks can remain undetected by perimeter defences, as they are often initiated by an embedded change to a component of the system which is trusted by default; then, an approved delivery mechanism such as a software update delivers the supply chain attack without arising any suspicion by network defenders.
It may seem surprising that big companies are relying on third-party tools for their own applications. However, using third-party code has become the status quo in today’s fast-paced, highly competitive digital landscape. Current statistics highlight that two-thirds of the average web application’s code come from third parties. While this bodes well for development teams to bring to market highly advanced apps in record time, it poses a major security challenge for companies.
Third-party tool providers lack enterprise-grade security
Yet, third-party code has the same permissions as all the code that companies develop in-house. This is the reason behind supply chain attacks: going after the weakest link in the software development chain to breach high profile targets. In the eyes of the attackers, individually breaching 1,000 high-profile companies is far less interesting than breaching a small company (or even an independent developer) and hacking their code - immediately infecting thousands of big companies with one single attack.
Enterprises must do better to prevent supply chain attacks. For decades, companies have directed security budgets into protecting the periphery and backend of their web assets. However, compromised third-party code remains undetected by perimeter defences and can easily go live with no detection. Attacks such as Magecart, malicious crypto miners or credential-stealing browser extensions are able to breach end-users by hijacking the client-side of applications. And yet client-side security has long been an afterthought, so most companies do not detect any breaches until several months later.
Entrusting third-party providers to meet the required security standards is not the answer either. If we go through every supply chain attack to date, we see that the magnitude of these data breaches ties in with the time that companies took to detect them. Breached companies had zero visibility over what was going on in the client-side of their own applications.
With supply chain attacks displaying signs of increasing in frequency and magnitude, it’s time for enterprises to focus on in-depth security. There must be a focus on auditing third-party code and employing real-time monitoring of the webpage. By gaining complete client-side visibility, enterprises are able to immediately detect malicious client-side injections such as Magecart. As a result, they can completely mitigate supply chain attacks, ensuring that the users’ data remains untouched.
We recently celebrated Data Protection Day. However, we should always be spreading awareness regarding the importance of ensuring that users have full rights to their personal data protection and privacy. Also, as end-users, we should always be aware of the best practices that allow us to keep our data safe. As companies, it is our duty to employ effective measures to prevent hackers from using our web assets as a vehicle to steal the users’ personal information.
Pedro Fortuna, CTO and Founder at Jscrambler (opens in new tab)
- Protect your systems from the latest cyber threats with the best antivirus