The supply chain attack that is becoming a problem today refers mainly to embedding malware or a backdoor in the product itself, its update programs, patch modules and so on, exploiting the weak points of the software product supply chain. A legitimate software developer will not deliberately insert such features into the products it offers the public, but someone who has gained access to the supply chain, by whatever means, may do so secretly, with the original authors unaware that malicious code has piggybacked on their products.
Attackers infiltrate the software vendor's network and secretly embed malicious code in the source code held in the development environment of the target product. When a user runs the released software, unaware that the code has been tampered with, the machine is infected and further malware is downloaded through the embedded backdoor. Users are made to trust a "wolf in sheep's clothing". What makes this technique so effective is that it exploits user psychology and cleverly bypasses existing security measures: users generally have little reason to doubt the vendors whose software they use every day.
As a traditional means of targeted attack, "direct" intrusion via email attachments has long been used. In recent years, however, defensive measures have evolved too, so more elaborate "indirect" methods have come into use. The "watering hole attack", in which a legitimate website is altered so that it automatically infects the terminal of any user who visits it, is a typical example; supply chain attacks similarly alter legitimate software and cleverly intrude into the process of downloading and installing it.
So what specific measures should we take? One thing is certain: with current security technology it is extremely difficult to prevent 100% of intrusions by supply chain attacks. After all, because the malicious code is mixed into a module that has been officially signed by a legitimate publisher, existing intrusion countermeasures cannot easily detect the threat. It is therefore important to prepare a mechanism that can detect suspicious activity as early as possible, even after an intrusion has been allowed to happen. For example, if it is possible to quickly detect an attempt to download the malware proper through the backdoor, shut down that communication, or remove the malicious software that is causing it, the response is practically effective even though the supply chain attack was allowed in.
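One concrete form of "detect the download through the backdoor as early as possible" is to baseline which destinations each process normally talks to and raise an alert the first time a trusted, signed program reaches somewhere new. The following is an added example and not code from the original article; it assumes a constructed log format of `<ISO timestamp> <process image> <destination> <bytes>` and uses made-up sample lines, with the vendor hostnames and the `203.0.113.7` address being illustrative only.

```python
"""Flag outbound destinations a process has never contacted before.

Added example, not code from the original article. It assumes a
constructed log format: "<ISO timestamp> <process image> <destination> <bytes>".
"""
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not real data). Two days of normal update
# traffic, then on day three the same signed updater reaches a raw IP and
# pulls down a large payload: the "download through the backdoor" pattern.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 updater.exe updates.vendor.example 512
2024-03-01T09:00:05 updater.exe cdn.vendor.example 2048
2024-03-02T09:00:02 updater.exe updates.vendor.example 530
2024-03-02T09:00:07 updater.exe cdn.vendor.example 1980
2024-03-03T09:00:03 updater.exe updates.vendor.example 515
2024-03-03T09:01:44 updater.exe 203.0.113.7 96
2024-03-03T09:01:45 updater.exe 203.0.113.7 4194304
"""


def parse_line(line):
    """Split one log line into (timestamp, process, destination, bytes)."""
    ts, proc, dest, nbytes = line.split()
    return ts, proc, dest, int(nbytes)


def is_raw_ip(dest):
    """True when the destination is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def build_baseline(records, baseline_days):
    """Map each process to the set of destinations it contacted on baseline days."""
    baseline = defaultdict(set)
    for ts, proc, dest, _ in records:
        if ts[:10] in baseline_days:
            baseline[proc].add(dest)
    return baseline


def find_new_destinations(log_text, baseline_days):
    """Return one alert per (process, destination) pair absent from the baseline.

    baseline_days is a set of "YYYY-MM-DD" strings treated as known-good history.
    Each alert records the first sighting, whether the destination is a bare IP,
    and the total bytes transferred to it outside the baseline window.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    baseline = build_baseline(records, baseline_days)
    alerts = {}
    for ts, proc, dest, nbytes in records:
        if ts[:10] in baseline_days or dest in baseline[proc]:
            continue
        key = (proc, dest)
        if key not in alerts:
            alerts[key] = {"first_seen": ts, "process": proc, "destination": dest,
                           "raw_ip": is_raw_ip(dest), "bytes": 0}
        alerts[key]["bytes"] += nbytes
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_new_destinations(SAMPLE_LOGS, {"2024-03-01", "2024-03-02"}):
        print(alert)
```

Run against the sample, the two days of vendor traffic are treated as the baseline and only the first contact with `203.0.113.7` on day three is reported, with the combined 4 MB transfer attached; the regular update host contacted the same morning is not flagged. The alert is the trigger for the response the paragraph describes: block the destination and pull the updater image for analysis. A real deployment would feed this from proxy or EDR telemetry and would also need to handle a baseline window that itself already contains the compromised update.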
If the damage cannot be prevented, who stops it? Ultimately the end users themselves: in a large enterprise, the employees are the front line. Enabling employees to understand the complications of running a networked computer system costs money, and some companies choose instead to rely on whatever default cybersecurity awareness their employees happen to have. That invites trouble. Supply chain attacks are very difficult to mitigate because a supplier's security performance is beyond the customer's capacity to measure until it is already too late.
For those parts of the system that are more opaque, an ethical hacking process needs to be implemented. Penetration testing is not cheap, but it is definitely cheaper than becoming the victim of a malware attack, a phishing expedition or a data breach.