Everyone thinks they understand malware. Malware is the malicious code that hackers and phishers get onto your system that corrupts, encrypts, destroys, or otherwise incapacitates your data, your systems, or your business, right?
Right. That hasn’t changed, though the kinds of things the code is being asked to do are growing more and more diverse. What is changing is the way that threat actors are getting their malware into your systems.
Traditionally, malware attacks have been exactly that – attacks sent directly from the threat actors to your systems, aimed at infiltrating them through some act of permission, from a hastily clicked web link to an inserted USB drive. So far, so standard.
Supply chain attacks are bigger, more random, and much more effective than standard malware attacks. They don’t attack your systems in particular. They infect some element much further up the supply chain – hardware, software, the code in a popular app you buy or download. Something which neither you as the user nor the good-faith supplier has any reason to presuppose is infected.
Then, when the infected elements are used – when the app is downloaded, the hardware plugged in, the software installed – the malware is spread into every system that uses the infected element of the supply chain.
Think about this. If someone wanted to poison your morning OJ, they’d have to con their way into your house (system) at just the right time, distract you (make you click a link, for instance), add the poison to your glass or the carton (transfer the malware from the link to your system), and leave before you got suspicious. That’s a standard malware attack.
If someone didn’t care about you particularly, but wanted to poison a lot of OJ, they could contaminate a whole batch at the processing plant (higher up the supply chain). It would still be contaminated in supermarket chiller cabinets (without the supermarket knowing), it would still be contaminated in your refrigerator (without you knowing), and when you poured it down your throat, it would do its job and kill you – just as the rest of the batch was killing lots of other people around the neighborhood.
That’s the real-world analog of a supply chain attack.
Thankfully, no one’s trying to poison your OJ. But stealing cryptocurrency, stealing passwords, stealing credit card details, using the same technique, where poison equals malicious code – that’s the supply chain attacker’s big payday.
There are different ways supply chain attacks can be implemented.
Supply chain attacks are particularly easy to effect through third-party or open source code and apps. And they’re evolving, increasingly going further up the chain and attacking the open source elements that feed the global supply chain. The more that’s infected, the bigger the threat actor’s payday can become.
So, what can you do? How do you make sure you’re not using some perfectly innocent-looking software or hardware that’s been corrupted with the intention of robbing you or your customers blind?
Just as the emergence of a new health threat with Covid demanded a new level of vigilance, beating supply chain attacks requires adopting some necessary “new normals” of your own.