{"id":20411,"date":"2021-12-23T18:39:53","date_gmt":"2021-12-23T18:39:53","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=20411"},"modified":"2021-12-23T18:42:34","modified_gmt":"2021-12-23T18:42:34","slug":"supply-chain-attacks-will-peak-in-2022","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/applications\/supply-chain-attacks-will-peak-in-2022\/","title":{"rendered":"SolarWinds-Like Supply Chain Attacks will Peak in 2022, Apiiro Security Chief Predicts"},"content":{"rendered":"

Cyberthreats against software supply chains moved to the forefront of cybersecurity concerns a year ago when revelations of the attack on software maker SolarWinds<\/a> emerged.<\/p>\n

Now one security researcher \u2013 Moshe Zioni, vice president of security research for application risk management startup Apiiro<\/a> \u2013 is predicting that supply chain attacks will likely peak in 2022 as organizations leverage new products that will help them better detect these attacks.<\/p>\n

Vendors like Apiiro have been working to protect enterprises against supply chain attacks that have been on the upswing for several years, with bad actors lured by the success of these campaigns and the money that could be made, Zioni told eSecurity Planet<\/em>.<\/p>\n

\"Apiiro
Moshe Zioni, Apiiro VP of Security Research<\/figcaption><\/figure>\n

Now more products are coming to market that make it easier for enterprises to detect such attacks and protect themselves against them, Zioni said.<\/p>\n

\u201cOur ways of data mining and positioning the data security lifecycle against supply chain attacks have gained some ground over the past couple of years, more than before,\u201d he said. \u201cSupply chain attacks are something that have been on the rise for a few years now. This is more than a cat-and-mouse game. It’s been a detection game for us for the better part of 10 years-plus for the application security realm.\u201d<\/p>\n

Supply Chain Attacks an Ongoing Threat<\/strong><\/h2>\n

Going into 2022, threat groups will continue to target the supply chains<\/a> of enterprises, which give them new avenues into greater numbers of potential victims. However, improved defenses are beginning to shift the advantage to end customers.<\/p>\n

\u201cAt some point we’re going to see a peak,\u201d Zioni said. \u201cThen through some detections and preventions [offerings from vendors] like a Apiiro, you will see much more detection and we will bring the upper hand back to the developers and enterprises.\u201d<\/p>\n

That would be good news for enterprises, which have been on edge since details of the SolarWinds attack, perpetrated by the Russia-linked cyberthreat group Nobelium, broke late in 2020. The hackers inserted malicious code into updates of SolarWinds\u2019 Orion IT monitoring software, putting at risk thousands of customers that had downloaded the updates (though the actual number of businesses hacked through the Sunburst malware was fewer than 100).<\/p>\n

Also read: <\/em>Best Backup Solutions for Ransomware Protection<\/em><\/a><\/p>\n

2021 a Tough Year in the Supply Chain<\/strong><\/h2>\n

Throughout 2021, there were myriad other supply chain attacks<\/a>, including one in which another Russia-based threat group, REvil, leveraged a vulnerability in software company Kaseya\u2019s remote monitoring and management (RMM) software to launch a ransomware attack<\/a> that impacted thousands of its customers.<\/p>\n

Both incidents were part of a larger global push by cybercriminals targeting weaknesses in supply chains. Cybersecurity company BlueVoyant found in a report<\/a> released in October that 97 percent of respondents to a survey said their companies had been negatively impacted by a cybersecurity breach in their supply chains and 93 percent said they had been affected by a direct cybersecurity breach due to weaknesses in their supply chain.<\/p>\n

In addition, 91 percent said that their budgets for third-party cyber-risk management would increase in 2021. In a statement, Adam Bixler, global head of third-party cyber risk management at BlueVoyant, said that \u201ceven though we are seeing rising awareness around the issue, breaches and the resulting negative impact are still staggeringly high, while the prevalence of continuous monitoring remains concerningly low.\u201d<\/p>\n

Third-party cyber-risk must become a priority at companies, Bixler said.<\/p>\n

With more tools coming to market that add security layers to DevOps and application environments, organizations will have the tools to make it a priority, Zioni said. That will be important given the rapid changes happening in those areas that are helping to fuel the increase in supply chain-based attacks, he said.<\/p>\n

Further reading: <\/em>Best Third-Party Risk Management (TPRM) Tools for 2022<\/em><\/a><\/p>\n

Agile Development, Standards Help Fuel Attacks<\/strong><\/h2>\n

Factors adding to supply chain risk include the increasingly agile mindset of developers and the expanding use of cloud-native applications. A major focus of DevOps is on speed \u2013 think of continuous integration\/continuous deployment (CI\/CD) \u2013 and enterprises are wary of putting in place security measures that slow down the process. The agile process also means being more reliant on third parties, Zioni said. However, that doesn\u2019t mean that everything is inherently less secure.<\/p>\n

\u201cBecause of this distributed way of trusting and to use third parties, you actually have a much more robustness in terms of data protection, in terms of compliance and in terms of what kinds of capabilities those kinds of options offer for DevSecOps and for developers and application security managers,\u201d he said. \u201cBut on the other hand, it also means that this is a new complexity that security practitioners have been dealing with for the past few years. Those are the things that actually made the shift in terms of how enterprises can protect the lifecycle.\u201d<\/p>\n

There also is greater standardization and regulation that must be met by enterprises, and cybersecurity vendors also need to catch up to those in order to detect and prevent supply chain attacks.<\/p>\n

Further reading: <\/em>How to Comply with GDPR, PIPL and CCPA<\/em><\/a><\/p>\n

Bad Actors Have Early Advantage<\/strong><\/h2>\n

The combination of the sophistication of attackers and the work enterprises need to do to put in the necessary controls to prevent the attacks means that the scales are tipped in the direction of the bad actors still, at least for the moment.<\/p>\n

\u201c<\/strong>Statistically speaking, attackers will have some kind of upper hand,\u201d Zioni said. \u201cIt doesn’t mean that they will succeed every time, but this is statistically speaking. It will still be the case until the gap is bridged as soon as possible by enterprises. That means that after this peak, it will plateau and the upper hand will be back to the enterprises’ hands.\u201d<\/p>\n

Once this happens, there will be fewer supply chain attacks in the coming years, he said, adding that he was reluctant to say when this will happen. However, he is sure it will.<\/p>\n

New Supply Chain Security Tools on the Way<\/strong><\/h2>\n

Vendors are launching more products that offer greater capabilities to detect cyberthreats \u2013 including supply chain threats \u2013 and touch on areas like inventory and asset discovery, CI\/CD security, continuous compliance and code risk assessments. All of those are part of Apiiro\u2019s platform as well, Zioni said.<\/p>\n

The company launched in 2019 and Zioni signed on in September after almost four years as director of threat research at Akamai Technologies. Apiiro\u2019s Code Risk Platform is designed to offer a range of capabilities in a single place, creating less complexity and greater integration. He said the goal is to be a one-stop shop for enabling organizations to control and manage their products. There is both development and infrastructure profiling.<\/p>\n

\"Apiiro
The Apiiro CICD security platform<\/figcaption><\/figure>\n

In February, in the wake of the SolarWinds attack and with $35 million in funding raised in October 2020, Apiiro unveiled two offerings designed to detect and block such attacks. One is to defend against build-time code injection, which was central to what the SolarWinds attackers did. Another product is aimed at detecting abnormal behavior in developer identities, helping organizations identify compromised accounts and insider threats.<\/p>\n

In addition, the company in November rolled out its Dependency Combobulator, an open-source toolkit that is designed to detect and prevent dependency confusion attacks, a growing threat in supply chain attacks. With dependency confusion attacks, cybercriminals deliver malicious components into the open-source ecosystem by tricking end users, developers and automation systems into installing a malicious dependency package that has the same name of the privately-used packages they normally leverage.<\/p>\n

Further reading: <\/em>Top Code Debugging and Code Security Tools<\/em><\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n