Research from ESET of a supply chain attack in Vietnam in which digital certificates were compromised set off continued discussions in the industry about the nature of recent supply chain attacks, and how security teams can most effectively prepare and respond.
Almost all security researchers agree that more of them will happen – especially attacks on the software development lifecycle – and that security teams need to sharpen their strategies.
In its broadest sense, supply chain or third-party attacks stem from risks involving a business partner, vendor, or supplier with which an organization maintains a business relationship. Supply chain risks can vary greatly – from outsourced managed security services being hit with ransomware and the bad threat actors using the connectivity between the managed services company and their clients to infect additional organizations, to a trusted software provider getting attacked and passing along infected code into multiple organizations, like the SolarWinds case.
“As technology advances and the world gets increasingly interconnected, these supply chain attacks will grow and become more effective, highlighting a critical vulnerability in all third-party relationships: the exploitation of trust,” said Austin Berglas, global head of professional services at BlueVoyant.
Michael Yoshpe, a threat researcher at Hunters, said that while these attacks necessarily involve a third party, they are most likely an attack on a software or hardware supplier that’s installed on a company’s assets, including endpoints, servers and cloud infrastructure.
“Not all third parties should be considered a potential threat for supply chain attacks,” Yoshpe said. “For example, a third-party that you only share data with and has no access to your assets, almost certainly cannot be considered a threat regarding supply chain attacks. The biggest threats come from those that supply software and hardware components to the company, most likely IT related such as programs, server racks and others.”
Gary Kinghorn, marketing director at Tempered Networks, agrees with this view, adding that “supply chain” really describes the modification of a software product downstream after it’s released before it reaches the end user or during installation. In today’s Vietnam example, the attackers used digital signatures to make a modified installer app appear legitimate, but malware was subsequently introduced. In SolarWinds, they modified patch release updates and dynamically linked .dll files that were subsequently added to the main software platform.
Chad Anderson, senior security researchers at DomainTools, goes one step further, adding that these software supply chain attacks focus on the software production lifecycle as opposed to attacking the organization directly. He said they are often effective because elements along the supply chain are less secure during the software development cycle and allow attackers much easier entry earlier in the production pipeline.
“We’ve seen in previous attacks that this can be direct vendors, but that similarly motivated attackers will attack tertiary vendors to slowly move their way into a target if necessary to achieve their goals,” Anderson said. “Assume that any well funded and highly motivated attacker will look for any hold when working against a target. In the case of the SolarWinds attack, we see a motivated attacker inserting themselves into the development cycle of the Orion agent that many companies rely on.”
Rick Moy, vice president of worldwide sales and marketing at Tempered Networks, adds that based on these attacks to the software lifecycle, companies need to improve software lifecycle processes. This includes better source code control and verification, implementing least-privilege principles and vetting of third-party party software libraries. Moy said security pros will find a lot of advice about holding providers to higher security standards, but that’s difficult because most of these processes end up being too basic to catch motivated adversaries.
“Most importantly, security teams should implement greater safeguards for worst case scenarios to contain the potential impact,” Moy said. “This is where identity access control, zero trust and micro-segmentation strategies can be most helpful.”
Yoshpe of Hunters put together a five-step program for security teams looking to protect their organizations against supply chain attacks. Here are five elements of a protection program:
- A security data lake. These supply chain incidents have shown the significance of retaining security log data for a long period of time. The SolarWinds incident started as early as March 2020, about nine months before it was initially discovered. Maintaining a security data lake which stores security, network and relevant application logs with adequate retention will prove vital in an organization’s ability to uncover and investigate such events.
- Visibility. Ingesting security logs won’t do everything: security teams need to ensure that the organization’s current security controls are deployed on all hosts in the network to ensure proper coverage. Proper visibility will not only allow for swift detection, but also assist in discerning what actions took place on the host, what traffic traversed the network devices, and what applications users accessed and from where. Ensure that all relevant controls are deployed hermetically and that all relevant IT and security infrastructure forwards logs as expected.
- Asset management. Creating an organized and updated inventory of relevant assets, both hardware and software (programs, virtual machines, software versions) can help security teams quickly determine whether a specific breaches are relevant to the organization. Visibility dashboards that summarize such information, and get automatically updated and alert on unexpected changes, are a real asset for any security team.
- Proactive threat hunting. Companies need a proactive approach to anomaly detection. Conducting proactive threat hunting over security logs, using efficient data analysis tools and anomaly detection techniques, must become an essential part of any security strategy. Security teams also need tools to automate the hunting process so they invest time on hunting and not on tedious supplementary or repetitive tasks. For example, having an automated IOC sweep mechanism can save a lot of time, instead of manually querying the data each and every time.
- Connecting security telemetry. The hybrid IT environments within organizations and the disperse solutions also lead to siloed detection. Without interconnecting data sources, single-sensor security solutions will most likely miss advanced threats, especially those that move laterally in the corporate network. Interconnecting and correlating security telemetry with XDR solutions can help the organization eliminate blind spots and detect faster across the entire stack with accurate findings.