Research from ESET of a supply chain attack in Vietnam in which digital certificates were compromised set off continued discussions in the industry about the nature of recent supply chain attacks, and how security teams can most effectively prepare and respond.
Almost all security researchers agree that more of them will happen – especially attacks on the software development lifecycle – and that security teams need to sharpen their strategies.
In its broadest sense, supply chain or third-party attacks stem from risks involving a business partner, vendor, or supplier with which an organization maintains a business relationship. Supply chain risks vary greatly – from an outsourced managed security services provider being hit with ransomware and threat actors using the connectivity between the managed services company and its clients to infect additional organizations, to a trusted software provider being attacked and passing infected code along to multiple organizations, as in the SolarWinds case.
“As technology advances and the world gets increasingly interconnected, these supply chain attacks will grow and become more effective, highlighting a critical vulnerability in all third-party relationships: the exploitation of trust,” said Austin Berglas, global head of professional services at BlueVoyant.
Michael Yoshpe, a threat researcher at Hunters, said that while these attacks necessarily involve a third party, they are most likely an attack on a software or hardware supplier whose products are installed on a company’s assets, including endpoints, servers and cloud infrastructure.
“Not all third parties should be considered a potential threat for supply chain attacks,” Yoshpe said. “For example, a third-party that you only share data with and has no access to your assets, almost certainly cannot be considered a threat regarding supply chain attacks. The biggest threats come from those that supply software and hardware components to the company, most likely IT related such as programs, server racks and others.”
Gary Kinghorn, marketing director at Tempered Networks, agrees with this view, adding that “supply chain” really describes the modification of a software product downstream, after it is released but before it reaches the end user, or during installation. In the Vietnam case, the attackers used digital signatures to make a modified installer app appear legitimate even though malware had been introduced into it. In SolarWinds, they modified patch release updates and dynamically linked .dll files that were subsequently added to the main software platform.
Chad Anderson, senior security researcher at DomainTools, goes one step further, adding that these software supply chain attacks target the software production lifecycle rather than attacking the organization directly. He said they are often effective because elements along the supply chain are less secure during the software development cycle, giving attackers much easier entry earlier in the production pipeline.
“We’ve seen in previous attacks that this can be direct vendors, but that similarly motivated attackers will attack tertiary vendors to slowly move their way into a target if necessary to achieve their goals,” Anderson said. “Assume that any well funded and highly motivated attacker will look for any hold when working against a target. In the case of the SolarWinds attack, we see a motivated attacker inserting themselves into the development cycle of the Orion agent that many companies rely on.”
Rick Moy, vice president of worldwide sales and marketing at Tempered Networks, adds that, given these attacks on the software lifecycle, companies need to improve their software lifecycle processes. This includes better source code control and verification, implementing least-privilege principles, and vetting third-party software libraries. Moy said security pros will find a lot of advice about holding providers to higher security standards, but that this is difficult because most of these processes end up being too basic to catch motivated adversaries.
“Most importantly, security teams should implement greater safeguards for worst case scenarios to contain the potential impact,” Moy said. “This is where identity access control, zero trust and micro-segmentation strategies can be most helpful.”
Yoshpe of Hunters put together a five-step program for security teams looking to protect their organizations against supply chain attacks. Here are five elements of a protection program: