Even as companies contend with ongoing and costly disruptions to their supply chains, they must also guard against attackers who are increasingly targeting their supply chain partners, including those in the cloud service provider ecosystem.

Supply chain attacks occur when a threat actor leverages a trusted third-party vendor's software or services to compromise downstream clients of that vendor. The most well-known example of this is the recent SolarWinds compromise. In this case, a group of threat actors known as APT29 (AKA NOBELIUM) breached the SolarWinds build environment, then injected malicious code into an update of the widely-used Orion software, which was pushed to approximately 18,000 customers, including Mandiant, which publicly-disclosed the attack. Recently Mandiant disclosed APT29s shift to targeting cloud environments and vendors.

Supply chain attacks are often the hardest type of compromises to detect. Companies usually trust vendor activity and give little consideration when monitoring environments for threat activity. Detecting these types of attacks becomes further compounded because most vendor supply chain intrusions are at the hands of more advanced, often nation-state threat actors. The bad news: they are only on the rise.

Remote work and the shift to the cloud

The ongoing pandemic and major digital transformation initiatives have accelerated migration of workflows to cloud platforms. A Nutanix survey found that 36% of respondents operate in not just one, but multiple clouds and expect that number will grow to 64% within three years.

As organizations shift to the cloud, attackers have and will follow. In fact, Microsoft recently published research indicating that the same threat actor responsible for the SolarWinds supply chain compromise has been actively targeting privileged accounts of cloud service providers to move laterally in cloud environments. Once within the environment NOBELIUM leverages the trust relationships established between the service provider and its customers to gain access to targeted systems.

Detection and response capabilities for public cloud environments has lagged behind the accelerated cloud adoption rate. SOCs already suffering alert fatigue from their on-premises monitoring solutions, are not prepared for the scale of data associated with monitoring cloud activity. Coupled with a general lack of familiarity with cloud attacks, cloud workflows, and immature tooling, analysts are left in a compromising position.

To detect vendor supply chain attacks in the cloud, organizations must first profile the vendors in their environment, asking the following questions:

  • What vendors operate in the cloud environment?
  • What visibility is available related to vendor access and activity?
  • What privileges do these vendors have?
  • What is the typical access chain for the identity?
  • What is the baseline activity for the identity?

Once the company establishes a baseline on access and activity for vendor identities operating in an environment, they must monitor for deviations on that baseline. Most vendor identities will have predictable access and activity patterns which can make anomaly detection easier.

In a typical cloud access pattern, a vendor enters the environment through an external AWS account belonging to the vendor, assumes a role with a set of defined permissions that has been provisioned for them by a customer, and then scans or modifies services and infrastructure. This access will typically happen on a recurring basis every few hours. Understanding and baselining the expected behavioral profile for that vendor identity lets an organization monitor and set alerting around abnormalities in vendor access and activity. Organizations spend extensive time trying to secure traditional access pathways like username and password or long-lived secrets.

However, if a vendor gets compromised, the attacker’s ability to assume roles into an organization offers a powerful foothold since many of the vendor roles we monitor are significantly over-permissioned against what their services are actually executing in the environment. Baselining vendor activity lets security teams isolate the permissions the vendor actually needs to effectively operate and allows the team to reduce the blast radius of the role operating in the environment.

In CrowdStrike’s 2021 Global Security Attitude Survey, 84% of respondents said that supply chain attacks could become one of the largest cyber threats to their organizations in the near future. Supply chain attacks make it much more possible to compromise even the most hardened organizations. The advantages of cloud for organizations becomes an advantage for attackers as well. Only by implementing least privileged access, establishing baselines for vendor activity, and monitoring for anomalous behavior, can an organization prepare themselves for vendor supply chain attacks in the cloud.  

Ian Ahl, vice president of threat research and detection engineering, Permiso