The variety of cybersecurity threats is multiplying every year — ransomware, banking trojans, DDoS, crypto-mining, zero-day exploits, and malware-free attacks increase with regularity.
Yet one of the most alarming security threats is one that affects virtually every organization worldwide – vulnerabilities in the software supply chain.
Last year's NotPetya attack struck one year ago in late June. Originating as an attack by Russia to destabilize Ukraine, it spread, leading to massive disruption and monetary losses for organizations around the world. NotPetya, and similar attacks such as CCleaner and PyPi, continue to impact unprepared businesses today and have caused a surge in companies seeking to update their cyber defenses and bolster their cyber insurance.
Software supply chain attacks have grown in frequency over the last year because nearly every organization depends on third-party software for business operations and there is more software than most business leaders realize. Think about a few common examples: HR uses software to manage employee benefits, accounting uses finance software to keep maintain visibility into the movement of assets, employees use software for internal communication. Some software applications are developed by small vendors that aren't necessarily using the security development lifecycle (SDLC) process, prioritizing speed to market over security, adding to the layers of software in use in the organization. Ask any CISO if they have confidence in the visibility and control over what software applications are being downloaded and used by employees or business partners while on the corporate network and most will say the confidence levels are low.
Software supply chain attacks present such a challenge to security operations because the vulnerabilities in many of these software programs are difficult to detect. In addition, supply chain attacks are a threat with significant potential for acquiring large numbers of victims and are often tied to well-resourced adversaries. Supply chain attacks are often widespread, targeting the entire trusted organizations' customer base, and they are not only growing in frequency, but also in sophistication.
Adversaries will target vulnerabilities using legitimate software packages, so when an attack occurs, it is difficult to mitigate stealthy propagation techniques that infect other systems across the network.
Unfortunately, there is no easy answer for defending against these types of attacks. Organizations need to understand what commercial and open source products they are using, and be aware of and prepared for potential attacks using legitimate software as a vector.
Cybersecurity threats should be evaluated based on the following motivations: nation-state espionage, ecrime and hacktivism. Within each of these categories, it's possible to outline a set of likely adversary types who execute cyberattacks with those motives in mind.
These attacks can be financially motivated, destructive or focused on stealing intellectual property to gain a geopolitical advantage. Being aware of the various types of threats and motivations is important to help understand modern attacks such as software supply chain attacks.
In addition, organizations must understand risk through the cybersecurity lens. Organizations often use the term “high-value asset” to define those systems, applications, and data sets that they view as worth more to the organization than other assets. Conversely, high-value targets are those the adversaries are looking to compromise. The differences are important when considering how best to prepare for inevitable cyberattacks.
As a baseline, below are actionable practices and tips that businesses should take into consideration as they shape their supply chain risk mitigation strategy:
Before limiting third party access to data, organizations must start by identifying all the suppliers, partners, customers and other third-party entities that business operations depend on. Then they must look deeper into what data, technology or critical infrastructure they have access to, and what they do with it.
Applying a “hygiene first” approach to security architecture will give you full visibility into your IT environment and help you address blind spots in your architecture. IT hygiene provides visibility into your environment while giving you the means to address security risks before they become issues. As the complexity of the technology stack continues to increase, security teams often struggle to identify; what applications are running on their organization's endpoints; whether or not these applications are authorized/necessary; and whether these applications contain dormant vulnerabilities and risks. Many leading approaches now advocate using cutting-edge end-point detection and prevention solutions, networking controls/segmentation, and improved controls around privileged credentials to prevent the propagation of an attack across the entire corporate network. When evaluating your environment's security, an effective IT hygiene solution should focus on three key areas:
- The “who”: Who is working on your network and what can they do? The theft of administrative privileges means attackers can silently infiltrate your network and elevate permissions for further access.
- The “what”: What applications are being run and what is the security risk? Unpatched applications and operating systems, particularly in BYOD business environments, can be leveraged by attackers. Often, users forget to update their applications consistently, which can create vulnerabilities in your architecture.
- The “where”: Where are the unprotected systems? A chain is only as strong as its weakest link. Having unprotected systems in your environment can create a backdoor for attackers, offering them unguarded access to your data.
The Cybersecurity Tool Stack
Every organization's cybersecurity tool stack is different, though when thwarting software supply chain threats one tool that should not be omitted is threat intelligence. Threat intelligence helps organizations identify, understand and mitigate a variety of threats. Most importantly, threat intelligence provides security teams with indicators of compromise (IoC) that organizations use to hunt for potential issues before they are issues.
The proliferation of third-party software in a typical organization isn't likely to slow down, and security assessment includes analyzing information about new attack methods, shifts in targeting behavior by threat actors, or political or economic events that are likely to inspire a shift in threat actor activity. This complex threat landscape means the best protection against the next destructive software supply chain attack is the ability to leverage solutions such as threat intelligence powered by machine learning to detect anomalies combined with a comprehensive understanding of assets and targets.