As the supply chain continues to evolve, so new and dangerous vulnerabilities emerge. To gain a clearer idea of what they are and how to safeguard against them, Neeraj Singh, WithSecure’s Research and Development Manager, offers his expert opinion on how we can keep ourselves – and each other – safe.
Neeraj, in your opinion, how has the supply chain developed and changed over the past decade?
The previous decade was more about introducing and implementing automation in the supply chain. Over the past few years, organizations become more reliant on software companies that provide management tools for different purposes, such as IT infrastructure, payment systems, web applications, cloud services, and data storage. As a result, organizations now put their trust in these providers to run and automate their operations.
How have these changes impacted security?
Most organizations have little to no visibility of their software supply chain. To run a smooth operation, companies often outsource some parts of their business which, in turn, provides third-party software with the authority to manage the infrastructure.
In some cases, this third-party software gains unrestricted access to stored data. Organizations themselves might have a strong security posture in place, but their dependency on outsourcing, the usage of third-party tools and software, and providing access to third-party software has become a weak link when it comes to security.
Sign up to receive unique and expert insights into the supply chain here
What vulnerabilities have arisen as a result of this new supply chain?
There have been many, so perhaps it would be easier to break them into three classifications.
- Software exploitation
The most famous examples involve the exploitation of MSP service-providing software. In the cases of SolarWinds and Kaseya we observed the software being exploited, resulting in the delivery of backdoor and ransomware. The exploitation of well-known software presents an opportunity for attackers to plant backdoors within organizations that would otherwise be hard to break into. - Stolen data, credentials and certificates
The MEDOC exploitation is an example of software being exploited via stolen credentials. The threat actor then manipulated the update server to become a command-and-control server and delivered the destructive NotPetya ransomware to the systems.Another example of a stolen credential-based attack was the contamination of system cleanup software CCcleaner. Stolen credentials were used to log into a TeamViewer remote desktop on a system, which was then used to move laterally and install custom malware.
- Web-based attacks
Another example is the web-based Megacart attack in 2018, which utilized customized JavaScript and digital card skimmers loaded from a compromised web server.An organization may operate with hundreds of trusted vendors and the vulnerabilities among these vendors may vary from software to websites. That means the impact may also vary, from malware to backdoors or from info-stealers to ransomware. Some of these breaches may even target specific countries or organizations; MEDOC was more popular in Ukraine, whereas the ShadowHammer case targeted specific MAC addresses.
Which of these should companies take most seriously?
Supply chain attacks have had a considerable impact in the past, and any attempted breach should be taken seriously. Once an attacker has managed to plant malware or a backdoor in systems with privileges, the sky is the limit.
How can companies tackle these vulnerabilities to ensure they are as safe as possible?
To begin with, vet your suppliers carefully and investigate their security postures. Then, discuss and implement defined best practices with these suppliers. Organizations should also regularly review the permissions and privileges they give to third-party vendors.
Also, one cannot be dependent on suppliers being safe, therefore it is best to have your own defense, such as Detection and Response, against attack.
Regular red-teaming exercises simulating supply chain attacks can also provide a good understanding of any current exposure and loopholes in protection. Simulated attacks can also be used to prepare a plan that can mitigate potential future attacks.
Are you part of the problem? Find out in this article
Looking forward, are we able to predict vulnerabilities and protect ourselves in advance?
Well, everything we have discussed above highlights that detection and prevention in the supply chain is a tough nut to crack. Predicting supply chain attacks requires an understanding of how software development or distribution pipelines can be compromised, or when victims are using a compromised piece of software.
Machine learning models can help to flag unusual behaviour from a trusted application, like connecting to an unusual or suspicious network connection, accessing a file which is not usually accessed, and an unusual process being spawned or an unusual DLL being loaded.
For proactive protection, always ensure that accounts provided to a third party or organization domain are given role-based access control and have only the necessary permissions and privileges assigned to them. Use a data integrity check when software and updates are installed, and ensure that new software or updates do not allow the execution of unauthorized software.
Also, for internal code development, the use of a Software Composition Analysis (SCA) tool is recommended, as it can detect malicious open-source packages and alert when vulnerable libraries are taken into use by developers. These suggestions are comprehensive but should not be considered a silver bullet against supply chain attacks.
Finally, how do you see the supply changing yet further over the coming years?
Supply chain attacks are here to stay. They will always represent potential attack vectors against organizations. With the Covid-19 pandemic, organizations are moving towards cloud-based solutions rather than on-prem solutions. This opens a window of opportunity for attackers, as more third-party vendors are included due to this new way of working.
Although hardware or IOT-based supply chain attacks are rare, I think that there might be a rise in such attacks because they are difficult to detect and mitigate. These attacks can be as destructive as software-based attacks, so it pays to be safe.
Find out what WithSecure’s Elements portfolio can do for your vulnerability management here: Elements Vulnerability Management.