Protecting your organization from growing attacks on the software supply chain | Daily News Byte



The lure of software supply chains is hard for attackers to resist: they can access a wide range of sensitive information all too quickly and easily — and reap the juiciest payouts.

In just one year — between 2020 and 2021 — attacks on the software supply chain increased by more than 300%. And 62% of organizations admit that they have been affected by such attacks.

Experts warn that the onslaught will not slow down. In fact, according to Gartner, 45% of organizations worldwide will experience a ransomware attack on their digital supply chains by 2025.

“No one is safe,” said Zack Moore, security product manager at InterVision. “From small businesses to Fortune 100 companies to the highest levels of the US government — everyone has been affected by supply chain attacks over the past two years.”


Plenty of examples

The SolarWinds attack and the Log4j vulnerability are two of the most notorious examples of software supply chain attacks in recent memory. Both have revealed how pervasive attacks on the software supply chain can be, and in both cases, the full extent of the consequences remains to be seen.

“SolarWinds has become the poster child for digital supply chain risk,” said Michael Isbitski, director of cybersecurity strategy at Sysdig.

Still, he said, Microsoft Exchange is another example that was just as influential, “but quickly forgotten.” He noted that the FBI and Microsoft continue to monitor ransomware campaigns targeting vulnerable Exchange applications.

Another example is Kaseya, which was breached by ransomware actors in mid-2021. As a result, more than 2,000 customers of the IT management software vendor received a compromised version of the product, and between 1,000 and 1,500 customers ended up with encrypted systems.

“The immediate damage from an attack like this is enormous,” Moore said. “Even more dangerous, however, are the long-term consequences. The total cost of recovery can be enormous and take years.”

So why do software supply chain attacks keep happening?

The reason for the continued bombardment, Moore said, is the increasing reliance on third-party code (including Log4j).

This makes distributors and suppliers increasingly vulnerable, and vulnerability is often equated with a higher payout, he explained.

Also, “ransomware actors are becoming more thorough and using unconventional methods to reach their targets,” Moore said.

For example, ransomware actors target IT management software systems and parent companies. Then, after a breach, they use that relationship to infiltrate the infrastructure of the organization’s affiliates and trusted partners.

“Supply chain attacks are common right now, in part because the stakes are higher,” Moore said. “Widespread supply chain disruptions have placed the industry at a fragile crossroads.”

Low cost, high reward

Supply chain attacks are low cost, can require minimal effort, and have the potential for high reward, said Crystal Morin, threat research engineer at Sysdig. And the tools and techniques are often shared freely online, as well as disclosed by security companies, which often publish detailed findings.

“The availability of tools and information can provide less skilled attackers with opportunities to copy advanced threat actors or quickly learn about advanced techniques,” Morin said.

Also, ransomware attacks on the supply chain allow bad actors to cast a wide net, said Zack Newman, senior software engineer and researcher at Chainguard. Instead of spending resources attacking a single organization, a breach in part of the supply chain can affect hundreds or thousands of downstream organizations. On the other hand, if an attacker targets a specific organization or government entity, the attack surface changes.

“Instead of waiting for that one organization to have a security problem, an attacker just has to find a single security problem in any of the dependencies in the software supply chain,” Newman said.

No single offensive/defensive tactic can protect all software supply chains

Recent supply chain attacks highlight the fact that no single tool provides a complete defense, Moore said. If just one tool in an organization’s toolset is compromised, the consequences can be severe.

“At the end of the day, any security framework built by intelligent people can be breached by other intelligent people,” he said.

Defense in depth is essential, he said; this should include a layered security policy, edge protection, endpoint protection, multi-factor authentication (MFA) and user training. Robust recovery capabilities, including properly stored backups—and ideally, uptime experts ready to mobilize after an attack—are also essential.

Without educated people to properly deploy and manage them, layered technologies lose their value, Moore said. And if leaders don’t implement the right framework for how those people and technologies interact, they leave gaps that attackers can exploit.

“Finding the right mix of people, processes and technology can be challenging from an availability and cost standpoint, but it’s critical,” he said.

Holistic, comprehensive visibility

Commercial software is usually on the radar of security teams, but open source is often overlooked, Morin pointed out. Organizations need to stay on top of all the software they use and change, including open source and third-party software.

Sometimes engineering teams move too quickly, she said, or security is excluded from the design and delivery of applications using open source software.

But as demonstrated with problems in dependencies such as OpenSSL, Apache Struts, and Apache Log4j, exploitable vulnerabilities spread rapidly across environments, applications, infrastructure, and devices.

“Traditional approaches to vulnerability management don’t work,” Morin said. “Organizations have little or no control over the security of their suppliers outside of contractual obligations, but these are not proactive controls.”

Security tools exist to analyze applications and infrastructure for these vulnerable packages before and after delivery, she said, but organizations need to make sure they have actually deployed them.

But, “other security best practices continue to apply,” she said.

Expanded security focus

Morin advises: Update and improve detections regularly. Always patch wherever, and as quickly, as possible. Ask vendors, partners and suppliers what they are doing to protect themselves, their customers and sensitive data.

“Stay on them too,” she said. “If you see problems that could affect them in your regular security efforts, bother them about it. If you’ve done your due diligence and one of your suppliers hasn’t, it’s going to hurt a lot more if they get compromised or leak your data.”

Also, risk concerns extend beyond just traditional binary applications, Isbitski said. Container images and infrastructure-as-code are targets for many variants of malicious code, not just ransomware.

“We need to broaden our security focus to include the vulnerable dependencies on which applications and infrastructure are built,” Isbitski said, “not just the software we install on desktops and servers.”

Ultimately, said RKVST director of product and technology Jon Geater, businesses are beginning to gain a greater appreciation for what becomes possible “when they implement integrity, transparency and trust in a standard, automated way.”

However, he stressed, it is not always just about the supply chain attacks.

“In fact, most of the problems come from errors or omissions that originate in the supply chain, which then open up the target for traditional cyber attacks,” Geater said.

It’s a subtle difference, but an important one, he noted. “I believe that most of the discoveries that come out of improving supply chain visibility next year will highlight that most threats come from error, not malice.”

Don’t just tackle ransomware

And while concern about ransomware is front and center as part of an endpoint security approach, it’s only one potential attack technique, Isbitski said.

There are many other threats that organizations need to prepare for, he said — including newer techniques such as cryptojacking, identity-based attacks and secret harvesting.

“Attackers use what’s most effective and pivot within distributed environments to steal data, compromise systems and take over accounts,” Isbitski said. “If attackers have the means to deploy malicious code or ransomware, they will use it.”

Common techniques are necessary

Indeed, Newman acknowledged, there is so much variety in what constitutes a supply chain attack that it is difficult for organizations to understand what the attack surface might be and how to protect against it.

For example, at the highest level, a traditional vulnerability in the OpenSSL library is a supply chain vulnerability. An OSS maintainer who is compromised, or who turns malicious for political reasons, is a supply chain vulnerability. And hacking an OSS package repository or hacking an organization’s build system are attacks on the supply chain.

“We need to apply common techniques to protect and mitigate any type of attack along the supply chain,” Newman said. “They all need to be fixed, but starting where the attacks are tolerable may bring some success that will be removed.”

In proactively adopting strong policies and best practices for their security posture, organizations could look to the Supply-chain Levels for Software Artifacts (SLSA) framework checklist, Newman suggested. Organizations should also implement strong security policies throughout their developers’ software development lifecycle.

Encouraging research on software supply chain security

Still, Newman stressed, there are many reasons for optimism; the industry is thriving.

“Researchers have been thinking about addressing software supply chain security for a long time,” Newman said. This goes back to the eighties.

For example, he pointed to new technologies from the community such as The Update Framework (TUF) or the in-toto framework.

The industry’s emphasis on software bills of materials (SBOMs) is also a positive sign, he said, but more needs to be done to make them effective and useful. For example, SBOMs should be created at build time rather than after the fact, because “this type of data will be extremely valuable in preventing the spread and impact of an attack.”
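The build-time versus after-the-fact point above, as an added example that is not from the article or from any of the companies quoted: a lookup over constructed CycloneDX-style SBOM records showing why a build-time SBOM (pinned version plus hash for every component) lets a defender answer “which of our artifacts ship this component?” the moment a vulnerable release is announced, while an SBOM reconstructed from a deployed binary can only be flagged for manual triage. Artifact names, component versions and the fixed-version threshold are constructed sample values.

```python
from typing import Dict

# Constructed CycloneDX-style SBOMs keyed by artifact id (sample data, not from any real build).
# A build-time SBOM records the exact resolved version and a hash for every component.
BUILD_TIME_SBOMS: Dict[str, dict] = {
    "payments-service:1.4.2": {"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0",
         "hashes": [{"alg": "SHA-256", "content": "1" * 64}]},
    ]},
    "reporting-batch:0.9.0": {"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "hashes": [{"alg": "SHA-256", "content": "2" * 64}]},
    ]},
    # An SBOM reconstructed after the fact from a deployed jar: the version was guessed from
    # a file name and there is no hash, so it cannot be reconciled with what was actually built.
    "legacy-portal:3.2.0": {"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.x", "hashes": []},
    ]},
}

def parse_version(version: str):
    """Return a comparable tuple for a pinned release like '2.14.1', or None if not pinned."""
    parts = version.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def affected_artifacts(sboms: Dict[str, dict], group: str, name: str, fixed_in: str) -> Dict[str, str]:
    """Classify every artifact whose SBOM lists group:name against the fixed release.

    'vulnerable' - pinned version older than fixed_in
    'patched'    - pinned version at or after fixed_in
    'unknown'    - version not pinned or no hash recorded (after-the-fact SBOM): needs manual triage
    """
    fixed = parse_version(fixed_in)
    result: Dict[str, str] = {}
    for artifact, sbom in sboms.items():
        for component in sbom.get("components", []):
            if component.get("group") != group or component.get("name") != name:
                continue
            version = parse_version(component.get("version", ""))
            if version is None or not component.get("hashes"):
                result[artifact] = "unknown"
            elif version < fixed:
                result[artifact] = "vulnerable"
            else:
                result[artifact] = "patched"
    return result

if __name__ == "__main__":
    # Query run when a fix for log4j-core is announced (threshold is a sample value).
    print(affected_artifacts(BUILD_TIME_SBOMS, "org.apache.logging.log4j", "log4j-core", "2.17.1"))
```

The same query over a fleet of build-time SBOMs gives the complete blast radius in one pass; every "unknown" result is an artifact whose inventory had to be guessed after deployment.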

Also, he pointed out, Chainguard co-created and now maintains a dataset on malicious compromises in the software supply chain. This effort uncovered nine major attack categories and hundreds or thousands of known compromises.

Ultimately, both researchers and organizations are “looking for ways to solve these issues once and for all,” Newman said, “as opposed to taking the usual band-aid approaches that we see in security today.”

