David Sajoto, Vice President, Asia Pacific and Japan, ExtraHop.
A supply chain attack is a particular type of cyber attack that seeks to gain access to protected information or damage an organisation by targeting less-secure elements in the supply chain, such as third-party vendors or software. These attacks often lead to substantial losses and reputational damage for victims.
Human error, supply-chain dependence, logic flaws, or adversary innovation can all expose an entry point, even with world-class defences. However, what makes these particular types of attacks so damaging to organisations?
Characteristics of Supply Chain Attacks
Supply chain attacks have been used against organisations and government entities for many years. The SolarWinds SUNBURST backdoor Trojan attack is the latest in a series of highly-sophisticated attacks. While the origin and number of attackers involved are not yet known, their techniques involved several steps, utilised customised software and tools existing in the environment, and resulted in data exfiltration and other damage. A backdoor trojan also enabled them to conduct the attack for over nine months from a command and control infrastructure before being detected. However, the silver lining is that each step in a supply chain attack offers an opportunity to discover and stop intruders.
Successful, highly damaging supply chain attacks often have five common elements.
The first is meticulous preparation from attackers who spend long periods of time watching target organisations or put considerable effort into developing custom code. Another aspect of supply chain attacks is the use of “legitimate” entry, using stolen credentials or trojanised updates to trusted third-party software, to gain access. Once trusted IT assets are compromised, attackers can remotely command and control further instructions. Attackers also move laterally within systems and leverage PowerShell capabilities embedded in operating systems to stay inside an organisation’s network and IT infrastructure longer and increase their chances of success. It is also common for attackers to cover their tracks once they have achieved their goals of data exfiltration, disruption, or destruction by removing malicious software and digital footprints to evade discovery.
Security Efforts Today
Over the past 10 years, much has changed across the IT landscape, yet many basic security challenges remain. Cloud adoption has even outpaced optimistic predictions as organisations outsource their data centres to improve their focus on core business initiatives. As opportunities for businesses to innovate in the cloud continue to unfold, they create an equal number of new targets for attackers to pursue.
A wide variety of compute instances and virtual machines still dominate in the cloud, but probably not for long, as newer technologies, including containers and serverless compute, gain momentum. DevOps techniques enable accelerated development and deployment of cloud workloads, but often neglect security and expose potential attacker footholds. Widespread use of open source software has ushered in a new era of ease and cost reduction in cloud application development while increasing the risk of introducing vulnerabilities into cloud workloads. Cloud providers have chosen to share responsibility for security with their customers.
Gartner predicts that by the end of 2023, more than 50 percent of enterprises will have replaced older endpoint antivirus products with endpoint detection and response (EDR) solutions that supplement prevention with detect and response capabilities. What network defenders need is a sophisticated network detection and response (NDR) toolset that leverages machine learning and keeps pace with the latest attack techniques. Solutions that tap into the network to mirror packets as well as provide a covert vantage point and unassailable data source are within reach. Dissecting packets to extract metrics reveals a wealth of information, including all connected devices and device types within a data centre or cloud environment, lateral movements by attackers, new connections, abnormal user behaviour, data breaches, and ransomware attempts.
In the wake of the SolarWinds attack, where the extensive scope and dwell time increased the potential for damage significantly, organisations are realising how important it is to have months of logs and network activity readily available to determine how and when they were hacked. Having real-time access to this information via an intuitive tool helps security operations follow an attacker’s tracks, remediate vulnerabilities, and helps auditors determine the extent of damage to an organisation when an attack occurs.
The existence of less-secure elements such as third-party vendors or software can make an organisation vulnerable to threats. Targeted attacks are on the rise and organisations need to be aware that supply chain attacks are more than an infiltration into the network.
Enterprises would be wise to learn from this incident and prepare as if the next supply chain attack is only a matter of time. Any attack on the supply chain can potentially disrupt vital operations and damage relationships between the organisation, customers, and stakeholders. All the functional areas of an integrated, end-to-end supply chain — plan, source, make, deliver and customer service — are potential touchpoints where cyber threats could occur. To protect themselves from any substantial losses and reputational damage, businesses should start protecting their network from any potential attacks.