Five years ago, when I would talk to groups about software supply chain attacks, my listeners’ eyes glazed over. Most had no idea what I was talking about.
They surely know about it now. In fact, Symantec’s latest ISTR report describes in detail how cyber criminals continue to ramp up their attacks on supply chains and trusted software. At the same time, the nature of the threat is also changing.
Malicious actors no longer need to develop and deploy deadly new software to penetrate an organization’s defenses. In fact, attackers have enjoyed great success by deploying a deception tactic that we refer to as “Living Off the Land” (LotL).
The term refers to the practice of using “normal” IT tools and processes to launch malicious attacks. It’s an ingenious approach. Rather than developing dedicated techniques and tools, attackers can instead camouflage their malicious activities by leveraging normal tools and processes.
New Opportunities for Attackers
We hear a lot nowadays about digital transformation. In practice, that just refers to the fact that more and more business processes are becoming digital, rather than dependent upon paper.
It also means that enterprises need more and more IT infrastructure and applications to support their increasingly digitized business processes. But as the IT landscape inside organizations becomes far more dynamic and agile, it also offers potential opportunities for malicious actors to exploit mistakes.
Supply Chain Attacks
Attackers used to prefer to target “static” IT environments (servers, networks, endpoints) and human-managed processes for their deployment and maintenance. The normal process of an external vendor employee connecting from an external system was used as a camouflage and malicious hackers then found ways to exploit weak points in the IT supply chain - sometimes with great success. Attacking through vendors can be considered “IT Supply Chain Attack 1.0”.
Their attention has since shifted to target the “Land” of automatic software updates, using legitimate software update mechanisms and distributing malicious payloads via them. Attacks distributed via malicious software updates can be considered part of “IT Supply Chain Attack 2.0”. And they pack quite a punch; one of the unique features of this generation of supply chain attacks is that a compromised software update can be delivered to different locations, essentially serving as a force multiplier.
The most recent generation of supply chain attacks - I call them “IT Supply Chain Attack 3.0” - focus on the modern IT Applications supply chain. These supply chain processes are influenced by the Shift-Left IT mentality and by roles such as DevOps and Cloud Ops performing Continuous Integration and Continuous Delivery of the business applications. The multiplier impact of this 3rd generation of Supply Chain Attacks is even higher than it was with the previous generations. What’s more, the ability of attackers to camouflage their actions is enhanced as the compromise can now take place very far from the actual attack location.
Digital Transformation and its Discontents
Let’s set cyber security aside for a moment. The big changes taking place in the corporate IT world often get lumped together under the umbrella of “digital transformation.” In practice, that’s just a buzzword for the fact that more and more business processes are going digital rather than remaining dependent upon paper.
That, in turn, also means that any enterprise needs more and more IT infrastructure and applications to support these new processes. It also means that the IT landscape inside each organization is way more dynamic and agile than it used to be. And that offers a tremendous opportunity for malicious actors.
Here, let’s keep Sun Tzu’s dictum in mind: it’s pointless to attack your enemy where he's strong. You find a weak point and then you strike. And the fact of the matter is that while these latter-day developments may result in a more dynamic IT infrastructure, they have emerged so rapidly that security too often receives short shrift.
So, if you’re an attacker on the prowl, you know that corporate software development relies heavily on the wide availability of ready-made components. You also know that developers don’t want to reinvent the wheel and so will select these open source components to build their solutions. Having adopted them, the developers will also look for ways to streamline automatic delivery of new versions directly to production.
Attackers thus don’t need to go after specific business applications; instead, they only need to target the same open source package, one that will get used by many different industries. Once they do, corporate users are going to unknowingly import malicious, compromised code into their environment.
Consider a popular code repository such as GitHub. Think of the implications if an attacker manages to insert malicious content. From that point, any time that someone updates versions of their business software, they’ll also unknowingly serve as a delivery channel for malicious actors.
Never Trust, Always Verify
Traditionally, IT security has focused on “production environments”: the applications running on the system, the use and storage of data, and the access privileges of the devices accessing all this information.
That’s no longer sufficient.
In these times, users may think that what they’re using is built on “trusted” components. But if they blindly trust in the integrity of their supply chain, trouble beckons.
There’s a basic principle we need to grasp: Securing the pipeline must be a part of everyone’s responsibility. Both IT security and corporate developers need to understand that they face a fundamental challenge when it comes to the integrity of the software delivery pipeline.
Effective IT security needs to regularly include an examination of the entire supply chain. That includes the components used for software and knowing where they are coming from and where software code is stored, developed and distributed. It also must involve an examination of how the software-defined infrastructure components are being created.
There are tools for each and every step of the supply chain offering dedicated solutions that can help. Organizations should use them to scan every update to a component to make sure that they’re not also importing malicious logic. These dedicated tools should be used in full collaboration with the traditional security stack in your production environment to secure your production process as much as possible.
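One way to check every component update before it reaches production, shown as an added example that is not from the original article or any Symantec product: compare the dependency lockfile before and after an update and flag anything that needs human review. The package names, registry URLs and digests are constructed, and the trusted-source list is an assumption.

```python
# Added example: constructed data and hypothetical names throughout.
TRUSTED_SOURCES = {"https://registry.example.internal"}  # assumption: approved origins

# Constructed lockfile snapshots: name -> (version, source, sha256 of artifact)
BEFORE = {
    "http-client": ("2.4.1", "https://registry.example.internal", "a1" * 32),
    "yaml-parser": ("1.0.3", "https://registry.example.internal", "b2" * 32),
    "log-utils": ("0.9.0", "https://registry.example.internal", "c3" * 32),
}
AFTER = {
    "http-client": ("2.5.0", "https://registry.example.internal", "d4" * 32),  # normal upgrade
    "yaml-parser": ("1.0.3", "https://registry.example.internal", "e5" * 32),  # same version, new bytes
    "log-utils": ("0.9.1", "https://mirror.example.net", "f6" * 32),  # origin changed
    "date-format": ("1.0.0", "https://registry.example.internal", "07" * 32),  # newly introduced
}


def review_update(before, after, trusted_sources):
    """Return a sorted list of (component, finding) pairs that need human review."""
    findings = []
    for name, (version, source, digest) in after.items():
        if source not in trusted_sources:
            findings.append((name, "untrusted-source"))
        if name not in before:
            findings.append((name, "new-component"))
            continue
        old_version, old_source, old_digest = before[name]
        if source != old_source:
            findings.append((name, "source-changed"))
        if version == old_version and digest != old_digest:
            # A published version should be immutable: new bytes under the
            # same version number mean the artifact was replaced upstream.
            findings.append((name, "hash-changed-same-version"))
    for name in before.keys() - after.keys():
        findings.append((name, "removed"))
    return sorted(findings)


def gate(before, after, trusted_sources):
    """Pipeline gate: True only when the update raised no findings."""
    return not review_update(before, after, trusted_sources)


if __name__ == "__main__":
    for component, finding in review_update(BEFORE, AFTER, TRUSTED_SOURCES):
        print(f"REVIEW {component}: {finding}")
    print("deploy allowed:", gate(BEFORE, AFTER, TRUSTED_SOURCES))
```

A check like this complements content scanning rather than replacing it: it tells you which updates changed origin or bytes unexpectedly, so those are the ones to inspect first.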
Unfortunately, there are no shortcuts here. The cyber security world is akin to an endless arms race in which each side exerts itself to achieve a temporary, tactical gain over its rival. Cyber security is always about parallel advancements. Nothing about the situation is static. Malicious actors find new ways to attack and then the security industry develops a response. But when it comes to keeping your supply chain secure, the answer boils down to one thing: Persistence.