Today's digital supply chains are a continuously growing and dynamic ecosystem of web-based services, applications, and IT assets. These ecosystems are enabled by an extensive network of partners, vendors, and third-party services. Attention has recently focused on attacks on national software supply chains and software infrastructure. As a result, enterprises are increasingly concerned with their growing attack surfaces and their security hygiene.
To expand upon my previous article, 2 Attack Vectors are Forcing Changes in How to Secure Software, where I discussed two classes of threats and growing attack surfaces, I will add a third class of cybercrime: nation-state attacks. These attacks are not only dangerous and damaging to national security, they weaken a company's competitive advantage in a global economy.
One example of a nation-state attack, possibly the worst in technology history, is the SolarWinds attack, first reported by FireEye on December 13, 2020. It was a pervasive attack on national security, initiated by attackers invading SolarWinds' development environment in September 2019. The attack remained undiscovered for more than a year. During that year, SolarWinds had over 30,000 enterprise customers whose systems were potentially vulnerable to malicious code.
This attack involved sophisticated planning and a flawless implementation, with the attackers targeting the Orion infrastructure monitoring platform of SolarWinds. There was an orchestrated effort to understand the development team, practices, and build processes before inserting malicious code by replacing an existing tmp file. SolarWinds' customer base was exposed to this malicious code through a periodic software update.
After gaining access, the perpetrators established servers on Amazon and GoDaddy to enable updates. "They cleaned the crime scene so thoroughly investigators can't prove definitively who was behind it," said Dina Temple-Raston in The Untold Story of the SolarWinds Hack.
Once the backdoor was activated, the attackers had a list of high-profile SolarWinds customers including FireEye, Microsoft, and the Department of Homeland Security. The victims' networks were targeted using the backdoor entry from SolarWinds. The malware, dormant for weeks, could not have been detected by static analysis or pen testing tools alone.
Protect Your Cyber Assets
Software supply chains are one of the highest-risk areas driving the increase in nation-state attacks. Companies are forced to rely on third-party libraries, which often do not incorporate strong software engineering practices. In the case of the SolarWinds attack, traditional techniques such as pen testing and static analysis would have been futile.
Given the nature of the third-party libraries being introduced, enterprises must use better code review practices along with advanced, real-time monitoring. Instead of relying on a predetermined set of outdated practices, a threat modeling phase can be used to identify and model threats based on supply-chain risks and zero-trust principles. This approach helps identify secure engineering practices that are relevant to the current architecture.
Recommendations
Here are four recommendations to help your organization prepare for a future cyber attack:
- Know what you have: Conduct an audit of your organization's cyber assets, such as the state of your cloud workloads, code repos, devices, users, and vendors. Know what cyber assets you have and where they reside.
- Visibility, context and knowledge: Determine the relationships between the cyber assets within your organization.
- Executive leadership support: Bring your executives together to make security a boardroom conversation and a priority across your entire organization, not just the security team.
- Third-party assets: Use advanced, real-time monitoring, especially as third-party libraries are introduced into your organization.
- Outdated practices: Replace outdated practices with current ones, such as a threat modeling phase used to identify and model threats based on supply-chain risks and zero-trust principles.
This approach will help encourage secure engineering practices and identify gaps in your cyber asset attack surface security plan.