Do you have trust issues? Whatever your therapist says, in cybersecurity that's perfectly okay: the idea that third-party hardware and software can simply be trusted is wishful thinking. Even diligent, well-respected software and hardware suppliers can be infiltrated by persistent adversaries.
The world became acutely aware of the severity and scope of supply chain attacks after SUNBURST was disclosed in December 2020. While the intrusions largely targeted government institutions, roughly 18,000 organizations downloaded the trojanized update and were exposed. Nine months after SUNBURST was first reported, many organizations are still building their response strategy for this class of attack.
What Is a Supply Chain Attack?
A supply chain attack occurs when a bad actor trojanizes a legitimate product, inserting malicious code or a backdoor into trusted hardware or software as a means of entering an environment undetected. Supply chain attacks generally target three types of products:
Hardware Supply Chain: An adversary alters hardware or firmware components in products such as servers and network infrastructure to gain backdoor access. Because the implant sits beneath the operating system and its security tooling, these attacks are extremely hard to detect. Malicious additions such as implanted chips or modified firmware can be disguised as legitimate components, and the intrusion is almost impossible for victims to identify in its early stages.
These attacks pay off handsomely when they work, but they are also extremely difficult to carry out: an attacker has to physically intercept and tamper with the hardware, either during production or while it is in transit.
Software Dependencies and Development Tools: An adversary compromises a software dependency, including open-source libraries and commercially licensed development tools, that other vendors build into their own products. Because a single dependency can be used across many different vendors, one compromise gives the attacker a potentially broad set of victims.
Supply chains are becoming more complex, which works in the attacker's favor. A single manufactured device bundles hardware components and software, each of which carries its own dependencies and inherits risk from far up the supply chain. Even once malicious code or a vulnerability is discovered, a victim can remain exposed for a long time while patches trickle down through each intermediate vendor, lengthening the attack window. The Ripple20 vulnerabilities in the Treck TCP/IP stack are a worst-case example of how deeply a single component can be embedded across modern supply chains.
Software Supply Chain: An adversary manipulates a vendor's software prior to deployment, usually to gain system access or exfiltrate sensitive data. This is a well-documented technique in the MITRE ATT&CK framework (Supply Chain Compromise, T1195), with numerous examples of its use by advanced persistent threats, including nation-state adversaries, and by ransomware operators.
In the case of SUNBURST, APT29 is assessed to have inserted malicious code into a legitimate, digitally signed SolarWinds Orion library. Delivered to Orion servers as a routine software update, the implant ran with the privileges of the Orion service, lay dormant for up to two weeks, then checked the host for security tooling and attempted to disable some of the services it found before communicating with external attacker infrastructure for instructions, initially over DNS, aka command-and-control beaconing.
Technology That Gives You the Advantage
NDR tools are becoming necessary for defending against advanced threats, but within the NDR market category there is a range of technology that can make or break a team's success. Behavior-based analytics may be standard among NDR solutions, but curated threat intelligence and packet-level forensics with strategic decryption are what create the context teams need to investigate and respond to supply chain attacks quickly. The most important NDR features for detecting and investigating stealthy attacks deserve a closer look.
One of the most important factors in detecting any kind of unknown threat, and part of what defines NDR technology, is behavioral analytics. Machine-learning-powered network detection and response learns baselines of normal activity for the hosts and protocols on the network and then surfaces activity that deviates from them, such as a server that starts calling out to a destination it has never contacted before on a fixed schedule.
Signature-based detection is helpful, but on its own it can only detect known threats, which leaves organizations exposed to the new tooling and infrastructure behind today's sophisticated supply chain attacks. In addition, the current generation of machine-learning-powered, behavior-based detectors produce false positives at a lower rate than signature-based detections, though they need a learning period to establish a reliable baseline first.
This is why we don't recommend that an organization rely on signature-based IDS alone, but instead look toward a comprehensive NDR solution that combines rule-based and behavior-based detections. The combination reduces alert fatigue and keeps the perimeter detection capabilities of signatures while still being able to detect threats post-compromise.
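As an added illustration of the baseline-plus-anomaly approach described above (example code written for this page, not ExtraHop's detection logic), the Python below learns which (source, destination) pairs are normal from one window of connection records, then, in a later window, flags a new destination that a host contacts at a near-constant interval, the shape of C2 beaconing. A signature check against a small known-bad list runs alongside it to show why a static list misses the same traffic. All records, host names, timestamps and thresholds are constructed for the example.

```python
"""Behavior-based beacon detection over constructed connection records.

Each record is (unix_timestamp, source_ip, destination_host). Nothing here is
captured traffic; hosts, times and the known-bad list are made up for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_600_000_000          # constructed reference epoch (arbitrary)
DAY = 86_400

# Baseline window ("day 1"): ordinary traffic for two workstations.
BASELINE_CONNS = [
    (BASE + t, "10.0.0.5", d) for t, d in [
        (10, "mail.example"), (700, "wiki.example"), (1800, "mail.example"),
        (4000, "cdn.example"), (9000, "wiki.example")]
] + [(BASE + t, "10.0.0.7", d) for t, d in [(50, "mail.example"), (3000, "cdn.example")]]

# Detection window ("day 2"): the same normal traffic, plus
#  - an irregular burst from 10.0.0.5 to a new site (new, but not periodic), and
#  - 10.0.0.5 contacting a never-seen host every ~60 s with small jitter (beacon-like).
DAY2 = BASE + DAY
NORMAL_DAY2 = [(DAY2 + t, "10.0.0.5", d) for t, d in [
    (30, "mail.example"), (900, "wiki.example"), (4100, "cdn.example")]]
BURST = [(DAY2 + t, "10.0.0.5", "news.example")
         for t in (5000, 5003, 5040, 5041, 5200, 5900, 7000)]
JITTER = [0, 2, -1, 3, 0, -2, 1, 2, -3, 0]
BEACON = [(DAY2 + 1200 + 60 * i + j, "10.0.0.5", "updates-sync.example")
          for i, j in enumerate(JITTER)]
DETECT_CONNS = sorted(NORMAL_DAY2 + BURST + BEACON)

# A signature list. The beacon host is, by construction, not on it: a brand-new
# C2 domain is exactly what a static indicator list cannot know about yet.
KNOWN_BAD_HOSTS = {"evil.example", "bad-cdn.example"}


def signature_hits(conns):
    """Signature-style check: connections whose destination is on the known-bad list."""
    return [(src, dst) for _, src, dst in conns if dst in KNOWN_BAD_HOSTS]


def build_baseline(conns):
    """Learn which (source, destination) pairs are normal from an earlier window."""
    return {(src, dst) for _, src, dst in conns}


def find_beacons(conns, baseline, min_connections=6, max_cv=0.15):
    """Flag new (source, destination) pairs whose inter-connection gaps are nearly constant.

    cv = stddev(gaps) / mean(gaps). A low coefficient of variation means the host is
    calling out on a timer rather than because a user clicked something.
    """
    times_by_pair = defaultdict(list)
    for ts, src, dst in conns:
        times_by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in times_by_pair.items():
        if (src, dst) in baseline or len(times) < min_connections:
            continue                                   # known-good pair, or too few samples
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_hits(DETECT_CONNS))   # nothing: the C2 host is unknown
    print("beacons:", find_beacons(DETECT_CONNS, build_baseline(BASELINE_CONNS)))
```

The irregular burst to the new site is not flagged because its gaps vary wildly, while the ten connections to the never-seen host at roughly 60-second spacing are. Real beacons add jitter and sleep multipliers on purpose, so the `max_cv` threshold and the minimum sample count are tuning knobs, not constants; a production detector would also weigh bytes transferred and the reputation of the destination.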
Curated Threat Intelligence
The ability to detect anomalous behavior is only the first step toward effective investigation and response. Once suspicious activity has been detected, an analyst has to determine the actual risk by investigating the anomaly, usually starting with any communication records associated with the event.
When integrated with an NDR solution, curated threat intelligence gives users a comprehensive view of the devices and communications associated with a specific detection. Analysts can see what is at risk and drill down into the associated communications, which makes investigating a suspicious URI or host a simpler task. That threat context helps network defenders make the decisions they need to protect the network before major damage is done.
Packet-Level Forensics and Decryption
Behavior analytics and threat intelligence are both limited without visibility into the east-west traffic inside the network. Widespread encryption has, in most respects, improved the security of data in transit, but for network defenders it also leaves dark corners in which attackers can hide.
Supply chain attacks benefit from this: an attacker can wrap data exfiltration, database queries, or C2 beaconing in encrypted connections and obscure what is actually happening. By mirroring traffic and decrypting it out of band, defenders can recover the information they need to conduct forensics accurately. Rather than inferring what may have happened from observed patterns, an analyst can identify exactly which actions were taken, down to the packet level. One caveat a practitioner should keep in mind: out-of-band decryption only works where the sensor holds the key material. For TLS 1.2 with RSA key exchange the server's private key is enough, but forward-secret cipher suites and TLS 1.3 require per-session keys forwarded from the endpoints, so this covers connections to servers you control, not a beacon to an attacker's own infrastructure. Those still have to be caught from the cleartext handshake metadata and the behavior of the connection.
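To make concrete what a sensor sees in a mirrored TLS session before any decryption, here is an added example (written for this page, not ExtraHop's code) that parses a TLS ClientHello record and pulls out the fields that travel in the clear: the offered cipher suites and the server name (SNI). Everything after the handshake is opaque unless the sensor holds the session keys, which is why the decryption described above needs key material from your own servers. The ClientHello bytes are assembled in-process with a small builder rather than captured, and the host name is a placeholder.

```python
"""Cleartext fields of a TLS ClientHello, as seen by a passive sensor.

Constructed example: the ClientHello below is built in-process, not captured.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def _take(buf: bytes, off: int, n: int) -> bytes:
    """Slice n bytes at off, refusing to read past the end (truncated capture)."""
    if off + n > len(buf):
        raise ValueError(f"truncated TLS data: need {n} bytes at offset {off}")
    return buf[off:off + n]


def _parse_sni(data: bytes):
    """ServerNameList: 2-byte list length, then (name_type, 2-byte length, name) entries."""
    list_len = struct.unpack("!H", _take(data, 0, 2))[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", _take(data, pos + 1, 2))[0]
        name = _take(data, pos + 3, name_len)
        if name_type == 0:                                   # host_name
            return name.decode("ascii", errors="replace")
        pos += 3 + name_len
    return None


def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites and SNI from a TLS ClientHello record."""
    hdr = _take(record, 0, 5)
    if hdr[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", hdr[3:5])[0]
    hs = _take(record, 5, rec_len)
    hs_hdr = _take(hs, 0, 4)
    if hs_hdr[0] != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    body = _take(hs, 4, int.from_bytes(hs_hdr[1:4], "big"))

    off = 0
    version = tuple(_take(body, off, 2)); off += 2
    _take(body, off, 32); off += 32                           # client random, skipped
    sid_len = _take(body, off, 1)[0]; off += 1 + sid_len      # session_id, skipped
    cs_len = struct.unpack("!H", _take(body, off, 2))[0]; off += 2
    cs_bytes = _take(body, off, cs_len); off += cs_len
    suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    comp_len = _take(body, off, 1)[0]; off += 1 + comp_len    # compression methods, skipped

    sni = None
    if off < len(body):                                       # extensions are optional
        ext_len = struct.unpack("!H", _take(body, off, 2))[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", _take(body, off, 4)); off += 4
            data = _take(body, off, elen); off += elen
            if etype == EXT_SERVER_NAME:
                sni = _parse_sni(data)
    return {"version": version, "cipher_suites": suites, "sni": sni}


def build_client_hello(server_name: str, cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Assemble a minimal, well-formed ClientHello record (constructed input for the demo)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = (struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"   # offers TLS 1.3
            + struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                  # legacy version, zeroed random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                             # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello("updates-sync.example")        # placeholder host name
    print(parse_client_hello(hello))
```

The SNI and cipher list are enough to match a destination against threat intelligence and to fingerprint the client, and they are available for every connection regardless of who holds the keys. What the request inside the session said, which URI was fetched, or what was exfiltrated, is only recoverable where the sensor has been given the session keys. The parser refuses truncated input rather than guessing, which matters on a span port where packets get dropped under load.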
You can see how NDR with behavior-based analytics, curated threat intelligence, and packet-level forensic capabilities performs against supply chain attacks in our online demo. The demo offers a full, unthrottled version of our NDR solution, ExtraHop Reveal(x), running on example data. Choose the SUNBURST scenario for a guided tour of how it can help your organization detect and respond to a real supply chain attack.