Do you have trust issues? We don't care what your therapist says, in cybersecurity that's perfectly okay, as the idea that there is trusted third-party hardware and software is probably wishful thinking. Unfortunately, diligent, well-respected software and hardware suppliers can still be infiltrated by persistent adversaries.
The world became acutely aware of the severity and scope of supply chain attacks after SUNBURST was disclosed in December 2020. While the intrusion campaign largely targeted government institutions, the trojanized update reached an estimated 18,000 organizations. Unfortunately, nine months after disclosure, many organizations are still building their response strategy.
The Quick Answer: Responding to Supply Chain Attacks
To help organizations understand how SUNBURST and other supply chain attacks work and how to form a response plan, Gartner® published Quick Answer: How to Respond to a Supply Chain Attack? In the report, Gartner defines a supply chain attack as "When goods, services or technology supplied by a vendor to a customer have been breached and compromised, which introduces a risk to the customer base."
A safe assumption is that no product or vendor should be completely trusted, but Gartner makes the case that preparing to defend, rather than shunning new technology, is the smarter business strategy. According to Gartner, "Supply chain attacks are a reality, but organizations are often unprepared to respond to a cybersecurity event when it occurs. Security and risk management leaders should have an incident response plan prepared to deal with events where supply chain attacks may impact their organizations."
To help inform how organizations should respond to supply chain attacks, Gartner outlines a plan, which includes determining if an organization is affected, monitoring for indicators of compromise, and tracking any lateral movement.
The Quick Answer report also offers some tool recommendations. In it, Gartner names EDR (endpoint detection and response) and NDR (network detection and response) as effective solutions for detecting lateral movement and credential management anomalies. Gartner also notes the benefits of behavioral analytics, saying that "Also worth deploying are tools that incorporate user behavioral analytics to examine standard access behavior of users and servers. If such a tool is deployed, it will help reduce the spread of malware by limiting it to the systems the infected device can access." They also add that "any network security with threat intelligence or signatures could detect the [command-and-control] communication once the servers are known as bad."
Deeper Dive: What Is a Supply Chain Attack?
While Gartner offers a quick answer, we feel this topic is important enough to dig a little deeper, break down the most common vehicles for supply chain attacks, and offer our take on fast, effective response.
A supply chain attack occurs when a bad actor trojanizes a legitimate product: they insert malicious code or backdoors into trusted hardware or software as a means of entering an environment undetected, riding on the trust the victim already places in the vendor. Generally, supply chain attacks target three types of products:
Hardware Supply Chain: These occur when an adversary alters hardware or firmware components in products such as servers and network infrastructure to gain backdoor access. By leveraging hardware, the attacks become extremely hard to detect. Malicious additions such as implanted chips can easily be disguised as legitimate components, and any system intrusions are almost impossible for victims to identify in the early stages.
While these attacks reap rewards for attackers, hardware supply chain attacks are also extremely difficult to carry out. An attacker has to physically intercept and tamper with hardware, either during the production process or while a piece of hardware is in transit.
Software Dependencies and Development Tools: In this type of attack, an adversary infiltrates software dependencies, including open-source software and commercially licensed development tools. Because software dependencies can be widely used across many different vendors, an attacker has the potential to target a broad set of victims.
Supply chains are becoming increasingly complex, which gives an added advantage to software dependency attacks. A single manufactured device may encompass hardware components and software that can contain dependencies and the associated risk that goes far up the supply-chain ladder. Even when malicious code is discovered, an intended victim could potentially be exposed for a long period of time as patches and updates trickle down the supply chain, creating a longer attack window. The Ripple20 vulnerabilities offer a worst-case example of how complex, modern supply chains impact today's security.
Software Supply Chain: This is when an adversary manipulates a vendor's software prior to deployment, usually with the goal of gaining system access or exfiltrating sensitive data. This method is a well-documented form of supply chain attack in the MITRE ATT&CK framework (Supply Chain Compromise, T1195), with numerous examples of its use by advanced persistent threats, including nation-state adversaries and ransomware gangs.
In the case of SUNBURST, APT29 is thought to be responsible for inserting malicious code into a legitimate, signed SolarWinds Orion build, which was then distributed to customers as a routine software update. Once installed, the backdoor ran with the privileges of the Orion service, lay dormant for roughly two weeks, checked the host for security tools (attempting to disable some security services via the registry where it could), and then contacted attacker-controlled infrastructure over DNS for instructions, aka command-and-control beaconing.
Technology That Gives You the Advantage
Among its recommendations for vendor risk management, the Gartner Quick Answer lists behavior-based analytics as part of an NDR solution, while naming threat intelligence and signature-based detections separately from NDR. NDR tools are becoming necessary for defending against advanced threats, but within the NDR market category there is a range of available technology that can make or break a team's success. It's worth a closer look at the NDR features that make the detection and investigation of stealthy attacks more clear cut.
One of the most important factors in detecting any kind of unknown threat, and part of what defines NDR technology, is behavioral analytics. Machine-learning powered network detection and response establishes baselines of normal network activity (which hosts talk to which destinations, how often, and how much data they move) so that it can single out activity that deviates from that norm.
Signature-based detection is helpful, but used on its own it can only detect known threats. That leaves organizations exposed to the novel tooling and previously unseen infrastructure behind today's supply chain attacks, where the malicious update is signed by a trusted vendor and the C2 domains have no reputation yet. In addition, because behavior-based detectors are measured against the environment's own baseline, a well-tuned deployment tends to produce fewer false positives than a broad, untuned signature set.
This is why we don't recommend that an organization rely on signature-based IDS alone, but instead look toward a comprehensive NDR solution that combines rule-based and behavior-based detections. It allows organizations to reduce alert fatigue and keep the benefits of perimeter detection while still being able to detect threats post compromise.
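To make the difference between the two detection styles concrete, here is an added toy example (not ExtraHop, Gartner or SolarWinds code) of the two checks described above run over a constructed connection log: a signature/threat-intel match against a list of destinations already known to be bad, and a behavioral check that learns each host's normal destinations during a baseline window and then flags a new destination contacted at near-constant intervals, the DNS/HTTPS beaconing pattern described for SUNBURST. Every hostname, host name and timestamp is invented for the illustration; the thresholds (six connections, coefficient of variation of inter-arrival times at or below 0.15) are assumptions, not vendor defaults.

```python
"""Toy NDR-style detector: threat-intel match plus behavioral beacon detection.

Added illustration only; not the code of any product or report named on the page.
All hostnames, internal host names and timestamps are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since epoch
    src: str         # internal host that opened the connection
    dst: str         # destination hostname (from DNS or TLS SNI)
    out_bytes: int   # bytes sent by src


# Constructed threat-intel feed: destinations already known to be C2.
KNOWN_BAD = {"update-cdn.badexample.net"}


def signature_hits(conns, bad=KNOWN_BAD):
    """Signature / threat-intel detection: finds only destinations already on the list."""
    return sorted({(c.src, c.dst) for c in conns if c.dst in bad})


def baseline_destinations(conns, learn_until):
    """Learn which destinations each host normally talks to during the learning window."""
    seen = defaultdict(set)
    for c in conns:
        if c.ts < learn_until:
            seen[c.src].add(c.dst)
    return seen


def beacon_candidates(conns, baseline, learn_until, min_count=6, max_cv=0.15):
    """Behavioral detection: a destination absent from the host's baseline that is
    contacted at near-constant intervals. cv = stdev/mean of the inter-arrival gaps;
    human-driven traffic is bursty (high cv), an implant's beacon is regular (low cv).
    Thresholds are assumptions chosen for this example."""
    groups = defaultdict(list)
    for c in conns:
        if c.ts >= learn_until and c.dst not in baseline.get(c.src, set()):
            groups[(c.src, c.dst)].append(c.ts)
    findings = []
    for (src, dst), times in groups.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(findings)


def build_sample():
    """Constructed connection log: one baseline day, then normal traffic plus an implant."""
    conns = []
    # Baseline day: workstation ws-17 uses its usual services at irregular times.
    for t in [0, 37, 410, 1290, 1310, 2900, 5400, 9999]:
        conns.append(Conn(t, "ws-17", "mail.corp.example", 1200))
        conns.append(Conn(t + 5, "ws-17", "updates.vendor.example", 800))
    learn_until = 86400.0
    # After the baseline: the same normal traffic continues.
    for t in [86400, 86520, 90000, 91234]:
        conns.append(Conn(t, "ws-17", "mail.corp.example", 1500))
    # Implant on ws-17 beacons to a never-before-seen domain every ~600 s with small jitter.
    # The domain is not on any feed, so only the behavioral check can catch it.
    for i in range(8):
        conns.append(Conn(86400 + i * 600 + (i % 3) * 4, "ws-17",
                          "api-telemetry.badexample.org", 312))
    # A server contacts a domain that a feed already lists as C2 (one connection).
    conns.append(Conn(90100, "srv-orion-01", "update-cdn.badexample.net", 4096))
    return conns, learn_until


def run():
    conns, learn_until = build_sample()
    base = baseline_destinations(conns, learn_until)
    return {
        "signature": signature_hits(conns),
        "behavioral": beacon_candidates(conns, base, learn_until),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Run it and the signature check reports only the server talking to the feed-listed domain, while the behavioral check reports the workstation beaconing to a domain no feed knows about; neither alone covers both cases, which is the argument for combining them. In a real deployment the baseline would be learned per host over days rather than hours, and a beacon finding is a lead for investigation (who registered the domain, what else did the host do), not a verdict on its own.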
Curated Threat Intelligence
The ability to detect anomalous behavior is just the first step toward effective investigation and response. Once suspicious activity has been detected, an analyst must be able to determine the actual risk by investigating the anomaly, usually starting by looking at any communication records that may be associated with an event.
When integrated with an NDR solution, curated threat intelligence helps users get a comprehensive look at any devices or communications associated with a specific detection. This allows security analysts to clearly see what's at risk and drill down to any associated communications, making the investigation of suspicious URIs or hosts a simpler task. The relevant threat information provided helps network defenders make the decisions they need to protect their network before any major damage is done.
Packet-Level Forensics and Decryption
The benefits of both behavior analytics and threat intelligence are limited without visibility into the east-west corridors of the network. The spread of network encryption has in most respects increased the security of data in transit, but for network defenders, encryption also leaves dark corners for attackers to hide in.
Supply chain attackers benefit from encryption as a means of hiding their actions: an attacker can wrap data exfiltration, database queries, or C&C beaconing in encrypted connections so that only the existence and size of the traffic is visible. By mirroring traffic and decrypting it with keys the organization controls, defenders can conduct forensics with accuracy. Rather than merely inferring what malicious activity may have occurred from observed patterns, a security analyst can identify exactly what actions were taken, down to the packet level. The caveat is that decryption covers only sessions for which the defenders hold the keys, such as traffic to their own servers; with forward-secret TLS that means keys exported from those servers out of band, and an attacker's own encrypted channel to external infrastructure stays opaque, leaving its timing, volume and destination as the evidence.
You can see how NDR with behavior-based analytics, curated threat intelligence, and packet-level forensic capabilities performs against supply chain attacks in our online demo. The demo offers a full, unthrottled version of our NDR solution, ExtraHop Reveal(x), running on example data. Choose the SUNBURST scenario for a guided tour of how it can help your organization detect and respond to a real supply chain attack.