What are supply chain attacks and why can they be so damaging? In this first installment of our blog series, we'll identify some common elements of a supply chain attack and how you can discover these attacks in the early stages.
What is a Supply Chain Attack?
A supply chain attack is a particular type of cyber attack that seeks to gain access to protected information or damage an organization by targeting less-secure elements in the supply chain, such as third-party vendors or software.
Supply chain attacks have been used against organizations and government entities for many years. From the high profile 2010 Stuxnet attack on Iranian nuclear centrifuge control systems to the latest 2020 SolarWinds SUNBURST backdoor trojan attack, these are highly sophisticated attacks that have caused substantial losses and/or setbacks for the victims, as well as reputational damage.
Successful, highly damaging supply chain attacks often have many of the following elements in common:
- Meticulous preparation: Attackers usually surveil target organizations for long periods while planning supply chain attacks or put considerable effort into developing custom code.
- 'Legitimate' entry: Attackers can use credentials stolen from a legitimate supplier or trojanized updates to trusted third-party software used within the organization's IT infrastructure to gain access. Stuxnet was so stealthy that there is still considerable debate around whether defenses were breached via an infected USB stick or installation of other equipment.
- Remote command and control: Once trusted IT assets are compromised, adversaries can take additional remote actions to carry out the attack. In the SolarWinds example, a backdoor trojan enabled nation state actors to provide additional directions from a command and control infrastructure to carry out the attack.
- Stealthy movement: By moving laterally and abusing tooling already built into the operating system, such as PowerShell, attackers can 'live off the land' inside an organization's network and IT infrastructure, increasing dwell time and their odds of success.
- Post-execution coverup: Once attackers have achieved their goals of data exfiltration, disruption, or destruction, they often attempt to remove malicious software and digital footprints, such as logs, to help evade or delay discovery and attribution.
Over the past 10 years, much has changed across the IT landscape, yet many basic security challenges stubbornly remain. Cloud adoption has outpaced even some optimistic predictions as organizations choose to outsource their data centers to improve focus on core business initiatives. As opportunities for businesses to innovate in the cloud continue to unfold, they create an equally large number of new targets for attackers to pursue.
A wide variety of compute instances and VMs still dominate in the cloud, but probably not for long, as newer technologies, including containers and serverless compute, gain momentum. DevOps techniques enable accelerated development and deployment of cloud workloads, but they often neglect security and expose potential attacker footholds.
Widespread use of open source software has ushered in a new era of ease and cost reduction in cloud application development while increasing the risk of introducing vulnerabilities (unintentional or otherwise) into cloud workloads. Wisely, cloud providers have chosen to 'share' responsibility for security in the cloud with their customers.
The SolarWinds Exploit
We don't yet fully know the origin and number of attackers involved in the SolarWinds exploit. But we do know their techniques were highly sophisticated, involved a number of steps, utilized both customized software and tools existing in the environment, and resulted in data exfiltration and other damage. Still, most troubling is the 9 months or more of dwell time the attackers enjoyed. However, there is a silver lining in this dark cloud. Each step in a supply chain attack offers an opportunity to discover and stop intruders.
Tools That Can't Be Detected
What defenders need is a sophisticated and stealthy security toolset that learns on the fly and keeps pace with the latest attack techniques. Fortunately for them, those solutions are within reach. Using tools that tap into the network to mirror packets gives defenders a covert vantage point and unassailable data source.
Dissecting packets to extract metrics reveals a wealth of information, including all connected devices and device types within a data center or cloud environment, attacker lateral movements, new connections, abnormal user behavior, data breach attempts, and ransomware. And that's just the beginning.
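As an added example that is not ExtraHop's code and does not describe how Reveal(x) works internally, the script below applies two of the ideas above to a constructed set of flow records: it flags internal-to-internal connections never seen in a baseline window (the lateral movement and 'legitimate entry' stages described earlier) and outbound sessions that recur at a near-constant interval (the remote command and control stage). The 10.0.0.0/8 internal range, the one-hour baseline window, the minimum beacon count and the 10% jitter tolerance are all assumptions chosen for the sample data.

```python
"""Flow-based detection of two supply chain attack stages: first-seen
internal connections (lateral movement) and periodic outbound sessions
(command-and-control beaconing). Example code, not ExtraHop's."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal address space
BASELINE_END = 3600  # assumption: flows before this time form the "known good" baseline

# Constructed sample flow records, not captured traffic:
# (timestamp in seconds, source IP, destination IP, destination port)
FLOWS = [
    # baseline window: normal file-share and HTTPS traffic
    (100, "10.0.0.5", "10.0.0.10", 445),
    (200, "10.0.0.5", "10.0.0.20", 443),
    (900, "10.0.0.5", "198.51.100.9", 443),
    (2500, "10.0.0.5", "10.0.0.10", 445),
    # detection window: a known connection repeats (no alert)
    (3700, "10.0.0.5", "10.0.0.10", 445),
    # detection window: first-ever WinRM session to a new host (lateral movement)
    (3800, "10.0.0.5", "10.0.0.30", 5985),
    # detection window: irregular outbound HTTPS from 10.0.0.5 (not a beacon)
    (4000, "10.0.0.5", "198.51.100.9", 443),
    (4300, "10.0.0.5", "198.51.100.9", 443),
    (5900, "10.0.0.5", "198.51.100.9", 443),
    (6100, "10.0.0.5", "198.51.100.9", 443),
]
# detection window: 10.0.0.30 checking in with an external host every ~600 s
FLOWS += [(4200 + 600 * i + jitter, "10.0.0.30", "203.0.113.7", 443)
          for i, jitter in enumerate([0, 3, -2, 5, -4, 1, 2, -3])]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def build_baseline(flows, baseline_end=BASELINE_END):
    """Set of (src, dst, port) internal-to-internal triples seen before baseline_end."""
    return {(s, d, p) for t, s, d, p in flows
            if t < baseline_end and is_internal(s) and is_internal(d)}


def find_new_internal_connections(flows, baseline_end=BASELINE_END):
    """Report each internal-to-internal (src, dst, port) that first appears after the baseline."""
    known = build_baseline(flows, baseline_end)
    seen = set()
    alerts = []
    for t, s, d, p in sorted(flows):
        if t < baseline_end or not (is_internal(s) and is_internal(d)):
            continue
        key = (s, d, p)
        if key not in known and key not in seen:
            seen.add(key)  # alert once per new pair, not once per flow
            alerts.append({"time": t, "src": s, "dst": d, "port": p})
    return alerts


def find_beacons(flows, min_count=6, max_jitter=0.1):
    """Report internal->external destinations contacted at a near-constant interval.

    A beacon is declared when at least min_count sessions exist and the
    coefficient of variation of the gaps between them is at most max_jitter.
    """
    by_dest = defaultdict(list)
    for t, s, d, p in flows:
        if is_internal(s) and not is_internal(d):
            by_dest[(s, d, p)].append(t)
    alerts = []
    for (s, d, p), times in by_dest.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"src": s, "dst": d, "port": p,
                           "count": len(times), "interval": round(avg)})
    return alerts


if __name__ == "__main__":
    for a in find_new_internal_connections(FLOWS):
        print("new internal connection:", a)
    for a in find_beacons(FLOWS):
        print("possible beacon:", a)
```

On the sample data the first function reports only the 10.0.0.5 to 10.0.0.30 WinRM session, and the second reports only the eight check-ins from 10.0.0.30 to 203.0.113.7 at roughly a 600-second interval; the irregular HTTPS traffic to 198.51.100.9 trips neither rule. In production the baseline would be built from weeks of traffic rather than one hour, the thresholds tuned per environment, and the beacon rule paired with longer observation windows, since an implant that randomizes its sleep heavily or calls home only every few hours will not show the tight periodicity this simple check looks for.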
ExtraHop has been developing and fine-tuning cybersecurity tools that utilize machine learning and stealthy packet mirroring for years. Now, we're leading a new security category known as network detection and response (NDR).
In the wake of the SolarWinds attack, where the extensive scope and dwell time increased the potential for damage exponentially, organizations are relearning just how important it is to have months of logs and network activity readily available to determine how and when they were hacked. Having real-time access to this information via a tool with intuitive usability and workflows helps security operations follow an attacker's tracks to quickly remediate vulnerabilities, and help auditors forensically determine the extent of damage to an organization. ExtraHop Reveal(x) 360 provides immediate access to 90 days of in-depth network information, the ground source of truth in cloud threat detection and remediation.
You can also try Reveal(x) 360 for free. See how SaaS-based Reveal(x) 360 detects threats up to 95% faster and slashes your time to respond by up to 70% with a 15-day proof of value in your AWS environment. Request your free trial today.