What You Need to Know about Supply Chain Attacks
the update system of the Ukrainian tax software, M.E.Doc. This attack led to widespread compromises in the Ukraine, and across the globe, resulting in billions of dollars in damage.
Later that same year, bad actors managed to insert a backdoor into the popular PC maintenance tool CCleaner. The compromised versions were downloaded over 2.27 million times, though only a small number of these installs were targeted to receive a secondary payload.
Supply chain attacks can be traced back even further. While relatively infrequent, likely due to the high sophistication and development complexity, their potency makes them a viable option to motivated and well-funded attackers.
The Defense Dilemma
The toughest part about supply chain attacks is that the vector used to compromise the primary target is hidden within legitimate software. This makes supply chain attacks incredibly difficult to protect against, presenting a number of challenges.
First, supply chain attacks compromise software that your organization already uses and trusts. Inserting bad code into trusted software makes it notoriously difficult to identify the malicious activity.
Good security and software engineering practices within suppliers are indeed a way to combat supply chain attacks. However, audits of suppliers require no small investment of time and money, and don’t always scale across the number and variety of suppliers used by a given company.
Patching is a vital part of any security strategy. It is particularly ironic that in the case of so many supply chain attacks, the malicious functionality is distributed by abuse of the patching and update mechanism by bad actors.
This presents a Catch-22: An errant patch could result in a supply chain compromise, but not patching could lead to other security risks, such as exploitation via unpatched vulnerabilities.
Caught in the Act
Given the enormity of the task of detecting a supply chain attack before bad actors gain access, in most cases, another approach will be needed. The silver lining here is that, while gaining access can be looked at as the sign of a successful supply chain attack, it’s still only the beginning when it comes to bad actors’ ultimate goals.
The fact remains that the system through which attackers gain their initial access isn’t usually their ultimate destination. An attacker will still have to traverse a network, moving laterally to get to their goal. Also, if stealing information is their aim, they will still need to exfiltrate said data. And through it all, they will need to perform command and control activity to instruct the malicious software to do what they need it to do.
These are all great touchpoints to detect, block and remediate such an attack. Having policies in place to detect such activity can go a long way to alerting to a supply chain attack, along with a threat hunting program available to look for further evidence of a compromise.
For instance, keep an eye out for any of the following:
- Look for unauthorized changes or unusual software additions on endpoints. Attackers often modify endpoints, or install software like webshells, to further their attacks.
- Monitor for unexpected use of credentials. When machines are compromised, credentials are often scraped and used to log into other devices on the network.
- Pay particular attention to key systems, such as Active Directory servers or other domain controllers.
Focusing on Response
With prevention being difficult, if not an unattainable goal, response becomes a more viable approach to defend against