9/13/2018
10:30 AM

The Increasingly Vulnerable Software Supply Chain

Nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses.

In July, US intelligence agencies issued a report highlighting concerns that software supply chain attacks represent an emerging threat from China that could erode America's long-term competitive economic advantage. Threat intelligence data from a variety of sources indicates that other nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses. In fact, CrowdStrike's recent study found that two-thirds of organizations across a wide variety of sectors experienced a software supply chain attack in the past 12 months.  

Adversaries have turned to this attack vector because traditional cybersecurity solutions that protect the network perimeter are advancing to the point that adversaries have had to find other ways to infiltrate an enterprise. Software supply chain vulnerabilities are prime targets for exploiting the trust between an organization and its software providers and business partners, particularly since these third-party providers are often rushing to market and overlooking best practices for proper testing and source code security.

Because of the deployment footprint of the software targeted in these attacks, and because modern malware propagation techniques often leverage privileged credentials or known infrastructure vulnerabilities, supply chain attacks are often widespread, reaching the trusted organization's entire customer base. They are also growing in frequency and sophistication. For example, adversaries deliver their payloads through legitimate software packages, so when an attack occurs, the stealthy propagation techniques that infect other systems across the network are difficult to detect and mitigate.

According to CrowdStrike's study, these attacks also cost businesses on average over $1 million in lost business, productivity, and response costs, and the damage is not only monetary. The increase in software supply chain attacks, coupled with the implementation of the European Union's General Data Protection Regulation and other privacy regulatory requirements, finally seems to have served as a wake-up call for organizations. According to our recent supply chain security survey, 80% of IT professionals believe software supply chain attacks will be one of the biggest cyber threats their organizations will face over the next three years.

Where We Are
So, what are organizations doing to protect themselves, and what more needs to be done?

Although organizations are increasingly aware of the supply chain as an emerging attack vector, CrowdStrike's survey found that they're still incredibly vulnerable to such attacks. One big area of concern is supplier vetting. Unfortunately, organizations expect companies to perform strenuous due diligence in evaluating the security exposure of those they do business with, invest in, or acquire. For example, only a third of respondents in the survey said they're vetting all of their suppliers, and about the same number said they are certain their suppliers will inform them if they're successfully breached. Further, 72% said their organization does not always hold external suppliers to the same security standards it holds itself to.

Moving forward, many organizations across all sectors are beginning to change their supplier vetting process. Nearly 60% say the process has become more rigorous because more detailed checks are needed, while 80% said they would avoid working with emerging or less-established vendors due to a perceived weakness in security strategy.

Organizations looking to defend against supply chain attacks are establishing stronger measures for thorough vetting. For example, major national banks are beginning to require their vendors to meet certain minimum network security requirements to protect their customers' data. But when it comes to actual vetting, only about half of survey respondents currently look at a supplier's internal security standards or its security software. Additionally, balancing the need to ensure timely updates to key business applications against the need to ensure updates are properly tested in a controlled environment is becoming a commonplace topic of discussion among security and channel organizations.

What's encouraging: The supply chain survey found that 95% of organizations have seen a change in their boards' attitude toward such attacks in the wake of NotPetya. A change in attitude and increase in awareness is a start, but adequately defending against a software supply chain attack requires having the right tools and processes in place to effectively prevent, detect, and respond to threats.

To make it harder for software supply chain attackers to get into and traverse an entire network unabated, we recommend organizations put in place:

  • Behavioral-based attack detection solutions that can defend against sophisticated supply chain attacks;
  • Segmented network architectures;
  • Real-time vulnerability management solutions; and
  • Improved controls for managing the use of privileged credentials in the environment (including control of shared/embedded admin accounts).

Additionally, to get ahead of future attacks, organizations should use threat intelligence that will help provide the necessary data and information to proactively defend against new attacks. We also recommend taking proactive measures to evaluate the effectiveness of their cybersecurity, such as red teaming and tabletop exercises. (Note: CrowdStrike is among a number of companies that provide these services).

Finally, organizations need to ensure they can quickly respond to attacks by understanding what we call breakout time. Breakout time is the time it takes for an intruder to begin moving laterally to other systems within an organization's network. The average breakout time is one hour and 58 minutes, which is a tight window during which an organization can prevent an incident from turning into a breach.
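To make the breakout-time metric concrete, the following is an added example (not code from the article or from CrowdStrike) that reconstructs breakout time per incident from a handful of constructed endpoint alert lines and checks whether a defender's containment time fits inside that window. The `timestamp key=value` log format, the hostnames, the incident IDs and the `initial_access` / `lateral_movement` category names are all assumptions made for the example; a real EDR export would need its own parser in place of `parse_alert`.

```python
"""Breakout time from endpoint alert telemetry (added example, not from the article).

Breakout time is the interval between an intruder's first foothold on one
host and the first lateral movement to a different host. This reconstructs
it from constructed alert log lines and reports whether a defender's
containment time would beat that window for each incident.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample telemetry; hostnames, incident IDs, category names and
# the key=value line format are assumptions, not any real product's output.
SAMPLE_LOG = """\
2018-09-01T09:00:00 host=ws-101 incident=INC-1 category=initial_access
2018-09-01T09:20:00 host=ws-101 incident=INC-1 category=execution
2018-09-01T10:45:00 host=srv-db01 incident=INC-1 category=lateral_movement
2018-09-02T14:00:00 host=ws-207 incident=INC-2 category=initial_access
2018-09-02T14:30:00 host=ws-207 incident=INC-2 category=lateral_movement
2018-09-02T17:10:00 host=fs-02 incident=INC-2 category=lateral_movement
2018-09-03T08:00:00 host=ws-310 incident=INC-3 category=initial_access
"""


class Alert(NamedTuple):
    ts: datetime
    host: str
    incident: str
    category: str


def parse_alert(line: str) -> Alert:
    """Parse one 'timestamp key=value ...' line into an Alert."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Alert(datetime.fromisoformat(ts_text), kv["host"], kv["incident"], kv["category"])


def parse_log(text: str) -> List[Alert]:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


SAMPLE_ALERTS = parse_log(SAMPLE_LOG)


def breakout_time(alerts: List[Alert], incident: str) -> Optional[timedelta]:
    """Time from the first initial_access alert to the first lateral_movement
    alert on a *different* host, or None if no breakout has been observed."""
    inc = sorted((a for a in alerts if a.incident == incident), key=lambda a: a.ts)
    first = next((a for a in inc if a.category == "initial_access"), None)
    if first is None:
        return None
    for a in inc:
        # Lateral-movement activity still on the foothold host is not breakout;
        # the intruder has to reach a second system.
        if a.category == "lateral_movement" and a.host != first.host and a.ts >= first.ts:
            return a.ts - first.ts
    return None


def average_breakout(alerts: List[Alert]) -> Optional[timedelta]:
    """Mean breakout time over incidents where a breakout was observed."""
    incidents = {a.incident for a in alerts}
    times = [t for t in (breakout_time(alerts, i) for i in incidents) if t is not None]
    if not times:
        return None
    return sum(times, timedelta()) / len(times)


def breakout_report(alerts: List[Alert], containment_minutes: int) -> Dict[str, Tuple[Optional[timedelta], Optional[bool]]]:
    """Per incident: (breakout time, True if the team's containment time is
    shorter than the breakout window). The flag is None when no breakout was seen."""
    containment = timedelta(minutes=containment_minutes)
    report = {}
    for inc in sorted({a.incident for a in alerts}):
        bt = breakout_time(alerts, inc)
        report[inc] = (bt, None if bt is None else containment < bt)
    return report


if __name__ == "__main__":
    # Assumed containment time of 90 minutes for the defending team.
    for inc, (bt, contained) in breakout_report(SAMPLE_ALERTS, 90).items():
        print(f"{inc}: breakout={bt} contained_in_time={contained}")
    print(f"average breakout over observed incidents: {average_breakout(SAMPLE_ALERTS)}")
```

Run as a script it prints one line per incident; INC-3 shows no breakout because the intruder has not been seen on a second host yet, which is exactly the window a response team wants to act in. Tracking the containment flag over time gives a defender a direct way to measure whether their response process is faster than the adversary's breakout time.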

It's clear that industries are beginning to see the need to take software supply chain threats seriously. But organizations can't wait for another large-scale software supply chain breach; they need to act now to ensure they're doing all they can to defend against these damaging attacks.


As Vice President of Services, Thomas Etheridge oversees all service delivery associated with CrowdStrike's Falcon suite of cybersecurity products. Thomas brings over 20 years of management consulting experience and over 16 years of executive services leadership expertise in ... View Full Bio