Risk

9/13/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Increasingly Vulnerable Software Supply Chain

Nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses.

In July, US intelligence agencies issued a report highlighting concerns that software supply chain attacks represent an emerging threat from China that could erode America's long-term competitive economic advantage. Threat intelligence data from a variety of sources indicates that other nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses. In fact, CrowdStrike's recent study found that two-thirds of organizations across a wide variety of sectors experienced a software supply chain attack in the past 12 months.  

Adversaries have turned to this attack vector because traditional cybersecurity solutions that protect the network perimeter are advancing to the point that adversaries have had to find other ways to infiltrate an enterprise. Software supply chain vulnerabilities are prime targets for exploiting the trust between an organization and its software providers and business partners, particularly since these third-party providers are often rushing to market and overlooking best practices for proper testing and source code security.

Because of the deployment footprint for software targeted in these attacks and because advancing malware propagation techniques often leverage privileged credentials or known infrastructure vulnerabilities, supply chain attacks are often widespread, targeting the entire trusted organizations' customer base. They are also growing in frequency and sophistication. For example, adversaries target vulnerabilities using legitimate software packages, so when an attack occurs, it is difficult to detect and mitigate stealthy propagation techniques that infect other systems across the network.

According to CrowdStrike's study, these attacks also cost businesses on average over $1 million in lost business, productivity, and response costs — though they can cost more than monetary value. The increase in software supply chain attacks coupled with implementation of the European Union's General Data Protection Regulation and other privacy regulatory requirements all have finally seemed to serve as a wake-up call for organizations. According to our recent supply chain security survey, 80% of IT professionals believe software supply chain attacks will be one of the biggest cyber threats their organizations will face over the next three years.

Where We Are
So, what are organizations doing to protect themselves, and what more needs to be done?

Although organizations are increasingly becoming aware of the supply chain as an emerging attack vector, the CrowdStrike's survey found that they're still incredibly vulnerable to such attacks. One big area of concern is supplier vetting. Unfortunately, organizations expect companies to perform strenuous due diligence with evaluating the security exposure of those they do business with, invest in, or acquire. For example, only a third of respondents in the survey said they're vetting all of their suppliers, and about the same number said they are certain their suppliers will inform them if they're successfully breached. Further, 72% said their organization does not always hold external suppliers to the same security standards as they hold themselves.

Moving forward, many organizations across all sectors are beginning to change their supplier vetting process. Nearly 60% say the process has become more rigorous because more detailed checks are needed, while 80% said they would avoid working with emerging or less-established vendors due to a perceived weakness in security strategy.

Organizations looking to defend against supply chain attacks are establishing stronger measures for thorough vetting. For example, major national banks are beginning to require their vendors to meet certain minimal network security environments to protect their customers' data. But when it comes to actual vetting, only about half of survey respondents currently look at a suppliers' internal security standards or their security software. Additionally, balancing the need to ensure timely updates to key business applications with the need to ensure updates are properly tested in a controlled environment are becoming commonplace topics of discussion with security and channel organizations.  

What's encouraging: The supply chain survey found that 95% of organizations have seen a change in their boards' attitude toward such attacks in the wake of NotPetya. A change in attitude and increase in awareness is a start, but adequately defending against a software supply chain attack requires having the right tools and processes in place to effectively prevent, detect, and respond to threats.

To make it harder for software supply chain attackers to get into and traverse an entire network unabated, we recommend organizations put in place:

  • Behavioral-based attack detection solutions that can defend against sophisticated supply chain attacks;
  • Segmented network architectures;
  • Real-time vulnerability management solutions; and
  • Improved controls for managing the use of privileged credentials in the environment (including control of shared/embedded admin accounts).

Additionally, to get ahead of future attacks, organizations should use threat intelligence that will help provide the necessary data and information to proactively defend against new attacks. We also recommend taking proactive measures to evaluate the effectiveness of their cybersecurity, such as red teaming and tabletop exercises. (Note: CrowdStrike is among a number of companies that provide these services).

Finally, organizations need to ensure they can quickly respond to attacks by understanding what we call breakout time. Breakout time is the time it takes for an intruder to begin moving laterally to other systems within an organization's network. The average breakout time is one hour and 58 minutes, which is a tight window during which an organization can prevent an incident from turning into a breach.

It's clear that industries are beginning to see the need to take software supply chain threats seriously. But organizations can't wait for another large-scale software supply chain breach; they need to act now to ensure they're doing all they can to defend against these damaging attacks.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

As Vice President of Services, Thomas Etheridge oversees all service delivery associated with CrowdStrike's Falcon suite of cybersecurity products. Thomas brings over 20 years of management consulting experience and over 16 years of executive services leadership expertise in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
CVE-2018-19355
PUBLISHED: 2018-11-19
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfi...
CVE-2008-7320
PUBLISHED: 2018-11-18
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
CVE-2018-19358
PUBLISHED: 2018-11-18
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig...
CVE-2018-19351
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHand...