We've been hearing a lot about software supply chain attacks over the past two years, and with good reason. The cybersecurity ecosystem and industry at large have been inundated with warnings about this attack vector, with high-profile attacks leading to a stark increase in vendor solutions, as government regulations keep trying to catch up. Yet despite the popularity of AppSec-related incidents, Enso Security's research has shown that most organizations do not have an incident response plan in place specific to these attacks. Others that do have an IR playbook often prepare to respond to infrastructure-related attacks such as ransomware, rather than attacks based on application channels. Given the prevalence of these attacks, this post will focus on software supply chain incident response and will include a quick response playbook as well as trends and characteristics that make AppSec incident response deserving of its own plan.
Before we dive in, it's important to remember that incident response is a profession and involves a fair amount of resources and strategy. Designing a proper incident response plan for AppSec threats doesn't happen overnight, and each response plan is uniquely suited to a specific organization. With that being said, we hope our quick tips will be able to help organizations get a strong head start.
A Quick, AppSec Incident Response Checklist
Below is a basic AppSec incident response checklist for a malicious package incident, such as the ESLint attack, which, for me, was the first time I had to respond in real-time to a malicious dependency potentially running in the continuous integration (CI) pipeline.
Here is an example of a basic incident response playbook for a public popular dependency gone malicious:
1. Check CI logs for the specific usage of the malicious packages.
2. Identify the assets to which the malicious code gains access.
3. Identify all possible compromised credentials and rotate all credentials in the relevant environments.
4. Identify all associated developers who have committed the malicious package, rotate the relevant credentials, and have security or IT begin an investigation of their workstations.
5. Notify R&D that there is a malicious package suspicion and relevant keys may be rotated shortly.
6. Audit all access to organization assets. Identify any anomalies that indicate breached credentials usage. Continue this step beyond the initial incident response.
While these steps are being taken, the company's executive management team should consider and draft both an internal and a public response to a potential incident, and involve the required departments, such as customer success, external affairs, legal, etc.
Why Do We Need a Dedicated AppSec Incident Response Playbook?
R&D as the attack surface: As the rate of production is faster than ever, developers are the largest growing moving targets for attacks. Security must get in front of this attack vector by having the security controls in place and continuously collecting the relevant data from R&D — not just when there's an emergency. The nature of supply chain attacks requires security to have a much deeper understanding of the business, and they must be able to show leadership that they are able to manage and assess security issues based on their own data, without burdening R&D during an incident.
Mass-casualty event: Unlike traditional ransomware attacks that target one organization at a time, supply chain attacks are often mass-casualty events, potentially affecting thousands of organizations in one "hit." A standard incident response plan will not be suited for massive security events in which external consultations are needed. Experts will be overwhelmed and trying to assist dozens of customers in such an attack, and the organization cannot run the risk of a delayed response.
AppSec is an immature discipline: The importance of AppSec has only recently been acknowledged, evident by the current and expected increases in spending, market growth, and regulatory activity. Software supply chain attacks are also a relatively new phenomenon that security teams must deal with, as they were not prioritizing this kind of threat only five years ago. Today, security teams face these challenges on a daily basis. As the application attack surface continues to expand and has become globally intertwined, the available solutions and know-how are still playing catch-up.
Attacker sophistication not (always) required: Attackers are lucky enough to leverage the fact that there is still a concerning lack of adequate tools to defend the industry from supply chain risks, and the security tools that do exist are still quite new. Supply chain attacks are extremely lucrative and a small crime brings attackers a disproportionate amount of treasure. If an attacker succeeds, they can get access to important data from not one organization but thousands. On the defense side, organizations have little visibility into CI builds and even less visibility into developer stations, making it extremely difficult to secure this attack surface.
Despite this seemingly unbalanced match between malicious actors and AppSec teams, we shouldn't feel defeated. As these threats grow more prevalent, security teams are getting better at incident response, and vendors are building innovative tools to better serve security professionals. With a little rearranging of priorities and updating of the incident response manual to better suit threats of an AppSec nature, organizations can be ready to face the future of software attacks.