
How to Fight Tomorrow's Novel Software Supply Chain Attacks

As attackers increasingly target the lucrative supply chain, organizations need to think about how they can defend against such attacks.

Justin Fier, Director for Cyber Intelligence & Analytics at Darktrace

February 17, 2022


The past year has seen a rise in software supply chain attacks, from the devastating SolarWinds Orion compromise to the Kaseya ransomware attack and the widespread exploitation of GitLab servers. Threat actors are using software and developer infrastructure, platforms, and providers as valuable entry points into governments, corporations, and critical infrastructure.

This attack vector allows attackers to maximize ROI on a single campaign. One successful breach can result in a wide distribution of malware, potentially affecting thousands of organizations connected to the supplier. Looking at the widespread damage caused by these attacks in 2021, it is obvious that complex digital supply chains are a hacker's paradise.

It is widely expected that threat actors will continue to target the supply chain in 2022 through proprietary source code, developer repositories, and open source libraries. Indeed, the White House recently hosted a summit with the leaders of major tech companies to discuss how to secure open source software after the discovery of the Log4j vulnerability.

Ensuring that trusted suppliers are held accountable to best cyber practices is important, but in an era of unpredictable cyberthreats, all organizations must take appropriate measures to ensure they are prepared to defend against software supply chain attacks.

Stopping the Kaseya Attack With AI
Many organizations use security technology that relies on hallmarks of previously encountered threats to try to stop the next attack. Given the pace of attacker innovation today, however, it's clear this is no longer a reliable strategy. This approach leaves businesses open to attacks that use new infrastructure and new techniques for which we don't yet know the signatures.

In the well-known case of Kaseya, attackers used a zero-day vulnerability to gain access to Kaseya Virtual System Administrator (VSA) servers and then deployed ransomware on the endpoints managed by those VSA servers. This modus operandi vastly differs from previous ransomware campaigns, which have traditionally been human-operated, direct intrusions. Because of its novelty, traditional security tools were blind to this attack.

For one organization using behavior-based security tools, self-learning artificial intelligence (AI) detected the first signs of Kaseya ransomware on the network as soon as encryption had begun. When it came to pinpointing and quarantining the infected device, the AI did not look for a static string or a known ransom note. Instead — by learning what constitutes "normal" for the organization — it identified that the activity was highly unusual for that device and anything in its peer group.

By detecting and correlating these subtle anomalies, the AI identified the unusual activity as the earliest stages of ransomware encryption on the network. It took immediate, targeted action to contain the threat, stopping the infected laptop from making any connections that were new or unusual and thereby preventing any further encryption activity.

All of this happened in a matter of minutes. The infected laptop repeatedly tried to connect to other internal devices via server message block (SMB) to continue the encryption activity, but it was blocked by the AI at every stage, limiting the spread of the attack and the damage the encryption could do across the network. For the organization in question, the Kaseya ransomware attack had been handled behind the scenes by AI, without the need for human intervention.
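The peer-group baselining described above, as an added illustration that is not Darktrace's or the article's own code: it learns which SMB destinations each host and its peer group normally contact from a constructed baseline, then flags any host whose SMB fan-out in a new window reaches enough destinations unknown to both the host and its peers to warrant containment. Host names, the peer groups, the threshold and the connection records are all constructed.

```python
from collections import defaultdict

SMB_PORT = 445
NEW_DEST_THRESHOLD = 3  # assumed: unusual SMB destinations in one window before containment

# Constructed historical "normal" traffic: (source host, destination host, port).
BASELINE = [
    ("lt-01", "fs-01", 445), ("lt-01", "fs-02", 445), ("lt-01", "web-01", 443),
    ("lt-02", "fs-01", 445), ("lt-02", "print-01", 445), ("lt-02", "web-01", 443),
    ("lt-03", "fs-02", 445), ("lt-03", "web-01", 443),
]
# Constructed peer groups (in practice learned from similarity of behavior).
PEER_GROUPS = {"lt-01": "laptops", "lt-02": "laptops", "lt-03": "laptops"}

# Constructed observation window: lt-03 fans out over SMB to hosts that
# neither it nor any of its peers has ever contacted.
WINDOW = [
    ("lt-01", "fs-01", 445), ("lt-03", "fs-02", 445),
    ("lt-03", "lt-01", 445), ("lt-03", "lt-02", 445),
    ("lt-03", "hr-01", 445), ("lt-03", "fin-01", 445),
]


def build_baseline(events, peer_groups):
    """Learn per-host and per-peer-group sets of known SMB destinations."""
    host_dests, group_dests = defaultdict(set), defaultdict(set)
    for src, dst, port in events:
        if port != SMB_PORT:
            continue  # only SMB matters for this detector
        host_dests[src].add(dst)
        group_dests[peer_groups.get(src, src)].add(dst)
    return host_dests, group_dests


def unusual_smb(events, host_dests, group_dests, peer_groups):
    """Map each host to the SMB destinations unknown to it and to its peer group."""
    unusual = defaultdict(set)
    for src, dst, port in events:
        if port != SMB_PORT:
            continue
        known = host_dests.get(src, set()) | group_dests.get(peer_groups.get(src, src), set())
        if dst not in known:
            unusual[src].add(dst)
    return {host: sorted(dests) for host, dests in unusual.items()}


def hosts_to_contain(events, baseline_events, peer_groups, threshold=NEW_DEST_THRESHOLD):
    """Hosts whose count of unusual SMB destinations reaches the containment threshold."""
    host_dests, group_dests = build_baseline(baseline_events, peer_groups)
    unusual = unusual_smb(events, host_dests, group_dests, peer_groups)
    return sorted(h for h, dests in unusual.items() if len(dests) >= threshold)
```

Containment in the article's sense would then mean blocking only the flagged host's new or unusual connections, leaving its baseline activity (here, lt-03 talking to fs-02) untouched.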

Enhancing Security Inside the Perimeter
In 2021, AI interrupted around 150,000 threats each week against the IT and communications sector, including telecommunications providers, software developers, and managed security service providers. For the thousands of organizations equipped with self-learning AI security tools, many of the most high-profile software supply chain threats were spotted and stopped long before news of the attacks hit the headlines.

With software supply chain attacks on the rise, it is increasingly unrealistic for organizations to expect to avoid breaches via their supply chains, and virtually impossible to predict where and how the next software supply chain vulnerability will surface. Instead, they must have the ability to detect the presence of attackers already inside their organization and stop this malicious activity in its early stages.

If attackers have planted themselves at the heart of your systems via malicious software, it is too late to build a wall against these threats. Combating the software supply chain attacks of tomorrow means embracing technology that detects and mitigates damage once an adversary is already inside.

About the Author(s)

Justin Fier

Director for Cyber Intelligence & Analytics at Darktrace

Justin Fier is one of the United States' leading cyber intelligence experts, and holds the position of Director for Cyber Intelligence & Analytics at Darktrace. With over 10 years' experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems, and Abraxas. Justin is also a highly skilled technical specialist, and works with Darktrace's strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.
