In July, US intelligence agencies issued a report highlighting concerns that software supply chain attacks represent an emerging threat from China that could erode America's long-term competitive economic advantage. Threat intelligence data from a variety of sources indicates that other nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses. In fact, CrowdStrike's recent study found that two-thirds of organizations across a wide variety of sectors experienced a software supply chain attack in the past 12 months.
Adversaries have turned to this attack vector because perimeter-focused security has advanced to the point that they have had to find other ways into an enterprise. Software supply chain vulnerabilities are prime targets because they exploit the trust between an organization and its software providers and business partners, particularly since those third-party providers are often rushing to market and overlooking best practices for proper testing and source code security.
Because the targeted software is widely deployed, and because modern malware propagation techniques often leverage privileged credentials or known infrastructure vulnerabilities, supply chain attacks are often widespread, reaching the entire customer base of the trusted organization. They are also growing in frequency and sophistication. For example, adversaries deliver their code through legitimate software packages, so the initial compromise looks like a normal install, and the stealthy propagation techniques that then infect other systems across the network are difficult to detect and mitigate.
According to CrowdStrike's study, these attacks also cost businesses on average over $1 million in lost business, productivity, and response costs, and the damage is not only monetary. The increase in software supply chain attacks, coupled with the implementation of the European Union's General Data Protection Regulation and other privacy regulatory requirements, has finally served as a wake-up call for organizations. According to our recent supply chain security survey, 80% of IT professionals believe software supply chain attacks will be one of the biggest cyber threats their organizations will face over the next three years.
Where We Are
So, what are organizations doing to protect themselves, and what more needs to be done?
Although organizations are increasingly aware of the supply chain as an emerging attack vector, CrowdStrike's survey found that they are still incredibly vulnerable to such attacks. One big area of concern is supplier vetting. Organizations are expected to perform rigorous due diligence on the security exposure of those they do business with, invest in, or acquire, but few do. For example, only a third of respondents in the survey said they vet all of their suppliers, and about the same number said they are certain their suppliers will inform them if they are successfully breached. Further, 72% said their organization does not always hold external suppliers to the same security standards it holds itself to.
Moving forward, many organizations across all sectors are beginning to change their supplier vetting process. Nearly 60% say the process has become more rigorous because more detailed checks are needed, while 80% said they would avoid working with emerging or less-established vendors due to a perceived weakness in security strategy.
Organizations looking to defend against supply chain attacks are establishing stronger measures for thorough vetting. For example, major national banks are beginning to require their vendors to meet minimum network security requirements to protect their customers' data. But when it comes to actual vetting, only about half of survey respondents currently look at a supplier's internal security standards or its security software. Additionally, how to balance the need for timely updates to key business applications against the need to test those updates properly in a controlled environment before deployment is becoming a commonplace topic of discussion among security teams and channel organizations.
What's encouraging: The supply chain survey found that 95% of organizations have seen a change in their boards' attitude toward such attacks in the wake of NotPetya. A change in attitude and increase in awareness is a start, but adequately defending against a software supply chain attack requires having the right tools and processes in place to effectively prevent, detect, and respond to threats.
To make it harder for software supply chain attackers to get into and traverse an entire network unabated, we recommend organizations put in place:
- Behavioral-based attack detection solutions that can defend against sophisticated supply chain attacks;
- Segmented network architectures;
- Real-time vulnerability management solutions; and
- Improved controls for managing the use of privileged credentials in the environment (including control of shared/embedded admin accounts).
Additionally, to get ahead of future attacks, organizations should use threat intelligence that will help provide the necessary data and information to proactively defend against new attacks. We also recommend taking proactive measures to evaluate the effectiveness of their cybersecurity, such as red teaming and tabletop exercises. (Note: CrowdStrike is among a number of companies that provide these services).
Finally, organizations need to ensure they can respond to attacks quickly, and that means understanding what we call breakout time. Breakout time is the time it takes for an intruder to begin moving laterally from the first compromised system to other systems within an organization's network. The average breakout time is one hour and 58 minutes. That is the window in which an organization must detect and contain the intrusion on the initial host to prevent an incident from turning into a breach.
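To make breakout time concrete as something a security operations team can measure from its own telemetry, here is an added example (not CrowdStrike's code or the code of any product mentioned on this page). It assumes a simplified, constructed event stream with an intrusion identifier, a host name, and an event kind; the event kinds, host names, and timestamps are illustrative assumptions. It computes breakout time per intrusion as the gap between the first initial-access event and the first lateral-movement event, treats an intrusion with no lateral movement yet as still inside the window, and checks whether a given containment delay beat the breakout.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Average breakout time stated in the article: 1 hour 58 minutes.
AVERAGE_BREAKOUT = timedelta(hours=1, minutes=58)

# Constructed sample telemetry (assumed format, not real EDR output):
# (UTC timestamp, intrusion id, host, event kind, free-text detail).
# "initial_access" is where the intruder first ran code on a host;
# "lateral_movement" is the first remote logon/exec toward another host.
SAMPLE_EVENTS: List[Tuple[str, str, str, str, str]] = [
    ("2018-11-05T09:12:03Z", "inc-1", "ws-017", "initial_access",
     "signed vendor updater spawned powershell.exe"),
    ("2018-11-05T09:40:51Z", "inc-1", "ws-017", "credential_access",
     "lsass.exe memory read by unknown process"),
    ("2018-11-05T10:58:20Z", "inc-1", "ws-017", "lateral_movement",
     "remote service created on fs-02 as svc_backup"),
    ("2018-11-05T11:02:44Z", "inc-1", "fs-02", "lateral_movement",
     "remote exec toward dc-01 as svc_backup"),
    # Second intrusion: initial access seen, no lateral movement yet.
    ("2018-11-06T14:05:10Z", "inc-2", "ws-042", "initial_access",
     "signed vendor updater spawned cmd.exe"),
    ("2018-11-06T14:09:33Z", "inc-2", "ws-042", "credential_access",
     "credential store read by unknown process"),
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    intrusion_id: str
    host: str
    kind: str
    detail: str


def parse_events(rows) -> List[Event]:
    """Parse the constructed rows into Event objects, sorted by time."""
    events = []
    for ts, intrusion_id, host, kind, detail in rows:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, intrusion_id, host, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def breakout_times(events: List[Event]) -> Dict[str, Optional[timedelta]]:
    """Per intrusion: time from first initial access to first lateral movement.

    None means lateral movement has not been observed yet, i.e. the window in
    which containment on the first host still prevents spread is still open.
    Intrusions with no initial-access event are skipped: there is no start point.
    """
    by_id: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_id[e.intrusion_id].append(e)

    result: Dict[str, Optional[timedelta]] = {}
    for intrusion_id, evs in by_id.items():
        first_access = next((e for e in evs if e.kind == "initial_access"), None)
        if first_access is None:
            continue
        first_lateral = next(
            (e for e in evs
             if e.kind == "lateral_movement" and e.ts >= first_access.ts),
            None,
        )
        result[intrusion_id] = (
            None if first_lateral is None else first_lateral.ts - first_access.ts
        )
    return result


def contained_in_time(breakout: Optional[timedelta], containment_delay: timedelta) -> bool:
    """True if the first host was isolated before the intruder broke out.

    If breakout is None (no lateral movement yet), any containment so far counts.
    """
    return breakout is None or containment_delay < breakout


def summarize(events: List[Event]) -> List[str]:
    """Human-readable lines comparing each intrusion with the reported average."""
    lines = []
    for intrusion_id, breakout in breakout_times(events).items():
        if breakout is None:
            lines.append(f"{intrusion_id}: no lateral movement observed yet")
        else:
            relation = "faster" if breakout < AVERAGE_BREAKOUT else "slower"
            lines.append(f"{intrusion_id}: breakout after {breakout} "
                         f"({relation} than the {AVERAGE_BREAKOUT} average)")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_events(SAMPLE_EVENTS)):
        print(line)
```

The useful output of this is not the single number but the per-intrusion comparison against the containment delay your responders can actually achieve: if `contained_in_time` returns False for a real intrusion, the attacker reached a second host before the first one was isolated, and the response process, not just the detection tooling, needs attention.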
It's clear that industries are beginning to see the need to take software supply chain threats seriously. But organizations can't wait for another large-scale software supply chain breach; they need to act now to ensure they're doing all they can to defend against these damaging attacks.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall.