Dark Reading is part of the Informa Tech Division of Informa PLC
9/13/2018
10:30 AM
The Increasingly Vulnerable Software Supply Chain

Nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses.

In July, US intelligence agencies issued a report highlighting concerns that software supply chain attacks represent an emerging threat from China that could erode America's long-term competitive economic advantage. Threat intelligence data from a variety of sources indicates that other nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses. In fact, CrowdStrike's recent study found that two-thirds of organizations across a wide variety of sectors experienced a software supply chain attack in the past 12 months.  

Adversaries have turned to this attack vector because traditional cybersecurity solutions that protect the network perimeter are advancing to the point that adversaries have had to find other ways to infiltrate an enterprise. Software supply chain vulnerabilities are prime targets for exploiting the trust between an organization and its software providers and business partners, particularly since these third-party providers are often rushing to market and overlooking best practices for proper testing and source code security.

Because of the deployment footprint of the software targeted in these attacks, and because advancing malware propagation techniques often leverage privileged credentials or known infrastructure vulnerabilities, supply chain attacks are often widespread, reaching the trusted organization's entire customer base. They are also growing in frequency and sophistication. For example, adversaries exploit vulnerabilities by way of legitimate software packages, so when an attack occurs, the stealthy propagation techniques that infect other systems across the network are difficult to detect and mitigate.

According to CrowdStrike's study, these attacks also cost businesses on average over $1 million in lost business, productivity, and response costs — though the damage is not only monetary. The increase in software supply chain attacks, coupled with the implementation of the European Union's General Data Protection Regulation and other privacy regulatory requirements, has finally seemed to serve as a wake-up call for organizations. According to our recent supply chain security survey, 80% of IT professionals believe software supply chain attacks will be one of the biggest cyber threats their organizations will face over the next three years.

Where We Are
So, what are organizations doing to protect themselves, and what more needs to be done?

Although organizations are increasingly becoming aware of the supply chain as an emerging attack vector, CrowdStrike's survey found that they're still incredibly vulnerable to such attacks. One big area of concern is supplier vetting. Unfortunately, organizations are not performing the strenuous due diligence expected when evaluating the security exposure of those they do business with, invest in, or acquire. For example, only a third of respondents in the survey said they're vetting all of their suppliers, and about the same number said they are certain their suppliers will inform them if those suppliers are successfully breached. Further, 72% said their organization does not always hold external suppliers to the same security standards it holds itself to.

Moving forward, many organizations across all sectors are beginning to change their supplier vetting process. Nearly 60% say the process has become more rigorous because more detailed checks are needed, while 80% said they would avoid working with emerging or less-established vendors due to a perceived weakness in security strategy.

Organizations looking to defend against supply chain attacks are establishing stronger measures for thorough vetting. For example, major national banks are beginning to require their vendors to meet certain minimum network security requirements to protect their customers' data. But when it comes to actual vetting, only about half of survey respondents currently look at a supplier's internal security standards or its security software. Additionally, balancing the need to ensure timely updates to key business applications with the need to ensure updates are properly tested in a controlled environment is becoming a commonplace topic of discussion between security and channel organizations.

What's encouraging: The supply chain survey found that 95% of organizations have seen a change in their boards' attitude toward such attacks in the wake of NotPetya. A change in attitude and increase in awareness is a start, but adequately defending against a software supply chain attack requires having the right tools and processes in place to effectively prevent, detect, and respond to threats.

To make it harder for software supply chain attackers to get into and traverse an entire network unabated, we recommend organizations put in place:

  • Behavioral-based attack detection solutions that can defend against sophisticated supply chain attacks;
  • Segmented network architectures;
  • Real-time vulnerability management solutions; and
  • Improved controls for managing the use of privileged credentials in the environment (including control of shared/embedded admin accounts).

Additionally, to get ahead of future attacks, organizations should use threat intelligence that will help provide the necessary data and information to proactively defend against new attacks. We also recommend taking proactive measures to evaluate the effectiveness of their cybersecurity, such as red teaming and tabletop exercises. (Note: CrowdStrike is among a number of companies that provide these services).

Finally, organizations need to ensure they can quickly respond to attacks by understanding what we call breakout time. Breakout time is the time it takes for an intruder to begin moving laterally to other systems within an organization's network. The average breakout time is one hour and 58 minutes, which is a tight window during which an organization can prevent an incident from turning into a breach.
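To make breakout time a measured quantity rather than a concept, the following added example (not from the article or from CrowdStrike) computes it from endpoint telemetry and compares it with the average the article cites. The event records, field names and host names are constructed sample data and assumptions, not a real product's schema.

```python
from datetime import datetime, timedelta
from typing import Optional

# Average breakout time cited in the article: one hour and 58 minutes.
AVERAGE_BREAKOUT = timedelta(hours=1, minutes=58)

# Constructed sample telemetry (not real data). "ws-17" is patient zero: the
# host where a trojanized vendor update first ran. Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2018-09-13T10:30:00", "host": "ws-17", "event": "update_installed",
     "detail": "vendor-agent 4.2.1 (constructed name)"},
    {"ts": "2018-09-13T10:31:12", "host": "ws-17", "event": "alert",
     "detail": "behavioral: updater spawned encoded PowerShell"},
    {"ts": "2018-09-13T10:44:05", "host": "ws-17", "event": "logon",
     "detail": "local interactive logon"},
    {"ts": "2018-09-13T11:52:40", "host": "srv-fs01", "event": "remote_logon",
     "src_host": "ws-17", "detail": "SMB logon using admin share"},
    {"ts": "2018-09-13T12:10:00", "host": "srv-db02", "event": "remote_logon",
     "src_host": "ws-17", "detail": "WinRM session"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def breakout_time(events: list, patient_zero: str) -> Optional[timedelta]:
    """Interval between the first alert on patient_zero and the first remote
    logon sourced from it to a different host; None if no lateral move is seen."""
    ordered = sorted(events, key=_ts)
    first_alert = next((e for e in ordered
                        if e["host"] == patient_zero and e["event"] == "alert"), None)
    if first_alert is None:
        return None
    t0 = _ts(first_alert)
    for e in ordered:
        if (e["event"] == "remote_logon" and e.get("src_host") == patient_zero
                and e["host"] != patient_zero and _ts(e) >= t0):
            return _ts(e) - t0
    return None


def lateral_targets(events: list, patient_zero: str) -> list:
    """Hosts reached from patient_zero, in order: the containment scope."""
    return [e["host"] for e in sorted(events, key=_ts)
            if e["event"] == "remote_logon" and e.get("src_host") == patient_zero]


def faster_than_average(bt: Optional[timedelta]) -> bool:
    """True when the intruder broke out sooner than the cited 1h58m average."""
    return bt is not None and bt < AVERAGE_BREAKOUT
```

Run against real telemetry, the same functions give the response window an incident responder actually had, not the industry average.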

It's clear that industries are beginning to see the need to take software supply chain threats seriously. But organizations can't wait for another large-scale software supply chain breach; they need to act now to ensure they're doing all they can to defend against these damaging attacks.


As Vice President of Services, Thomas Etheridge oversees all service delivery associated with CrowdStrike's Falcon suite of cybersecurity products. Thomas brings over 20 years of management consulting experience and over 16 years of executive services leadership expertise in ...