Supply Chain Attack Defense Demands Mature Threat Hunting

The headlines have become a steady occurrence ... Kaseya, SolarWinds, 3CX, MOVEit, and there are sure to be others around the corner ... because they're effective.

The best cyber defense for organizations worried about protecting systems against the next software supply chain cyberattack comes down to active monitoring and threat hunting, experts say.

"Multiple software supply chain security failures in recent years have demonstrated that security extends well beyond the traditional 'four walls' cyber security model," IANS faculty member Jake Williams, who recently spoke to the Dark Reading audience during a June 7 webinar on "Next Generation Supply Chain Security" said.

The modern software supply chain offers threat actors an enormous attack surface, including automatic software updates, vendor-managed appliances, software-as-a-service (SaaS) tools, the cloud, and more, Williams outlined in his presentation.

"Kaseya wasn't the first attack on managed service providers to distribute ransomware, and it certainly won't be the last," Williams added. And indeed that's true — the MOVEit attack is the work of the Cl0p ransomware gang, after all. 

Evan Blair, general manager for Searchlight Cyber, also spoke during the Dark Reading webinar about securing the supply chain and illustrated the complexity challenge with a startling statistic — "For every billion dollars in annual revenue, businesses will have about 1,000 suppliers." That's a lot of avenues into enterprise systems for the cyber crooks to use.

Following the live event, Dark Reading asked Williams what enterprise cybersecurity teams can do to defend against mounting software supply chain attacks. Here's how Williams said he would start.

"This really boils down to monitoring and threat hunting," he says. "In the MOVEit case, we'd be doing targeted threat hunting presuming the appliance was compromised. First, we'd look at what it talked to on the internal network and then look for any changes to the state of those devices after (new suspicious processes, etc.)," Williams says.

Supply Chain Cyberattack Successes

Complicating matters for network defenders is the fact that well-resourced threat actors have had great success with supply chain attacks as a way into larger organizations' systems. More sophisticated state-based advanced persistent threat (APT) groups are also targeting smaller organizations, which presumably rely mostly on basic cybersecurity protections, Williams explained.

In May, North Korean government linked Lazarus Group was observed using Log4Shell, the 3CX supply chain flaw, as well as other known vulnerabilities to compromise Microsoft Web servers at a range of companies of varying sizes. And in April, Chinese APT group Evasive Panda hijacked application updates for Chinese-developed software to deploy spyware to smaller targets.

AI's Threat to the Software Supply Chain

The supply chain is further threatened by the rise of artificial intelligence (AI), which researchers have recently shown can be used to embed malicious malware into software packages targeting developers. 

Recommendations generated by ChatGPT for software building blocks that don't exist, which researchers call "AI package hallucinations," are not uncommon — and cybercriminals can take those recommendations and create a malicious package to match the false recs, then wait for ChatGPT to recommend them again. This discovery adds yet another layer of complexity into identifying supply chain threats to enterprise networks.

Organizations with robust monitoring and threat hunting programs in place are best positioned to prevent the next supply chain attack, Williams advised.

Supply Chain Security Monitoring

Monitoring the security of third parties in the software supply chain is a "necessity," according to Williams, who added, "anything less is being reactive."  Cyber threat intelligence (CTI) teams are an important way to proactively monitor software supply chain risks, according to Williams, but their task is difficult.

"Most CTI teams have difficulty monitoring their own organization," Williams said. He added that CTI teams don't have insight into cycles and data necessary to synthesize, report, or action it for third parties.

"As any CTI analyst will tell you, these challenges are not trivial," Williams said.

Dark Web monitoring in an additional source of threat intelligence, which can include accessing Dark Web forums directly or using a vendor to to curate information, but that doesn't offer real-time data, Williams said.

"When buying access to Dark Web platforms, recognize that this only accounts for a very small part of the intelligence lifecycle," Williams advised.

Valuable threat intelligence that can be gathered from Dark Web forums can include postings on recent ransomware groups' activities, hacktivist communications, and initial access brokers selling access to networks to other threat actors, Blair explained to the Dark Reading webinar audience.

Blair added that about a third of CISOs are currently using Dark Web data to monitor for cyberattacks against their supply chains, while a full 71% would like to have visibility into whether suppliers are being discussed on the Dark Web.

Beyond Dark Web monitoring, other sources of open source intelligence (OSINT) can be valuable for gaining threat insights. Simply searching Twitter hashtags can provide cataloged, dated, real-time information pooled from cybersecurity experts across the globe.

Mature Threat Hunting Helps Supply Chain Defense

"Organizations can't realistically expect to prevent software supply chain attacks like 3CX," Williams says. "This again points to the need for real-time monitoring using both endpoint and network tooling. Because we won't catch every attack as it's happening, mature threat hunting capabilities are also important."

Williams adds a warning to teams thinking about outsourcing a threat hunting program.

"For organizations that can't sustain a threat hunting cadence, be wary of managed threat hunt vendors," Williams tells Dark Reading. "Many are just front running the indicators of compromise (IoCs) that are being put into their endpoint detection and response (EDR) solutions."