How to detect software supply chain attacks
What is a software supply chain? Simply put, the software supply chain includes all the sourcing of software from outside parties, incorporates internal processes like Q/A, and encompasses software running in production. The supply chain forks into various streams, from the conception stage through the development stage, where a developer uses existing code from a library to fully build out new software. The supply chain then goes on to the distribution stage, where the packaged software is integrated into one or many environments and receives regular updates until retirement. There are many paths.
An attack, typically carried out by injecting malicious code during any stage of the supply chain, can trickle down to exploit various organizations that come in contact with the contaminated asset. Why do attackers carry out software supply chain attacks and have grown to prefer them over other methods in recent years? There are many reasons software supply chain attacks are attractive to cyber criminals, including:
- The number of victims (and valuable data retrieved by attackers) can grow quickly through automatic updates and instantaneous pathways.
- Supply chain attacks allow for specific targeting — whether it’s region, sector or industry.
- Attackers exploit trusted and previously verified pathways, gaining valuable information on otherwise well-protected organizations, while making it difficult to detect attacks.
An attack can come from any stage in the supply chain, even if the supply chain is authorized by a reliable source. In addition, if the software your organization is using has been validated in the past by a vendor, it doesn’t mean that it is free of current vulnerabilities or has not been infected after the test. To effectively detect supply chain attacks, you must carry out a systematic verification process of all assets and their pathways into your organization.
Create an Inventory of All Assets
Before carrying out an effective plan for detecting and mitigating supply chain attacks, you must create an inventory of all assets within your network; this includes mapping out all data pathways within your organization. Where do software updates come from and what is the destination behind each update? What does normal traffic look like within your network? Is your firewall tuned in to all incoming pathways? Essentially, you must apply analysis on your entire network to identify all systems and be able to effectively detect gaps within your system and prevent potential attacks.
Assign a Threat Actor Profile to Every Asset
Once you’ve identified all the assets, systems and pathways within your network, the next step is to create a threat model according to your environment. A threat model is different for every organization, though it typically involves assigning your assets under several adversary categories as part of the scoring system that determines the priority of an attack. At this stage, it’s crucial to review your assets, either asset by asset or by categories, and determine the type of adversary that would be within the range of possibility for each system.
The threat actor profiles used across the cybersecurity industry are the following:
- A vandal or script kiddy: amateur hackers that leverage malicious scripts and existing open source malware to cause disturbance.
- Insider threat: individuals affiliated with your organization leaking or distributing sensitive information for personal or competitive gain.
- Crimeware or ransomware: individual or groups of hackers seeking financial gain.
- Hacktivist: a political or activist group targeting an organization to send a public message.
- Nation-state: government-sponsored attackers.
Some high-threat actor profiles, like Hacktivist and Nation-state, may not apply to your organization due to the specificity of their targets. However, even one of the adversary types listed above can wreak havoc on your network’s most high-stakes systems. As you categorize your assets under a threat actor profile, each category will represent a risk score, which will create a priority system for attack detection.
Determine (and Update) Risk Scores
Assigning a risk score based on the adversary type is only one aspect of the scoring system. The process also includes looking at the history of vulnerabilities within your software. What is the density of the defect? How sophisticated was the attack? What has your organization done to protect this asset so far? All of this information will cause an adjustment of the risk score.
As you order your assets from least to most at-risk, apply new efforts and new security controls based on what you’ve determined. The score will continue to be adjusted based on various conditions, including those that occur in real time. A vendor's announcement of a vulnerability within a specific system, for example, will summon you to temporarily adjust the risk score until you or the developers mitigate the vulnerability.
Establish a Test Phase
Testing new updates is a crux aspect of security hygiene. All new software updates, even seemingly legitimate ones coming from trusted applications, must undergo testing in a small test environments or sandboxes (a sandbox provides a protected space where you can initiate and analyze an update or other third-party software). Even if the asset does not present a potential attack to your network, new updates aren't always reliable when it comes to not completely derailing your existing software. Either way, you don’t want to roll out updates blindly without testing.
Master the 4 Stage Malware Analysis
Once you establish a foundation for security across all assets within your organization, the 4 Stage Malware Analysis outlines a systematic (albeit sophisticated) process for effectively detecting supply chain attacks on your network. The process analyzes potential attacks in four stages, ranging from simple automated analysis to complex manual testing.
1. Fully-Automated Analysis: automated tools that produce general reports on large amounts of data regarding malware file activity, registry keys, mutex files, etc.
2. Static Properties Analysis: a process carried out by an analysis that gains access into the executable file without viewing the actual instructions.
3. Interactive Behavior Analysis: this process requires the analyst to implement the malicious program in a sheltered environment to analyze its behavior.
4. Manual Code Reversing: a reverse-engineering process that results in decryption of hidden data as well as revealing the framework and methodology behind the attack.
The four-stage pyramid serves as the basis for effectively detecting attacks threatening your organization. The processes involved within the system are not linear; however, as each task gains insight and informs the next stage of the analysis, it creates a strong foundation for the security of your network and its high-stakes assets.
The growing sophisticated attackers continue to bypass traditional methods of cyber defense; the volume of attacks on software supply chains in particular is on the rise every year, with consequences affecting everyone from regular users to high-stakes government operations. It’s your responsibility to detect supply chain attacks and protect your organization - and all other potential victims anywhere within the supply chain.
Read our prior blog on supply chain attacks “How Existing Cybersecurity Frameworks Can Curb Supply Chain Attacks”
Join our Oct 15 webinar "How to Inject Security Into Your Software Development Life Cycle"