A Nation State Attack Surface: Software Supply Chains

By Hema Nair

Today's digital supply chains are a continuously growing and dynamic ecosystem of web-based services, applications, and IT assets. These ecosystems are enabled by an extensive network of partners, vendors, and third-party services. Attention has recently focused on attacks on national software supply chains and software infrastructure. As a result, enterprises are increasingly concerned with their growing attack surfaces and their security hygiene.

To expand upon my previous article, 2 Attack Vectors are Forcing Changes in How to Secure Software, where I discussed two classes of threats and growing attack surfaces, I will add a third class of cybercrime: nation-state attacks. These attacks are not only dangerous and damaging to national security; they also weaken a company's competitive advantage in a global economy.

One example of a nation-state attack, possibly the worst in technology history, is the SolarWinds attack, first reported by FireEye on December 13, 2020. It was a pervasive attack on national security, initiated by attackers invading SolarWinds' development environment in September 2019. The attack remained undiscovered for more than a year. During that year, SolarWinds had over 30,000 enterprise customers whose systems were potentially vulnerable to malicious code.

This attack involved sophisticated planning and a flawless implementation, with the attackers targeting the Orion infrastructure monitoring platform of SolarWinds. There was an orchestrated effort to understand the development team, practices, and build processes before inserting malicious code by replacing an existing tmp file. SolarWinds' customer base was exposed to this malicious code through a periodic software update.

After gaining access, the perpetrators established servers on Amazon and GoDaddy to enable updates. "They cleaned the crime scene so thoroughly investigators can't prove definitively who was behind it," said Dina Temple-Raston in The Untold Story of the SolarWinds Hack.

Once the backdoor was activated, the attackers had a list of high-profile SolarWinds customers including FireEye, Microsoft, and the Department of Homeland Security. The victims' networks were targeted using the backdoor entry from SolarWinds. The malware, dormant for weeks, could not have been detected by static analysis or pen testing tools alone.

Protect Your Cyber Assets

Software supply chains are one of the highest-risk areas driving the increase in nation-state attacks. Companies are forced to rely on third-party libraries, which often do not incorporate strong software engineering practices. In the case of the SolarWinds attack, traditional techniques such as pen testing and static analysis would have been futile.

Given the nature of the third-party libraries being introduced, enterprises must use better code review practices along with advanced, real-time monitoring. Instead of relying on a predetermined set of outdated practices, a threat modeling phase can be used to identify and model threats based on the risks associated with the supply chain and on zero-trust principles. This approach will help identify secure engineering practices that are relevant to the current architecture.

Recommendations

Here are several recommendations to help prepare your organization for a future cyber attack:

  • Know what you have: Conduct an audit of your organization's cyber assets, such as the state of your cloud workloads, code repos, devices, users, and vendors. Know what cyber assets you have and where they reside.

  • Visibility, context and knowledge: Determine the relationships between the cyber assets within your organization.

  • Executive leadership support: Bring your executives together to make security a boardroom conversation and a priority across your entire organization, not just the security team.

  • Third-party assets: Use advanced, real-time monitoring, especially as third-party libraries are introduced into your organization.

  • Outdated practices: Stay current with newer practices, such as a threat modeling phase that identifies and models threats based on the risks associated with the supply chain and on zero-trust principles.

This approach will help encourage secure engineering practices and identify gaps in your cyber asset attack surface security plan.
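One concrete form of the "know what you have" and "monitor third-party libraries as they are introduced" recommendations is a baseline-versus-current inventory check. The example below is added here and is not code from the original post; it assumes a simple inventory format of `name==version sha256=<hex>` lines, and the sample inventories and digests are constructed placeholders. It flags libraries introduced since the last audit, version changes, and the SolarWinds-style case where the declared version is unchanged but the artifact's hash is not.

```python
"""Baseline-vs-current audit of third-party library inventories (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dep:
    name: str
    version: str
    sha256: str


def parse_inventory(text):
    """Parse 'name==version sha256=<hex>' lines (assumed format) into a dict keyed by name."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, digest = line.partition(" sha256=")
        name, _, version = spec.partition("==")
        if not (name and version and digest):
            raise ValueError(f"malformed inventory line: {line!r}")
        deps[name] = Dep(name, version, digest.lower())
    return deps


def diff_inventory(baseline, current):
    """Compare two inventories and group the differences by what a reviewer should look at."""
    findings = {"new": [], "removed": [], "version_changed": [], "artifact_changed": []}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings["new"].append(name)            # library introduced since the audit
        elif new is None:
            findings["removed"].append(name)
        elif old.version != new.version:
            findings["version_changed"].append(f"{name} {old.version}->{new.version}")
        elif old.sha256 != new.sha256:
            # Same declared version, different bytes: the artifact itself changed
            # between the audited copy and what the build now consumes.
            findings["artifact_changed"].append(name)
    return findings


# Constructed sample inventories; the digests are placeholders, not real hashes.
BASELINE = "requests==2.28.1 sha256=aaaa1111\ncryptography==39.0.0 sha256=bbbb2222\n"
CURRENT = ("requests==2.28.1 sha256=aaaa1111\ncryptography==39.0.0 sha256=cccc3333\n"
           "leftpad==1.0.0 sha256=dddd4444\n")


def audit():
    return diff_inventory(parse_inventory(BASELINE), parse_inventory(CURRENT))


if __name__ == "__main__":
    for kind, items in audit().items():
        if items:
            print(f"{kind}: {', '.join(items)}")
```

Run against the sample data it reports `leftpad` as newly introduced and `cryptography` as an unchanged version whose artifact hash differs, the latter being the finding that deserves a review rather than an automatic approval.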

Hema Nair

Hema Nair (Srikanth) has a Ph.D. in Computer Science from North Carolina State University. Her interests are in all aspects of Software Engineering, with a focus on secure engineering. Her core skills are in data analytics and data science, and in using data to deliver security and quality requirements. She has been a consultant for the last five years for security and technology companies, helping them deliver secure systems. Prior to that she worked with IBM for over ten years as an engineering leader, most recently as a secure engineering leader for IBM's analytics division.
