The Main Frame: Supply Chain Attacks

[00:00:33.430] – Jason Pufahl

right on the spot, define what a supply chain attack is.

[00:00:37.320] – Steven Maresca

So many different definitions for supply chain attack, but in the most basic sense, it’s something that affects suppliers of software or hardware that your business uses in conducting its own day to day activity. So that may mean software that you purchased for the purpose of creating something that you sell, something that you use to make your infrastructure more effective. It’s open ended. If it’s something that you can purchase and something you use in your business, and it’s a tech plain attack but you have the supply chain attack.

[00:01:18.060] – Jason Pufahl

So I think typically, when I think of them might probably think more in the hardware space, the inability either to get hardware, potentially, because third party has been impacted. But we’ve seen in the news recently a bunch of software ones, specifically SolarWinds, with that probably six months ago. And then within the last week, it’s the Kaseya attack.

[00:01:43.270] – Steven Maresca

[inaudible 00:01:43] with the hardware attacks are more esoteric. They seem more sophisticated. They’re more frightening because hardware is tangible. It needs somewhere touched something I can move around. The truth is that software supply chain attacks are far easier to actually achieve.

[00:02:02.080] – Steven Maresca

So when we’re worried about something like SolarWinds or Kaseya, it’s because attackers have abused those suppliers mechanisms for actually deploying their software and therefore enabling attackers to reach the clientele of those entities. So that’s why it’s such a big concern in that case, and more effective to actually achieve. If it’s software, you can push out an update. And in fact, that’s how some of those attacks are achieved.

[00:02:31.330] – Jason Pufahl

Right. Well, it’s interesting, too, the distinction between them in that if you get a piece of hardware that’s potentially compromised, it’s probably harder to update, where you’re potentially with the software ones, there’s maybe a remediation or mitigation path. I’m thinking back to some of the laptop issues you have a few years back, where people are really concerned about laptops coming out of China, and potentially the hardware that was in those. And people just stop buying it.

[00:02:58.960] – Steven Maresca

Absolutely. And the other thing that often mentioned the hardware realm or Stuxnet attacks with industrial controls, software and hardware that impacts uranium refinement and things of that nature. Those are deep, deep nation state sponsored supply chain attacks. What we deal with on a day to day basis, and what most folks are concerned with are more garden variety, closer to home risks.

[00:03:25.880] – Jason Pufahl

So in a couple of other episodes we talked, some about ransomware and the ability to potentially compromise or exploit companies. And you focus a lot, probably on return on investment. And the fact that cyber crimes of business, they’re looking for the targets of opportunity the easiest way to compromise. It strikes me that you’re both SolarWinds and Kaseya, which are your tools used by a lot of IT companies, manage service providers to manage their customers, offer just a great opportunity to potentially impact large volumes of customers or companies in one fell swoop.

[00:04:09.540] – Jason Pufahl

Is that underpinning of these attacks, do you think?

[00:04:12.320] – Steven Maresca

Yeah. I mean, its efficiency of achieving the attack. Those platforms have a many to one relationship in terms of payout. An attacker can compromise the parent entity that produces the software and then downstream affect any customer that deploys the software that they’ve manipulated or otherwise altered. That’s why they’re especially of interest.

[00:04:37.280] – Steven Maresca

The alternative is where you have a piece of software used by a very specific market and very specific type of entity. And obviously, the scope is narrow there. But if it’s a piece of software used by an IT service provider, odds of impacting a lot of companies and customers is extraordinarily high.

[00:04:57.940] – Jason Pufahl

And I have to imagine it pretty attractive because of the level of access a lot of those software provide. SolarWinds is designed to essentially have administrative type access into the customers that clients that have MSP supports, right? So not only do you compromise the software, you really get elevated access into your potential targets, which is that gold mine.

[00:05:24.420] – Steven Maresca

They’re innately using its more based on fraud capabilities in order to do damage. And honestly, they’re difficult to fall off. But if you can insert code as an attacker into a piece of software used in that administrative context, you can do anything.

[00:05:41.040] – Jason Pufahl

With privileged by design, right? So you get everything they want that you try to get through fishing and credential elevation. They’re getting by default, which is that gold line for it. So you are talking about, say, other types of software that might be impacted. Can you give an example of something that comes to mind for you in that broader context?

[00:06:06.950] – Jason Pufahl

So a minute ago you’re saying, hey, there’s other software that’s broadly used outside of something like a SolarWinds or Kaseya. I’m just curious if there’s other things that really come to mind having brought in back to risk.

[00:06:21.780] – Steven Maresca

Well, certainly many vulnerabilities are present in software that companies use. One example would be the Microsoft Exchange vulnerability that was back in March. Thousands from thousands of companies use Microsoft Exchange. You might think on some front, it wasn’t that part of the supply chain. But the truth is that Exchange itself wasn’t modified. It simply has broad penetration in the market, therefore, there are lots of potential targets for an attacker to reach. But it’s not necessarily a supply chain attack on to itself.

[00:06:56.240] – Steven Maresca

But it’s a useful foil for supply chain attacks, in general, in my opinion, because the risks present in the software the companies purchase to make their lives easier, to administer their systems, to generate revenue, in general, those risks from those third party suppliers, that software manufacturers, are essentially inherited by the companies that use them. And we’re beholden to the sound security practices of those companies. And if they’re in any way failing, we as the users of that software, fail as well, or at least are exposed to risk.

[00:07:36.950] – Jason Pufahl

So let’s spend a minute on what can a company do to help protect themselves. Because it makes me think a little bit about, say, cloud providers, for example, where a lot of organizations have pretty robust security assessment or security questionnaires that they provide their cloud suppliers to get a sense of, do they adhere to security best practice, development practices, things like that? That gives you a picture of at least how mature or robust accompany security practices are. But it certainly doesn’t prevent an attack from occurring or from, say, unwanted code to be injected into some third party.

[00:08:20.910] – Jason Pufahl

Short of doing some of that due diligence, do you think there’s much a company can do to protect themselves against the supply chain attack like that?

[00:08:29.900] – Steven Maresca

I mean, certain compartmentalization systems is always a recommendation of ours. And to the extent that you can protect against the abuse of software intended to act in a privilege manner, you’re limited. The best defense is robust monitoring. It’s more of the ability to determine what happened after the fact if it should occur.

[00:08:52.010] – Steven Maresca

But again, making sure that your vendors and your manufacturers that you use on a regular basis or contracts that you establish with cloud providers include attestations of their security practices and proof that they are acting in accordance with their defined requirements. Those are the things that you need in order to generate reassurances that you’re less likely to be subject to those issues.

[00:09:20.050] – Steven Maresca

That doesn’t preclude the fact that one of those suppliers might have a rogue inside employee. That happens on a regular basis. We’ve been involved in some incidents, where data was exposed due to precisely that issue. It’s not a software attack, but it’s akin to a supply chain attack simply because the entity that you entrust with your data allowed it to be exposed in some fashion, or enabled it to be exposed because of insecure practices with their own employees. It’s a bit of a tangent to a supply chain attack, but I see them as somewhat similar.

[00:09:56.980] – Jason Pufahl

So it brings to mind to me the idea of you trust, but verify whenever you start talking about, are you monitoring? Are you logging? Are you collecting data that at least gives you information post incident, maybe incident is a little bit of a strong word for some of this, but your post event to be able to say, well, here’s where my the potential impact was, here’s what my risk was? So often when you’re dealing with any kind of incident response, the more data that we have, the better equipped we are to answer questions around what the potential impact was.

[00:10:32.400] – Jason Pufahl

Even with something like the SolarWinds and Kaseya, where really there’s a third party actor who compromised the software. Having visibility really can give your customers peace of mind, can give your company ownership peace of mind, the better the clarity of the information you have, the better the questions you can answer.

[00:10:51.510] – Steven Maresca

SolarWinds is a really good example for that’s the case. There were very few actual customers of SolarWinds that are truly affected. At least it’s substantial subset of their overall install base. But the monitoring employed by a lot of those organizations allow them to exclude their infrastructure as the focus of the attack.

[00:11:13.120] – Steven Maresca

They were still vulnerable. They were still possible to undermine from the attackers perspective if they felt so inclined. But at least they could say definitively, no, this didn’t occur even if they had, in fact, pushed an update that made us exposed.

[00:11:29.760] – Jason Pufahl

Right. Yeah, I mean, I think the worst thing you can be in the position where there is an event, and you’re asked, what’s the scope of what’s the impact? And your answer’s, well, I don’t know. Because the reality is with some basic steps, you actually can get the information to really know. And these vendors are coming out with really clear information.

[00:11:49.630] – Jason Pufahl

Kaseya is really and so we don’t know what’s on there. SolarWinds was able to tell you very clearly what products were impacted. It was pretty straightforward for companies to say, yeah, we use them. No, we don’t. And if we do use them, whether the deployed in a manner that actually put us at risk, you want to be able to figure that out.

[00:12:04.900] – Steven Maresca

Right. And it’s very common in the scenarios that we’re describing today that users of the software platforms may not know if they are victims. And that’s partly because of the law enforcement involved. That’s partly due to the specificity of the attacks. Some of the information is quite sensitive and may never be released.

[00:12:24.080] – Steven Maresca

But collecting, monitoring in a really robust way, it allows you to at least self-assess before the information is made public. Law enforcement obviously engages very aggressively with entities that are known to be compromised or identified as targets. But if you fall outside of that, when there is a supply chain attack, at least you have something to go back to to review and make sure that you are as safe as you can be.

[00:12:49.860] – Jason Pufahl

So I think as we look to wrap up, one of the things that comes to mind for me is, you really want to be plugged in a little bit to some of the common sources that would give you information about these types of attacks, your threat posts, sands, et cetera, so that when something is released, you can pretty quickly triage, assess your vulnerability and maybe make some decisions, right? It could be as simple as shutting down a service, or disabling software, or something like that. But you want to know as early as you can so that you can take those mitigation steps, because you can’t control everything. You need to do, your due diligence, and you need to be able to react on these events.

[00:13:30.860] – Steven Maresca

Right. And certainly the companies that are victims, the suppliers, the software manufacturers that are victims of the supply chain attacks, have it in their best interest to be open. So they are, in most cases, very willing to describe the issues at hand, share what’s known about how to identify the risk, to determine whether attack are present, and relying on their disclosures, their publications. And frankly, those security researchers working with them is a really, really important thing to pursue in the event that you think that you might be impacted by a supply chain attack.

[00:14:04.700] – Jason Pufahl

Yeah, certainly transparency is key in all of this. Well, brief old review on supply chain attacks. If anybody’s interested in hearing more about that, feel free to reach out to us. Twitter, @VancordSecurity. We can cover a little bit more detail. Again, thanks for listening to CyberSound, and hope you enjoyed it.

[00:14:27.840] – Speaker 3

Stay vigilant. Stay resilient. This has been CyberSound.