Understand the difference between software supply chain attacks and vulnerabilities

The rate at which cybercriminals have used software supply chains as an attack vector has increased dramatically in recent years, writes Rohan Langdon of Extra Hop.

Indeed, cyber-attackers use the software supply chain as the first vector of intrusion in many different industries. Intrusion specialist Mandiant’s 2022 M-Trends report shows that supply chain compromise has overtaken phishing as the most widely used initial intrusion vector.

However, it is important to recognize that not all software supply chain security issues are the same. IT security teams need to understand the differences and what steps to take to ensure effective asset protection.

Attacks against vulnerabilities

An example of a software supply chain is when a cybercriminal compromises a software vendor and uses that software vendor’s privileged access to then compromise their customers.

A software supply chain vulnerability, on the other hand, is an accidental security flaw in software that is embedded into other applications, making them vulnerable. An example is the Log4Shell vulnerability, which was not an intentional attack, but has impacted thousands of organizations.

In addition to exploiting these vulnerabilities, attackers have many other ways to introduce malicious code into trusted open source packages. Confusing dependencies, typosquatting, and simply adding malicious code and issuing a pull request are all methods by which attackers can abuse the open source software supply chain.

Work together

While there is clearly a difference between supply chain attacks and vulnerabilities, that doesn’t mean they can’t be used together to mount a successful attack.

An example is the highly publicized SUNBURST attack. In this case, cybercriminals introduced their own malicious code into the SolarWinds Orion product. This code was then distributed through SolarWinds’ own update channels to a large number of customers. Another example is the Kaseya VSA attack in which the REvil ransomware group used an accidental vulnerability in the VSA software. This created an opening for attackers to compromise customers and distribute ransomware through VSA software, making the supply chain the attack vector.

Winning the Supply Chain Battle

IT security teams can take a number of steps to combat the threats posed by attacks and supply chain vulnerabilities.

They understand:

Constant Software Fix:
In the past, security incident response and software patching were considered different activities in terms of speed and urgency. Indeed, the 2022 ExtraHop Cyber ​​Confidence Index – Asia-Pacific revealed that only 31% of teams are able to implement mitigations or apply a patch (if applicable) in less than a month. day, with 42% taking one to three days. , 17% requiring a week and 6% requiring a month or more.

However, faster software fixes in response to the disclosure of a widespread vulnerability are becoming increasingly necessary. Take the time to review your organization’s approach to patches and ensure that all new patches are rolled out as quickly as possible.

Create and maintain a comprehensive register of IT assets:
Any effective IT security strategy must be based on a comprehensive register of all IT assets. This can help guide the efforts of the security team in protecting against and responding to a cyberattack.

This need was highlighted when the Log4Shell issue was first raised. Security teams needed to quickly determine which apps and devices in their environment were vulnerable and needed patching. Without an up-to-date register, this would be an extremely difficult task.

Use AI/ML-based detection and response tools:
Once an organization has effective intrusion protection measures in place, the next important step is to focus on response capabilities in case an attacker breaks in.

It is recommended that organizations develop a baseline of what constitutes “normal” activity within their infrastructure. Artificial intelligence and machine learning tools can then be used to continuously monitor activities that occur outside of this baseline that could be potentially malicious. The tools can then alert the security team to investigate and act accordingly.

Supply chain vulnerabilities and attacks will likely continue to be a very serious concern for organizations of all sizes for a considerable period of time. By understanding the problems they create and the steps to take to reduce the associated risks, IT teams can be in the best possible position to prevent them from happening or quickly counter them if they do occur.

Rohan Langdon is the ANZ National Director at ExtraHop.