Supply Chain Cyber Attacks Don’t Mean Stop Patching Software
*Note: This article was originally published by the author on May 19, 2021.
Unfortunately, whenever a massive data breach is discovered there is an immediate and predictable knee-jerk reaction, both in private industry and in government. It is unfortunate because it is indicative of a scrambling, unprepared, reactive response rather than a successful, proactive cybersecurity approach. Alert notifications renew focus on whatever particular attack vector was exploited. The most recent cyberattack example was no different: a classic supply chain cyberattack involving the security product vendor SolarWinds, which just happens to have over 300,000 customers around the world. But then again, how many organizations were truly taking the threat of a supply chain attack seriously? The answer may surprise you.
Say what you will about SolarWinds, but the fact is that any company that supplies software products or services to other companies can become the victim of a supply chain cyberattack, and the SolarWinds compromise investigation could still turn up other software companies that were compromised by the same or other cyber threat actors. That’s because there is no such thing as ‘perfect’ security. This is partly due to the complexities of computer system design, aging internet protocols that are still in use today, the desire to connect everything to the internet, and a plethora of undiscovered bugs in software code, among other factors.
Perfect security simply doesn’t exist, despite the wishes of governments and corporations around the world that spend billions on cybersecurity products and professionals every year to secure their computer networks and systems. If an adversary wants in badly enough and has the necessary skill and resources, they will eventually get in. That’s why they’re called Advanced Persistent Threat (APT) groups. They’re very good at what they do: they build customized malware for specific types of software vulnerabilities, and they don’t stop until they get what they’re after. A lot of this criminal hacking is financially or politically motivated, but the attackers could sometimes also be after certain types of scientific or defense research intellectual property.
Attribution of cyberattacks, of which computer network exploitation (CNE) is one form (Schneier, 2014), can be a tricky thing. Attackers can easily obfuscate their true IP addresses by using proxy servers and by planting false flags in their malware code designed to throw investigators off the scent during follow-on investigations. Oftentimes, digital forensics investigators have to consider adversarial political goals to help fingerprint attackers. Russia has been known to plant false flags in its malicious code, as we saw with Olympic Destroyer, in which Russian cyber threat actors tried to make it appear as though North Korean hackers had caused the disruption to the 2018 Winter Olympics in Pyeongchang, South Korea (Greenberg, 2018). Things are ominously not as they may seem in cyberspace.
Supply Chain Attacks Are Not a New Phenomenon
For those new to cybersecurity, supply chain cyberattacks are not a new phenomenon. In recent years they have been increasing in quantity. If you recollect the 2013 Target point of sale (POS) system hack, it was later determined that the network had been compromised via an HVAC supplier (i.e., Fazio Mechanical Services) that had shadow IT access to Target’s network to monitor the heating and air conditioning in Target stores (Secarma, 2018). This wasn’t a sophisticated attack. The attackers simply targeted an alternate route into Target’s network that may have been easier to compromise. Why go in the front door when you can sneak in through the side?
Then there were the 2016 NotPetya and 2017 WannaCry worms that exploited Microsoft Windows SMBv1 vulnerabilities using the leaked NSA EternalBlue exploit. NotPetya targeted Ukraine via a supply chain cyberattack that infected a financial services company called MeDoc which was a kind of software-as-a-service company that the Ukrainian government used to pay pensioners (Secarma, 2018).
Of course, I would be remiss not to mention Avast’s 2017 CCleaner supply chain attack, in which it was discovered that attackers had penetrated the network of Piriform, the maker of CCleaner and an Avast subsidiary acquired in 2017, and had been rooting around inside the network for nearly five months, during which time they poisoned CCleaner updates with a backdoored version of the software that was downloaded by millions of customers (Khandelwal, 2018). Oh, and remember when Lenovo shipped 16 million Windows laptops, across 11 different Lenovo laptop models, pre-loaded with the Superfish malware? Yeah, that happened, too. With the Superfish malware,
“Attackers [were] able to see all the communication that’s supposed to be confidential — banking transactions, passwords, emails, instant messages,” said Timo Hirvonen, a senior researcher at security software maker F-Secure (Rosenblatt, 2015).
Dragonfly, also known as Energetic Bear, was another example, in which Russian hackers targeted over one thousand Western energy firms through compromised software, injecting a Remote Access Trojan (RAT) into industrial software packages (Khandelwal, 2014). The interesting aspect of Dragonfly was that it was an early attempt by Russia at creating and deploying its own Stuxnet-style Industrial Control System (ICS) malware. It proved the boomerang effect: when countries like the U.S. and Israel create malware such as Stuxnet, it will eventually be copied, modified, or mimicked by other adversaries and later used against the U.S. and Israel. It’s important to note that the U.S. also has dirt on its hands; it is not an innocent party in this cyberwarfare stuff. The U.S., along with its allies, has been engaged in cyberwarfare activities for just as long as Russia and other nations.
There’ve been quite a few examples of supply chain cyber attacks, but they are still actually pretty rare. We could wag our fingers at SolarWinds and say, “You screwed up, why didn’t you conduct static code analysis on every single line of code before posting an update to your website for the Orion software?” But what good does that do for anyone now? Perhaps that was always an unrealistic expectation when you consider the amount of manual programmer work static code analysis entails. Code analysis tools are great and they’ve come a long way, but there still needs to be a knowledgeable set of human eyes poring over that code to understand what is going on. This is an area where Artificial Intelligence (AI) may prove invaluable in the future, taking on those sorts of mundane code analysis tasks, if we can ever get AI to that level of proficiency.
I wonder how many software development firms conduct static code analysis on a routine basis, prior to every software update website posting? Is it a risk management framework checklist action item? It sure is, but the truth is that profit drives all sectors of business and it’s not profitable to spend exorbitant amounts of time on static code analysis. Get the code to production and we’ll create a software patch later for security if need be.
Good or bad, the world revolves around money. If you can’t understand that and you work in cybersecurity, you’re going to have a tough time understanding how security is supposed to be an enabler in business and not an impediment. Executive management is all about getting that code to production, ship it now, not later. Until such time as that paradigm shifts, if it ever does, we will continue to see nation-state APTs go after third-party suppliers to compromise lucrative targets like FireEye, defense industry firms like Boeing, Northrop Grumman, Lockheed Martin, and government agencies like OPM, NSA, CIA, DHS, or the FBI.
The Basics Still Apply
Cybersecurity isn’t a game of whack-a-mole. OK, well, sometimes it can feel that way. But just because the big news one month is about supply chain attacks doesn’t mean you can afford to let down your guard on the other routine components of a solid defense-in-depth cybersecurity program. All the best cybersecurity practices still apply and will help any organization that actually implements them avoid all but the most sophisticated cyber threats.
- Anti-Virus Software for Endpoints
- Hashing of executables to verify authenticity prior to install
- Patching systems in a timely manner after the patches have been tested for system compatibility
- Least Privilege / Functionality
- Encryption of data-at-rest and in-transit
- Segmented Networks
- Multi-Factor Authentication (MFA)
- Separation of Duties / Privileged Account Management (PAM)
- Event logging and routine frequent auditing
- Business Continuity & Disaster Recovery Preparedness
- Security Awareness Training
- Penetration Testing (Internal/External) — white, gray, black box
- Risk Framework Compliance
And so forth; this is by no means meant to be an exhaustive list of best practices, but you get the idea.
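As an added example (not code from the original article), here is one way to implement the second item in the list above, verifying a downloaded executable against a vendor-published SHA-256 digest before it is installed. It hashes the file in chunks, parses a `sha256sum`-style checksum list, rejects malformed reference digests, and compares in constant time; the installer bytes and checksum line are constructed for the demo.

```python
import hashlib
import hmac
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash large installers without reading them fully into memory

def sha256_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksum_file(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than trust it
        hexdigest, name = parts
        table[name.lstrip("*")] = hexdigest.lower()  # leading '*' marks binary mode
    return table

def verify_installer(path: Path, expected_hex: str) -> bool:
    """True only if the file's SHA-256 matches a well-formed published digest."""
    expected_hex = expected_hex.strip().lower()
    if len(expected_hex) != 64 or any(c not in "0123456789abcdef" for c in expected_hex):
        return False  # malformed reference digest: refuse rather than guess
    # compare_digest keeps the comparison constant-time regardless of where it differs
    return hmac.compare_digest(sha256_file(path), expected_hex)

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stand-in "installer" and the digest a vendor would publish for it.
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "agent-setup.bin"
        installer.write_bytes(b"pretend installer bytes\n")
        sums = parse_checksum_file(f"{sha256_file(installer)} *agent-setup.bin\n")
        print("verified:", verify_installer(installer, sums["agent-setup.bin"]))  # True
        installer.write_bytes(b"pretend installer bytes, tampered\n")
        print("after tamper:", verify_installer(installer, sums["agent-setup.bin"]))  # False
```

A digest only proves the file matches what the vendor published; if the vendor's build pipeline itself is compromised, as in the CCleaner and SolarWinds cases, the published digest will match the backdoored file, so this check belongs alongside signature verification and the other controls in the list rather than replacing them.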
Disconnecting Everything From the Internet is Not the Answer
When major data breaches occur, it’s tempting to despair. You might even think of implementing an extreme solution like, “We should just disconnect and air-gap everything from the internet!” However, disconnecting isn’t the panacea you might think it is. In some instances it makes perfect sense that certain systems should absolutely not be connected to the internet, sensitive information systems for example. But the vast majority of systems are fine to connect online so long as due diligence is taken by responsible information system owners and their hired guns (administrators) to continuously update and monitor those systems. That’s not happening, though; they’re overwhelmed.
It’s when basic cybersecurity practices (i.e., cyber hygiene) are not followed that trouble eventually ensues. We continue to hear the same old song and dance about how employers can’t find enough qualified cybersecurity job candidates. “There’s a skills gap and we must fill it ASAP!” But did you ever stop to think that maybe, just maybe, there isn’t a skills gap, and the saga of data breaches is due to the fact that too many employers don’t staff their companies and organizations with an adequate number of cybersecurity professionals, or pay them what they are worth, to begin with? Could that perhaps be a factor in why there is this perceived “skills gap”?
We could disconnect our computer systems, but we would be taking a major step backward in terms of modern technological capability. Rather than go back to the days of analog technology, is it not smarter to try to design computer systems and applications more securely from the outset to prevent entire classes of software vulnerabilities from existing? That seems like a more worthwhile endeavor to me. The problem is getting the entire world on board with such a plan. It is nearly impossible to get the entire U.S. body of government to agree on anything; imagine trying to get every nation’s government to buy into a new concept of the internet. So, what to do? Start small and let the ripple effects change the world from the U.S. outward.
How Do We Stop the Bleeding?
If the U.S. can change how the internet operates within its own borders by designing more secure and private internet protocols and more secure software products, the rest of the world will eventually follow suit if it wants to continue doing business with the U.S., the largest economy in the world. The problem is that security solutions are never that simple. If it were that simple, we would’ve already done it by now.
Tolstoy once said, “Everyone thinks of changing the world, but no one thinks of changing himself.” If we want to end the hemorrhaging from cyber attacks, we first have to be willing as a nation to change how we do business. We have to be willing to sacrifice some measure of convenience for added security and privacy controls on our technology. We are still a long way off from that though and so the hemorrhaging will continue.
Russia, China, North Korea, and Iran have long been U.S. adversaries. These countries, and others, will not stop their cyber warfare activity any time soon, economic sanctions or not. Not so long as there are no consequences for their actions, as there haven’t been during the entire Trump administration. One thing is for certain: the incoming Biden/Harris administration will definitely have its hands full with Russia and other nation-state APT groups that seek to undermine the U.S. in every way possible via cyber warfare.
However, the incoming Biden administration has already stated that cybersecurity will be a top priority after the recent SolarWinds supply chain cyberattack (Kinery, 2020). Let’s hope it’s not more of the same old unsealed Department of Justice indictments of foreign criminal hackers, which have little deterrent effect.
Greenberg, A. (2018, February 12). ‘Olympic Destroyer’ Malware Hit Pyeongchang Ahead of Opening Ceremony. Retrieved from https://www.wired.com/story/olympic-destroyer-malware-pyeongchang-opening-ceremony/
Khandelwal, S. (2014, July 2). Dragonfly Russian Hackers Target 1000 Western Energy Firms. Retrieved from https://thehackernews.com/2014/07/dragonfly-russian-hackers-scada-havex.html
Khandelwal, S. (2018, April 18). CCleaner attack timeline — here’s how hackers infected 2.3 million PCs. Retrieved from https://thehackernews.com/2018/04/ccleaner-malware-attack.html
Kinery, E. (2020, December 17). Biden Calls Cybersecurity a ‘Top Priority’ After Russian Hack. Retrieved from https://www.bloomberg.com/news/articles/2020-12-17/biden-calls-cybersecurity-a-top-priority-after-russian-hack
Rosenblatt, S. (2015, February 20). Lenovo’s Superfish security snafu blows up in its face. Retrieved from https://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/
Schneier, B. (2014, March 10). Computer network exploitation vs. computer network attack. Retrieved from https://www.schneier.com/blog/archives/2014/03/computer_networ.html
Secarma. (2018, September 1). A brief history of supply chain attacks. Retrieved from https://blog.secarma.com/a-brief-history-of-supply-chain-attacks/