Attacking your supply chain

Posted on 2 November 2017 by George Michael

There has been a huge surge in the use of supply chain attacks by cyber threat actors over the last 12 months. The implications that this will have on security are broad, as not only does it suggest a shift in who will be targeted, but also how organizations prioritise and implement security requirements. This piece aims to provide more detail on how these attacks are being conducted, and what you can do to secure against them.

 

Supply chain attacks: the basics

 A supply chain attack is a cyber-attack that seeks to breach primary targets by compromising associated third-parties and using them as an attack vector. There are several ways in which threat actors may execute such an attack, and some of the main methods may include:

 

  •  Targeting IT service providers who, by nature, provide attackers with simple access to the target’s systems and data.
  • Compromising the source code of software providers, causing them to distribute malicious versions of their software.
  • Spear phishing from a trusted third-party.

 If threat actors perceive primary targets to have advanced security controls in place, they may look to bypass many of these mitigations by going through the target’s “supply chain”. While supply chain attacks may take longer for attackers to achieve objectives, their recent rise in popularity may be down to two key factors:

  • Primary targets are improving security controls.
  • Attackers continue to develop and adopt new techniques in order to improve their probability of success.

 

The growing trend

 In 2017, there has been an average of at least one supply chain attack or campaign reported per month. This compares with an average of just one or two reported per year in recent times. The timeline of attacks below, whilst not exhaustive, demonstrates the variety of industries and organisations affected by this shift.

supply chain timeline

 While many of these attacks were attributed to certain Nation States (largely either China[1] or Russia[2]), the adoption of such techniques by criminals is also a growing threat. As demonstrated in the above timeline, the advanced criminal group Cobalt has already picked up on this successful trend. In the wider criminal threat landscape, attackers follow the news, and as a result there is potential for them to adopt further the techniques used in many of these well-publicized cases. Similar cases of trend-following by cyber-criminals have been seen in the past – for example, a few months after news of the North Korean “SWIFT attacks” against banks around the world was released, it was reported that a prolific criminal hacking group had initiated an almost identical campaign[3].

 

Securing against supply chain attacks

 Securing against supply chain attacks is difficult for a number of reasons. Not only are they designed to bypass many popular mitigations, but also the responsibility of securing against them goes beyond your organisation and includes partners and suppliers.

 

 Defending against supply chain attacks requires a mixture of prevention and detection. While the following suggestions are by no means exhaustive, they may provide a kick-start for an upgraded security roadmap against this growing threat:

 

Prevention
  • Terminate third party connections into your network in a dedicated “controlled access” DMZ, to facilitate aggressive firewalling and traffic inspection.
  • Ensure any accounts provided to third parties on your domain are subject to least privilege and role-based access control and audited regularly for anomalies.
  • Avoid creating unnecessary domain trusts between organisational Active Directory forests.
  • Ensure a comprehensive “Code of Connection” is signed and agreed between organisations, to outline specific security controls and acceptable use of the shared connection.
  • Whitelisting and software restriction policies would stop rogue installations and executions of unauthorised apps[4].
  • Ensure that when software is installed, it is integrity-checked wherever possible using checksums and hashes after download.

 

Detection
  • Ensure that all traffic between organisations is captured and inspected wherever possible and is subject to traffic behaviour analysis (using machine learning, or similar).
  • Ensure that any external/high-risk accounts are monitored and subject to standard UEBA analysis (again using machine learning, or similar).
  • More widely, ensure any access into critical network segments, such as server VLANs, is given additional scrutiny.
  • Utilise EDR with low-level network connection tracing, to flag unusual behaviour from trusted applications (e.g. notepad making C2 connections, NetSarang DNS requests to China, etc.).
  • More widely, carry out anomaly detection on standard protocols, such as DNS, in order to detect C2 and exfiltration traffic.

 To find out more about how you can protect your business from ever-evolving cyber threats, fill in the contact form above or email info@countercept.com.

 



[1] The Axiom threat actor group has been associated with the Chinese government in the past, and is widely considered to have conducted the Kingslayer and CCleaner attacks. Operation Cloud Hopper was linked to APT10, another group suggested to be state-sponsored by China. The backdoor used in the NetSarang breach is also considered to have been developed by the Winnti group, a Chinese group which, while not necessarily state-sponsored, is thought to have close ties to the Chinese government. However, it is difficult to say whether the Winnti group itself was behind the NetSarang attack.

[2] The Russian government was widely accused of launching the NotPetya attack. The attacks against US critical infrastructure supply chains were also linked to the Russian state-sponsored Energetic Bear group by the FBI.

[3] The Register, “Second hacking group targets SWIFT-connected banks”, https://www.theregister.co.uk/2016/10/11/swift_bank_hacking_reloaded/

[4] However, whitelisting would be ineffective if these tools were already in use, as they would have been whitelisted and consequently authorised (referring to cases such as NetSarang). From a corporate perspective, whitelisting may have been effective against attacks such as the CCleaner case, as CCleaner is not typically an enterprise tool.