How to Prepare for the Next Software Supply Chain Attack

Learn strategies for mitigating risks stemming from cyberattacks and vulnerabilities against your IT vendors.
By:
Dave Shackleford
,
Owner & Principal Consultant, Voodoo Security
May 01, 2024
Share:
Blog 2024 05 Software Supply Chain Attack

In recent years, cyberattacks have evolved right along with our defenses (to absolutely no one’s surprise). Attackers are looking for, and finding, new and innovative ways to compromise assets and data – from end-user attacks like credential theft and browser-based malware to cloud-focused attacks that leverage APIs and cloud-native services.

Unfortunately, cyber attackers have also discovered how to compromise us through software, which is undoubtedly the weakest link in many corporate environments. Let’s face it: a huge percentage of large enterprises don’t have an accurate or up-to-date software inventory, and we often know very little about the software developers creating, packaging, and delivering this software to us.

Just because we purchase software from large, well-known providers doesn’t mean attackers haven’t infiltrated their environments and shipped out something nasty, unbeknownst to the software manufacturer. This is exacerbated when dealing with smaller firms and start-ups – whether packaged software, SaaS, open-source providers, or other cloud services – due to their lack of resources dedicated to software security.

In short, the software supply chain is a mess.

Examples of Software Supply Chain Attacks

If you say “SolarWinds” to anyone in IT security, you’re likely to get a shake of the head and a frown – yes, it was that bad. They were owned, they shipped, we got owned, and there you have it – a very elegant malware distribution supply chain at its best.

We’ve seen the crushing impact of the Log4j vulnerability in development environments, and now attackers are loading compromised packages and content to package repositories. More recently – and different from the Solar Winds, Log4j, or the Codecov incidents – we've seen the XZ Utils vulnerability, where an attacker used social engineering to get into the backdoor of the widely used open-source data compression utility in Linux systems.

Third-party breaches won’t slow down, either. That is until we start to get a handle on who we’re buying software from, where it lives in our environments, what privileges it has, what it has access to – and, most importantly, whether we can trust it in the first place.

9 Steps to a Third-Party Incident Response Plan

When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.

Read Now
White paper incident response 0421

Mitigating Software Supply Chain Attacks

There are some great industry efforts underway to strengthen software supply chain security. Many in the IT security and software industries, along with the entire risk management community, have advocated for organizations to publish and maintain a software bill of materials (SBOM) that can be disclosed to customers upon request. An SBOM is a formally structured list of components, libraries, and modules required to build a piece of software. SBOMs provide a much deeper insight into the potential vulnerability posture of the software itself by enumerating its components.

Some software manufacturers have resisted creating SBOMs, likely due to the perception that they’re somehow disclosing sensitive intellectual property. However, we all know that everyone uses open source everywhere. SBOM isn’t source code; it’s a list of packages and components used to build software, many of which are highly vulnerable to attacks over the years. The U.S. government is pushing for SBOM, and it could easily become a leading element of third-party risk management monitoring and reporting in the near future.

Other focal areas in the industry include the creation of software supply chain attack workflows such as MITRE ATT&CK, a universal vulnerability reporting mechanism, and syntax for software bugs.

Four Best Practices to Mitigate the Risk of Software Supply Chain Security Incidents

This latest vulnerability serves as a reminder that organizations should have a third-party incident response plan in place to quickly determine the impact of software supply chain compromises on their third-party vendors. Here are four best practices to consider:

1. Develop a centralized inventory of all vendors.

This will enable you to tier and profile your vendors according to the criticality of the services provided and to quantify the likelihood and impact of a breach. Accurate profiling and tiering also enable you to right-size your ongoing due diligence based on the vendor’s tier. High-tier vendors (e.g., those whose failure created an operational problem for your company) get the most attention.

2. Understand which vendors are using the impacted technology.

Collecting fourth-party technologies deployed in your vendor ecosystem during the inventorying process helps identify relationships between your organization and third parties based on certain technology usage. This will help you visualize attack paths in your enterprise and take proactive mitigation steps. You can accomplish this through a targeted assessment or via passive scanning.

3. Assess third parties’ business resilience and continuity plans.

Proactively engage vendors with simple, targeted assessments aligned with known industry supply chain security standards such as NIST 800-161 and ISO 27036. Results from these assessments will help you target needed remediations to close potential security gaps. Good solutions will provide built-in recommendations to speed up the remediation process and close those gaps quickly.

4. Continuously monitor vendors and suppliers to provide visibility, including cyber posture, negative news, and cyber-attacks.

Being continuously vigilant for the next attack means looking for signals of an impending security incident. Monitoring criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential. You can monitor these sources individually or look for solutions that unify all the insights into a single solution, so all risks are centralized and visible to the enterprise.

Get More Tips for Safeguarding Your Software Supply Chain

I’ve partnered with Prevalent to deliver a best-practices webinar on software supply chain security that examines how a mature third-party risk management strategy can help you get a handle on attacks against your IT vendors. Watch How to Assess Your Software Vendors' Cybersecurity below.

Tags:
Share:
Dave Shackleford
Dave Shackleford
Owner & Principal Consultant, Voodoo Security

Dave Shackleford is the owner and principal consultant of Voodoo Security and faculty at IANS Research. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. Dave is a SANS Analyst, serves on the Board of Directors at the SANS Technology Institute, and helps lead the Atlanta chapter of the Cloud Security Alliance.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo