In the classic 1990s gangster movie “Goodfellas,” protagonist Henry Hill describes how the mob exploits the longtime trust its members build up with each other when they want to dispose of one of them.
“See, your murders come with smiles. They come as your friends, the people who've cared for you all of your life,” said Hill. “And they always seem to come at a time that you're at your weakest and most in need of their help.”
A company’s third-party IT suppliers aren’t friends per se, but they are increasingly being exploited in a similar fashion by malicious hacking groups of all stripes. Whether it’s coming from foreign intelligence services (SolarWinds), ransomware actors (Kaseya) or both (Microsoft Exchange), these kinds of upstream attacks are becoming more and more common, and some think we’re merely at the beginning of the downward slope.
Matt Tait, chief operating officer for Corellium, posited that two trends — supply chain attacks and a dramatic increase in discovered zero day vulnerabilities — could be converging in a way that portends an even bleaker future. The rise of zero days, as noted by researchers at Google’s Project Zero, Apple, Microsoft and others, indicates that “offense seems to be taking the gloves off.”
“This is both in the government sector — doing espionage — and in the financially motivated crimeware industry,” Tait said during a speech at the Black Hat cybersecurity conference in Las Vegas. “It’s getting to the point now where it’s beginning to overwhelm our ability to respond in the defensive sector.”
Mass exploitation with zero days is rare, as the costs of burning a high-value vulnerability, replacing its surrounding IT infrastructure and the benefits from increased platform security have made such broad, “shotgun”-style attacks either too risky or impractical.
But in the past 12 months, the SolarWinds/Orion compromise, the Kaseya ransomware attack, mass exploitation of Microsoft Exchange servers, the Codecov compromise and the breach of Accellion’s file transfer system all demonstrate a clear desire on the part of state and criminal hacking groups to cast a broader net for victims where possible.
There are a number of incentives for such targeting. Supply chain attacks can dramatically simplify the work that threat actors have to do around target selection, scanning the attack surface, privilege escalation and lateral movement, things that are often harder, more complex and come with higher costs in more traditional or targeted intrusions.
While the SolarWinds and Kaseya hacks caused broad downstream damage, Tait pointed out that both could have been much worse, as the threat actors ultimately used their access to infect a fraction of the customers who had downloaded the corrupted updates.
Sherri Davidoff, CEO of LMG Security, said that while all of these supply chain incidents are slightly different, they often require a similar evolution in the way defenders conduct digital forensics and incident response.
Incident responders must pay closer attention to scouring change management logs to determine the window of compromise — when the infected update was released, when the customer downloaded it and how long they were exposed.
A recent executive order mandating federal agencies and contractors implement a software bill of materials (essentially a list outlining the origins of different parts of your codebase) could trickle down to the private sector, something that Davidoff said could provide a new tool to defenders.
“This is going to become part of our incident response process over the next few years, because if this comes to pass, you may have the ability to review those [lists] when there’s an announcement to determine what your risk is of downstream compromise because of software your vendors are relying on.”
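As an added illustration of the two practices above (this is not code from the talk or from LMG Security), the Python below cross-references an SBOM against a vendor advisory and derives the window of compromise from change-management log lines; the SBOM, advisory, component names and log format are all constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed CycloneDX-style SBOM fragment (not a real vendor's document).
SBOM_JSON = """{"bomFormat": "CycloneDX", "components": [
  {"name": "acme-agent", "version": "4.2.1"},
  {"name": "log-helper", "version": "1.4.0"},
  {"name": "tls-lib", "version": "3.0.2"}]}"""

# Constructed advisory: component -> versions the vendor says were tampered with.
ADVISORY = {"acme-agent": {"4.2.1", "4.2.2"}, "tls-lib": {"3.0.0"}}

# Constructed change-management log: ISO-8601 time, action, component, version.
CHANGE_LOG = """2021-03-02T10:15:00Z download acme-agent 4.2.1
2021-03-02T10:20:00Z install acme-agent 4.2.1
2021-03-20T08:00:00Z install log-helper 1.4.0
2021-04-18T09:00:00Z install acme-agent 4.2.3"""


def affected_components(sbom_json, advisory):
    """Return (name, version) pairs in the SBOM that the advisory lists as affected."""
    sbom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in sbom["components"]
            if c["version"] in advisory.get(c["name"], set())]


def parse_log(text):
    """Yield (timestamp, action, component, version) from the assumed log format."""
    for line in text.splitlines():
        ts, action, name, version = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, action, name, version


def exposure_window(log_text, component, affected_versions):
    """Window of compromise for one component: from the first download or install
    of an affected version until the first later install of an unaffected version
    (end is None if still exposed). Returns (start, end, whole_hours) or None."""
    start = end = None
    for when, action, name, version in parse_log(log_text):
        if name != component:
            continue
        if start is None and version in affected_versions:
            start = when
        elif start is not None and action == "install" and version not in affected_versions:
            end = when
            break
    if start is None:
        return None
    hours = int(((end or datetime.now(timezone.utc)) - start).total_seconds() // 3600)
    return start, end, hours


if __name__ == "__main__":
    for name, version in affected_components(SBOM_JSON, ADVISORY):
        print(name, version, exposure_window(CHANGE_LOG, name, ADVISORY[name]))
```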
For companies, defensive measures can also include simple, proactive things, like querying their vendors on update practices, or following them or security researchers on social media, where you can often learn about vulnerabilities or hacks before they show up on news sites.
Tait believes another group carries the bulk of the responsibility: platform vendors, who could be doing much more to design their products in a way that collectively moves us away from the failed model of putting the security burden on end users. This approach has traditionally been avoided because it runs afoul of “very, very entrenched, substantial business interests,” but Tait said there aren’t really any other stakeholders positioned to have a similar impact on the problem without drastically changing the way society works.
“This isn’t going to be fixed by a collection of international organizations, it’s not going to be fixed by the U.S. government, it’s not going to be fixed by federal agencies, it’s not going to be fixed by a consortium of governments,” Tait said. “The only way to tackle supply chain intrusions at the scale that’s needed is to fix the underlying technology.”