"A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system."
Cybersecurity and Infrastructure Security Agency (CISA)
Attackers often use supply chain attacks to target weak links in larger organisations' supply chains. By doing this, they can infiltrate bigger organisations that usually have strong security programs in place via smaller vendors that aren't as well-protected.
Recent supply chain attacks that caused the greatest damage
The most talked-about supply chain attacks in recent years have been the SolarWinds SUNBURST attack, which was discovered in December 2020, and the Kaseya attack, which came to light in July 2021.
The group behind the SolarWinds attack used an implant to access the build server for SolarWinds Orion (an IT infrastructure monitoring and management platform) and inserted a backdoor into the product. The infected versions of the software were then spread through legitimate product updates and used by attackers to compromise thousands of government agencies and private enterprises that used the platform.
In the Kaseya attack, the REvil ransomware group exploited authentication bypass and arbitrary code execution vulnerabilities in Kaseya's Virtual System Administrator (VSA) to distribute a malicious loader to systems with VSA agents installed. The attack spread quickly and caused widespread damage because the affected product was used by a large number of MSPs to provide services to their own customers.
Sophisticated and well-planned supply chain attacks can spread quickly and often have long dwell times. The SolarWinds attacks, for instance, were infecting users' systems as early as the beginning of 2020 but were discovered only in December 2020. Attackers lurked on some target networks for over nine months.
While this seems troubling, it also means that the attackers went through multiple steps before executing the final stage of the attack, so blocking them at any of the initial steps would have prevented serious damage.
Serious attacks that do the most damage make the biggest news, but what is often missed is that organisations with strong and well-executed security programs are bouncing off such attacks all the time.
Outsourcing detection and response operations gives businesses access to not just the latest and best security tools in the market but also cyber security and incident response expertise that comes with years of training and hundreds of thousands of hours of handling alerts and incidents.
Managed Detection and Response (MDR) providers can help businesses fight off supply chain attacks by:
• Giving them complete visibility across their network, endpoint and cloud environments and eliminating blind spots
• Using a combination of signature-based and behaviour-based threat detection to catch threats early
• Leveraging threat intelligence to add context to all alerts and speed up investigations
• Stitching together data from various sources, tools and data sets and using machine learning for superior analytics
• Enabling faster and better coordinated incident response
• Providing 24/7 access to cyber security specialists with years of industry experience
Supply chain attacks today are often targeted, sophisticated and backed either by nation-states or large, well-funded and well-organised criminal groups. They are also carried out in a series of steps, each of which would require a different set of tools and techniques to detect. In such a scenario, organisations’ best bet against attackers is to take a defence-in-depth approach to security and combine signature-based and behavioural-analytics-based threat detection driven by machine learning.
Network visibility, log collection and long-term log storage are also important: they let security teams thoroughly investigate threats that lurk in enterprise environments for months before the final stage of the attack, and reveal threat casualties and timelines. Effective parsing and quick analysis of all the data that is collected can be accomplished through automation and machine learning.
• Security analysts at LinearStack have decades of combined industry experience and are experts at handling advanced threats.
• We stop the vast majority of attack attempts with best-in-class prevention tools and detect the more advanced, stealthy threats in minutes.
• Our team conducts regular table-top exercises to stay attack-ready for quick, proactive threat response when needed.
• We run more than 40 research-based threat hunts and handle 2300+ incidents each month.
• Our MDR team tracks 1000+ ransomware families and works with over 4000 detection use cases.
• We deliver a follow-the-sun cyber vigilance service to protect businesses from threats 24/7.
We can help you place strong and effective security controls at multiple points in your network to stop sophisticated supply chain attacks before they disrupt your business. Our security experts can also help you design a network based on the “never trust, always verify” zero-trust model to prevent attackers from moving laterally once they’re inside your environment.