Supply Chain Council of European Union | Scceu.org

Australian businesses need to stop neglecting supply chain security risks

While cybersecurity has a lot of competing priorities, there is one in particular that can no longer take a backseat to the others.

GUEST OPINION by Rohan Langdon, Vice President Australia and New Zealand, ExtraHop: software supply chain compromise is among the top five threats of most concern to Australian organisations.

An organisation’s software supply chain consists of all the companies it buys software from, all of the open-source repositories developers pull code from, all the service organisations allowed into the environment, and more. All of these sources represent an enormous and difficult-to-secure cyber attack surface.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), “a software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.”

Clear risk mitigation and defensive action by Australian organisations is needed as supply chain attacks grow in breadth and volume.

Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chain.

In addition, PwC says 72% of Australian organisations expect to see an increase in reportable incidents in 2022 from attacks on the software supply chain, yet only 33% have formally assessed their enterprise’s exposure to this risk.

Australian organisations need to move past the current situation where supply chain cyber risks are being neglected, or are taking a backseat to other security concerns.

Supply chain security risks need to be promoted to be front-of-mind and front-of-line for funding and risk assessment.

Security risks ‘considered’

Recent research by ExtraHop shows that just over half (51%) of Australian organisations allow third-party access to their networks (although government organisations are considerably less likely to, at 33%).

They do so while well aware of the risks these arrangements potentially pose. Of the organisations that have granted third-party access to their networks, most (87%) say they have considered the security aspects.

But this is an issue that requires more than mere consideration.

Organisations and security leaders need to show they can take meaningful action to understand the breadth of risks.

As a preventive measure, most organisations conduct due-diligence security assessments of software they plan to use. This is important for weeding out basic security holes but is insufficient for catching and stopping more advanced adversaries.

But they also need to go deeper, establish a greater degree of visibility of their environment, and map out third-party relationships and dependencies.

By monitoring network behaviour, particularly inside of their environment, organisations are better able to detect and catch the advanced attackers that might sneak through.

Widening attack vectors

Supply chain attacks are now more than an attacker introducing their own malicious code into an official update, or finding and exploiting a vulnerability in a supply-chain dependency that perhaps someone else has uncovered.

ISACA finds ransomware, poor information security practices by suppliers and third-party data storage to also be vectors for supply chain attacks, in addition to malicious code insertion or vulnerability exploitation attack scenarios.

We recently also performed a desktop study of the supply chain threat landscape to get a better handle on the growing diversity of threats in this category. This culminated in the identification of five potential blind spots that leave organisations open to supply chain vulnerabilities and attacks.

It is worth exploring those blind spots in a little bit more detail.

The first potential blind spot is application servers and software update pathways. Enterprise software-based supply chain attacks often weaponise legitimate update mechanisms to deliver malware. To detect such threats, security teams and security tool developers need to develop greater understanding of the types of observable behaviour that are most likely to indicate a threat.

Software makers sometimes publish a software bill of materials (SBOM) to disclose components and open source packages that are present in commercial software. It would be valuable for security teams to also request disclosure of any commercial software’s expected network behaviour.

Vulnerabilities in open source software packages and libraries may also be a blind spot. Open-source software is a common target. Attackers may simply submit code to open source projects and hope that it is not caught by code reviewers. They may also use a technique called “dependency confusion”: publishing a public package under the same name as an organisation’s internal one, so that build tooling resolves the attacker’s copy instead of the private one.
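A defensive check for the dependency-confusion exposure described above, added here as an example rather than anything from ExtraHop or the article: it takes a lockfile excerpt, the list of names an organisation publishes only to its private registry, and a stand-in for a public-registry lookup, and reports internal names that also exist publicly or that a build resolved from the wrong host. The registry host, package names and lockfile entries are all constructed.

```python
"""Flag dependency-confusion exposure from a lockfile (added example, not vendor code).

Signals reported:
  1. an internal package name that is also published on the public registry;
  2. a lockfile entry for an internal package that resolved from a host other
     than the private registry.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

PRIVATE_REGISTRY_HOST = "npm.internal.example"              # assumed private registry
INTERNAL_PACKAGES = {"acme-auth-client", "acme-telemetry"}  # constructed internal names

# Constructed stand-in for querying the public index: name -> latest public version.
# In practice this is an HTTP lookup; a name that is not published returns None.
PUBLIC_INDEX = {"lodash": "4.17.21", "acme-telemetry": "99.0.0"}

@dataclass(frozen=True)
class Finding:
    package: str
    reason: str

def public_version(name):
    return PUBLIC_INDEX.get(name)

def check_lockfile(lock):
    """lock: {name: {"version": str, "resolved": url}} as in a package-lock 'dependencies' map."""
    findings = []
    for name in sorted(INTERNAL_PACKAGES):          # signal 1: name collision on the public index
        ver = public_version(name)
        if ver is not None:
            findings.append(Finding(name, f"internal name also published publicly (v{ver})"))
    for name, entry in lock.items():                # signal 2: wrong resolution source
        if name not in INTERNAL_PACKAGES:
            continue
        host = urlparse(entry.get("resolved", "")).hostname
        if host != PRIVATE_REGISTRY_HOST:
            findings.append(Finding(name, f"resolved from {host or 'unknown host'} instead of {PRIVATE_REGISTRY_HOST}"))
    return findings

# Constructed lockfile excerpt: one internal package correctly pinned to the private
# registry and one that the build fetched from the public registry instead.
SAMPLE_LOCK = {
    "lodash": {"version": "4.17.21", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "acme-auth-client": {"version": "2.3.1", "resolved": "https://npm.internal.example/acme-auth-client/-/acme-auth-client-2.3.1.tgz"},
    "acme-telemetry": {"version": "99.0.0", "resolved": "https://registry.npmjs.org/acme-telemetry/-/acme-telemetry-99.0.0.tgz"},
}

if __name__ == "__main__":
    for f in check_lockfile(SAMPLE_LOCK):
        print(f"{f.package}: {f.reason}")
```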

A third potential blind spot is unmanaged hardware and software components. Accurate inventories are crucial. A continuously updated asset inventory driven by real-time visibility into the devices and workloads operating on your network offers a better chance to discover vulnerable or compromised devices on the network.

Another blind spot can be devices under remote management, and communication pathways with remote managed service providers. Devices that a managed service provider has access to should have their behaviour observed and analysed, particularly if the devices have privileged access to sensitive data. The same goes for cloud-based services; these should also be observed and their regular behaviour well understood so that anomalous behaviour is more apparent.
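The monitoring idea running through the update-pathway, cloud-service and remote-management blind spots above (a disclosed expected-behaviour profile for software, plus a learned baseline of regular behaviour so that deviations stand out) as an added example; it is not ExtraHop's product logic. The asset names, declared profiles and flow records are constructed sample data.

```python
"""Flag network flows that fall outside an asset's expected behaviour (added example).

Two reference points:
  * a declared profile: the destinations a vendor or MSP says its software or
    managed device legitimately contacts (the expected-network-behaviour disclosure);
  * a learned baseline: every (asset, dst, port) seen during a quiet learning window.
A flow is alerted only when it matches neither.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "asset dst port")

# Constructed declared profiles: asset -> {(destination, port)} it is expected to use.
DECLARED = {
    "erp-app-01": {("updates.vendor.example", 443), ("db-01.corp.example", 5432)},
    "hvac-ctrl-07": {("rmm.msp.example", 443)},   # device under an MSP's remote management
}

def learn_baseline(flows):
    """Record every (asset, dst, port) tuple observed in the learning window."""
    return {(f.asset, f.dst, f.port) for f in flows}

def detect(flows, baseline, declared=DECLARED):
    """Return (flow, reason) pairs for flows outside both the profile and the baseline."""
    alerts = []
    for f in flows:
        in_profile = (f.dst, f.port) in declared.get(f.asset, set())
        in_baseline = (f.asset, f.dst, f.port) in baseline
        if in_profile or in_baseline:
            continue
        reason = "undeclared destination" if f.asset in declared else "unprofiled asset, new destination"
        alerts.append((f, reason))
    return alerts

# Constructed learning-window traffic (assumed clean) and a later observation window.
LEARN = [Flow("erp-app-01", "updates.vendor.example", 443),
         Flow("erp-app-01", "db-01.corp.example", 5432),
         Flow("hvac-ctrl-07", "rmm.msp.example", 443),
         Flow("printer-02", "print-srv.corp.example", 9100)]
OBSERVE = [Flow("erp-app-01", "updates.vendor.example", 443),    # normal update check
           Flow("erp-app-01", "cdn.unknown-host.example", 443),  # update path reaching an unknown host
           Flow("hvac-ctrl-07", "fileshare.corp.example", 445),  # managed device contacting a share it never used
           Flow("printer-02", "print-srv.corp.example", 9100)]

if __name__ == "__main__":
    for flow, reason in detect(OBSERVE, learn_baseline(LEARN)):
        print(f"{flow.asset} -> {flow.dst}:{flow.port}: {reason}")
```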
