Protecting Against Supply Chain Attacks


60%: year-over-year increase in attempted intrusions

650%: year-over-year increase in software supply chain attacks

1,500: estimated number of customers impacted by the Kaseya supply chain attack

Although the intrusion is indirect, supply chain attacks are attractive to bad actors because a single compromise yields immediate access to a broad set of downstream users. For example, when the remote management vendor Kaseya was compromised in July 2021, the attackers were able to push ransomware to more than 1,500 of its customers almost immediately. The number of software supply chain attacks is rising sharply: Sonatype's 2021 State of the Software Supply Chain report found a 650% year-over-year increase in software supply chain attacks, and the Identity Theft Resource Center (ITRC) counted 19 supply chain attacks in Q4 2020 alone.

How do supply chain attacks work?

Supply chain attacks are multi-stage attacks that chain a variety of techniques to reach the attacker's goal. By first compromising a supply chain vendor, bad actors aim to reach the networks of that vendor's customers or end users. Two common varieties are:

Method 1: Partner Network Access

In this variety, bad actors gain access to a partner's network, such as a managed service provider (MSP), and use it as a stepping stone into the partner's clients' networks. For example, in the 2013 Target breach, the bad actors first gained access to the network of Target's HVAC contractor, which was used to monitor the HVAC systems at Target stores. From this less secure partner network they were able to find their way to Target's point-of-sale (POS) network and install RAM-scraping malware on POS terminals to steal payment card data.


Method 2: Embedded Malware

In this variety, bad actors compromise a supply chain vendor to reach its source code repositories or update systems and inject their own malicious code. In today's environments, both software applications and hardware appliances regularly 'phone home' to retrieve and apply updates, and these updates are often automated. It is not uncommon for an upgrade to fetch additional components, including libraries from third-party sources. Upgrades frequently run with root or administrator privileges and execute a variety of scripts along the way, so anything injected into the update channel runs with those same privileges.


For example, in the SolarWinds breach, bad actors inserted a malicious DLL (Dynamic Link Library) into a legitimate, signed SolarWinds Orion update. Once installed on a customer's system, the DLL lay dormant for a randomized waiting period and then began command-and-control activity, retrieving and executing commands from a server controlled by the bad actor.


How do you detect a supply chain attack?

Like much of security, there is no silver bullet. Gartner recommends three practices to help detect software supply chain attacks:

  • Inventory and monitor third-party tools

  • Monitor remote access granted to suppliers

  • Monitor third-party providers

Applying all three reduces the risk of a successful attack but does not guarantee one will be prevented, and for many organizations it is difficult at best to sustain all three.

How to use Spyderbat to detect supply chain attacks early

Spyderbat goes beyond Gartner's recommendations by automatically building a detailed view of every third-party action and software upgrade performed in your environment.


Spyderbat collects all interactions between applications and the processor to generate and maintain an operations plane, mapping each activity to its causal parents and children.

Spyderbat builds this system-wide causal graph proactively, rather than only after an alert or detection triggers collection.

CUSTOMER CASE STUDY


Challenge

  • Lack of perimeter breach detection for Linux instances exposed to the public internet

  • Increased supply chain and compliance risk from an inability to monitor third-party vendor products running on Linux (for example, in AWS)

  • High operational costs for staff with Linux programming experience


Solution

  • Visibility into all Linux environments, including owned and vendor supplied

  • Ability to apply behavior analysis to Linux

  • Enrich Linux monitoring with network traffic analysis and indicator-of-compromise tracing

  • Trace supply chain attacks at the operator level


Benefits

  • Reduced mean time from incident detection to root cause

  • Protect assets and monitor Linux at the OS level

  • Trace full path of events across Linux environments

  • Create alerts from playbooks for consistent detection across environments

For example, here is the Spyderbat causal tree produced by running 'sudo apt update':

[Figure: Spyderbat causal tree for 'sudo apt update']

Spyderbat captures the causal relationships across every process, network connection, and file access performed by the update.


Spyderbat:

  • Captures all third-party activity, giving an authoritative record that validates access controls for third-party users and removes any finger-pointing over who did what.

  • Captures all third-party update activity, including outbound network data retrieval and every file created or touched.


Once an attack technique is detected, Spyderbat lets you immediately trace it back to its source, the third-party update, even if that update ran months earlier. The attack's full footprint is revealed because all activity between the earlier software update and the current detection has been captured, even when the bad actor or malware inserts random wait periods between its actions.


Because Spyderbat does not rely on log analysis, the attack trace is available even if logging was disabled (or never enabled in the first place). This allows full remediation of the threat, including newly installed backdoors, created user accounts, and so on.
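To make the tracing described above concrete, here is an added example. It is not Spyderbat's code and does not reflect how Spyderbat stores its operations plane; it simply builds a causal process tree from a constructed, auditd-like stream of exec/connect/file events modelled on the embedded-malware scenario: an apt update run as root over SSH, a package post-install script that drops a binary and a service unit, and that binary beaconing to an unknown host two weeks later. A detection on the beacon is walked back up the tree to the outermost package-manager ancestor, and the update's full footprint (processes, files, connections) and the session that invoked it are reported. The hostnames, paths, PIDs, timestamps and event format are all assumptions made for the example.

```python
"""Tracing a beaconing process back to the software update that introduced it.

Added example, not Spyderbat's code. The event format and all sample values
(PIDs, hosts, paths, timestamps) are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86400


@dataclass
class Event:
    ts: int           # seconds since epoch (constructed values)
    kind: str         # "exec", "connect" or "file"
    pid: int
    ppid: int
    comm: str         # process image name
    detail: str = ""  # host:port for connect, path for file


# Constructed telemetry: an operator runs apt as root over SSH, a post-install
# script drops a binary and a systemd unit, and the binary beacons to an
# attacker-controlled host fourteen days after the update ran.
EVENTS = [
    Event(1000, "exec",    100,   1, "sshd"),
    Event(1001, "exec",    200, 100, "bash"),
    Event(1002, "exec",    300, 200, "sudo"),
    Event(1003, "exec",    301, 300, "apt"),
    Event(1004, "connect", 301, 300, "apt", "deb.example.org:443"),
    Event(1005, "exec",    302, 301, "dpkg"),
    Event(1006, "exec",    303, 302, "postinst.sh"),
    Event(1007, "file",    303, 302, "postinst.sh", "/usr/lib/libhelper.so"),
    Event(1008, "exec",    304, 303, "helper-agent"),
    Event(1009, "file",    304, 303, "helper-agent", "/etc/systemd/system/helper.service"),
    Event(1003 + 14 * DAY, "connect", 304, 303, "helper-agent", "203.0.113.7:8443"),
]

PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "pip", "npm"}
ALLOWED_HOSTS = {"deb.example.org"}   # hosts an update is expected to contact


class CausalTree:
    """Parent/child links taken from exec events, plus every event keyed by pid."""

    def __init__(self, events):
        self.events = sorted(events, key=lambda e: e.ts)
        self.parent = {}
        self.children = defaultdict(list)
        self.by_pid = defaultdict(list)
        for e in self.events:
            if e.kind == "exec":
                self.parent[e.pid] = e.ppid
                self.children[e.ppid].append(e.pid)
            self.by_pid[e.pid].append(e)

    def comm(self, pid):
        return next((e.comm for e in self.by_pid[pid] if e.kind == "exec"), "?")

    def exec_ts(self, pid):
        return next(e.ts for e in self.by_pid[pid] if e.kind == "exec")

    def ancestors(self, pid):
        """The pid itself first, then each parent that has an exec record."""
        chain = []
        while pid in self.parent:
            chain.append(pid)
            pid = self.parent[pid]
        return chain

    def descendants(self, pid):
        out, stack = [], [pid]
        while stack:
            p = stack.pop()
            out.append(p)
            stack.extend(self.children[p])
        return out


def find_beacons(tree):
    """Detection: any outbound connection to a host outside the allowlist."""
    return [e for e in tree.events
            if e.kind == "connect" and e.detail.rsplit(":", 1)[0] not in ALLOWED_HOSTS]


def trace_to_update(tree, pid):
    """Walk up the causal chain and return the outermost package-manager
    ancestor, so the whole update run (apt, not just dpkg) is in scope."""
    update = None
    for p in tree.ancestors(pid):
        if tree.comm(p) in PACKAGE_MANAGERS:
            update = p
    return update


def footprint(tree, update_pid):
    """Everything the update and its descendants spawned, wrote or contacted."""
    pids = tree.descendants(update_pid)
    return {
        "processes": [(p, tree.comm(p)) for p in pids],
        "files": sorted({e.detail for p in pids for e in tree.by_pid[p] if e.kind == "file"}),
        "connections": sorted({e.detail for p in pids for e in tree.by_pid[p] if e.kind == "connect"}),
    }


def investigate(events=EVENTS):
    tree = CausalTree(events)
    findings = []
    for beacon in find_beacons(tree):
        update = trace_to_update(tree, beacon.pid)
        if update is None:
            findings.append({"beacon": beacon.detail, "update": None})
            continue
        chain = tree.ancestors(beacon.pid)
        cut = chain.index(update) + 1
        findings.append({
            "beacon": beacon.detail,
            "beacon_process": tree.comm(beacon.pid),
            "update": (update, tree.comm(update)),
            "days_after_update": (beacon.ts - tree.exec_ts(update)) // DAY,
            "path_to_update": [tree.comm(p) for p in chain[:cut]],   # who spawned whom
            "invoked_by": [tree.comm(p) for p in chain[cut:]],       # session that ran the update
            "footprint": footprint(tree, update),
        })
    return findings


if __name__ == "__main__":
    for finding in investigate():
        for key, value in finding.items():
            print(f"{key}: {value}")
```

The design point is that the beacon alone tells you almost nothing; the value comes from the parent links recorded at exec time, which let the finding reach past the fourteen-day gap to the update that planted the binary and enumerate everything else that update touched (the dropped library and service unit) rather than just the one process that tripped the allowlist.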

Ready to See Spyderbat in Action?