How to tackle vulnerabilities in your Supply Chain

hello good day good evening and welcome to which secures supply chain webinar series how to tackle vulnerabilities in your supply chain with secure has extensive history working with organizations securing their infrastructure and systems from cyber attacks recovering from incidents as well as keeping tabs on the current threat landscape and figuring out what is actually lying out there waiting for us online with me today I have yarniamela a principal researcher with secure intelligence he has worked with witsecure in the past 22 years and with secure formally ftsecure Labs of course uh you've been working on analyzing identifying malicious behavior and planning automatic malware Handling Systems and today you're automating Cyber attack detection and planning new Cyber defense systems for with secure and for with secure products and services and with yarn we have also Mohammed qasim Hassan nejad and you joined with secure four years ago and you work or you focus on threat analysis intelligence and detection engineering and my name is Laura kangalam and I work as a senior security consultant at with secure so today supply chain what do we mean with supply chain thanks for asking Laura so I think uh to understand supply chain it really we have to look at the what an organization needs to achieve their business outcomes so a company usually has a supply chain Network that consists of all the resources and services that they need to procure in order to achieve their business outcomes and that can range from software components to Hardware Appliances to even productivity tools and office tools like project management software but usually in our field the we usually look at the software uh supply chain and it's it's in today's world it's gotten pretty complex because of the interconnection and one Reliance on one another so one supplier can actually be a supplier back like there can be a bi-directional relationship between suppliers and um this makes it a pretty complex web of supply chain Networks and with this of course comes the potential threats that that this poses because of this interconnection and third-party Reliance on one another in in today's world exactly so when we have this interconnected systems what do in your opinion the supply chain attacks actually mean well basically supply chain attack is an indirect form of attack into some kind of Target or group of targets it can be because the actual Target of the attacker is well defended and going through a supplier software component tampering with the printer in mail or anything else is the easiest part the path of least resistance to getting on the target organization is looking for easy Mass distribution so if they are able to get into certain software supplier that has ten of thousand ten thousand interesting customers or several Millions the tens of millions of customers globally being able to infect a component that is supplied then to all of those customers gives an enormous leverage for the attacker yeah it's kind of a force multiplier yeah so why attack one when you can attack multiple but then uh a question for both of you but who are actually victims or who can fall victim to a supply chain attack and now we're talking about organizations company companies and bigger communities so who can actually who are the victims for these types of attacks yeah well there's of course the high profile targets forty five hundred companies and other very important targets from business-wise or then it can be smaller companies that are actually not don't think think themselves to be necessary that interesting but they have something that the ease of value be that scientific value medical research Etc for example in Finland we have a company called visalat they make high-end sensors but those sensors are needed for many critical applications and they cannot really easily be replicated so thus it's a very interesting Target or then the other option is that as mentioned it can be that a certain company is a supplier for a very difficult Target and the attacker thinks that going through this target is the path of least resistance yeah or then the mass effect that was mentioned before absolutely because um do you think anyone is safe from supply chain attacks no I think uh every organization these days is part of at least one supply chain and because of this interconnection and this complexity that it provides like jarno mentioned sometimes an organization even a small business can become a stepping stone and but I think just like how an organization there are critical assets that um that the in a network that the company wants to protect like their domain controller server or their code signing servers um there are also certain suppliers that are part of a considerable number of these supply chain networks or part of um critical Supply chains that contain high value targets but again anyone can be a Target because um we cannot neglect even the smaller businesses because in some scenarios they might be like jorna mentioned the path of least resistance and if we think about the attackers they come with different motives for some some it may be money it may be gaining access to some specific systems for Espionage so if we try to sum up who are behind these types of supply chain attacks so who would you say are doing this or leveraging basically this interconnected world and systems that we live in I think with traditional supply chain we usually look at supply chain attacks as something sophisticated and the first group of threat actors that come to mind are either a nation state actors or state-sponsored actors um but I think depending on the class of the class and the objectives of the supply chain attack the threat actor can differ um I I think I I sometimes think of it uh like kind of like with this analogy that um any criminal can enter a bank but not every criminal can pull off a bank heist and then we have um small mankinds then we have big Bank heists so for nation state actors usually they're after Espionage sabotage or intellectual property theft and they're the most well-resourced and knowledgeable entities so they can pull off these sophisticated attacks but they're not the only um actors that that would leverage a supply chain attack to achieve their outcome but they probably would usually um use different classes of supply chain attacks going from physical Hardware software and even service level supply chain attacks to Target usually um the type of targets that has some sort of um interest for the state so intergovernmental or governmental agencies and institutions um companies and organizations that are part of uh high value or strategic sectors like uh telecommunication energy uh defense technology or any critical infrastructure but then of course there are cyber crime gangs and still Small Time actors Yeah Yeah you mentioned you talked a lot about Espionage so the intelligence that they can gather but what about cyber crime gangs and how what's their interest in in supply chain security or without security attacking supply chain they are opportunists so for criminal first of all they need to find out a way to hit the target and once they find out a way to hit the target then they monetize it so it means that either some Gang has figured out an opportunity to perform a supply chain attack or somebody has done a discovery and sold the information for them so I don't think we are going to see anytime soon any cyber crime gang that would be specializing a supply chain attack that's not the mode operation some gang found an opportunity and they are leveraging it yeah the again cyber gangs they typically operate in these affiliate networks they have people they can buy this information and exploits from so so that's important to understand that there are many types of threat actors behind this but essentially supply chain can be sometimes the easiest easiest way in then but if we think about supply chain well one obvious part of internet and systems and services we use is of course the software that we are running on them so uh if we start with talking about development and and development as part of the supply chain so Jana would you want to share some thoughts and we have some examples here about for example poisoned packages for for different software components or where you can download software components from or then phishing for credentials and things like this so what do you think is in common with these well they're basically are three different types as they have been outlined here first of all is that it depends whether the category is trying to hit the organization or whether it's high it is attacker is trying to gain access to the organization's customers through the organization and in this case the software development would be just the door of Entry but if you're talking about the software libraries with malware they basically are two different use cases for that either Attica kids and basically and counterfeit software Library which is a copy of original software library and then adds malicious payload on it and creates a copycat name that is very similar relying on carelessness or and for example using Google searches and Google advertising or something else a search engine optimization to people to get to install the package of their name and not the original name and that way being able to get into the organizations or the other more targeted which could be done by nation state is that they have a certain targeted organization that they know is doing a lot of development they have figured out that they have certain packages be it on Ruby python or something else that has same name that internal package not shared outside of the organization so they are going to create a public package with the same name and if the package manager is not earned right they it will always favor the public one before the private and that way they get their software installed and what then happens depends very much on the on the target it can can be installing a back door basically gaining access it can be still in the developers cloud or some other credentials so basically a credential theft or then trying to modify build configurations or something else so there's many different things but the point in here is getting an access through falling or either package manager or the developer to install a bronx a wrong Library yeah the other way is then that attacker actually obtains an access software package for example by finding an username and password on some previous breach that has happened all then basically doing a phishing attack or otherwise compromising some developer system and then being able to feed in malicious payload on a valid software repository so the difference here is that the refer now the library is exactly the correct one it just has been tampered with at the source while then with counterfeit it's of course is not exactly the same same Library and then the third one which is actually rather interesting is using money so there have been cases where the attackers have been purchasing software projects or with somebody is about to give up or just giving them enough money there have been cases where there are Chrome plugins have been bought and been used to distribute either adware or malware mostly these kind of things have been for some Curious reason Chrome extension plugins so attacker finds some kind of an extension contacts the developer and offers to buy them and then the developer sees enough money and maybe suspect something maybe doesn't but anyway sales the access to that repository yeah perhaps doesn't have any interest in maintaining it anymore and yes that happens with open source so many times it can be that a very critical component is tankless being tankless is being maintained by somebody for 10 years and they kind of would like to get rid of it yeah and that what lays the crown foundations for our modern society because I'm do you have anything you want to add here I think I agree with yarno's points and I I think that these are these type of attacks especially the ones that rely on the open source ecosystem are generally they generally tend to be used by either Small Time threat actors or the cyber crime gangs and the reason for that is the sophistication in these don't require you to Target a specific supplier and try to compromise them which requires a much more methodical approach especially if because you can assume that still most suppliers have their own security and defense systems in place and this sort of approach is I believe like Miranda mentioned more about selling bait and hoping someone bites and usually for nation state actors uh they are much more interested in covert operations because at the end of the day they want to try to reach their target um leaving as minimal footprint as possible and that level of sophistication especially if there if it's related to the open source um it can be discovered uh potentially a lot quicker than some some level of uh for instance planning and execution that that you know a nation-state actor might do to compromise A supplier yeah and perhaps sometimes compromising a software Library does not grant that easy access into a system so perhaps this nation state and other actors are using different types of means in to get into systems for example just last year we got an example of of caseya which is a company providing I.T Services especially monitoring and and maintaining your it infrastructure related services in April 1st 2021 actually Dutch Institute for vulnerability disclosure warned casaya that they have multiple vulnerabilities in their system but they didn't have enough time to patch all of them and unfortunately then a criminal group was uh criminal groups aware or group uh called so russian-speaking private ransomware as a service operator was able to take or leverage these vulnerabilities and gain access uh through their virtual system administrator so this VSA component which is used to remotely connect to services there were authentication bypasses and certain types of vulnerabilities which allow these threat actors to basically gain access to then remote services and perhaps because one of the or at least most visible one of the victims to fall to this attack was Coop through visma so this mob was actually affected and through that groceries grocery store chain called Coop especially operating in Sweden and in the nordics got affected had to close 800 stores uh because they could not basically have any any cash register money flows going and things like that so what's different with this compared to for example the previous examples that we were discussing cousin yeah I think uh uh like Karina mentioned uh since this was actually done or claimed by a cyber crime gang and um here it's about again opportunity seeking where a cybercr a ransomware gang is usually interested in hitting as many victims as possible and this this case is a bit interesting I think because basically what happened was that um msps that were using caseya's VSA on-prem servers were compromised through the exploitation of the vulnerabilities that at that time I believe caseya was working on fixing and by gaining access to those systems now they use the inherent trust that the clients of those uh managed service providers have to the client environments to actually infect the customers or so it's sort of like a multi-chain sort of compromise where it the msps were used sort of as a stepping stone to get to a much larger target audience and deploy the ransomware both across the clients as well as the msps and um I I think this this case is sort of like the scenario where it's sort of differentiates between for example a nation-state actor and a cyber crime gang because they are financially motivated it's more about seize the opportunity hit by a hit big and hit fast and utilize that trust that has been established in this sort of chain because um the cassaya services and the product and software runs as with high privileges on the client's environment because they are inherently there's an inherent trust that they have to their managed service providers and that sort of is one of the things that this highlights that one of the problems with having sort of a blind trust um in in your supply chain yeah um exactly and well we have another example here of it's it's a little bit different because for you mentioned as well that this Rebel is they are a cyber criminal gang so they are not necessarily at least always working with government they're based like their motivations are based on money so they want the the coaching basically but uh for solarwinds I'll just quickly go through this so what what was this if I'm sure many of you you online also read about this when when this was happening but uh actually this this already came to light on December 20 2020 but last year was basically the year that this was being uh like more like this was more on the news and they started by a cyber security company called fire eye noticing that some of their hacking tool tooling so red teaming tooling had been stolen and through that incident response process they noticed that uh this actually this attack originated from solar winds Orion software and Orion software is this it management software installed on their clients and this is basically what kicked off this whole thing but in the end it turned out that there were victims such as most Fortune 500 companies NATO European Parliament AstraZeneca uh very different types of high profile uh high-profile victims basically to this attack what do you think about attacks like this yeah well this is very typical for an high value supply chain Target so there were many different targets and preaching and one critical point allowed access to so many multiple organizations and as Casa mentioned the trust is very integral part in here for example the thyroid and security company was not able to detect a breach in their own organization because it was done by trusted component which is one of the things we were highly aware when we started developing our own attack detection systems some people sometimes laughed at us a bit because we are so paranoid that we don't even trust our own software which means that yes we have false alarmed on which secure or previous AF secure components but there is Method behind the madness and that is not trusting even yourself and that is the probably the critical thing that separates many different organizations and many different security approaches yeah because the old style antivirus style thinking is that you have clean software and you have trusted components yeah while what you actually have is a set of trusted and known behaviors and everything else is of suspect so this basically outlines the whole thing why the supply chain attacks are so damaging and why it is so important to have the right kind of thinking on the security mindset altogether yeah exactly so trust is very dangerous in this domain because do you have anything to add to this I think one other point to add on to yarn is uh um points uh I think also one again this sort of differentiates between nation state actor and cyber crime gangs and and small time actors where the interesting part of this is the operational uh aware the optic awareness and and the methodical approach that the threat actor took because um it's not like I mentioned it's sort of any criminal can walk into a bank even a small time actor could have by chance um landed into the solarwind network but in order to pull it off and remain uh sort of under the radar for long enough because I believe this uh the initial compromise it into the solarwinds network was um quite a bit before um the first public report by by mandians yeah yeah and and that sort of differentiates between the um how how careful the nation-state actors are because they want to leave minimal Footprints and that could also be seen in the sophistication of the back door itself and how it was done but of course this is a high profile attack I believe because of the targets as well as how it was pulled off but we're this is sort of not something that um all businesses would in all suppliers would sort of have to worry about I I think this is something that doesn't isn't really the um common type of supply chain attack this is the ideal that they are the most uh the most prophylic one or high profile one yeah exactly and like as you said that this is um or now we've been talking about these cases and I think it's good to understand how these things happen so that we can then discuss countermeasures so uh in a couple of sentences well this is not probably something that you cannot answer in couple of sentences but um yeah what would you say are the key takeaways and the most important things to consider when defending against a supply chain attacks I already covered the the thing that one has to lack trust in a sense that it is very typical that vein and software company takes new library in the use the new library is outdated and vetted check it for legal Etc before it's taken into use and then it's going to be used blindly while then that kind of monitoring should be on continuous process which of course means that one probably cannot afford the resources to do that so thus it might be a good idea to look for a provider who can then audit the libraries and make sure that the Ia you are using the correcting and not the counterfeit and B there hasn't been anything maliciously slipped in so basically instead of once verifying and then trusting it needs to be a constant vigilance and that of course means that the processes need to be built so that it is financially feasible it's security is very easy to do wrong in a way that you are doing too much and especially doing too much yourself and that ends up in a situation where the security gets discarded altogether because it becomes a business risk yeah and there is the Compromise of using well not compromise necessarily but when we talk about supply chain security and perhaps not doing and Reinventing the wheel for every application you do is it's not a good thing to do it's not a good practice use modern technology what about cousin yeah I agree with with yarn though I think uh for for example for software suppliers like security has to sort of be baked into your software development life cycle you need to do thread modeling for um for the the projects that you have software projects that you have but again if you're unable to do that then relying on an external um external team and knowing your suppliers but again not having a blind trust because in the case of cassaya or solarwinds for example if uh I've seen in this in the past with with uh some of the customer engagements that I've had where a customer just blindly uh does like a broad exclusion of like the software that they typically use saying that like they they do not like if it causes a false alarm they just want to silent that false arm but sometimes at least in the case of cassaya for example um it's you you want to have some sort of system in place that's able to detect the anomalies but at the same time not blindly trust that whatever this software does is inherently safe because yeah not no soft like you're going to mention even we we cannot trust that our own software can always whatever the process does would be safe yeah exactly and by the way everyone listening in make sure to have if you have any questions make sure to write them down in the comment section and let us know we'll talk a little bit about predictions what we think will happen in the future and then we'll go to uh to your questions and try to answer those as as well as possible but if we think about future and future of supply chain security or the threats what do you think are the the most prominent things that people should take into account kazem so I think the traditional supply chain attacks are definitely here to stay I mean things such as the solarwinds and these high profile attacks by nation-state actors are are definitely here to stay specially with the with today's complex and interconnected supply chain networks and the Reliance on third-party suppliers but I also think the um the explosion especially in the past five to ten years in the open source ecosystem with uh with packet package managers and software repositories and the adaptation by majority of businesses that have if you've seen in the past 10 20 years like most the majority of uh businesses have moved away from closed off proprietary and in-house solutions to using um components or libraries that are open source in in their own systems and also with the increase in the amount of small time threat actors that are looking to make it big I think that we're gonna see uh or we're gonna hear more about compromises that uh come from a open source uh ecosystem more commonly but at the same time doesn't mean that they're going to be successful but they're going to be more common than the big high profile attacks especially because they're easier also to pull off for a wider range of threat actors and not just for instance Nations data or state-sponsored actors what about your thoughts and the like what's the big next thing that's going to happen well one of the benefits of getting old is starting to get a long-term view into things and what I have learned is secure the erosion so whenever there is a new threat that comes to people's attention measures will be taken and that threat will be of less less concern because effort is put in diminishing it then fast forward further 10 years and then people will forget new the people who've had were dealing with that problem before have either changed companies or have been promoted so high that they have no effect on day-to-day business on the level that where the vigilance was needed and then we are going to see this again and then of course the dynamic nature of the open source economy is one of its biggest downfalls when it comes to this new languages are coming up and then shortcuts are constantly being taken so I would say that probably as Casa mentioned the open source is going to be a very significant vector but my guess is that what we are going to see is bundled software that used to be the big source of supply chain attack five seven years ago what do you mean with bundled software everything that comes with your laptop with the operating uh especially on Windows laptops even corporate laptops does all kinds of all kinds of supplementary software that come with it which all can have their own self update systems and what has happened before was that there were multiple different cases where those windows of those softwares were breached and then their software was being used to distribute CC Cleaner was an example then there was at least one or two different update softwares by their laptop vendors that were being used to distribute Marissa's payloads that has not happened for a while because which lens started so now it's a waiting game until the Defenders forget an attackers will reduce the Discover it not the same attackers they have moved to some deals but New Breed a new generation of attackers are going to discover the same mistakes that people forgot yeah maybe we also need to do a better job in passing on information that was discovered is if the next Generations would ever listen that is we didn't yeah it's a rebelous nature thank you for your thoughts and uh we are now ready to head into questions we've actually gotten some good questions in the chat and um I would like to read this first one for you and then you can decide whoever wants to answer to this um as a small business owner how do I know how much security is enough to protect my company or and our supply chain how much security is perhaps hard to measure but what like what would be the at least the minimum requirements and the minimum things that should be taken into account I have a personalizer for that and that would be the things that can be mass produced and taken into use for with the relatively small cost because of course the cost of security must not ever be a significant correction of running your business if it is then you need to rethink your business model so important detection and response definitely and preferably of the paranoid nature that doesn't even trust itself because that's the best job protection against supply chain attacks and then of course good endpoint protection because the com your company obviously doesn't want to be a stepping stone into your customers I agree with uh yarn though that um and a good endpoint for detection can help detect these uh malicious behavior but at the same time having good um ID policies and and access controls I mean just the the usual run-of-the-mill cyber security practices is is usually a must um I mean for example in if you have endpoint protection that's not like a magical Band-Aid that will solve everything but I think security is always about layering and and having a defense in depth but like yarn to mentioned sometimes it's not sensible for small businesses to really full-on um like have a cyber security strategy that's bigger than than what they need but a good starting point is endpoint protection and I think just you know um General I.T policies in place uh having the right sort of for example access controls to the like to different assets in in the company um and and that I think in in an organization is usually the starting point and then from there you can sort of build and build a cyber security strategy that um that supports your business and your business outcomes and that's not uh dehabilitating like they doesn't take away for the the ability of of the employees to do their day-to-day work because security has always sort of been seen as as a trade-off of security and convenience and um I don't think it always has to be like that and there's it can be a whole there can be a whole debate about that but yeah yeah absolutely yeah and as yarn and qasim said like just start from something and start building from there you don't have to make security work overnight it's it's a continuous Pro process and there's no clear goal for any any size of business actually um then we have a couple of more questions I think we have a time to answer both of them so how can I tell when a third party app on my laptop which I have trusted before has become compromised for that then button detection risk and endpoint detection and response is the crucial point because when it looks the application as a set of known and allowed behaviors it will alert on potentially suspicious Behavior no matter how long the software has been there in fact if the fact that totally new Behavior occurs that hasn't occurred before even makes it even even more suspicious yeah so the thing is that you need software that is not built like an old-fashioned anti-virus and this comes from old-fashioned antiverse researcher everybody's got to learn that the world has changed so nowadays it's a set of behaviors and then the problem is that this doesn't really show on any kind of product reviews yeah so it is just asking questions and hoping that the sales engineer actually knows what they are selling um yeah and then uh next question to you kazem so the most prominent platform for the next major attack is one of the widely used Remote Management tools or platforms like kasea or or the larger the larger the user base of the say tool the more prominent it is so perhaps this is the question so is the uh so is the next prominent attack uh one of the widely used Remote Management tools or platforms uh sorry perhaps I don't quite understand this like I say or the Remote Management yeah or Administration yeah software provider the person who asked this question but you next yeah so um yeah so how I would understand this is that it's the most is the next attack going to be something like cassaya or is it going to be something else I mean I think it's hard to um predict like because again supply chain attacks can happen but it also depends like the next big one um usually things like the cassaya uh attack a supply chain attack are the ones that are considered big um but again it's hard to predict whether like that's uh really going to be the way in um but I think it comes down to the the way that we have to sort of be vigilant and have the and and make like like not have blind trust for for example um the the sort of behavior that is usually done through these remote Administration software for example because if a company like like Ariana mentioned usually like how um how EDR for example would be beneficial here is that um by by if if a remote Administration software starts uh acting erratically or it starts doing something that's considered anomalous that that is not part of the routine Behavior then that's where it could be picked up but again I think it's really the the question is is hard to answer with with whether it's not like a yes or no because again supply chain attacks come in all shapes flavors and forms and and but I think yeah like um the more we're gonna hear more about at least the um supply chain attacks that started or are from the open source ecosystem at least here about the more commonly even if they're not profiling yeah yeah my personal guess is backup software the upcast they are everywhere nobody pays attention to them and they already have the accepted behavior of accessing every single file what would be the better uh alternative and I really hope I didn't give any other ideas is close to yours yeah and it doesn't necessarily have to be like remote administrator it can be back up it can be any basically client software that has wide access rights to the specific platform server workstation whichever it is all right um I want to thank you all for for coming and listening to this webinar series how to tackle vulnerabilities in supply chain thank you jarno thank you kazem for the interesting discussion um we would like to now wish you good night good evening or whichever time your Zone you're in have a good rest of your day thank you thank you thanks