Cisco UK & Ireland Blog

Protecting Against Supply Chain Attacks.




Supply chain attacks present a tempting opportunity for threat actors to introduce malicious software into organisations. Compromising the software update mechanisms of otherwise legitimate software packages allows threat actors to introduce the means to execute malicious instructions by piggy-backing on the distribution of legitimate software.

Recently, a malicious backdoor was discovered within the security tool CCleaner, which was used to deliver malware to selected targets who had installed the otherwise legitimate tool. This attack is similar to the means of distribution of Nyetya (NotPetya) which utilised the legitimate update mechanism for MeDoc financial software to install and distribute wiper malware. In turn, these attacks are reminiscent of the use of co-distributing potentially-unwanted-programs alongside the download of freeware software.

Protecting Systems

It is clear that security managers must do more than simply stop threats at the perimeter. As attackers constantly seek innovative techniques to bypass perimeter defences, so must defenders innovate new protections. Endpoint protection remains a key line of defence against these types of attacks. The CCleaner back door was discovered as we conducted customer beta testing of our new exploit detection technology in Cisco’s Advanced Malware Protection (AMP).

The network itself can act both as sensor and as enforcer. Domain Generating Algorithms (DGA) such as those used for command and control in the CCleaner incident can be blocked by the data analysis systems and threat intelligence integration provided by Cisco Umbrella. Using network traffic as a sensor of malicious activity is precisely what Cisco’s Digital Network Architecture (DNA) is all about.

Solutions such as Stealthwatch, Cognitive Threat Analytics, or the managed solution Advanced Threat Analytics all help organisations identify and resolve the unusual activity within networks that betrays the presence of a compromise.

Protecting Code Base

This incident is another wake-up call for organisations that publish software. Maintaining the integrity of source code and the distribution supply chain is something that Cisco has invested in over many years.

Any software publisher must consider the steps necessary to secure their code base. How incursions are detected, how unauthorised software modifications are spotted, and how the software update system is secured are as important as user stories and unit testing in the development process.

Keeping Up

Making sure you have solid visibility, control, and segmentation across your network allows you to keep your network safer. By identifying threats quickly, having the means to keep them contained, and limiting their access to spread, defenders can respond to these threats and ensure that incidents are swiftly identified and rapidly resolved.

Authors

Martin Lee

Technical Lead, Security Research - EMEA

Talos Security Intelligence & Research
