Rapid Development Requires Trust in the Supply Chain
The theme of NIAS’19 is: “Digital transformation: smart machines for smarter decisions.” The modern military is in many ways no different from any other business. It is reliant on good information and data to drive good decisions. It seeks to innovate, rapidly assess new ideas in order to gain advantage, and react to the innovations of competitors.
This swiftness of development and reaction requires a solid IT infrastructure which can provide a reliable platform and suite of services upon which new functionalities can be developed. A mechanical military runs on oil; the modern military functions on the ‘new oil’: data.
The importance of IT to the modern military has not escaped the attention of adversaries. As perimeter defences such as firewalls have improved and become more effective at keeping out attacks, so attackers have had to become more inventive in how they penetrate computer systems.
Hence, attackers have developed supply chain attacks, where the attacker compromises the source code of trusted software and uses this trusted, genuine application as a means of compromising systems. At Talos, we have researched two such attacks in detail, that of MEDoc which was used to launch the destructive worm NotPetya, and that of CCleaner which was detected and resolved before the attacker could take full advantage of the compromised systems.
Infiltrating the software used in digital transformations allows attackers both to launch large attacks from numerous systems and to profile those systems in order to identify exactly the organisations they intend to target in a subsequent attack. For instance, the attacker behind the CCleaner breach compromised over 800 000 systems across the world, yet was looking to infiltrate only a handful of organisations. From this large pool of systems, the attacker could identify the specific systems within the intended organisations and activate additional malware on those alone.
Protecting against such attacks is difficult. Partly it depends on everyone throughout the supply chain playing their part and implementing source code control and cyber defences correctly. Yet, every criminal leaves traces at the site of their crime, and we can use these signs to detect and block attacks.
AMP for Endpoints can detect the tell-tale evidence of malicious code integrated within legitimate software. Tools such as Cisco Stealthwatch and Cisco Umbrella can detect and block command and control communications between the threat actor and the endpoint.
We can enable organisations to rapidly develop and deploy systems to meet changing needs, but we also need to be aware of the possibility that components within these systems may have been compromised. Mandating security standards for suppliers is only part of the solution. Being aware of the risk, maintaining vigilance and constantly checking for evidence of a successful breach will help protect against many types of attack, not just supply chain attacks, and ensure that new systems can be relied upon.
At NIAS’19 in Mons on Tuesday 15th October I will be speaking about Cisco Talos’ experiences researching supply chain attacks.