32

In reference to the SolarWinds attack, since many organisations have no access to the source code of the software vendors from whom they just consume the services, how can organisations defend against supply chain attacks?

loopbackbee
Nathan Aw
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/118855/discussion-on-question-by-nathan-aw-how-does-one-defend-against-software-supply). – Rory Alsop Jan 24 '21 at 14:55

3 Answers

35

You can't avoid the risk, but you can mitigate it in several ways.

  • Reducing the attack surface. Instead of using lots of tools from lots of different vendors, only use the few that you really need. Uninstall anything that you don't need. Less software running on a machine means a lower risk of infection.

  • Separate environments, virtualization, other kinds of separation in general. If you keep some software separated from other important data, you can mitigate the impact of an infection. For example, if you run some software inside a virtual machine, a supply-chain infection of such software won't affect the external environment (unless it is combined with the exploitation of a severe bug in the VM). Using separate physical machines to run different software (maybe less trusted software) is another option. Other kinds of separation in general could be anything related to separation of privileges, or separation of networks, strict firewall rules, etc. Lots of these security controls could be considered to be part of what is often called defense in depth.

  • Detection. You might accept the risk of infection, as long as you are able to detect the infection as soon as possible. Intrusion detection systems and periodic audits will alert you if anything suspicious is going on, and you will be able to limit the damage.

  • Independent software analysis and review. Open source software can be inspected before compiling and installing it. If you don't have a team of programmers and security professionals though, reviewing all the new code in every new release is going to be impossible, so this kind of defense can only be attempted by large organizations. Note that this process takes time, but on the other hand updates usually need to be installed as soon as possible, so you need a good patch management plan to find a balance.

  • Write your own critical software. This is usually done when you are too scared of relying on an untrusted party for something that is critical to your business. There might not be open source alternatives to what you need, so you might not want to trust a closed-source binary blob. Or you might be a government agency that can't trust software from another country. Whatever the reason, remember that writing your own application might require an enormous amount of resources, which you'd often better spend on the other points I mentioned (analysis, detection, patch management, security controls in general, etc.).

reed
  • 6
    You forgot infrastructure not connected to the internet. If your internal (secure, disconnected from outside) network is only receiving data from the outside and not sending them out electronically, then the thing you're worried about is mainly the destructive stuff, as the spyware does not have anywhere to send anyway – mishan Jan 20 '21 at 18:41
  • 4
    Even if you don't have your own reviews, public audits of software may exist that have been done for other people. That decreases the chance of a supply chain attack. Though you can't rely on them for new versions. – user1937198 Jan 20 '21 at 20:20
  • Point 1 applies to updates, too - once you have one binary validated, you don't update it, unless you absolutely have to. – Haukinger Jan 21 '21 at 13:44
  • @mishan careful there. Attackers at this level may be able to bypass an airgap. There are several methods for doing so in the literature, and at least one malware doing it (via sound between one system airgapped and one online) has been found in the wild. – Tom Jan 22 '21 at 05:17
  • The issue with writing your own critical software is…how do you build it? – spectras Jan 22 '21 at 20:02
  • Good list, but missing the most important kind of separation: separation of accounts and privileges. Don't have global admin accounts (so a keylogger on a compromised workstation doesn't enable an attacker to break into your servers), carefully restrict what accounts can log into what classes of machines at all, don't allow remote logins to the most important machines at all. – Michael Borgwardt Jan 23 '21 at 20:26
  • @MichaelBorgwardt, the point about separation was meant to include every kind of separation in general, even though I just gave a couple of examples regarding separate machines. I just edited my answer to mention other kinds of separation suggested here (privileges, networking, etc.). – reed Jan 23 '21 at 22:04
  • @spectras, what do you mean? – reed Jan 23 '21 at 22:05
  • @reed, do you also build your own compiler? linker? support libraries? Otherwise, you're back to trusting a huge amount of code you did not read when you compile your homemade critical software. – spectras Jan 23 '21 at 22:10
  • @spectras, oh, of course you will always need to trust something. As I said, you can't avoid the risk, you can only try to mitigate it. And writing your own software only makes sense in some cases, otherwise it's going to be ineffective (you'll waste a lot of resources and you'll end up with worse and more insecure software than the one you wanted to avoid). – reed Jan 23 '21 at 22:18
  • @spectras If you don't have the skills, you can pay a team who does (and is willing to provide you the source code for what they build). If you have neither the skills nor the money to pay for them, then you're stuck with proprietary vendors. – preferred_anon Jan 24 '21 at 11:48
15

This kind of attack is why ISO 27002 has chapters 14 and 15 (acquisition and supplier relations). In theory, properly checking the security aspects of systems you source elsewhere should secure you as well as possible. In reality, you are limited by the information available, and that's rarely the source code. But let's not kid ourselves: even if you had the source code, it would be unlikely that you would find any issues in it, unless you're the NSA.

Thus the first answer is that a critical assessment of the security of your suppliers, including any certifications they hold, etc. ensures that you buy something that doesn't fall apart as soon as someone looks at it funny. It's a good practice to do that.

The second answer is that SolarWinds is ISO 27001 certified plus a bunch of other certifications and that didn't do squat because it doesn't include a peer-review of all source code or other deep analysis. I do ISO 27001 stuff for a living and the amount of actual security a certification gives you is fairly basic. It's a great tool in an age where most companies fail to achieve even basic security that anyone with some resources doesn't laugh about, but if you are looking for assurance that a state-level or other high-competence threat actor didn't compromise them, it's worthless.

So the third answer is that for your REALLY important stuff, you trust nobody and nothing and you have as many layers of protection as you can get. Eventually, your data has to be stored somewhere and must be worked on with something, but does that stuff have to have Internet connectivity? Do you need outgoing traffic to the whole world (including the malware C&C servers)? Do you need every software to be able to access every file on your devices? Does data you don't access at this time need to be stored unencrypted?

With a good defense-in-depth, you can reduce the impact of even a successful breach, and supply-chain or not, in the end what happened was simply that customers of SolarWinds got a piece of malware installed. It didn't magically disable their firewalls or DLP systems.

So if your security philosophy is not to build an impenetrable castle but to assume that you're already breached and work towards securing as many crown jewels as possible in that scenario, then such attacks have a limited impact on you.

Tom
  • 1
    I'd strike a more nuanced tone than "as many layers of protection as you can get". An additional layer of protection can add surface area, and may prove to be an attack vector in its own right. Antivirus can fall into this trap, and indeed some customers will have seen SolarWinds Orion as such a layer of protection. – James_pic Jan 21 '21 at 10:48
  • @James_pic yes, of course. There's also a point where an additional layer provides no additional security (friends of mine broke through five layers of firewalls - using the same exploit on all of the identical devices...) - the basic message is: "think defense-in-depth" and "think that you're already compromised and work from there". – Tom Jan 21 '21 at 12:22
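
The egress question raised in the answer above ("Do you need outgoing traffic to the whole world?") can be turned into a concrete check. The following is an added example, not part of the original answer or its comments: it evaluates connection-log lines against a per-host default-deny egress policy. The host names, log format, policy and sample lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed policy (assumption): the only destinations each host may reach.
EGRESS_POLICY = {
    "monitor01": {"domains": ["updates.vendor.example"], "cidrs": ["10.0.0.0/8"]},
    "build01": {"domains": ["pkg.internal.example"], "cidrs": ["10.20.0.0/16"]},
}

# Constructed log lines: timestamp, source host, process, destination, port.
SAMPLE_LOG = """\
2021-01-20T10:00:01Z monitor01 agent.exe updates.vendor.example 443
2021-01-20T10:00:07Z monitor01 agent.exe 10.1.2.3 161
2021-01-20T10:03:44Z monitor01 agent.exe cdn.unknown-host.example 443
2021-01-20T10:05:10Z monitor01 agent.exe notupdates.vendor.example 443
2021-01-20T10:06:00Z build01 curl 203.0.113.7 443
2021-01-20T10:06:30Z db01 backup 10.0.0.5 22
malformed line
"""

def dest_allowed(dest, policy):
    """True if dest (IP or hostname) is covered by the host's policy."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        # Hostname: match whole labels only, so "notupdates.vendor.example"
        # does not pass as a subdomain of "updates.vendor.example".
        name = dest.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in policy["domains"])
    return any(ip in ipaddress.ip_network(c) for c in policy["cidrs"])

def find_violations(log_text, policies):
    """Return {host: [(timestamp, process, dest, port), ...]} for denied flows."""
    violations = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not fit the assumed format
        ts, host, proc, dest, port = parts
        policy = policies.get(host)
        # Default deny: a host with no policy entry may not talk out at all.
        if policy is None or not dest_allowed(dest, policy):
            violations[host].append((ts, proc, dest, int(port)))
    return dict(violations)

if __name__ == "__main__":
    for host, hits in find_violations(SAMPLE_LOG, EGRESS_POLICY).items():
        for ts, proc, dest, port in hits:
            print(f"{ts} DENY {host} {proc} -> {dest}:{port}")
```

The same policy table can drive the firewall rules themselves, so the log check then only reports attempts that were already blocked.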
9

In practice, they cannot. They would have to build from scratch their internet browsers, their operating systems, their routers, their computers. It's not possible because companies have to rely on others, and even after researching the security practices of all suppliers and choosing those with solid security, some of them can be compromised.

You have little resort if your antivirus company got breached and software running with SYSTEM privileges on every computer and cell phone of the company got compromised. And even if you have a very skilled security team and are following security best practices, those attacks will damage you.

KetZoomer
ThoriumBR