
Mature Threat Hunting is Crucial for Defending against Supply Chain Attacks


Software supply chain attacks have become a regular occurrence in recent years, with notable incidents involving Kaseya, SolarWinds, 3CX and MOVEit, among others. As a result, experts are emphasizing active monitoring and threat hunting as the most practical defense against such attacks.

According to IANS faculty member Jake Williams, the modern software supply chain exposes organizations to a massive attack surface, including automatic software updates, vendor-managed appliances, software-as-a-service (SaaS) tools, and the cloud, among others. This has made it easier for cybercriminals to conduct supply chain attacks, which have increasingly become a preferred vector for gaining access to larger organizations’ systems.

The complexity of supply chains provides ample avenues for malicious actors to exploit. Searchlight Cyber’s general manager Evan Blair, for instance, pointed out that businesses have about 1,000 suppliers for every billion dollars in annual revenue. This presents a significant challenge for organizations that need to keep their systems secure.

To defend against software supply chain attacks, Williams emphasized the importance of monitoring and threat hunting. In the case of MOVEit, for example, he recommended targeted threat hunting that presumes the appliance has been compromised: start by identifying what the compromised device had been communicating with on the network, then examine those devices for changes in state after the suspected compromise.
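The two-step pivot Williams describes, as an added example that is not part of the original article or any vendor tooling: given Zeek-style connection records, the script first lists every host the presumed-compromised appliance talked to after the suspected compromise time, then reports which of those peers began outbound traffic to destinations, ports or protocols never seen in their baseline. The appliance address 10.0.5.20, the pivot timestamp and the log lines are all constructed for the example.

```python
"""Pivot hunt from a presumed-compromised appliance over Zeek-style connection records."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, not real traffic: ts src sport dst dport proto (whitespace separated).
# 10.0.5.20 is the hypothetical vendor appliance; PIVOT_TS is the earliest suspected compromise.
SAMPLE_CONN_LOG = """
# ts        src        sport  dst          dport proto
1699990000  10.0.5.20  51000  10.0.1.10    445   tcp
1699990100  10.0.1.10  52000  10.0.2.5     1433  tcp
1699990200  10.0.1.11  52100  10.0.5.20    443   tcp
1700000100  10.0.5.20  51001  10.0.1.10    445   tcp
1700000200  10.0.1.10  52001  10.0.2.5     1433  tcp
1700000300  10.0.1.10  52002  203.0.113.9  443   tcp
1700000400  10.0.1.10  52003  10.0.2.7     3389  tcp
1700000500  10.0.1.11  52101  10.0.5.20    443   tcp
1700000600  10.0.9.9   53000  10.0.2.5     1433  tcp
"""
APPLIANCE = "10.0.5.20"   # hypothetical appliance address
PIVOT_TS = 1700000000     # hypothetical earliest time of compromise


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_conn_log(text):
    """Parse whitespace-separated connection records; lines starting with '#' are comments."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()[:6]
        conns.append(Conn(int(ts), src, int(sport), dst, int(dport), proto))
    return conns


def peers_of(conns, host, since=None):
    """Hosts that exchanged traffic with `host` in either direction, with connection counts.
    If `since` is given, only connections at or after that timestamp are considered."""
    counts = defaultdict(int)
    for c in conns:
        if since is not None and c.ts < since:
            continue
        if c.src == host:
            counts[c.dst] += 1
        elif c.dst == host:
            counts[c.src] += 1
    return dict(counts)


def outbound_profile(conns, host, start, end):
    """Set of (dst, dport, proto) tuples that `host` initiated within [start, end)."""
    return {(c.dst, c.dport, c.proto)
            for c in conns if c.src == host and start <= c.ts < end}


def new_behaviour(conns, host, pivot_ts):
    """Outbound (dst, dport, proto) tuples seen only after pivot_ts and never in the baseline."""
    before = outbound_profile(conns, host, 0, pivot_ts)
    after = outbound_profile(conns, host, pivot_ts, float("inf"))
    return sorted(after - before)


def hunt(conns, appliance, pivot_ts):
    """Step 1: which hosts did the appliance talk to after the pivot?
    Step 2: what did each of those hosts start doing that it never did before?
    Returns {peer: [novel tuples]} for peers whose behaviour changed."""
    findings = {}
    for peer in peers_of(conns, appliance, since=pivot_ts):
        novel = new_behaviour(conns, peer, pivot_ts)
        if novel:
            findings[peer] = novel
    return findings


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    for peer, novel in hunt(records, APPLIANCE, PIVOT_TS).items():
        print(peer, "started new outbound traffic after the pivot:", novel)
```

In the sample, the file server 10.0.1.10 is flagged because it starts talking to an external host on 443 and to a new internal host on 3389 after the pivot, while 10.0.9.9 is ignored even though its traffic is new, because it never talked to the appliance. The baseline only means something if it predates the compromise, so set the pivot to the earliest plausible compromise time rather than the time of discovery, and treat an empty baseline for a peer as a gap rather than as proof of normal behaviour.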

Well-resourced threat actors have had great success with supply chain attacks, particularly advanced persistent threat (APT) groups that target smaller firms with only basic cybersecurity protections, Williams explained. Last May, North Korea's Lazarus Group was observed using Log4Shell and other vulnerabilities to compromise Microsoft web servers at a range of companies, and in April the Chinese APT group Evasive Panda hijacked application updates for Chinese-developed software to deploy spyware to smaller targets.

The rise of artificial intelligence (AI) has further complicated supply chain security. Research has shown that AI coding assistants sometimes recommend software packages that do not exist. An attacker who collects these false recommendations can publish a malicious package under the same name, so that developers who follow the assistant's advice install the attacker's code, and such a package is hard to tell apart from a legitimate dependency.

One effective method of preventing the next supply chain attack is to have robust monitoring and threat hunting programs in place, Williams suggested. Monitoring third parties in the software supply chain is necessary; "anything less is being reactive," he added. Cyber threat intelligence (CTI) teams face significant challenges here, however, largely because they struggle to gain visibility into their own organization. Dark web monitoring, open source intelligence (OSINT) and mature threat hunting can supply the additional intelligence needed to get ahead of supply chain attacks.

Organizations cannot realistically expect to prevent every software supply chain attack, Williams warned, which makes real-time monitoring with both endpoint and network tooling essential for catching as many as possible. Mature threat hunting capabilities are critical for identifying supply chain threats, and teams should be wary of managed threat hunt vendors: many such operators are only front-running the indicators of compromise (IoCs) that are already being put into their endpoint detection and response solutions, he concluded.
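To make the distinction between IoC front-running and hunting concrete, here is an added example (not from the article, Williams, or any EDR product) that runs two kinds of checks over constructed endpoint telemetry: an IoC check that matches known-bad hashes and destinations, and hunting hypotheses about how a trusted vendor auto-updater should behave. The updater name `acmeupdater.exe`, the vendor domain `updates.acme.example`, the hash placeholders and the events are all constructed for the example.

```python
"""IoC matching versus hypothesis-driven hunting over constructed endpoint telemetry."""
import json

# Hypothetical indicators and vendor facts (all constructed; real hashes would be 64 hex chars).
KNOWN_BAD_HASHES = {"h_bad_1"}
KNOWN_BAD_DESTS = {"198.51.100.7"}
TRUSTED_UPDATERS = {"acmeupdater.exe"}      # hypothetical vendor auto-update agent
VENDOR_DESTS = {"updates.acme.example"}     # the only place that updater should talk to
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed JSON-lines events, loosely modelled on EDR process and network telemetry.
SAMPLE_EVENTS = """
{"id": 1, "type": "net", "image": "acmeupdater.exe", "sha256": "h_updater", "dest": "updates.acme.example", "dport": 443}
{"id": 2, "type": "proc", "image": "powershell.exe", "parent": "acmeupdater.exe", "sha256": "h_ps", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"}
{"id": 3, "type": "net", "image": "acmeupdater.exe", "sha256": "h_updater", "dest": "cdn-telemetry.example", "dport": 443}
{"id": 4, "type": "proc", "image": "svchost.exe", "parent": "services.exe", "sha256": "h_bad_1", "cmdline": "svchost.exe -k netsvcs"}
{"id": 5, "type": "net", "image": "chrome.exe", "sha256": "h_chrome", "dest": "198.51.100.7", "dport": 443}
{"id": 6, "type": "proc", "image": "chrome.exe", "parent": "explorer.exe", "sha256": "h_chrome", "cmdline": "chrome.exe"}
"""


def ioc_hits(ev):
    """Indicator matching: exact hash or destination in a known-bad list. Misses anything
    the feed has not seen yet, which is exactly what a fresh supply chain payload is."""
    hits = []
    if ev.get("sha256") in KNOWN_BAD_HASHES:
        hits.append("known-bad hash")
    if ev.get("dest") in KNOWN_BAD_DESTS:
        hits.append("known-bad destination")
    return hits


def hunt_hits(ev):
    """Hypothesis-driven checks: a trusted updater has a narrow expected behaviour,
    so deviations from it are worth a look even with no indicator attached."""
    hits = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if ev["type"] == "proc" and parent in TRUSTED_UPDATERS and image in INTERPRETERS:
        hits.append("trusted updater spawned a script interpreter")
    if ev["type"] == "net" and image in TRUSTED_UPDATERS and ev.get("dest") not in VENDOR_DESTS:
        hits.append("trusted updater contacted a non-vendor destination")
    if ev["type"] == "proc" and "-enc" in ev.get("cmdline", "").split():
        hits.append("encoded PowerShell command line")
    return hits


def triage(lines):
    """Bucket each event by which approach would have surfaced it."""
    result = {"ioc_only": [], "hunt_only": [], "both": [], "neither": []}
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        ioc, hunt = ioc_hits(ev), hunt_hits(ev)
        bucket = "both" if ioc and hunt else "ioc_only" if ioc else "hunt_only" if hunt else "neither"
        result[bucket].append(ev["id"])
    return result


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_EVENTS).items():
        print(bucket, ids)
```

Events 2 and 3, where the updater spawns an encoded PowerShell command and then calls out to a domain the vendor never uses, carry no known hash or address, so the IoC check stays silent and only the behavioural hypotheses fire; that gap is what a hunt program is for, and a service that merely replays the same IoC feed the EDR already consumes will not close it.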
