What happens inside an organization during a supply chain attack?


What is a supply chain attack?

A supply chain attack is when an attacker targets a third-party software vendor or supplier to gain access to an organization's network and sensitive data. These attacks can be particularly damaging as they can bypass traditional security measures and go undetected for long periods of time. 


An example is the SolarWinds incident, in which the vendor SolarWinds fell victim to the Russia-based threat actor APT29 (aka Nobelium) in December 2020.

https://www.csoonline.com/article/3613571/the-solarwinds-hack-timeline-who-knew-what-and-when.html 



Scenario:

The security team of a prominent semiconductor manufacturer, Biochip (a fictional organization), recently learned about a security incident at a software maker, Sentry (a fictional organization). Biochip's security team is concerned because they use Sentry's products across their organization. They have not yet received technical details of the incident at Sentry, but there is confirmation that the attackers targeted customers of Sentry.


It is the Biochip security team's responsibility to make sure there is no malicious activity originating from Sentry's software installed on their laptops and servers. After about 2 days, Biochip releases a blog post on their website stating that they have investigated their environment for any signs of suspicious activity from Sentry's products and concluded that there was evidence of unauthorized access to sensitive or personal data of their customers and services.


Public blog post from Biochip




If you are a beginner in cyber security, or simply curious, you may be wondering how Biochip came to their conclusion and what process they followed. This blog post aims to walk you through what happens inside organizations that use compromised products from a software vendor during these times.


Investigation:

Note: Every organization would have its own way of responding to security incidents by following its own policies. 


Once the security team hears the news, the Incident Response (IR) analysts start looking for answers to questions such as:


  • How did the attack happen? (possibly limited information as it is recent)

    • Before performing the investigation, it is a good idea to reach out to the security team of the compromised software vendor and ask them to share their findings. Ideally, the vendor would provide the data as it becomes available to them.

    • If there is no official data released by the software vendor, the next best option is to reach out to your Threat Intelligence team or use your threat intel retainer service from firms such as Mandiant.

    • The other option is to use Google and other OSINT sources, or reach out to closed threat intelligence communities to get more information.


  • What is the implication for their organization?

    • This is a very important step. For this step, the IR team might have to work with other internal teams to clearly understand the impact and nature of the software in question.

    • For example, if a VPN software maker fell victim to a threat actor, and your organization uses the same VPN and has installed it on all your laptops, then it is a serious concern.

    • In some cases, the software runs with elevated privileges on the laptops, which gives a threat actor who controls it an immediate advantage: there is no need to escalate privileges first.


  • How many services and hosts have the affected software installed?

    • To get this data, the IR team will reach out to the Vulnerability Management (VM) team and ask for the list of hosts and the current software version.

    • In some cases, the data might be readily available via a Database or a Splunk query.

    • This data gives the IR team an understanding of the scope of the incident.


  • Are there any critical services or systems that have the affected software installed?

    • This is another important set of data that the Vulnerability Management team can provide.

    • This data would help the IR team to prioritize their investigation and response on critical services or hosts.


  • Are there any signs of malicious activities originating from the compromised software vendor?

    • This is where the IR team spends a significant amount of their time. Now that they have the list of services and hosts where the affected software is installed, they start sweeping through the logs in their log analysis tool or SIEM (Splunk, Elastic, etc.).

    • Every organization would have a standard approach (Playbook) to perform investigations like these.

    • Since there are no confirmed tactics, techniques, and procedures (TTPs) or indicators of compromise (IOCs) from the vendor, the IR team has to perform threat hunting for any signs of abnormal behaviour from the affected software.

    • The investigation time depends on various factors like the size of the organization, input from other internal teams, data availability, etc. 


  • What measures can we take to resolve this issue?

    • The software vendor might reach out to all of their customers with more technical updates.

    • At some point during the investigation, the compromised software vendor might release a public notice which would include a new version of their software addressing the security issue.

    • Once we have that information, the goal is to start patching the services and systems to the newer version.


  • What happens if sensitive data have been accessed by the threat actors using this supply chain attack to target customers?

    • If, during the investigation, the IR team identifies that sensitive data has been accessed by the threat actors, they need to loop in the team that owns the sensitive service, the legal team, the Compliance & Risk team, the communications team (to release public blog posts), and senior management (C-levels: CISO, CEO, CTO, etc.).

    • It is vital that all these teams are kept updated on new findings from the IR team.

    • As part of the investigation, the IR team has to document all their findings: which customers' data has been accessed, and what type of data the threat actor accessed.


  • Do we have to release a public-facing blog about the investigation or notify our customers about the incident?

    • If the supply chain attack leads to access to our customer's data, usually the legal team would help the communications team in sending out emails and public blog posts. 

    • Each organization would follow a standard process in notifying its victims.

    • It is our responsibility to reach out to individual customers and let them know about the incident, what data of theirs was accessed by the threat actor, and the prevention steps we have taken.


Sample email announcement to customers
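The scoping and threat-hunting steps above (getting the list of hosts with the affected version from the VM team, prioritizing critical services, and sweeping logs for abnormal behaviour when no vendor IOCs exist yet) can be illustrated in one small script. This is an added example, not code from the original post or from any real vendor: the inventory, the log lines, the product name SentryAgent, the version range 4.2.0 up to (but not including) 4.4.0, and the vendor domains are all constructed, hypothetical values.

```python
"""Added example (not from the original post): scope a vendor compromise against
the host inventory, hunt a log sample for abnormal agent behaviour, and rank the
hosts where the two overlap. All hosts, versions, domains and log lines are constructed."""
from collections import Counter

# Constructed inventory export, as the VM team or a CMDB/Splunk lookup would hand it over.
INVENTORY = [
    {"host": "lt-eng-0142", "product": "SentryAgent", "version": "4.2.1", "critical": False},
    {"host": "lt-fin-0007", "product": "SentryAgent", "version": "4.3.0", "critical": False},
    {"host": "srv-fab-db01", "product": "SentryAgent", "version": "4.1.9", "critical": True},
    {"host": "srv-erp-app02", "product": "SentryAgent", "version": "4.4.0", "critical": True},
    {"host": "srv-build-01", "product": "SentryAgent", "version": "4.2.5", "critical": True},
    {"host": "srv-lab-09", "product": "SentryAgent", "version": None, "critical": False},
    {"host": "lt-hr-0031", "product": "OtherTool", "version": "1.0.0", "critical": False},
]

# Constructed EDR-style events, one key=value record per line (hypothetical hosts/domains).
SAMPLE_LOGS = """\
2023-03-02T10:15:01Z host=lt-eng-0142 event=net_conn proc=SentryAgent.exe dst=updates.sentry.example port=443
2023-03-02T10:16:44Z host=srv-build-01 event=net_conn proc=SentryAgent.exe dst=cdn-metrics.example.net port=443
2023-03-02T10:17:02Z host=lt-fin-0007 event=proc_create parent=SentryAgent.exe proc=powershell.exe
2023-03-02T10:18:30Z host=lt-fin-0007 event=net_conn proc=chrome.exe dst=cdn-metrics.example.net port=443
2023-03-02T10:20:11Z host=lt-eng-0142 event=proc_create parent=SentryAgent.exe proc=SentryUpdater.exe
"""

# Hypothetical baseline for the agent: in practice taken from vendor docs and the fleet's own history.
VENDOR_PROCESSES = {"SentryAgent.exe", "SentryUpdater.exe"}
KNOWN_VENDOR_DOMAINS = {"updates.sentry.example", "telemetry.sentry.example"}
EXPECTED_CHILDREN = {"SentryUpdater.exe"}


def parse_version(v):
    """'4.2.1' -> (4, 2, 1) so builds compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


def scope_incident(inventory, product, first_affected, fixed_in):
    """Hosts running an affected build, critical services first.
    A host whose version is unknown stays in scope: it must be verified, not assumed clean."""
    lo, hi = parse_version(first_affected), parse_version(fixed_in)
    affected = []
    for h in inventory:
        if h["product"] != product:
            continue
        if h["version"] is None or lo <= parse_version(h["version"]) < hi:
            affected.append(h)
    # Critical first; within a tier, unknown versions first, then oldest build first.
    affected.sort(key=lambda h: (not h["critical"], h["version"] is not None,
                                 parse_version(h["version"]) if h["version"] else ()))
    return {
        "installed": sum(1 for h in inventory if h["product"] == product),
        "affected": [h["host"] for h in affected],
        "unverified": [h["host"] for h in affected if h["version"] is None],
    }


def parse_event(line):
    """'ts k=v k=v ...' -> dict; the leading timestamp carries no key."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def hunt(log_text):
    """Two hunt leads that need no vendor IOCs: the agent reaching infrastructure the
    vendor does not own, and the agent spawning a child it never spawns in normal use."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        ev = parse_event(line)
        if (ev["event"] == "net_conn" and ev.get("proc") in VENDOR_PROCESSES
                and ev.get("dst") not in KNOWN_VENDOR_DOMAINS):
            findings.append({"rule": "unexpected_destination", "host": ev["host"],
                             "detail": f"{ev['proc']} -> {ev['dst']}:{ev.get('port')}"})
        if (ev["event"] == "proc_create" and ev.get("parent") in VENDOR_PROCESSES
                and ev.get("proc") not in EXPECTED_CHILDREN):
            findings.append({"rule": "unexpected_child", "host": ev["host"],
                             "detail": f"{ev['parent']} spawned {ev['proc']}"})
    return findings


def triage_order(scope, findings):
    """Rank in-scope hosts for analyst attention: most independent hunt leads first,
    ties broken by the scope's own criticality order."""
    leads = Counter(f["host"] for f in findings)
    return sorted(scope["affected"], key=lambda h: (-leads[h], scope["affected"].index(h)))


if __name__ == "__main__":
    scope = scope_incident(INVENTORY, "SentryAgent", "4.2.0", "4.4.0")
    findings = hunt(SAMPLE_LOGS)
    print("in scope:", scope["affected"], "unverified:", scope["unverified"])
    for f in findings:
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
    print("triage order:", triage_order(scope, findings))
```

Two design choices matter here. A host with no recorded version is kept in scope rather than dropped, because an inventory gap is not evidence of a clean host. And the hunt rules produce leads, not verdicts: an agent talking to a CDN the vendor never documented, or spawning a shell, is worth an analyst's time but is confirmed only by looking at the host itself. Findings on hosts outside the affected-version scope are still returned by hunt() and should be reviewed too, since the inventory may be stale.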


Finally, the incident response team conducts a post-incident review (PIR) to evaluate the effectiveness of the response and identify areas for improvement. This may include analyzing the incident data to identify trends or patterns that can help prevent future attacks, as well as updating incident response plans and procedures to reflect the lessons learned.


Conclusion:


In summary, supply chain attacks are becoming more prevalent as threat actors find new ways to stay under the radar. The response steps that I mentioned in this post are not exhaustive, and each organization will follow its own approach. The best way to mitigate these types of attacks is a defense-in-depth strategy: if one mechanism fails, another steps in immediately to thwart the attack.

