Software supply-chain attacks are not a new issue, but security teams need to learn how to manage them correctly.
Since the compromise of SolarWinds in 2020, in which attackers slipped a backdoor into signed Orion updates, software supply chains have become a hot topic. Unfortunately, SolarWinds has not been the only victim of a supply-chain attack.
In 2017, NotPetya was distributed through a poisoned update of the M.E.Doc tax accounting software, with devastating effects in Ukraine. Shortly afterwards, an advanced backdoor was found embedded in a code library shipped with NetSarang's server management software. Next, attackers who had compromised Piriform's build environment inserted malware into official CCleaner releases. In Operation ShadowHammer, attackers targeted the ASUS Live Update Utility to push a backdoored version to more than one million users.
“Shift left” refers to a practice in which DevOps teams focus on quality and security earlier in the development process. Shifting left is not a solution to every security problem, and it does not remove the need to secure the right side of the DevOps chain (build, release and runtime), but it should result in less vulnerable production code. A good security strategy covers both sides of the chain.
Here are five ways that you can protect your organization against supply-chain attackers.
1. Avoid unnecessary third-party modules
Third-party modules make developers more efficient, so removing them entirely is rarely practical. Any module you do use must be pulled under its exact name from the correct repository, so double-check the package name, source and version before downloading it, and pin the version you vetted so that the next install does not silently resolve to something else.
2. Look out for threats when using modules created by unknown authors
Be wary of copying code from Stack Overflow answers, tutorials or other popular forums; verify any snippet against multiple independent sources instead. A tutorial author can quietly change a code sample so that it imports a typosquatted malicious module, then use SEO tactics to get the tutorial ranked high in search results, and such a change is hard to spot by eye.
3. Perform automated scans of code submitted to repositories
Follow the scan results closely so the team can act as soon as something unusual shows up in the modules it uses. Keep an inventory of imports and automate checks against lists of modules that are known to have been compromised.
4. Always have a plan for external services
Malware planted through the supply chain typically relies on a “command and control” channel or a “phone home” feature to receive commands from, or exfiltrate sensitive data to, external services. A team with good visibility into its traffic patterns can detect such attempts early by spotting irregularities, for example a build host that contacts an unfamiliar destination at regular intervals.
5. Create an on-premises and cloud strategy
On premises, use enterprise EDR and application-level gateways, centralize logs, and run anomaly detection across all collected data and events.
In the cloud, use automated systems that track activity and detect anomalies. The major public cloud providers already offer facilities for event and data collection that can detect irregular behavior, but these tools have to be enabled. This matters in agile DevOps environments, where cloud environments are created and destroyed constantly for research, development and testing, and could otherwise go unmonitored. Stay attentive: eventually any malware or backdoor will behave anomalously and expose itself. Keep false positives to a minimum so that the detection remains usable.
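The following is an added example, not code from the original post or from Radware, showing how the checks from points 1 to 3 above (pull the right module from the right source, watch for typosquatted lookalikes, and automate checks against known-compromised modules) can be automated against a Python requirements file. The requirements text, the `KNOWN_GOOD` allowlist, the `COMPROMISED` blocklist entry (`acme-widgets`) and the `FAKE_HASH` digest are all constructed for the demo; in practice the digests come from the package index and the blocklist from your vulnerability feed.

```python
"""Check a pinned Python requirements file: pinned version, hash, blocklist and lookalike names."""
import difflib
import re

# Constructed sample requirements.txt for the demo (not a real project's file).
# FAKE_HASH stands in for real sha256 digests, which would be copied from the package index.
FAKE_HASH = "0123456789abcdef" * 4
REQUIREMENTS = f"""\
requests==2.31.0 --hash=sha256:{FAKE_HASH}
urllib3==2.2.1
cryptograhpy==41.0.0 --hash=sha256:{FAKE_HASH}
acme-widgets==1.2.3 --hash=sha256:{FAKE_HASH}
flask>=2.0
"""

# Hypothetical allowlist: package names the team has already vetted (normalized per PEP 503).
KNOWN_GOOD = {"requests", "urllib3", "cryptography", "flask", "pyyaml"}

# Hypothetical blocklist of (name, version) pairs reported as compromised; the entry is made up.
COMPROMISED = {("acme-widgets", "1.2.3")}

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")


def normalize(name):
    """PEP 503 normalization, so Acme_Widgets, acme.widgets and acme-widgets compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike(name, known, cutoff=0.8):
    """Return the vetted name this one most resembles, or None if nothing is close enough."""
    matches = difflib.get_close_matches(name, sorted(known), n=1, cutoff=cutoff)
    return matches[0] if matches else None


def check_requirements(text, known=KNOWN_GOOD, compromised=COMPROMISED):
    """Return (line number, finding kind, detail) for every problem found in the file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            # A range such as flask>=2.0 lets the next install resolve to whatever is newest.
            findings.append((lineno, "UNPINNED", line))
            continue
        name, version, rest = m["name"], m["version"], m["rest"]
        norm = normalize(name)
        if not HASH_RE.search(rest):
            # Without --hash, a tampered artifact carrying the same version number installs silently.
            findings.append((lineno, "NO_HASH", name))
        if (norm, version) in compromised:
            findings.append((lineno, "COMPROMISED", f"{name}=={version}"))
        if norm not in known:
            near = lookalike(norm, known)
            if near:
                # Close to a vetted name but not equal to it: the classic typosquat pattern.
                findings.append((lineno, "TYPOSQUAT", f"{name} looks like {near}"))
            else:
                findings.append((lineno, "UNVETTED", name))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in check_requirements(REQUIREMENTS):
        print(f"line {lineno}: {kind}: {detail}")
```

Run this as a pre-merge check on every change to the requirements file and fail the build on any `COMPROMISED` or `TYPOSQUAT` finding; `UNVETTED` findings are the cue for the manual review described in point 1.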
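As an added example for points 4 and 5 (it is not code from the original post or from Radware), the script below runs a simple beaconing check over egress log lines: a host that talks to a destination outside its allowlist at near-constant intervals with near-constant payload sizes is flagged, while bursty traffic and allowlisted destinations are left alone to keep false positives down. The log format, host names, destinations (documentation IP ranges) and the `ALLOWED_DESTINATIONS` set are all constructed for the demo.

```python
"""Flag hosts that contact unfamiliar destinations at suspiciously regular intervals."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log: "<ISO timestamp> <source host> <destination> <bytes out>".
# The format and the hosts are hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
LOG_LINES = """\
2024-05-01T10:00:00 build-01 updates.example.com 1200
2024-05-01T10:00:05 build-01 updates.example.com 800
2024-05-01T10:00:00 build-02 203.0.113.7 312
2024-05-01T10:10:00 build-02 203.0.113.7 310
2024-05-01T10:20:01 build-02 203.0.113.7 315
2024-05-01T10:30:00 build-02 203.0.113.7 309
2024-05-01T10:40:00 build-02 203.0.113.7 314
2024-05-01T10:03:12 build-03 pypi.org 50000
2024-05-01T10:21:44 build-03 pypi.org 72000
2024-05-01T11:02:09 build-03 pypi.org 1800
2024-05-01T11:05:00 build-03 pypi.org 2600
2024-05-01T11:40:00 build-03 pypi.org 900
2024-05-01T10:00:30 build-04 198.51.100.9 4000
2024-05-01T10:02:10 build-04 198.51.100.9 65000
2024-05-01T10:09:55 build-04 198.51.100.9 120
2024-05-01T10:31:00 build-04 198.51.100.9 9000
2024-05-01T10:35:00 build-04 198.51.100.9 300
"""

# Hypothetical allowlist of destinations the build hosts are expected to talk to.
ALLOWED_DESTINATIONS = {"updates.example.com", "pypi.org"}


def parse_log(text):
    """Group (timestamp, bytes) events by (source, destination), sorted by time."""
    flows = defaultdict(list)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, nbytes = raw.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    for events in flows.values():
        events.sort()
    return flows


def regularity(values):
    """Coefficient of variation (population stdev / mean); near 0 means the values barely differ."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def find_beacons(text, allowed=ALLOWED_DESTINATIONS, min_events=5,
                 max_interval_cv=0.1, max_size_cv=0.25):
    """Return one record per (source, destination) pair whose timing and sizes look machine-driven."""
    beacons = []
    for (src, dst), events in parse_log(text).items():
        # Allowlisted destinations and tiny samples are skipped to limit false positives.
        if dst in allowed or len(events) < min_events:
            continue
        times = [t for t, _ in events]
        intervals = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        sizes = [n for _, n in events]
        interval_cv = regularity(intervals)
        size_cv = regularity(sizes)
        # A beacon checks in on a timer with a small, fixed-size message; bursty human or CI traffic does not.
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            beacons.append({
                "src": src,
                "dst": dst,
                "events": len(events),
                "mean_interval_s": statistics.fmean(intervals),
                "interval_cv": interval_cv,
                "size_cv": size_cv,
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} events every "
              f"~{hit['mean_interval_s']:.0f}s (interval cv {hit['interval_cv']:.3f})")
```

In the sample, only build-02 trips the check: it contacts an unfamiliar address every ten minutes with a 310-byte payload. build-04 also talks to an unknown address, but its irregular timing and sizes look like ordinary activity and would be noise if flagged; the `min_events` and `max_*_cv` thresholds are the knobs to tune against your own baseline so the detection stays usable.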
Protecting against supply-chain attacks is imperative for companies and organizations: a single small mistake anywhere in the chain can put a company's data at risk.
The content from this post was sourced from an article our Radware team was interviewed for in SC Magazine.