PA Consulting’s head of cybersecurity, Elliot Rose, discusses the SolarWinds breach and how organisations must tighten their security to avoid software supply chain attacks.
The article discusses how, in December 2020, with much of the world distracted by a Covid-19 resurgence and the aftermath of the US presidential election, security researchers were busy tracking a new malware campaign – UNC2452 – which had grave implications for cybersecurity in the western world.
Subsequently linked with Russian state-sponsored cybercrime gang APT29 (or Cozy Bear) the attack ‘trojanized’ software updates to Orion, an IT monitoring and management application from SolarWinds.
Withn days, dozens of global businesses and government departments were reporting Sunburst infections, including Microsoft and the US Department of Homeland Security.
The world had just witnessed its largest ever software supply chain attack.
What is a software supply chain attack?
A software supply chain attack happens when hackers manipulate the code in third-party software components in order to compromise the ‘downstream’ applications that use them.
Attackers leverage compromised software to steal data, corrupt targeted systems, or to gain access to other parts of the victim’s network through lateral movement.
Can you prevent or mitigate supply chain attacks?
At the technical level, increasing security awareness among DevOps teams is the first and – many experts argue – most critical step.
Teams need to incorporate security into the entire development process, have a comprehensive map of the dependences used by their applications, be alert to vulnerability disclosures, and have a robust system for patching security bugs.
Organizations should also tighten up their software acquisition strategies. IT departments, which often rely on questionnaires and vendor self-certification to perform due diligence, should also consider audits, source code reviews and penetration testing – more robust, if costlier, alternatives.
More organizations should follow this lead, suggests Elliot: “Many organisations recognize that they need to put in place continuous monitoring and assessment of critical third parties.”
“This is not easy but is increasingly necessary, and there are new tools and approaches available to ease the burden.”