Supply Chain Attack Defense Demands Mature Threat Hunting

Published: 23/11/2024   Category: security


Active threat hunting is the best protection against supply chain attacks like MOVEit and 3CX, experts say.



The headlines have become a steady occurrence: Kaseya, SolarWinds, 3CX, MOVEit, and there are sure to be others around the corner, because they're effective.
The best cyber defense for organizations worried about protecting systems against the next software supply chain cyberattack comes down to active monitoring and threat hunting, experts say.
Multiple software supply chain security failures in recent years have demonstrated that security extends well beyond the traditional four-walls cybersecurity model, said IANS faculty member Jake Williams, who recently spoke to the Dark Reading audience during a June 7 webinar on Next Generation Supply Chain Security.
The modern software supply chain offers threat actors an enormous attack surface, including automatic software updates, vendor-managed appliances, software-as-a-service (SaaS) tools, the cloud, and more, Williams outlined in his presentation.
"Kaseya wasn't the first attack on managed service providers to distribute ransomware, and it certainly won't be the last," Williams added. And indeed that's true: the MOVEit attack is the work of the Cl0p ransomware gang, after all.
Evan Blair, general manager for Searchlight Cyber, also spoke during the Dark Reading webinar about securing the supply chain and illustrated the complexity challenge with a startling statistic: for every billion dollars in annual revenue, businesses will have about 1,000 suppliers. That's a lot of avenues into enterprise systems for the cyber crooks to use.
Following the live event, Dark Reading asked Williams what enterprise cybersecurity teams can do to defend against mounting software supply chain attacks. Here's how Williams said he would start.
"This really boils down to monitoring and threat hunting," he says. "In the MOVEit case, we'd be doing targeted threat hunting presuming the appliance was compromised. First, we'd look at what it talked to on the internal network and then look for any changes to the state of those devices after (new suspicious processes, etc.)," Williams says.
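The two-step hunt Williams describes (pivot from the appliance's internal connections, then look for process changes on the contacted hosts) can be scripted against flow and endpoint telemetry. The block below is an added illustration, not code from the article or from any vendor; the appliance address, flow records and process events are constructed sample data, and "new" is judged as an image/parent pair not seen on that host before the appliance first contacted it.

```python
"""Targeted threat hunt from a presumed-compromised appliance.

Step 1: from network flow records, find every internal host the appliance
connected to and when it first did so.
Step 2: from endpoint process-creation events, flag image/parent pairs that
first appeared on those hosts after the appliance contacted them.
All records here are constructed sample data, not real telemetry.
"""
from datetime import datetime, timedelta

APPLIANCE = "10.0.5.20"  # assumed address of the appliance under suspicion

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("2024-06-01T02:10:00", "10.0.5.20", "10.0.1.15", 445),
    ("2024-06-01T02:12:30", "10.0.5.20", "10.0.1.22", 5985),
    ("2024-06-01T03:00:00", "10.0.1.15", "10.0.5.20", 443),  # inbound, not a pivot
    ("2024-06-01T02:11:00", "10.0.5.20", "10.0.1.15", 3389),
]

# Constructed process-creation events: (timestamp, host_ip, image, parent)
PROCS = [
    ("2024-05-30T09:00:00", "10.0.1.15", "svchost.exe", "services.exe"),
    ("2024-06-01T02:15:10", "10.0.1.15", "powershell.exe", "wmiprvse.exe"),
    ("2024-06-01T02:20:00", "10.0.1.22", "rundll32.exe", "wsmprovhost.exe"),
    ("2024-06-01T02:20:00", "10.0.1.40", "cmd.exe", "explorer.exe"),  # never contacted
    ("2024-05-29T12:00:00", "10.0.1.22", "rundll32.exe", "svchost.exe"),  # baseline
]

def _ts(s):
    return datetime.fromisoformat(s)

def first_contact(flows, appliance):
    """Map each internal host to the earliest time the appliance connected to it."""
    contacts = {}
    for ts, src, dst, _port in flows:
        if src == appliance and (dst not in contacts or _ts(ts) < contacts[dst]):
            contacts[dst] = _ts(ts)
    return contacts

def hunt(flows, procs, appliance, window=timedelta(hours=24)):
    """Return (host, time, image, parent) for process lineages new since contact."""
    hits = []
    for host, since in first_contact(flows, appliance).items():
        # Baseline: image/parent pairs this host already ran before contact.
        seen = {(img, par) for ts, h, img, par in procs if h == host and _ts(ts) < since}
        for ts, h, img, par in procs:
            if h == host and since <= _ts(ts) <= since + window and (img, par) not in seen:
                hits.append((host, ts, img, par))
    return sorted(hits)
```

In practice the baseline window should be long enough to cover normal administrative activity, otherwise routine tooling shows up as hits.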
Complicating matters for network defenders is the fact that well-resourced threat actors have had great success with supply chain attacks as a way into larger organizations' systems. More sophisticated state-based advanced persistent threat (APT) groups are also targeting smaller organizations, which presumably rely mostly on basic cybersecurity protections, Williams explained.
In May, the North Korean government-linked Lazarus Group was observed using Log4Shell, the 3CX supply chain flaw, as well as other known vulnerabilities to compromise Microsoft Web servers at a range of companies of varying sizes. And in April, Chinese APT group Evasive Panda hijacked application updates for Chinese-developed software to deploy spyware to smaller targets.
The supply chain is further threatened by the rise of artificial intelligence (AI), which researchers have recently shown can be used to embed malware into software packages targeting developers.
Recommendations generated by ChatGPT for software building blocks that don't exist, which researchers call AI package hallucinations, are not uncommon, and cybercriminals can take those recommendations and create a malicious package to match the false recommendations, then wait for ChatGPT to recommend them again. This discovery adds yet another layer of complexity to identifying supply chain threats to enterprise networks.
Organizations with robust monitoring and threat hunting programs in place are best positioned to prevent the next supply chain attack, Williams advised.
Monitoring the security of third parties in the software supply chain is a necessity, according to Williams, who added that "anything less is being reactive." Cyber threat intelligence (CTI) teams are an important way to proactively monitor software supply chain risks, according to Williams, but their task is difficult.
Most CTI teams have difficulty monitoring their own organization, Williams said. He added that CTI teams don't have insight into the cycles and data necessary to synthesize, report, or action intelligence for third parties.
As any CTI analyst will tell you, these challenges are not trivial, Williams said.
Dark Web monitoring is an additional source of threat intelligence, which can include accessing Dark Web forums directly or using a vendor to curate information, but that doesn't offer real-time data, Williams said.
When buying access to Dark Web platforms, recognize that this only accounts for a very small part of the intelligence lifecycle, Williams advised.
Valuable threat intelligence that can be gathered from Dark Web forums can include postings on recent ransomware groups' activities, hacktivist communications, and initial access brokers selling access to networks to other threat actors, Blair explained to the Dark Reading webinar audience.
Blair added that about a third of CISOs are currently using Dark Web data to monitor for cyberattacks against their supply chains, while a full 71% would like to have visibility into whether suppliers are being discussed on the Dark Web.
Beyond Dark Web monitoring, other sources of open source intelligence (OSINT) can be valuable for gaining threat insights. Simply searching Twitter hashtags can provide cataloged, dated, real-time information pooled from cybersecurity experts across the globe.
Organizations can't realistically expect to prevent software supply chain attacks like 3CX, Williams says. This again points to the need for real-time monitoring using both endpoint and network tooling. Because we won't catch every attack as it's happening, mature threat hunting capabilities are also important.
Williams adds a warning to teams thinking about outsourcing a threat hunting program.
"For organizations that can't sustain a threat hunting cadence, be wary of managed threat hunt vendors," Williams tells Dark Reading. "Many are just front running the indicators of compromise (IoCs) that are being put into their endpoint detection and response (EDR) solutions."
