In early 2021, Sita, a supplier of IT systems for the airline industry, started informing airlines using its passenger service system that their frequent flyer programme data could have been exposed.
As it turned out, the passenger service system, which airlines use to send data of frequent flyers to other airlines in the same alliance so that they can accord benefits to their customers, was compromised by a highly sophisticated cyber attack.
Singapore Airlines was one of the affected airlines even though it did not use the Sita system. That’s because it provided the data of its frequent flyer members to a Star Alliance airline that was using the affected system, exposing information such as membership numbers, tier status and, in some cases, member names.
While airline alliances bring benefits such as network effects that enable airlines to fly their customers to more destinations, the interconnectivity between their systems also attracts cyber criminals looking to exploit the weakest links through supply chain attacks. These links can also take the form of popular third-party systems that many organisations use to run their IT operations.
One such system is the SolarWinds network management software, which had malware inserted into its software updates by threat actors in a supply chain attack that compromised large enterprises and government agencies.
Feixiang He, adversary intelligence research lead at Group-IB, a Singapore-based cyber security company, says there are some driving forces behind the rising popularity of supply chain attacks.
First, the cyber defences of many high-value targets are in much better shape than before. Direct attacks against target systems may take a lot of effort and yield little. Hence, it is more effective for cyber criminals to move up the software supply chain and exploit weak links that sit outside their target's own cyber defences.
He says the use of open-source software also poses a supply chain security risk, debunking the assumption that security is almost guaranteed in popular open-source projects.
“In an ideal community approach, weaknesses and malicious behaviours should be discovered by someone and fail the code review. In reality, most of such projects are maintained by volunteers who have various focuses that are not necessarily related to security. It is unreasonable to assume security by default,” he says.
“Furthermore, open-source projects are usually for general purpose uses. Some seemingly secure designs may become a vulnerability in a specific system architecture. Last, loosely managed open-source software library repositories also give the attackers extra options to covertly deploy malicious software.
“We’ve seen multiple cases where the attackers uploaded malware to a Python pip package repository and infected software developers in large corporates,” he adds.
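Pinning dependencies to their digests is the standard guard against the scenario He describes. The following added example (not code from the article or from Group-IB) verifies a fetched artifact against the `--hash` pins that pip's hash-checking mode reads from a requirements file, so a package that was replaced or trojaned on the index is rejected before it is installed; the package names, wheel contents and digests are constructed for the demonstration.

```python
"""Verify a fetched package against pinned digests before installing it.

Added example, not code from the article or from Group-IB. It parses the
--hash pin syntax of pip's hash-checking mode (requirements files written by
`pip hash` or `pip-compile --generate-hashes`) and checks a downloaded
artifact against it. Package names, contents and digests are constructed.
"""
import hashlib
import hmac
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for wheels downloaded from a package index.
GOOD_WHEEL = b"PK\x03\x04 constructed contents of examplelib-2.25.1-py3-none-any.whl"
TROJANED_WHEEL = GOOD_WHEEL + b"\n# attacker-inserted payload"

# Constructed requirements file: one package pinned with a digest and one
# pinned by version only (what you get when hash generation is skipped).
SAMPLE_REQUIREMENTS = (
    "examplelib==2.25.1 \\\n"
    f"    --hash=sha256:{sha256_hex(GOOD_WHEEL)}\n"
    "otherlib==1.0.0\n"
)

REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)")
HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


def canonical(name: str) -> str:
    """Normalise a package name the way pip does (PEP 503): case-fold,
    and collapse runs of '-', '_' and '.' to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> dict:
    """Return {name: {"version": str, "hashes": {(alg, digest), ...}}}.
    pip continues a requirement across lines with a trailing backslash,
    so those are joined before each logical line is parsed."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement: {line!r}")
        hashes = {(h["alg"], h["digest"].lower()) for h in HASH_RE.finditer(line)}
        pins[canonical(m["name"])] = {"version": m["version"], "hashes": hashes}
    return pins


def verify_artifact(pins: dict, name: str, data: bytes) -> tuple:
    """Accept `data` only if it matches a pinned sha256 for `name`.
    As in pip's hash-checking mode, a requirement that carries no --hash
    is rejected rather than silently trusted."""
    entry = pins.get(canonical(name))
    if entry is None:
        return False, f"{name}: not in requirements file"
    if not entry["hashes"]:
        return False, f"{name}: no --hash pin, refusing to install"
    actual = sha256_hex(data)
    for alg, expected in entry["hashes"]:
        # Only sha256 pins are handled in this example; compare in constant time.
        if alg == "sha256" and hmac.compare_digest(actual, expected):
            return True, f"{name}=={entry['version']}: sha256 matches pin"
    return False, f"{name}: digest mismatch, artifact differs from the pinned build"


if __name__ == "__main__":
    pins = parse_pins(SAMPLE_REQUIREMENTS)
    for label, pkg, blob in [("good", "examplelib", GOOD_WHEEL),
                             ("trojaned", "examplelib", TROJANED_WHEEL),
                             ("unpinned", "otherlib", b"whatever")]:
        ok, why = verify_artifact(pins, pkg, blob)
        print(f"{label:9} -> {'OK    ' if ok else 'REJECT'} {why}")
```

The digest pin only helps if it was generated from an artifact you already trusted; it freezes that decision so a later swap on the index, or a typosquatted name that never appears in the file, cannot get through the install step.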
He says the shift towards cloud infrastructure and the “as-a-service” model also introduces uncertainties to ownership and accountability, making incident detection and response challenging.
Ultimately, any weaknesses in supplier systems automatically become weaknesses in the enterprise, says Joseph Failla, security lead at Accenture in Australia and New Zealand.
Citing Accenture’s research, Failla notes that while organisational cyber resilience is on the rise, cyber security programmes actively protect only about 60% of the business ecosystem on average, while 40% of security breaches are indirect.
Adding to the challenge is the difficulty of gaining visibility into the partner supply chain. This could be due to legal constraints and other organisational barriers preventing suppliers from sharing information.
“Other times, their security capabilities aren’t up to scratch. This lack of visibility impedes organisations’ abilities to understand where to focus assessments and mitigation efforts,” Failla says.
Mitigating supply chain risks
Despite the challenges of fending off supply chain attacks, especially if a nation-state or state-linked threat actor is involved, becoming a sitting duck for such attacks is not an option.
Jonathan Tan, managing director for Asia at McAfee, advises organisations to maintain an aggressive and healthy cyber security posture to contain risks as much as possible in the event of a potential breach.
That means identifying the most critical data and applying the principle of least privilege. A sound approach, Tan adds, is to assume that the most critical assets are under attack, especially those that leverage third-party applications where elevated privileges are required for their effective operation.
Raen Lim, group vice-president of South Asia and Korea at Splunk, notes that the standard advice to audit one’s suppliers is harder to follow than it sounds “because your one ‘video-conferencing vendor’ or ‘payment processing vendor’ is actually composed of maybe a half-dozen business systems, through external APIs [application programming interfaces] and services”.
“You need visibility into every data component and flow. You also need to know how to respond quickest when a breach is discovered, both to shut it down and to determine which data may have been compromised,” she adds.
As such, Lim advocates the zero-trust security model to minimise security risks, as it is focused on users, assets and resources rather than on a network perimeter. The model also requires organisations to rigorously authenticate users as they move towards a more distributed security environment.
Automating security operations, she adds, will also help organisations to identify and respond to cyber attacks without human intervention, along with improving the effectiveness of security analysts through automation and analytics.
Sanjay Aurora, managing director of Asia-Pacific at Darktrace, agrees, noting that by augmenting human security teams with artificial intelligence (AI) technology, organisations can focus on understanding what’s ‘normal’ behaviour across their digital estate, and constantly enforce that normal when things go amiss.
“This technology can identify the subtle indicators of this malicious activity wherever it emerges, and thwart it before damage is done,” he adds.
Changing role of the CISO
The reliance on third-party providers has created new demands on cyber security defences, adding complexity to the responsibilities of the chief information security officer (CISO).
Now more than ever, CISOs need to be more directly engaged with the broader risk management function or even take on a risk management leadership role.
Recent high-profile supply chain security breaches have attracted the attention of CEOs and their boards. CISOs have found themselves needing to leverage both technology and leadership skills to effectively communicate the potential impact of supply chain attacks to the leadership team, and to drive executive buy-in on solutions or mitigation efforts.
Accenture’s industry intelligence found that CISOs have significant concerns around how supply chain risks can be managed. These include effectively monitoring vulnerabilities, increasing internal early detection capabilities, whether scenario planning exercises are keeping pace with more sophisticated threats, and if teams are prepared to deal with new threats.
“The industry intelligence also proposed that CISOs need to strike a better balance between their technology and leadership competence,” Failla says. “CISOs are not only expected to demonstrate practical capabilities but be equally good at communicating in a non-technical manner.
“This form of communication will better resonate with the senior leadership team and the board, helping CISOs align cyber security with enterprise risk management practices while building trust internally.”
What the software industry can do
McAfee’s Tan says the most insidious aspect of the SolarWinds attack was the use of a backdoor with stealth tactics: it checked whether it was being analysed, by looking for the presence of debuggers and network monitors, and in those situations suppressed its communications and other behaviour that might raise alerts.
The backdoor then enabled the attackers to take any number of secondary steps, which could involve stealing data, destroying data, holding critical systems for ransom, or any number of other malicious actions.
“The attackers may still be doing damage right this instant, if they implanted additional malicious content to stay in control and maintain access,” Tan says, adding that backdoors are a critical risk that needs to be addressed to lessen the risks organisations face if they are subject to a supply chain attack.
“Until that day arrives, organisations should protect their most critical information and data with the utmost care, as supply chains continue to be a threat vector.”
David Wheeler, director for open-source supply chain security at The Linux Foundation, says there is only one strong countermeasure for a SolarWinds-style attack in the longer term: verified reproducible builds.
“A reproducible build is a build that always produces the same outputs given the same inputs so that the build results can be verified. A verified reproducible build is a process where independent organisations produce a build from source code and verify that the build results come from the claimed source code.
“Almost all software today is not reproducible, but there’s work to change this. The Linux Foundation and Civil Infrastructure Platform have been funding work, including the Reproducible Builds project, to make it possible to have verified reproducible builds,” he wrote in a blog post.
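To make Wheeler's definition concrete, the following added example (not code from the article, the Linux Foundation or the Reproducible Builds project) simulates two independent organisations building the same constructed source tree. A naive packaging step leaks checkout timestamps into the artifact, so the two builders disagree; the normalised step (sorted entries, file times clamped to a SOURCE_DATE_EPOCH, owner metadata zeroed, fixed gzip header) yields identical bytes, and the verifier additionally ties each build back to the claimed source digest. The source files, epoch value and checkout times are assumptions made for the demonstration.

```python
"""Verified reproducible build, simulated with two independent builders.

Added example; not the article's code nor the Reproducible Builds project's.
The "build" is a packaging step (source tree -> tar.gz). SOURCE_FILES, the
epoch and the builders' checkout times are constructed for the demo.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

SOURCE_DATE_EPOCH = 1_577_836_800  # 2020-01-01T00:00:00Z, stands in for the commit time

# Constructed source tree; in practice this is the checked-out commit.
SOURCE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 1; }\n",
    "README": b"example project\n",
}


def checkout(workdir: str, checkout_time: int) -> None:
    """Write SOURCE_FILES under workdir with the mtime a real checkout leaves."""
    for rel, content in SOURCE_FILES.items():
        path = os.path.join(workdir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (checkout_time, checkout_time))


def source_digest(workdir: str) -> str:
    """Digest of the build inputs (paths + contents), independent of mtimes."""
    h = hashlib.sha256()
    for root, dirs, files in os.walk(workdir):
        dirs.sort()
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, workdir).replace(os.sep, "/")
            h.update(rel.encode() + b"\0")
            with open(path, "rb") as f:
                h.update(f.read())
            h.update(b"\0")
    return h.hexdigest()


def naive_build(workdir: str) -> bytes:
    """Packs the tree the way an unconcerned script would: directory order,
    real mtimes and ownership, gzip header stamped with the current time."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for root, dirs, files in os.walk(workdir):
                for name in files:
                    path = os.path.join(root, name)
                    tar.add(path, arcname=os.path.relpath(path, workdir))
    return buf.getvalue()


def reproducible_build(workdir: str, epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Same inputs -> same bytes: sorted entries, mtimes clamped to the epoch,
    no owner names/ids, fixed permissions, zeroed gzip timestamp."""
    def normalise(info: tarfile.TarInfo) -> tarfile.TarInfo:
        info.mtime = min(int(info.mtime), epoch)  # SOURCE_DATE_EPOCH clamping rule
        info.uid = info.gid = 0
        info.uname = info.gname = ""
        info.mode = 0o644 if info.isfile() else 0o755
        return info

    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for root, dirs, files in os.walk(workdir):
                dirs.sort()
                for name in sorted(files):
                    path = os.path.join(root, name)
                    arcname = os.path.relpath(path, workdir).replace(os.sep, "/")
                    tar.add(path, arcname=arcname, recursive=False, filter=normalise)
    return buf.getvalue()


def independent_build(builder, checkout_time: int) -> tuple:
    """One independent organisation: fresh checkout, build, report both digests."""
    with tempfile.TemporaryDirectory() as workdir:
        checkout(workdir, checkout_time)
        return source_digest(workdir), hashlib.sha256(builder(workdir)).hexdigest()


def claimed_source_digest() -> str:
    """What the publisher claims the artifact was built from."""
    with tempfile.TemporaryDirectory() as workdir:
        checkout(workdir, SOURCE_DATE_EPOCH)
        return source_digest(workdir)


def verify_reproducible(builder, claimed_source: str,
                        checkouts=(1_600_000_000, 1_600_100_000)) -> bool:
    """Verified reproducible build: every builder must start from the claimed
    source and all of them must arrive at the same artifact digest."""
    results = [independent_build(builder, t) for t in checkouts]
    if any(src != claimed_source for src, _ in results):
        return False
    return len({artifact for _, artifact in results}) == 1


if __name__ == "__main__":
    claimed = claimed_source_digest()
    print("naive build agrees across builders:       ", verify_reproducible(naive_build, claimed))
    print("normalised build agrees across builders:  ", verify_reproducible(reproducible_build, claimed))
```

Clamping file times to SOURCE_DATE_EPOCH rather than zeroing them follows the convention the Reproducible Builds project documents; a real build also has to pin the toolchain, build path and environment, which this packaging-only example does not cover.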
Darktrace’s Aurora says while following best practices such as reproducible builds is important, the software industry must also strive to do security by design. “In the rush to market a product, security is still too often an afterthought and development is outsourced to the cheapest bidder,” he adds.
Splunk’s Lim says software providers also have a duty to conduct a regular refresh of their own suppliers and ask them how they mitigate the risk of emerging threats – and communicate that information to customers.
“Take SolarWinds as an example – we took immediate action to confirm the safety of our systems and code from the attack, proactively reached out and assisted customers to use Splunk to detect the compromised SolarWinds software update in their environment.
“We also quickly created a response website to provide latest updates on the attack and responded to inquiries from customers looking to assess our exposure,” she adds.