The Interrelationships of the Latest Supply Chain Breaches
*Update 12:49pm PT 4/22/21*
After this blog article was published, CISA issued a new alert relating to the vulnerabilities found in VPN software discussed here. Attackers have leveraged the VPN vulnerability to move laterally and install malware known as SUPERNOVA on a SolarWinds Orion server to gain access to login credentials of at least one unnamed agency. CISA has issued instructions for businesses and agencies potentially at risk to follow. This is another reminder that if attackers are taking advantage of relationships by stringing together attacks, it is imperative to have visibility over all your relationships in your organization to properly protect yourself.
Visibility and Application Relationship Management have taken center stage as a necessary priority within cyber security and resilience. On April 20th, CISA issued its third emergency directive since SolarWinds, within hours of news that U.S. government agencies have again been affected by a supply chain attack, this time exploiting vulnerabilities found in virtual private networking (VPN) software, derived from earlier CVEs attributed to a string of potential nation-state targeted attacks going back to June 2020 or earlier. While Directive 21-03 focused on the required federal-level response, additional critical national infrastructure targets and private entities in the US and Europe have also been cited as potentially compromised by this attack.
Once again, a lack of visibility and understanding of application relationships exacerbates how a supply chain attack tainting trusted software becomes invisibly embedded deep within an organization’s infrastructure through seemingly normal processes. In the most recent example, highlighted by Directive 21-03, the attack makes highly sophisticated use of local proxy devices within residential locations, making it very difficult to detect or prevent from the outside; for example, it cannot be addressed by monitoring or blocking access from high-risk or non-local geolocations. What’s worse, the compromised systems are fitted with additional security-deflecting functions that enable bypass of all forms of authentication and persist through patching.
Emergency Directive 21-03 outlines several immediate steps that CISA has mandated for U.S. agencies (and recommended for other potentially impacted organizations) to take by Friday, April 23rd. These include running the VPN vendor-provided detection tool, updating to the latest software version, and investigating any anomalous behavior.
This vulnerability, however, when paired with the other major attacks on trusted software over the past few months, shows just how big a problem this is. We can no longer trust what was once trusted. Existing CVEs related to embedded functions and libraries are now being exploited in a daisy-chain manner that portends a trend of more sophisticated attacks. What can businesses and government agencies do when it is no longer possible to trust the integrity of previously trusted operational and security infrastructure?
They should of course immediately follow CISA’s guidance, but there are a few additional steps to consider:
- Visibility of applications, workloads and systems across all environments is key for organizations to establish a baseline for communications among interconnected assets. This can help to quickly identify where material new and anomalous communications behavior occurs, in particular from infrastructure systems that do not otherwise change significantly over time.
- Focusing on applications and the relationships between those applications can help with incident notification and response, enabling businesses to understand new relationships associated with the suspect and exploited systems that can point to the extent of the attack. With an existing assessment of the criticality of impacted assets, response teams can prioritize remediation resources more effectively.
- Improve Identity Governance for users and machine identities to validate, monitor and enforce appropriate entitlements and privileged access to applications and systems.
- Ensure internal boundary defenses are in place to reduce the attack surface which can be exploited between zones and business functions.
- Leverage an orchestrated segmentation approach, which enables an automated, data-driven approach to deploy effective and consistent least-privilege security policies around critical functions and between zones.
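As an added illustration of the baseline-and-compare approach described in the first two bullets above (example code written for this page, not the vendor's product or tooling): it learns the set of observed communication relationships from a learning window of constructed flow records, flags relationships that appear only in a later window, ranks them using a hypothetical asset criticality table with a bonus for normally static infrastructure sources, and walks the new relationships outward from a suspect host to scope the possible extent of an intrusion. All host names, ports, zones and criticality values are constructed placeholders.

```python
from collections import deque

# Constructed sample flow records (not from the article): (day, src, dst, dst_port, proto).
# Host names and ports are hypothetical placeholders.
BASELINE_FLOWS = [
    ("day-01", "orion-01", "db-01", 1433, "tcp"),
    ("day-01", "orion-01", "updates.vendor.example", 443, "tcp"),
    ("day-01", "vpn-gw-01", "idp-01", 636, "tcp"),
    ("day-02", "orion-01", "db-01", 1433, "tcp"),
    ("day-02", "vpn-gw-01", "idp-01", 636, "tcp"),
    ("day-03", "orion-01", "db-01", 1433, "tcp"),
    ("day-03", "orion-01", "updates.vendor.example", 443, "tcp"),
]

# Flows from the window under investigation (constructed); two edges were never seen before.
RECENT_FLOWS = [
    ("day-20", "orion-01", "db-01", 1433, "tcp"),
    ("day-20", "vpn-gw-01", "orion-01", 443, "tcp"),   # new: VPN gateway -> management server
    ("day-20", "orion-01", "dc-01", 445, "tcp"),       # new: management server -> domain controller
    ("day-20", "vpn-gw-01", "idp-01", 636, "tcp"),
]

# Hypothetical criticality tiers (3 = highest) that a response team would already maintain.
CRITICALITY = {"dc-01": 3, "idp-01": 3, "db-01": 2, "orion-01": 2, "vpn-gw-01": 2}

# Infrastructure systems whose outbound relationships are expected to stay stable over time.
STABLE_INFRA = {"orion-01", "vpn-gw-01"}


def build_baseline(flows):
    """Collapse a learning window into the set of distinct (src, dst, port, proto) edges."""
    return {(src, dst, port, proto) for _, src, dst, port, proto in flows}


def new_edges(baseline, flows):
    """Edges present in `flows` but absent from `baseline`, deduplicated in first-seen order."""
    seen, found = set(), []
    for _, src, dst, port, proto in flows:
        edge = (src, dst, port, proto)
        if edge not in baseline and edge not in seen:
            seen.add(edge)
            found.append(edge)
    return found


def edge_score(edge):
    """Higher means investigate first: destination criticality plus a bonus when a
    normally static infrastructure system suddenly opens a new relationship."""
    src, dst, _, _ = edge
    score = CRITICALITY.get(dst, 1)
    if src in STABLE_INFRA:
        score += 2
    return score


def rank_new_edges(baseline, flows):
    """New edges ordered for triage, most critical first (sorted is stable, so ties keep order)."""
    return sorted(new_edges(baseline, flows), key=edge_score, reverse=True)


def reachable_via_new_edges(baseline, flows, suspect):
    """Hosts the `suspect` system could have reached using only relationships that did not
    exist in the baseline; a first cut at the extent of a compromise."""
    adjacency = {}
    for src, dst, _, _ in new_edges(baseline, flows):
        adjacency.setdefault(src, set()).add(dst)
    reached, queue = set(), deque([suspect])
    while queue:
        host = queue.popleft()
        for nxt in adjacency.get(host, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for edge in rank_new_edges(baseline, RECENT_FLOWS):
        print(f"score={edge_score(edge)} new relationship: "
              f"{edge[0]} -> {edge[1]}:{edge[2]}/{edge[3]}")
    print("reachable from vpn-gw-01 over new relationships:",
          sorted(reachable_via_new_edges(baseline, RECENT_FLOWS, "vpn-gw-01")))
```

The design point is that the alert condition is a new relationship rather than a known-bad signature: the VPN gateway opening a connection to the management server is not malicious on its face, but it did not exist in the learning window and it originates from a system whose relationships rarely change, which is exactly the case the first bullet singles out. In practice the baseline would be rebuilt from flow or firewall logs over a longer window, and the criticality table would come from the organization's existing asset inventory.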
Events of the past few months have shown that the infrastructure ecosystem of the enterprise, including systems management servers, email infrastructure, and now security systems, is being targeted by highly capable adversaries in sophisticated campaigns. In each instance, it is very difficult for operators to detect these breaches before the software is brought in through the door and deployed. However, by closely monitoring your environment and taking a data-driven approach to recognizing material changes in behavior, it is possible for organizations to respond and mitigate the worst impacts. Application Relationship Management enables organizations to understand their environment’s baseline, put proactive controls in place to make breach proliferation difficult, and respond rapidly and accurately.