By Sam Curry
April 12, 2021

December 13, 2020, the world learned about the alleged attack by APT29, Cozy Bear, on SolarWinds and the downstream implications with potential victims stretching into the thousands. Later in early 2021, a similar style of attack leveraging Microsoft to infect still thousands more, this time with an alleged Chinese state actor as the culprit, sent a second shock wave through the security community and the world at large. Congress and the Biden Administration have held hearings and are looking at new legislation, regulation, and executive orders to try to improve security across the United States in the face of these supply chain attacks; but the truth is that simply mandating more-of-the-same security isn’t going to result in improvements. Before getting to the keys to future supply chain security and integrity, it’s worth diving into this class of attacks a little deeper.

Supply chain attacks aren’t news as there has been a subset of these as a theme, from RSA’s upstream compromise in 2011 (and its downstream victims too) to Target’s compromise or the NotPetya attacks on the Ukraine that caused so much ancillary damage. However, the speed, size and scope of the recent attacks through SolarWinds and Microsoft to downstream targets was both unprecedented and deeply scary because practitioners downstream could do everything right in their security programs and still be compromised. That’s worth internalizing: all the hygiene, patching, monitoring, vetting of partners, countermeasures, and incident response in the world were completely useless in detecting this avenue of attack. The organizations that were vectors for infection are sophisticated companies with mature security programs. Not only did 2020 present humanity with a novel biological virus, it also heralded a novel cyber threat; novel in the sense that there is effectively no auto-immune or protective measure that can adequately handle the threat.

Having said that, there are specifically three keys to making a meaningful difference in securing the supply chain. Critically, there is no vendor, no service, no pre-packaged solution with an SKU that is going to simply solve the supply chain issue. We need to collectively disabuse ourselves of that because we are dealing with a second order chaos system in cyber conflict. First order chaos systems, to borrow Harrari’s language from his book Sapiens, are natural, complex, adaptive systems. COVID is a first order chaos threat in the biological system, and hurricanes are a first order chaos system in the meteorological system. Cyber attackers are intelligently adaptive in the connected world system, which implies that no static defense will work. So before anything else, we have to do the hygiene and the basics right, in an automated way and highly efficiently. Gone are the days of arguing with senior management about the necessity of a patch program, for instance. That is just table stakes. What comes next matters more.

The first key is to prepare in peacetime for limiting exposure, damage or “blast radius,” fragility and ensuring resilience. IT environments will need to seek least trust, weed out single points of failure aggressively and continuously test automation to ensure that IT processes aren’t abused or turned against defenders in the same way that players in chess who simply mirror their opponents are exploitable. As in other systems with intelligent opponents like espionage and warfare, but more mundanely in legal conflict and go-to-market competition, we have to adopt a similar adaptive, self-analytical, data driven and fundamental critical approach to management processes. Now is the time to get good at trust-but-verify and to not simply verify-then-trust, as so many do. If you’ve approved a vendor for use in your environment, maintain knowledge of access, dialog on security changes, and realize that this trust partner could be a vector into the organization and plan contingencies accordingly. This is saying that you aren’t looking for perfect suppliers but rather organizations that you can monitor and work with in an ongoing way and not simply review-then-ignore.

The second key is to take a detection mindset. This is a call to action for all procedures, all tools, and all practices in defense to become more behavioral and to unpack what happens within organizations. Assume compromise of prevention, no matter how deep the defense, and look for telemetry and analytics that will not simply throw everything into a big bucket of logs or telemetry for later sorting. Eventually, bad people do bad things, and they branch off from legitimate use cases. They may hide in processes, use legitimate identities, or piggyback on high-use protocols, but the chains of behavior will stand out. The place to go looking is the identity behavior, endpoint behaviors, network behavior, cloud behavior and more. More-and-more what started with EDR, and is now hyped as XDR, is most successful when behaviorally driven and when every piece of equipment can be used to build behavioral webs, insights, and telemetry that can’t be hidden from. The key to finding existing and future tactics and techniques in the MITRE ATT&CK framework is to ensure that a substrata of behaviors are recorded and analyzed from all controls: Identity, Endpoint, Network, Cloud and beyond.

The final key is not to accept that the status quo is inevitable and unchanging. It’s a call to innovate. Of course, we cannot make life harder for developers. We have to work in security with how they work, but we can instrument what they do better. We can do for source code and object code in the supply chains what companies have done with “next generation” antivirus: we can begin to analyze and apply machine learning with vast feedback pools to tell when a patch, a minor release, a new release is looking different from expected locally, across vendors or in a wider sense. The solution doesn’t exist today, but tools can be made to do this in an automatic way to provide trust scores downstream, and we could do more to provide verification of components downstream without disrupting how developers work. Having said that, this is just a call to arms and one specific example. But whether you work in a large ISP lab, in a small startup, or are in the halls of DARPA, more can be done to provide trust in the software and services supply chains.

We don’t have to sit here and lament our fates with seemingly insoluble supply chain issues, and we don’t have to merely pile more money into measures that don’t work or retreat from pushing the boundaries of technology innovation in the connected world. We can fight back and get the basics right finally (no more excuses), and we can up-level our game in peacetime, take a detection-first mentality, and invest significantly locally and in the community-at-large to build bit-by-bit real trust in our supply chains. We can frustrate the adversary, deny them succor, reverse the asymmetric advantage in cyber conflict. But it’s going to take embracing these key concepts and doing things a little differently. The attackers are going to keep getting more aggressive, innovative, and effective; so it’s up to us to change our games singly and collectively.

Sam Curry has 2+ decades as an entrepreneur, info sec expert and executive at companies like RSA, Arbor Networks, CA, McAfee, Cybereason, and more. Sam is dedicated to empowering defenders in cyber conflict and fulfilling the promise of security, enabling a safe, reliable, connected world. He is a public speaker, holds multiple patents, hosts a podcast (Security All-In), sits on some select boards and publications, and is an InfoSec mentor. If I can help, I’ll always listen and will be straight.