On October 4, 2018, a Bloomberg Businessweek article alleged that in 2015, manufacturers inserted microchips onto the motherboards of servers destined for U.S. public and government organizations to provide Chinese government-sponsored threat actors with unauthorized access. The story was immediately refuted in its entirety by the three companies named in the story: Apple, Amazon, and SuperMicro. In addition, both the U.S. Department of Homeland Security and the UK National Cyber Security Centre released statements that they are unaware of any evidence to support these claims.
Secureworks® Counter Threat Unit™ (CTU) researchers have observed no technical evidence that supports these allegations. However, the article highlighted the importance of the technology supply chain that all businesses rely on, and targeted threat actors do use supply-chain attacks to compromise their victims.
Various types of hardware-level attacks are technically feasible. However, CTU™ analysis has revealed threat actors using a large number of alternate methods for targeted intrusions that are not as technically complex or as costly for the attacker. Most supply-chain compromises focus on software rather than hardware. Third-party managed service providers (MSPs) and contractors, software distribution portals, software development environments, and software update mechanisms are the most common targets. Incidents such as Stuxnet, Havex, XcodeGhost, CCleaner, Netsarang, and NotPetya illustrate that pattern.
Organizations should be mindful of the risks of supply-chain compromises, including hardware and firmware attack vectors, as they can require a significant response effort. However, CTU researchers recommend an informed and prioritized approach to managing cybersecurity risk that focuses on the less-sophisticated techniques threat actors are using to gain unauthorized access to networks.
Supply-chain risk assessments, vendor management, and third-party audits all help organizations understand and minimize the risk posed by their supply chain. However, most globally connected, cloud-enabled, modern business enterprises unavoidably rely on complex supply chains and third-party services. Any of these components could provide an easier route to compromising an organization than a direct attack.
Most organizations would benefit from improving their visibility into their extended IT environment and their ability to detect early and respond robustly to all of these scenarios. The following five control recommendations reflect the most common advice and guidance given during Secureworks IR engagements in 2017. All of these recommendations are crucial components of a holistic defense-in-depth approach to cybersecurity that will hinder threat actors’ movement and facilitate early detection of known and unknown cyber threats in the network.
- Implement or enhance logging — Too often, incident responders are unable to piece together what happened because logs are not available or do not contain the right information. Collecting and retaining appropriate logs dramatically increases the effectiveness of the response effort.
- Adopt multifactor authentication (MFA) — Networks and services that are accessed remotely by users cannot be protected by a username and password alone. Sooner or later, public-facing or third-party accounts without MFA will be compromised. Adding MFA to an environment hinders malicious efforts and reduces the usefulness of captured credentials. MFA can be used across the business but is particularly effective for Internet-exposed systems, business-to-business links, and critical internal assets.
- Manage user account privileges — Attackers routinely exploit accounts that are redundant or that have unnecessary access rights to obtain more privileges in a compromised network. They often target administrative access on end-user systems to gain an initial foothold.
- Integrate endpoint security capabilities — A consolidated view of suspicious behaviors and events on endpoint systems is a powerful tool for detecting and responding to a threat after a compromise. This endpoint visibility is crucial in understanding the nature of an ongoing intrusion. It may not be possible to prevent every intrusion, particularly via the supply chain, but rapid detection and reduction of a threat actor’s dwell time in the environment are critical to limiting the incident’s impact.
- Develop or practice incident response planning — Effective incident response is difficult without the right preparation. Organizations are more resilient when tried and tested response plans are in place.
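The MFA and privilege recommendations above both come down to knowing which accounts are exposed and over-entitled. The following script, added here as an illustration and not Secureworks code, runs that audit over a constructed account inventory: it lists remotely reachable accounts that are not enrolled in MFA, accounts that have not logged on within an idle window (redundant accounts to disable), and end-user accounts holding local administrator rights on workstations. The inventory fields, account names, and the fixed "today" date are all assumptions chosen to make the run reproducible.

```python
"""Audit a constructed account inventory for the gaps the recommendations call out:
remotely reachable accounts without MFA, stale (redundant) accounts, and end users
holding administrative rights on their own workstations. Sample data only."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    name: str
    last_logon: date          # last successful interactive or remote logon
    remote_access: bool       # can reach VPN, webmail, B2B portal, etc. from the Internet
    mfa_enrolled: bool
    workstation_admin: bool   # member of local Administrators on an end-user system
    owner_type: str           # "user", "service", or "contractor"


TODAY = date(2018, 10, 4)   # fixed "now" so the audit output is reproducible (assumption)

# Constructed sample inventory; these are not real accounts
INVENTORY = [
    Account("alice",      TODAY - timedelta(days=2),   True,  True,  False, "user"),
    Account("bob",        TODAY - timedelta(days=5),   True,  False, True,  "user"),
    Account("svc-backup", TODAY - timedelta(days=1),   False, False, False, "service"),
    Account("vendor-msp", TODAY - timedelta(days=200), True,  False, False, "contractor"),
    Account("carol",      TODAY - timedelta(days=120), False, True,  True,  "user"),
]


def mfa_gaps(accounts):
    """Accounts that can be reached remotely but are protected by a password alone."""
    return sorted(a.name for a in accounts if a.remote_access and not a.mfa_enrolled)


def stale_accounts(accounts, max_idle_days=90, today=TODAY):
    """Accounts with no logon inside the idle window; candidates for disablement."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.name for a in accounts if a.last_logon < cutoff)


def end_user_admins(accounts):
    """Human accounts holding local admin on workstations (initial-foothold risk)."""
    return sorted(a.name for a in accounts
                  if a.workstation_admin and a.owner_type == "user")


def audit(accounts, max_idle_days=90, today=TODAY):
    """Combine the three checks into one report keyed by finding type."""
    return {
        "no_mfa_remote": mfa_gaps(accounts),
        "stale": stale_accounts(accounts, max_idle_days, today),
        "workstation_admin": end_user_admins(accounts),
    }


if __name__ == "__main__":
    for finding, names in audit(INVENTORY).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

In practice the inventory would be exported from the directory service and the remote-access and MFA flags joined in from the VPN, mail, and identity-provider configurations; the point of keeping the three checks as separate functions is that each maps to one control owner (identity team, access review, endpoint team) who can act on its findings.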
When it comes to getting the biggest “bang for your buck,” these recommendations cut across a wide range of cyber threats as opposed to expensive niche solutions to a low-likelihood event. At the same time, they provide a strong defensive posture if a supply-chain compromise leads to an intrusion.