#BHUSA: How Supply-Chain Attacks Change the Economics of Mass Exploitation

Written by

Supply-chain security is one of the most impactful topics today, and it was the subject of the opening keynote at the Black Hat US 2021 hybrid event, held both online and in-person in Las Vegas.

Jeff Moss, the founder of the Black Hat conference, opened the event with a brief conversation on what’s needed to help immunize the global IT community from attacks. When it comes to supply-chain security, he had a very somber observation.

"We all depend on the supply chain’s being fully immunized, and it's not there," Moss said.

Some ideas on how to address the challenge of supply-chain security were put forth in a keynote address by Matt Tait, chief operating officer at Corellium. Tait noted that supply-chain intrusions are completely appending the entire traditional mechanics from the attackers' perspective.

"Supply-chain intrusions are relatively straightforward; instead of targeting the system that you actually want to target, you target a system that's upstream from that system," Tait said.

The Scope of Supply-Chain Intrusions

Supply-chain attacks have had an enormous impact in 2021, though it could have been much worse.

In the case of the SolarWinds attack, Tait noted that SolarWinds has over 300,000 customers; of those, 33,000 were using the Orion platform that was attacked, and ultimately it was approximately 18,000 customers that got infected with the first stage of that attack.

In the case of the Kaseya ransomware attack, Tait observed that Kaseya has up to one million small businesses using their software, while only approximately 1,500 were infected by the attack.  As such, only  0.1% of Kaseya's actual customers ended up getting infected. However, while the infection numbers were only a small percentage, the real-world impact was significant.

"Supply-chain intrusions are not like other intrusions; we might like to think of them as just unusually big intrusions, but they're not—they're different," Tait emphasized.

With other types of attack, threat actors need to specifically identify a target. Tait noted that with supply-chain attacks, the target selection is easy, as it could potentially be all of the supplier's customers. Finding the attack surface for a supply-chain attack is also easy, in his opinion. With a supply-chain attack, the threat actors go after the supplier's update system, which will just automatically route the malware directly, often bypassing any cybersecurity defenses that the organization might have. Additionally, lateral movement across an organization is not a problem, because the supply-chain software often has agents that are running on all the client systems.

How to Fix Supply-Chain Risk

In Tait's view, the only way to tackle supply-chain intrusions at the scale that's needed is to fix the underlying technology, and this requires platform vendors to step in.

"Ultimately, the question that we're asking in supply-chain security is: Can we automate trust?" Tait said.

Tait noted that in the mobile space there is the concept of entitlements. He explained that with mobile entitlements, an app does not have any components running as root, and there is no system-wide permission.

"In the event that a supply-chain attack does compromise your app, it is only going to compromise the app; it's not going to compromise the entire phone," Tait said.

In the desktop world on Windows, entitlements are rarely, if ever, used. In Tait's view, there is a need to de-privilege Windows applications. He said that an entitlement gives the system a machine-readable understanding of what the app should be allowed to do. As such, Tait said, in the event of that app’s becoming compromised, the ability of malware inside that app to do things outside of the scope of the application becomes dramatically reduced.

While mobile devices provide entitlements, Tait noted, there is limited device observability, as the mobile operating system vendors do not generally allow full device forensics to operate. Tait wants both mobile and desktop vendors to step up and help provide the necessary visibility and controls to limit the risk of supply-chain attacks.

"Supply-chain infections can only be fixed by platform vendors; the government is not coming to save you," Tait said.

What’s hot on Infosecurity Magazine?