How to Mitigate Risk in the Supply Chain by Testing Third-Party Software Code
By: Team CodeHunter™
When organizations adopt third-party software, the natural assumption is trust, an assumption that can lead to irreversible damage. Hackers often target the digital supply chain because a single compromise can affect many people, leading to a large payout. Supply chain security is the responsibility of developers, vendors, and customers, but it often goes neglected by all three parties. Because each party assumes that the others are taking safety measures, security falls by the wayside and software attacks occur. Risk mitigation in the supply chain must be a priority, and the measures taken to address potential risk are paramount. Understanding the proactive steps for proper cyber security, and the best methods of detecting unknown malice in code, is key to business success.
Over the past decade, the use of third-party software has increased considerably and rapidly. Most businesses rely on third-party software to achieve their mission and objectives, sometimes outsourcing core functions to increase production and cash flow. Drawing on the resources and expertise delivered through third-party software gives many businesses a competitive edge and higher-quality products. Despite the many benefits of using external applications, these organizations open themselves up to the risk of malware attacks.
This reliance on open-source or widely distributed software from third parties has made it a favored target for hackers. They move up the supply chain to accomplish their mission and wreak havoc across organizational systems, infecting data sent to clients and across the web. Going forward, the greatest challenge for businesses is understanding how to be proactive about third-party software, and how to prevent oversights, before it is too late.
Notable Software Attacks
The exponential increase of high-profile attacks on organizations using third-party software is a common topic in the developer world. International news stories feature these breaches, and the impact of these attacks can often cause long-lasting damage to vulnerable elements of the supply chain. Some of the more infamous cases include:
NotPetya, the 2017 ransomware attack: One of the most destructive strains of ransomware originated from a compromised version of Ukrainian accounting software that was widely used in the country. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia. This attack resulted in losses in the billions of dollars.
CCleaner v5.33, the 2017 supply chain malware attack: CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers, became infected with malicious code and installed over four million times.
Asus, the malicious 2019 hacker attack: Asus, one of the world’s largest computer makers, unknowingly delivered malicious content with authorized software updates. A lapse in software security allowed a backdoor into the code, which was present for at least five months before discovery. The malware infected over half a million machines. Asus experienced, and still battles, crippling damage to its reputation.
Orion and SolarWinds 2020 software attack: The widely used IT infrastructure management software Orion from SolarWinds had malicious code inserted into legitimate software updates that would allow an attacker remote access into the victim’s environment. As a result, about 18,000 organizations downloaded and used this software embedded with malware.
The central theme linking each of these attacks is that each software target was a third-party vendor working with an extensive network of organizations. This detail, combined with the lack of software security testing for unknown threat behavior, left many businesses open to exploitation, regardless of the maturity of their cyber defenses.
False Legitimacy in Software
Software supply chain attacks seek vulnerabilities in a way that breaks the current model of cyber security. Trusted partners have recently become an increasing source of risk and compromise. Attacks can involve whitelisted, or perceptively safe, software that passes basic and advanced security checks. The infected software can carry a valid digital signature or code signing from the vendor, a recognized “stamp of approval” that it is legitimate. In addition, software patching, a critical capability for eliminating vulnerabilities, can itself be the attack vector and foothold a hacker needs to infect software code.
Ken Thompson, co-author of UNIX, foresaw this problem over 30 years ago in his paper titled Reflections on Trusting Trust. In his research, he created a version of the C compiler that would automatically insert a backdoor into every single program run through it. Ken argued that the attack would be impossible to detect because all the debuggers, disassemblers and other security tools used to detect it would carry the same backdoor. He came to a grim conclusion: “No amount of source-level verification or scrutiny will protect you from using untrusted code… If you didn’t write it, you can’t trust it.”
Building an Effective Risk Mitigation Strategy
Unfortunately, there is no silver bullet to solve this problem. This is a complex, widespread issue that has global implications. The industry has made progress, in cooperation with governments, to address issues surrounding cyber security and increasing threat sophistication. However, it is ultimately the responsibility of the organizations that use third-party software to protect their business interests and property from a damaging cyber-attack.
To do so, there are five key steps to create a successful and effective risk mitigation strategy:
Inventory all third-party risk sources—You can’t secure what you don’t know about. It is critical for organizations to understand all third-party software they rely on, and which of those have the highest possibility of introducing the highest levels of risk.
Defense-in-depth—Cyber security is an asymmetric battlefield, where the attacker will always have the upper hand, and security controls will ultimately fail given enough attacker effort. Organizations must build their defenses so that if an attacker bypasses one component, the entire system does not fail.
Assume a breach is inevitable—Once an organization accepts that a cyber attack is unavoidable, they can invest heavily in detecting and responding to breaches faster, reducing the average time to resolution, and limiting the damage an attacker can achieve.
Build security requirements into every vendor contract—A strong policy with logical terms is the best place to start. When organizations use their economic buying power to influence the security of third-party software providers, expectations around cyber security rise to the benefit of the whole community.
Trust, but more importantly, verify—Assessing the security of third-party software used in your organization ensures that it is free of threats. Automated techniques such as Software Behavior Computation identify what the software code actually does and provide information about potentially malicious code.
Using Behavior Computation to Mitigate Risk
Organizations rely on CodeHunter™ to assess the true nature of the third-party applications they use. The platform’s Supply Chain Security use case applies behavior computation to compiled binaries regardless of their origin or provenance, without requiring access to source code. Routine use of CodeHunter™ in both Information Technology and Operational Technology environments can help reduce enterprise risk from corrupted supply chain and open-source code. Because applications are developed and distributed across a wide range of systems, it is critical to assess third-party software at every distribution and usage point.
Using CodeHunter™, organizations can:
Identify malicious content in legitimate software before it affects your critical business operations
Detect embedded malware invisible to existing security solutions, such as sandboxing and anti-virus
Automate reverse engineering of suspicious files without requiring access to source code
Experience a 95% reduction in time conducting an in-depth analysis of software
Reduce the time to discovery from weeks/months to minutes/hours
Adopting technology that uses behavior computation over more traditional methods is the future of cyber security and a pivotal step to avoiding future software attacks.
In reality, it’s infeasible for a company to rely solely on software they produce. Banks are in the business of being banks, hospitals are in the business of being hospitals, not writing C compilers, or developing operating systems for their sole use. Organizational reliance on third-party software will always be present, but prioritizing security will ensure that this software is free of vulnerabilities, whether inserted intentionally or unknowingly.
Behavior Computation has picked up where sandboxing, dynamic analysis, and machine learning have left off, and is resistant to evasion techniques targeted at those threat detection methods. Using behavior computation reduces the risk of malicious, unknown code passing through DevOps security checks.
CodeHunter™, the first platform of its kind in the cyber community, computes the full behavior of software as executed by the CPU and makes any obfuscation, spaghetti logic, dead-end code, or other evasion techniques useless. Once exposed, developers can determine the software’s true capabilities.