Introduction
When someone thinks of a cyber attack, they typically think of a hacker breaking into a system and stealing data by exploiting known vulnerabilities in the target software. However, there’s another way to infiltrate software: supply chain attacks. As opposed to a traditional application flaw when an attacker finds a vulnerability in the target software and exploits it, supply chain attacks involve utilizing open source components upon which the target software depends. In other words, an attacker infiltrates the build process of their target. The attacker then uses this as an entry point to introduce malware into the target software.
You might think this kind of attack is an impossible fantasy and requires a high level of sophistication, but it’s not. It’s a very real threat, and it’s getting more common. Let’s look at how these attacks work and why they’re so hard to detect or prevent.
Open source software isn’t just code; it includes code libraries that are easily accessible to anyone who wants them. They’re powerful: many popular technologies like WordPress are built on top of open source libraries, and much of the internet runs on some form of Linux, an open source operating system (OS). Because so much of modern computing relies on open source libraries, any vulnerabilities in those libraries can put millions of users at risk. It doesn’t matter if you use WordPress or not-if you rely on a technology that uses one or more vulnerable open source libraries as part of its core functionality (as most do), your systems could be compromised by supply chain attacks.
How to — Attack Execution:
Choose a popular open source software (OSS) project and add some malicious code to it. This could be anything-a new feature, a minor bug fix, or just random nonsense. Make sure to be sneaky about it so that no one notices. Then wait for someone else to link your code into their own product or pull the latest update with your new code. It won’t take long before devs start embedding the infected library into their system.
This is the premise of a “supply chain” attack. And it uses malware hidden inside inherently trusted software to deliver devastating results.
It’s important to note that supply chain attacks are not targeted at any one person in particular, but rather at anyone who uses the OSS project in question. A successful attack can have massive repercussions across entire industries, with victims having no idea that something bad is happening until long after the deed is done.
What now?
Organizations that are serious about their security posture will want to get involved with running auditing tools to identify potentially malicious code embedded into their dependencies.
This should become a part of the library selection process — as the engineering team puts together the high-level solution during the design phase.
To begin adding assurance in this domain, consider the following:
Maintain an inventory of open source components
- Performing a software composition analysis alone may not be enough to keep up with the evolving threat
Perform an audit against all OSS in the organization for maliciously injected code
- Strategize a risk tolerance level based on the provided risk scoring or using a tailored scoring method for your organization
Embed a security component to open source software selection during the technical design phase of the SDLC that includes checks against known malicious libraries
- Consider performing analysis on libraries before performing production OSS updates
- Automated processes can be configured to prevent OSS library upgrades with new risk scores that negatively deviate from its previous or baseline
- Consider leveraging and contributing to open source security tooling:
- OSFF Scorecard-action is a Github action maintained by the OSFF community
- Analyze OSS libraries using OSS Gadget instantiated by Microsoft
As for defense-in-depth, modern SIEMs that support detection based on behavioral models as opposed to correlation rules alone will provide the organization with improved visibility of an ongoing attack.
Conclusion
Supply chain attacks are becoming increasingly popular. We all know that humans are the weakest link in security. When it comes to malicious code bundled into new features to your favorite OSS libraries, the human element remains constant.
How is your organization protecting itself against these types of risks?
In another piece, I’ll discuss more in-depth about malicious code detection techniques within OSS and how to approach rolling out defense in depth against this risk in your organization.
Originally published at https://www.linkedin.com.
