CSO Perspectives (Pro) 2.7.22
Ep 68 | 2.7.22

Pt 1 – Supply chains.


Rick Howard: Because of the various intrusion kill chain models, like the Lockheed Martin model, the MITRE ATT&CK framework and the diamond model, network defenders have known for at least a decade that cyber adversaries have to string a series of actions together in order to accomplish their goals. One of those actions is to establish a beachhead on the victim's network somewhere. Gaining that foothold would allow them to start moving laterally to find the data they've come to steal, destroy or hold hostage. Traditionally, in order to counter that important first step, network defenders have focused on direct attacks on our most important and material information and the digital islands where we store it all, like traditional perimeter, endpoints, SaaS, IoT, infrastructure in the cloud and platforms in the cloud.

Rick Howard: The main attack techniques adversaries have used to gain that initial access have been phishing, watering hole attacks and other social engineering scams. And preventing those have been hard enough. Until recently, though, most of us have totally ignored an indirect way to establish the beachhead - a backdoor way going around our frontline defenses through the supply chain. Now, to be fair, most of us knew that this indirect attack vector was a potential problem. We just hadn't seen it pop up in traditional attacks that often. But this past year, it feels like the bad guys have just discovered this path, with some recent high-profile compromises like the attacks against SolarWinds and the Log4j vulnerability. 


Unidentified Person #1: A so-called supply chain attack against SolarWinds, a company that specializes in network tools, gave hackers access to potentially thousands of targets. 

Unidentified Person #2: The SolarWinds hack was, and really is - continues to be one of the biggest espionage campaigns recently discovered. 

Unidentified Person #3: Log4Shell is the nickname given to a critical zero-day vulnerability. And it has a maximum severity score of 10. By the weekend, it had become widely known to be a huge concern, given its ease of attack and the potential for compromising servers given its attack surface is relatively ubiquitous and used across millions of applications. 

Rick Howard: Digital supply chain defense just became the attack vector that network defenders have to worry about in 2022. Let's find out how we got here and what we can do about it. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor. And you are listening to CSO Perspectives, my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: So we absolutely knew that attacks leveraging those back-alley supply chain paths could be immaterial to the business. After all, supply chain management in the physical world has been a material part of the business since ancient times. In the industrial age, Frederick Taylor, the founder of industrial engineering, wrote "The Principles of Scientific Management" in 1911. He sought to apply scientific rigor to running business operations. This is from a 2000 YouTube clip of how Taylor used his scientific management ideas to improve worker productivity along the Ford Motor Company's Model T assembly line. 


Unidentified Person #4: As he reorganized his factory to turn out Model T's, he was influenced by the efficiency expert Frederick Taylor. Taylor complained that hardly a workman can be found who doesn't devote his time to studying just how slowly he can work. And then he devoted his life to speeding them up. 

Rick Howard: This is the same year - 1911 - UPS opened its doors and global supply chains started to take shape. By the 1940s and during World War II, the military on all sides of the conflict became interested in how to efficiently move large pallets of materials around the world and started calling it supply chain engineering. When computers entered the picture in the 1960s, researchers began automating the process of warehousing, material handling and freight transportation. By the 1970s, DHL and FedEx had started their operations, and J.C. Penney built their first - just in time - warehouse management system. In the next decade, 1982, a Booz Allen Hamilton consultant named Keith Oliver coined the term supply chain management, defining it as, quote, "the process of planning, implementing and controlling the operations of the supply chain with the purpose to satisfy customer requirements as efficiently as possible. It spans all movement and storage of raw materials, work-in-process inventory and finished goods from point of origin to point of consumption," end quote. 

Rick Howard: If any of that sounds familiar, work in progress is also how Gene Kim described DevOps in his cybersecurity canon hall of fame book "The Phoenix Project," which is about many things. But here specifically, it's about how building software is similar to an assembly line - like building cars at the Ford Motor Company - and has similar problems. Quote, "we know that WIP or work in progress is one of the root causes for chronic due-date problems, quality issues and expediters having to rejuggle priorities every day," end quote. From the 1980s to the early 1990s, the entire world began to prepare for Y2K. And if you don't remember what that is, according to Clay Halton at Investopedia, quote, "Y2K was commonly used to refer to a widespread computer programming shortcut that was expected to cause extensive havoc as the year changed from 1999 to 2000," end quote. 


Unidentified Person #5: There still exists a general state of either denial, complacency or even apathy about both the reality and the potential effects of Y2K. 

Rick Howard: For that concern, researchers invented enterprise resource planning, or ERP. And the IT industry spent tons of resources to make sure digital Armageddon didn't happen, and I was one of those guys. I was stationed at the Pentagon at the time, running the network for the Army's command operations center. And all of us in the center that night followed the sun by watching giant video screens, watching important cities and news feeds as the date clicked over from 1999 to 2000. And at the end of the day, when nothing happened, the eternal chicken and the egg question emerged. Did our Y2K efforts prevent the disaster? Or did we all overreact and didn't really have a problem in the first place? A question for the ages. I will leave that as an exercise for all of you to ponder. 

Rick Howard: But in 1998, Microsoft rolled out Windows Update for its Windows 98 operating system for the first time. 


Rick Howard: Now, some technology vendors offered this over-the-internet update in various forms before this. But I can make a strong case that this is the point when we all needed to start worrying about digital supply chains. At this point, everybody had some version of the Windows operating system running somewhere. This was the first time that a potential digital supply chain attack could go global instantaneously. Before Windows Update, we all did software updates with floppy disk and, later, CD-ROMs. Bad guys could still insert Trojan horses into vendor code, but the new code distribution system was via snail mail. The potential impact was present, but it wasn't instantaneous. 

Rick Howard: After Windows Update came out, the practice of upgrading your software via the internet started to become acceptable. Today, it's common practice. Most people don't think twice about clicking the upgrade button on whatever software they're running. By the 2000s, the concept of managing supply chains became so important that in 2005, the Council of Logistics Management changed its name to the Council of Supply Chain Management Professionals. In the digital space, GitHub launched its first platform in 2008. And that same year, Synopsys released its first version of the Building Security In Maturity Model, or BSIMM. For the nontechies out there, GitHub is a cloud-based service that helps developers manage their code storage via git, spelled G-I-T, an open-source version control system created by Linus Torvalds in 2005.


Linus Torvalds: And the key word here is actually the distributed parts. There's a lot of SCM systems that do not guarantee that what you get out of it again is the same thing you put in. The end result was I decided I can write something better than anything out there in two weeks. And I was right.

Rick Howard: Recently, hackers have been leveraging Git to exploit the Log4j vulnerability. The BSIMM project quantifies software security development best practices by interviewing commercial vendors who have mature development houses. One of BSIMM's best practices is managing software bill of materials, or SBOMs, for all the software packages running in your organization. I mention SBOMs because that concept has been bouncing around the industry for years as one way to reduce the risk of digital supply chains. But it hasn't really gained that much traction until last year. U.S. President Biden mandated that all federal civilian executive branch agencies and key players start using SBOMs by the spring of 2022. That's just coming up. He published that in his executive order 14028 last year.

Rick Howard: An SBOM is a formal record containing the details and supply chain relationships of various components used in building software. According to the NIST Cybersecurity Framework, quote, "If an organization does not know what its software contains, it should assume that the software is compromised and develop an appropriate risk management plan," end quote. SBOMs could help solve that issue for most organizations. Today, very little software is completely original. On average, 75% of a software product is open-source code, meaning developers are using existing and freely available software components written by somebody else to create their products. This presents a cyber risk management problem because customers typically receive software products without understanding the nested software contained within them. In September 2020, the U.S. Department of Defense published their initial vision of the Cybersecurity Maturity Model Certification program that mandates several SBOM milestones. The very next year, the specification by the Software Package Data Exchange, or SPDX for short, became the international open standard for security, license compliance and other software supply chain artifacts. In other words, they became the official XBOM standards body. 

Rick Howard: Despite only being internationally recognized for a short while, companies like Intel, Microsoft, Sony and VMware are already using the SPDX standards to communicate SBOM information. But it wasn't an overnight invention, though. It was the result of 10 years of collaboration from vendors across the software composition analysis space, or SCA for short. The SCA space represents tools that assess open source software, code libraries and containers to provide a unified view of risks and mediations and to offer strategies to keep this kind of software up to date. With the U.S. government mandating SBOM requirements, vendors that sell to the U.S. government will have to comply. It's tough to predict these things, but once government contractors routinely provide SBOM information, that capability becomes a discriminator against other software vendors. In the commercial space, why would you pick a vendor who doesn't provide SBOM telemetry when other vendors are available who do? If this works out, the presidential directive could fast track SBOMs as an existing standard to protect against supply chain vulnerabilities. 

Rick Howard: In the physical world, the supply chain is somewhat linear. Order parts, ship to a consolidation port, sail to a receiving port and transport goods to a final destination. Technologies like machine learning, the Internet of Things, automation and sensors are transforming the way companies manufacture, maintain and distribute new products and services. Businesses are calling it Industry 4.0, and it's totally built on the modernized supply chain. But it's still mostly linear. In the digital world, the supply chain isn't linear at all. According to one analyst at Oracle, quote, "It's a complex collection of disparate networks that can be accessed 24 hours a day. At the center of these networks are consumers expecting their orders to be fulfilled when they want them, the way they want them," end quote. In many cases, vendors deliver software and software updates right to the home or to the business. When you look at first principle strategies that will have the greatest impact on reducing the probability of material impact due to a digital supply chain attack, we all have to turn to zero trust. From the original John Kindervag whitepaper, we implement the zero-trust philosophy by reducing the attack surface as much as possible and allowing employees and contractors access to the data and workloads they need to do their jobs and nothing else.

Rick Howard: For the digital supply chain, two tactics emerge that we have to get right. The first zero-trust tactic is that we must limit access to any application, vendor supplied or anything that you developed, that you have running on your network. For example, in the SolarWinds attack of last year, the main SolarWinds product is a network management platform called Orion. Hackers broke into the SolarWinds network and inserted a remote access trojan, or RAT, into the Orion software package. When SolarWinds customers downloaded the next update, they downloaded the RAT. After the install, victims were running the backdoor code on their Orion platform. Later, hackers leveraged the RAT to gain access to the multiple SolarWinds customer victims running that application. But damage didn't come from that initial beachhead. Once they were on the Orion platform, the hackers moved laterally, leveraging credentials and access granted to the SolarWinds application. In a zero-trust environment, Orion credentials shouldn't have access to anything important most of the time. In the cases where it does need administrator privileges, those escalations shouldn't be allowed without specific approval controls in place. That's reducing the attack surface. That's limiting access. That's zero trust. 

Rick Howard: The second zero-trust tactic is a robust deployment of SBOMs for every vendor product you deploy and for every open-source software component that you use. Now, SBOMs by themselves won't reduce the probability of material impact from your vendors and from these open-source libraries, but they are an essential building block to creating a zero-trust environment from the software that you deploy. In the same way that identity management helps network defenders have complete visibility of every person and every device that's running on your network, SBOMs provide that intelligence for the software that you're using. When issues arise, like the Log4j vulnerability, you'll know immediately if you're impacted because of your SBOM. Again, it doesn't solve the problem, but at least you have a starting point. 

Rick Howard: Digital supply chains are not a new vector. They are an old vector that has been around since at least the late 1990s and probably well before. Nation-state hacker groups have used them for decades. But the technique got noticed in 2021 because of the attacks against a couple of IT vendors - SolarWinds and Accellion - and the Log4j vulnerability stored in GitHub code repositories. To defend against that indirect attack vector, the zero-trust strategy is likely your best bet in reducing the probability of material impact. SBOMs can help, but they are at least five to 10 years away from universal acceptance by all software vendors and GitHub deployments. President Biden's executive order might speed that timeline up a bit, but I'm not holding my breath. There's a lot of work that needs to be done by everybody. In the meantime, the best way to reduce the threat of digital supply chains is to get an inventory of all applications running on your network and the people and machines that have to connect to them for business operations. Once that's in place, you can start implementing some role-based rules about who has access to what.

Rick Howard: And that's a wrap. Next week, I'll be talking to our subject matter experts at the CyberWire Hash Table to see how they handle the Log4j issue and how they are thinking about protecting the digital supply chain going forward. You don't want to miss that. And as always, if you agree or disagree with anything I've said or have any suggestions about what you would like us to cover on the show, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's C-S-O-P - the @ sign - the CyberWire - all one word - dot com. We would love to hear from you. 

Rick Howard: The CyberWire "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.