Software supply chain attacks are not new, but, as we have seen recently, a successful one can have a huge payoff for a sophisticated attacker. Detecting malicious code inserted into a trusted vendor’s security updates is difficult to do at scale. For most organizations it is impractical: the time required to analyze each update outweighs the increased risk of not applying security patches to vulnerable systems in a timely manner. This holds especially true when the software provider’s upstream update servers are themselves compromised and used for command and control of infected victim systems, which rules out the mitigation of restricting the customer’s update management system to egress connections to the vendor only.
Most organizations take months to detect malicious actors who gain a foothold in their network this way, far longer than for more common attack vectors such as compromising vulnerable systems exposed to the internet or spearphishing. A more effective approach to combating software supply chain attacks is therefore to focus on better prevention, detection and response for the actions a threat actor takes after gaining a foothold. These actions, commonly referred to as tactics, techniques and procedures (TTPs), are the activities a threat actor performs to gather information about compromised systems and the internal network, move laterally between systems, elevate their permissions on the network and achieve their primary objectives in compromising it, such as stealing sensitive data or funds, causing service disruptions, establishing long-term persistence or modifying important data.
Selecting, deploying, configuring and tuning an effective detection security stack, however, can be a major undertaking even for mature blue teams. With breach after breach, we have seen that the most effective attackers have the motivation and skill set to invest time in finding ways to evade and bypass security controls, including machine learning algorithms used b ..