Insights to Hunting for Software Supply Chain Threats

Written by Phillip Bonilla

Gleaning Lessons from Use Cases

By 2025, Gartner predicts, “45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021."* Organizations everywhere need to start creating playbooks to hunt for software supply chain attacks.

Fortunately, you needn’t go through the resource-intensive process of replicating a software supply chain attack to draft a playbook. Rather, you can look to use cases such as SolarWinds, Codecov, CCleaner, and NotPetya, all of which sparked the development of related security analytics.

By examining these use cases, your hunt team can start building analytics and putting them into action. GitHub is saturated with projects that have hunt-queries built out for each of these use cases. And vendors are more willing than ever to provide adversary detection analytics.

Creating and Contributing Datasets

Building, contributing, and studying large datasets around software supply chain attacks can help organizations elevate their defenses. Hunters and data scientists working together, or dual-hatted individuals, can scour the datasets to uncover new insights that enable better analytics for hunting emerging threats.

For example, in the research paper, "Backstabber’s Knife Collection: A Review of Open-Source Software Supply Chain Attacks," the authors discuss a dataset of 174 malicious software packages that were used in the wild from November 2015 to November 2019. To be clear, these software packages were not examples of coding errors or neglect that led to vulnerabilities being exploited. Rather, they were intentionally malicious and meant to exploit the trust that exists in package repositories.

More than half of the 174 malicious packages aimed to exfiltrate data, and about a third functioned as a dropper to download a second-stage payload. How malicious code is triggered depends on the code and the language. It could be unconditionally launched upon install or runtime; or it could be conditional and only run when certain parameters are met (e.g., not in a sandbox environment, only on certain operating systems, or only when certain hardware is present). Tools like Falco and Package Hunter can help defenders identify malicious packages by monitoring system calls executed during the installation. 

More broadly, network defenders need greater access to large datasets on software supply chain attacks—and they can help bring this about. For instance, Roberto Rodriguez and Jose Luis Rodriguez have created "an open-source initiative—Security Datasets project—that contributes malicious and benign datasets, from different platforms, to the infosec community to expedite data analysis and threat research." Their growing project would benefit greatly from datasets surrounding software supply chain attacks. Threat hunters, security researchers, and data scientists should seek opportunities to contribute such datasets.

Putting Insights into Action

An early definition of threat hunting came in 2017 during Rob Lee's, "Threat Hunting-Modernizing Detection Operations: The SANS 2017 Threat Hunting Survey Results," when he said that hunting, "incorporates intelligence that we learn about our adversaries and using that information to predictively interact with our environment to identify where a future attack might occur." That statement can be divided into three parts, two-thirds of which relate to gleaning lessons from use cases and leveraging datasets for predictive analysis. The final part—identifying where a future attack might occur—depends on putting insights into action.

In other words, hunters need to use historical data on software supply chain attacks to create a hypothesis to start the hunt. Based on the dataset analysis cited above, for instance, you might focus on the tactic of data exfiltration. You could start looking at NetFlow and examine Domain Name System (DNS) logging of request and response traffic, look for connections that don't use DNS, analyze certificate fields, and build a proper understanding of egress points for software.

All these steps would be in addition to monitoring lateral movement, which would include enabling share access auditing, process execution logging, command line argument logging; managing living-off-the-land binaries; and viewing blocked connections from access control lists.

Now, how many software supply chain threats can you uncover? It’s time to get hunting.

Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

 

To sign up for more technical content like this blog post

 

 

And to learn more about Booz Allen’s  comprehensive approach to effectively mitigating supply chain cyber risk

 

 

 

This blog series is brought to you by Booz Allen DarkLabs. Our DarkLabs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.

This article is for informational purposes only; its content may be based on employees’ independent research and does not represent the position or opinion of Booz Allen. Furthermore, Booz Allen disclaims all warranties in the article's content, does not recommend/endorse any third-party products referenced therein, and any reliance and use of the article is at the reader’s sole discretion and risk.

1 - 4 of 8