Systemic Software Risk in the Enterprise Supply Chain Part 2

In July 2020 the Atlantic Council, a highly-respected international affairs leadership institute based in Washington, DC, published a wide-ranging, evidence-based report titled “Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain” from its Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative. The report provides vital information on threats and priority focus areas for cybersecurity investments for both governments and businesses. This blog post series takes a detailed look at several specific implications of the report’s data and analysis.

 

Blog Post 2: The State of Prevention Today

The Introduction’s first sentence summarizes the research findings: “The state of security in the software supply chain is inadequate and, in some critical respects, getting worse… Attackers capitalizing on vulnerable software supply chains are able to compromise trusted software and important cybersecurity protections to impact large numbers of critical systems.” The recent shift to remote work due to the Coronavirus has dramatically escalated the size and exposure of this class of risk. The authors state, “The implication for national security policymakers and the cybersecurity community across the US and allies is that change is necessary to raise the cost, and lower the impact, of software supply chain attacks.”

Research into 115 documented attacks or reported vulnerabilities over the last 10 years, through Q2 2020, focused on vulnerabilities that enabled injection or distribution of malicious code across a full range of harmful payloads. Similarly, the dataset represents a wide array of codebases—in order of numbers of instances represented, most to least, third-party software, open-source software, attacker applications, first-party OS and applications, third-party firmware, first-party firmware, and unknown. As the report states, “there are as many potential target types in the supply chain as there are types of software.” It calls out software updates, firmware, third-party apps, mobile apps, and open-source libraries as, particularly attractive targets. Figures 4 and 5 (below) show the frequency within the dataset of each attack type overall and over time.

The data show that third-party and open-source code has been the targets of choice throughout the period. Third-party and first-party firmware are increasingly popular targets for attackers, which is particularly problematic because firmware is inherently difficult to patch and has the ability to make privileged edits that often avoid detection by anti-malware programs.

Two examples cited in the report illustrate how insidious these attacks can be:

  1. “The Equation Group demonstrated the potency of these attacks with its GrayFish attack on hard drive firmware, which allowed it to record system data in a nearly inaccessible portion of machine memory for remote extraction at a later point. Removing the data cache was nearly impossible short of destroying the physical system, and even detecting the infection was generally infeasible.”
  2. “In August 2019, McAfee researchers uncovered a vulnerability in Avaya firmware for the 9600 series desk phone, which could have been present at 90 percent of Fortune 500 companies. The bug resulted from the inclusion of unmaintained open-source code and would have allowed attackers to crash a system, run code with root access, and record or listen in on the phone’s audio.”

The authors conclude that “Compromising the software supply chain enables attackers to deliver malicious code in the guise of trusted programs. This can be a terribly effective technique to spread an attack widely and in targeting well-secured systems.” Figure 3 from the report shows how diverse and pervasive attacks are across the entire software supply chain lifecycle. This is a waterfall example, and the report notes that “Agile approaches and the philosophy of continuous integration create new opportunities to quickly propagate risk through a codebase.”

Despite the insecurity of the software supply chain’s having been a “hot-button issue” for both private and public sector organizations for several years, “the problem is not being addressed holistically and software has largely taken a back seat to 5G in public debate.” User vulnerability is rising, and the cross-border nature of the software supply chain means that US companies and agencies are also subject to collateral damage from attacks targeting non-US entities. PhantomLance and KingSlayer are examples of state-sponsored attacks that started in one country and spread easily to other states through overlapping software supply chains and shared software suppliers.

The threats to national security and industry targets are real, severe, and growing. “There are opportunities for improvement and a closing window in which to seize them,” according to the authors. “Despite the destructive potential of software supply chain attacks, little has been done to impose a cost on even the most basic…The sustained growth of software supply chain attacks is caused at a technical level by continued failure to secure code integrity…These are complex technical challenges with neither easy nor immediate solutions…The implication of this for the technology industry and cybersecurity policymaking community is a crisis in waiting.”