Organizations are constantly monitoring, detecting and trying to respond to alerts and potential threats to their environment from a broad number of sources. One source in particular that can be a bit elusive, and is much less discussed, is supply chain security. Organizations spend a lot of time trying to understand when unauthorized devices are added to their networks, and then how they are secured and monitored. As a general rule, we are not rigorously inspecting and analyzing the devices we receive from our trusted suppliers, which is understandable since the skills and tools to inspect these devices are not those of your typical security practitioner.
How the federal government secures supply chains
Suppliers themselves do spend a lot of time and effort understanding and securing their supply chains, and the government has rigorous programs, including DHS’s strategy and DARPA SHIELD. However, when you look beyond suppliers and the federal government, there appears to be a fairly significant drop off regarding capability and focus. As hardware consumers, we assume that the sources we’re buying from are trustworthy, and that the security of those devices is included in the cost of the hardware. But by making that assumption, we open ourselves up to, or at least disregard, a potential risk.
Potential threats in the supply chain are common
I’m not going to jump into a “the sky is falling and all your hardware is compromised” diatribe, but as you consider all the potential risks to your organization, it is good to keep potential threats in your supply chain on your radar. And it’s not like these risks are unprecedented. There are examples of vendors shipping new and refurbished hardware with spyware, as in the cases of Lenovo pre-installing spyware on its laptops and Dell warning of malware of server motherboards. There is also proof of concept software that has been built that, at the time of release, could be leveraged on over 100 different motherboards. And every year at Defcon, along with beard, beer cooling and car hacking contests, there is also a contest to specifically access anti-tamper (tamper evident) equipment and its packaging. This is not purely FUD (fear, uncertainty and doubt).
How to secure the supply chain
So, what can you do about it? Obviously researching how your suppliers protect their supply chain and holding them accountable is a good start, but that doesn’t help after the fact. As a rule, you should be cautious about refurbished equipment, especially when it is not coming directly from the OEM supplier. But if a device is compromised, regardless if it’s done using hardware, malware or something else, there will be some form of communication with an external source in order for these capabilities to exfiltration data or remotely execute actions. Protecting your network comes down to standard security operations and monitoring of network communications that occurs in the enterprise from the endpoint to the perimeter.
Challenges to supply chain security
However, there are two challenges with this approach. First, if your affected asset is a laptop or mobile device, there is the opportunity to leverage open Wi-Fi (as described by Jonathan Brossard in the previously cited whitepaper), which you can’t monitor. And your fixed infrastructure can also compromise your broader network as well. For example, a compromised server with restricted internet access may still be able to access your guest Wi-Fi to connect to an external site and download a malicious set of command and control instructions.
The second problem is the common issue of having way too much to monitor. How do you sift through all the traffic that is originating from internal sources? Although whitelisting and user agent strings are great ways to ensure that network traffic is only going to authorized locations, they don’t always enable you to identify the issue. Being able to detect an unusually large quantity of user agent failures or failed web requests might be one of your best methods to identify this type of communications, but because of the sheer volume of events, this is frequently infeasible.
How security automation enables supply chain security
This is where security automation can be your friend, by helping you model the identification of false positives, benign and ultimately malicious communication attempts at machine speeds. One thing you can do is be proactive about investigating network sessions that are going to new or unknown destinations and automatically notifying (via Slack, email, ticket, etc.) your security team. And if you’re having difficulty doing the investigation on the destinations address (IP/URL/domain), you can use automation to leverage investigations resources, like WhoIS, Domain, ASN, GeoIP, or threat intelligence information. These can be leveraged to automatically identify potentially malicious destination addresses and make the process of triaging massive amounts of network sessions more manageable.