Adam Louca: So what they did is, before that, they send their own spy in who added four lines of code to the software. So these four lines of code were then subsequently stolen by the KGB agent who came back to Russia, came back to the USSR at that point, and said, “I’ve done a great job, I’ve nicked this software, here we go, let's go and use it,” and then a few days later it blew up the pipeline. It was described as the most powerful non-nuclear explosion ever seen.
Michael Bird: Hello and welcome to Explain IT, brought to you by Softcat; the show for IT professionals by IT professionals that aims to simplify the complex and often overcomplicated bits of Enterprise IT without compromising on detail. I'm host Michael Bird and over the next 30 or so minutes I'll be challenging our panel of experts to take a different area of the IT ecosystem and, of course explain it. So in this episode we’re going to be taking a look at supply chain attacks, we're going to be exploring the history, understanding how they impact organisations today and understanding what's in store for the future. And with me to help is Adam Louca who is Softcat’s Chief Technologist for security - Adam welcome back to the show again, this is your second show in series two, so we’ve already had one interesting fact from you, have you brought another interesting fact with you today?
Adam Louca: I have dug through the archives and found an additional interesting fact about myself. So when I was about seven or eight I had to have surgery on my leg because I had a bone growth, so essentially on my knee – my knee was continuing growing and coming out the side, so they sliced me open and took basically a planer the side of my leg and shaved bone down.
Michael Bird: Wait so you had an extra bone growing out of your knee?
Adam Louca: Yeah basically. I use it as an excuse as to why I'm not very good at sport, but I'm not sure that's the truth.
Michael Bird: Fair enough. And with us to help we’ve also got Rob Hillier who is a Senior Security Consultant at XQ Cyber, Rob welcome to the show. What is your interesting fact?
Rob Hillier: In recent times one of the most silly things is that I managed to make the first headline on the RNLI website for a year when, out kitesurfing, someone mistook my orange and green kite for a flare and called out the RNLI, they launched the boat, a whole search for this flare, they came over to us in the boat and said, “Have you guys seen a flare?” “No,” we're on our way back in by this point. Ten minutes later they come back, “What colour is your kite?” Turns out someone on the beach had thought my bright orange kite was a flare and that made number one rescue of the year for January RNLI News website.
Michael Bird: That is an awesome story, I like that. Listeners, I'm going to try and dig out the article and put on the show notes because I think that's absolutely brilliant.
Let's start from the beginning then, what exactly is a supply chain attack?
Adam Louca: So a supply chain attack is any attack that aims to damage an organisation by targeting less secure elements in its network.
Michael Bird: So by definition the supply chain or other elements that maybe aren't in the central hub of the organisation?
Adam Louca: Yes 100% so anything that feeds into or feeds out from your organisation. It's really interesting, so supply chain attacks have been around for a long time in various different guises so I think when people think about supply chain attacks, they think about them as a very modern concept but actually they have a long drawn-out history, they were used in war to starve out enemies - why would you fight an army of people directly when you could go and attack their food source? If we think about sieges, sieges are one of the really obvious examples of the supply chain attack, if you can put your army around a castle and stop them getting their food in and keep them inside, you cut off their supply chain, all of a sudden people start to starve and very quickly they their will falters and they put the white flag out and surrender. So why would you knock down the castle, which you know is impossible, it's a very difficult task, actually it's very easy to attack that supply chain. If we sort of wind forward to more modern times, a really great example which I really like is in the height of the Cold War, in ’82, the KGB had gone to steal some management software for their new gas pipeline that they were building, the trans-Siberian gas pipeline, so they decided, ok we're going to do this really clever idea, we're going to send an agent, a Russian KGB agent, to this Canadian company and we're going to get him to get a job then we’re going to nick this software and we’re going to take it back to Russia and use it. So what happened was the CIA found out about this, that the KGB was going to Canada to implant a person, and they decided they would double cross them. So what they did is, before that, they sent their own spy in who added four lines of code to the software, so these four lines of codes were then subsequently stolen by the KGB agent who came back to Russia, came back to the USSR at that point and said, “I've done a great job, I’ve nicked this software, here we go, let's go and use it,” and then a few days later it blew up the pipeline. It was described as the most powerful explosion, non-nuclear explosion, ever seen.
Michael Bird: Oh my goodness!
Adam Louca: So it was pretty serious and it was achieved without a single missile or a bomb.
Michael Bird: This Canadian company, in the middle of nowhere, must have been like, “Why are all these people want to start joining our company?!”
Adam Louca: The people aspect of supply chain is a very weak element. What's really, for me, very interesting is even though it went pretty badly for the KGB they actually decided that this was a great thing to continue doing, so during the 70s and 80s there was a department called Line X, which had 200 agents working for it, and in 10 different KGB stations in western countries, so these are USSR KGB agents in western countries and what they were doing is they were stealing metal parts, software, blueprints, documents, radar systems, computer systems, semiconductors - stealing all this intellectual property and they were taking it back to the USSR and they were using it to advance their own technical prowess without having to do any of the work. So it is amazing to see the history in these types of attacks and I think when people think about this they generally see it as a pretty modern problem but it's something that's been going on for many years.
Rob Hillier: As an area of the digital world, it’s a quite a complex one. So when you look at supply chain, there are organisations which you take software from and you trust them. There are a few different branches to it I see - there are loads that you have no relationship with, in the supply chain quite often, as the historical supply chain goes, you've normally got a contractual relationship with an organisation, in the digital world you can download 7-Zip and it's all on your work stations, you don't have a contractual relationship with them, so you've got a lot less control over it. Actually there’s quite a lot more complexity to the digital supply chain than the actual physical one where you see the box. And then the other parts of the supply chain are, in the digital world quite often you give out your IP to a third party organisation, so we’ve seen supply chain attacks which are targeting organisations to steal their IP or their client database, like the Paradise attacks where it wasn't an attack against the organisation to try and get into the network, they wanted the data, and as that was being given out to a third party, that was actually a really key part of the supply chain, is where you’re storing your IP, rather that taking software off them, it’s what you’re giving to the organisation.
Adam Louca: I think that's what's really interesting. I guess when we consider the supply chain it's a bi-directional relationship now rather than just a supplier relationship. Even take Softcat for example, we use external agencies for various different functions, as you would expect, marketing, we have external agencies there, and you consider the types of data we potentially share with those organisations and the ability to need to understand actually the competence of those organisations to handle that data effectively, to process it effectively and to store it effectively, as ultimately there is a transfer of risk there and there is a transfer of responsibility and while the breach might not directly be yours, the perception from customers, markets and regulators could still see that actually fall back on your doors, rather than on the supplier itself.
Michael Bird: So why do attackers attack the supply chain, is it an easier thing to do?
Adam Louca: From my perspective there's two sides to this, there is the easiness side, so how difficult it is to attack, potentially, the intended recipient or intended target, so if you take a large organisation for example, actually very mature cyber security defences, process, policy, procedure and technology, it might actually be pretty difficult to attack that organisation. Now looking at who their suppliers are and looking at who they send data to and also who they receive data from, and services from, you might be able to identify weak links in the chain that enable you to have a much softer target that you can gain access to. So there's very much that side, which is the obvious one. The other site is also scale - a reason to attack a supply chain is that one single supplier will supply many, many hundreds or thousands or even millions of different organisations. So in the example of software libraries this is a really good way of getting, potentially, large amounts of malware or large amounts of access or potentially crypto mining, is another example, we’ve covered that last season. As a reminder, crypto mining is a small piece of software that allows you to generate cryptocurrencies by stealing the CPU cycles on your computer. Now if you imagine that scenario, you’re a bad guy sitting here going, “ok I really want to get lots of crypto miners out there,” well a really slow way of doing that would be trying to target each individual person individually. Yes, you'd be successful, but actually wouldn't get you to scale very quickly. You think about a much more effective way of doing that is taking something like 7-Zip or something like WinZip, or something that everyone uses, VLC, Media Player, and actually hacking VLC or hacking 7-Zip or hacking one of these types of companies, embedding your malware in their piece of technology and now you think about the millions of people every day who download VLC, who download those types of software, and all of a sudden from one single attack you've managed to pull off, you've managed to impact a far greater amount of targets. So that's very much an amplification effect of your effort versus your return.
Michael Bird: Let’s switch focus a little bit then to organisations, to many of our listeners. What can an organisation do to protect themselves against supply chain attacks?
Adam Louca: You need to understand who you are and who is likely to be attacking you and therefore you need to understand if you are likely to be a target or if you are probably more likely to be in the collateral damage phase or actually just being caught up in mass. If you're in the latter category, so you're non-targeted, you've got to conside,r number one, who you're getting your software from, are they reputable? Do you have any mechanisms to check that software? And your ability to check that will be dependent on your technical skill, but also the tooling you have in place, there are a number of tools out there that will allow you to perform static and dynamic analysis. So static code analysis is where you look at the source code, so where the technology, or whatever you're using is open source, so where that source is readable. You can use the static analysis tools to look at the source and actually look at it and go, “Is there anything in there, is there anything that potentially is malicious?” and identify that. Dynamic analysis is whereby you don't need the source code, it's already compiled so you’ve now got the executable, the end unit and you emulate it, you run that software and you look to see what it does, so sandboxing is an example of dynamic analysis. And what you're doing there is you're looking for behaviours that the executable or the application performs and you're looking to see, ok is that behaviour potentially malicious, so it's an indicator of compromise or an indicator of malicious intent. They’re your two main strategies for doing this and then the next thing is whether you're going to do it pre execution or post execution. What that means is whether you’re going to do your analysis before anything has actually tried to run it - that's where, typically, you'll be using signatures or you’ll be using various other techniques to identify known bads, or certain characteristics that can be seen before execution, so actually, file sizes, certain header information inside the executable header to say this looks like a bad executable, let’s detect that. On the other side you've got the post execution stuff, which is much more behavioral and heuristic, that is then looking to see, actually once this executable has done something, has it gone to speak out to a third party server, is it trying to pull my CPU cycles, has it started encrypting all my files, is it trying to escalate privileges, is it trying to do something that would be very unusual for a reasonable or authentic executable to do? That's that side, so that's very much testing and looking after the stuff that you're pulling in. The second side, I guess is much more to do with teaching your users about where they get their software from, so that security awareness piece, and also about where they put their data to. So this is now less of the inbound, more of the outbound, if you're going to be sharing with a third party, what validation have you done that they're going to treat your data securely? How do you understand the risk and their approach to cyber security? One of the things we're trying to get our customers to think about more regularly is testing their supply chain. So if you're going to be sending sensitive information out, how well do you understand the competence of that organisation?
Michael Bird: Surely, I mean GDPR must have an impact on that, that must have helped to spur that on a little bit?
Adam Louca: I think to some extent. As always, changes in regulation bring certain things the forefront of the mind and I think people are doing a much better job of identifying where data is flowing to, so they’re getting a better job of looking at how data is being processed and how it's being used. I don't always think that ties back to a technical security analysis. Rob Hillier: And that's an area where it's quite key. Also GDPR, as you touched on, is all focused on personal information, that is the whole aspect of it. An organisation holds more sensitive information than just personal information. Especially in the manufacturing industry, it has designs and various bits of IP which wouldn't be covered under GDPR because they're not a part of that concern. It's helped to highlight and bring that to mind, but by no means a silver bullet to try and help people. That’s one of the things that CyberScore, which is a tool from XQ Cyber, is looking to help address, is actually giving people visibility of the technical controls inside their supply chain. What it lets you do is have an organisation that is supplying to you run a scan of their network for common vulnerabilities, default credentials, things like that and it won't ever tell you their vulnerabilities, because that's quite sensitive to them as an organisation, but it will give you an overall score which you can then compare to the kind of market or sector equivalent. Or you can just decide any score that suits you for that supplier, so if they score between 1 and 10, and that gives you an unbiased technical review of their network. The real challenge still around that, is scope, so what do you class as scope for an organisation when you start to do technical audits of them? The same thing happens within more mature supplier relationships, where banks and other parts actually send pen tests in to test certain parts of the organisation where their data’s being held. It’s still a question of understanding scope on the network that it’s being held on and indeed the onward supply chain.
Adam Louca: The other thing, I guess, is also some of the real basics. Number one, do you know who your suppliers are and what your supply chain? It’s really hard, if I'm honest, to understand absolutely every part of your supply chain. Even if you are a very mature organisation and think you've got a handle over at, there's always always always little bits that you can't capture. It is an incredibly complex ecosystem out there. So I think you do have to be pragmatic, but you have to identify where the risks are, and take a risk based approach. Who are your critical and key suppliers, what data are you moving to them that is sensitive, and what onward access do these suppliers have? One of the areas I think a lot of people could improve on that I would love to see people take a bit of initiative around is around managing onward access for remote suppliers. So the number of customers I still go in to today who say, “ok we have this management services contract, we have this supply contract with this, this and that,” and the access controls they give those people are so broad that actually they can get onto their network and see everything, but yet they're only managing one single system. You think, you're exposing yourself to loads of risk for really minimal value. We’re trying to take customers towards a place whereby you have an identity driven security model so you’re taking the network back to being an untrusted zone and it's just a transit mechanism. So being able to identify where a supplier needs to access and only give them just enough access, is really going to help you mitigate potentially any issues that come from that particular angle. And I just think it's something we can all do relatively easily, that would give quite a significant amount of value back. If you were Target, and you’d done that, you’ve potentially saved yourself 76 million dollars, which was the cost to remediate that 40 million cards that were breached, and caused their share price to drop 46%, so something really simple can really have quite a big impact.
Rob Hillier: Yeah I completely agree with you. I think as with all elements of security, the basics - getting them right - is key. In all the places I see, actually I'm quite endlessly surprised at, not to the digital level of what's installed on systems, I’ve gone to places which have been large organisations with tens of thousands of devices and gone, “ok can you tell me what device this user has?” or, “can you actually tell me all of the devices that connect to your network, that you are meant to be in control of?” There's a big challenge there that we need to get over time and I think it is getting better, but in the digital ecosystem, understanding what is installed on our systems, where they update from, where all of the servers come from and where are network links go out to, I think there’s a base level of understanding about your environment which is sometimes missing in organisations and it's absolutely key. You can't build defence and depth unless you understand what you're trying to protect and where your threats are.
Michael Bird: So if you could give a top five things organisations should be considering and should do, what would be your top five?
Adam Louca: Number one, you've got to identify who is in your supply chain and what risk they pose to you, so understanding what data you’re pushing to those organisations but also understanding what you're receiving from those organisations, so just getting an inventory of where your data is flowing in and out to, is really important.
Rob Hiller: I'd say number two would probably be setting minimum standards, so understanding, especially for those you give out your IP to, a minimum standard for how they hold that data, how they look after it and the network they put that data into, but also if you're letting them connect back into your network, what standards have they got to prevent themselves been compromised and using that as a conduit into your organisation? So that will be a mixture of technical audit and also of process controls and documentation.
Adam Louca: I think number three expands on that point. So network segmentation - so slicing your network up into very small units that allows you to restrict the amount of access people are given to just the amount needed. Network segmentation is not a simple thing but it is something organisations can start to do to go from one big flat network, even just down to two or three segments can have a big impact on your risk.
Rob Hillier: Maybe number four would be around actually being able to detect malicious activity. So if you’ve got your network segmented, brilliant, you’ve actually got to notice someone jumping between the two trust segments to say, “Is that person meant to be doing it, is it not?” as well as other heuristic controls, so are they accessing known bad websites? A lot of lists are maintained about malware, commodity malware, where it calls back to, and having that detection - what are your users on your network actually talking to on the internet? - and being able to respond to that information.
Adam Louca: The last thing for me, if you perform development, whether that’s in-house development where you are maybe building parts on to your website or building full-blown applications, understanding where your libraries are coming from, so where you’re pulling code in from, but also the packages that you’re using, so you understand the legitimacy and authenticity of that information that’s coming in, but also I think where you don't run that internally, maintaining standards for third-party development companies to use a little bit like the second point we made, so maintaining that expectation of your supply chain to act in your best interest and to minimise risk, where possible.
Michael Bird: So let's talk about the future then, so where do we see this going?
Adam Louca: From my perspective, I can't see supply chain attacks going away, they are too effective for attackers, they give them too much scale or they allow them to hide the targets of their attack too effectively. What I do expect to see is organisations will become much more aware of these types of attacks and will take measures to identify them and to detect these attackers as they use this mechanism to obtain access on to their network. I think user awareness will increase and we will move to a less trusting position as users move away from expecting things that they get from the internet to be positive for them so actually people will perform more due diligence before they potentially download software onto their phone. And I expect to see the providers of those software increase the controls around stopping what applications can do by default. I think we've previously had a very open system and we’re now going to move to an environment where everything will much more closed and actually you will have to request access to do anything additional. I think we’re already seeing that with the permissions models that are coming in on Android phones. iOS already has a very strong sandboxed approached in terms of how applications can interact with each other. We’re seeing that very much come onto the Windows operating system with the Windows Store, but various other app white listing techniques and that's all due to supply chain attacks, that’s all due to the fact that attacks are coming down via these mechanisms.
Rob Hillier: I too think they're going to evolve and grow. I think actually what we might see is a slight change of who's able to and who’s targeting these attacks, in terms of doing them. So whilst historically it's been a high-level nation state, or very high level organised crime, the accessibility is going to carry on moving down and be more targeted towards the lower script, kiddie level of organisations, they’ll see if they can compromise one part, can they then spin it out to being more. So I think we’ve seen that historically, as attacks mature, the audience that can leverage them also changes. I don’t think the top-level actors are ever going to stop, because I think it’s such a key way of getting into organisations without those defences. I think there's a few bits organisations can do, so rather than just auditing supply chains based on questionnaires, actually having more apparent and technical controls so be that CyberScore or any other ways of looking at getting an unbiased review of the technical state of a network and its scope. Maybe we’ll even get something like an Experian for cyber security in your supply chain, where actually you have one audit that you do in detail in your organisation on a fairly regular basis, and other companies can request to see what is your cyber security status. That I think will be an ideal, I don’t know if we’ll ever get there, but I think there's definitely room for that level of approach within the supply chain, to give assurance that actually, it's not just a questionnaire, it's not just technical controls but it’s someone that’s come in, looked at the scope, looked at the technical controls and reviewed them. And as Adam touched on, the controls within the network, so I think operating systems are ever-evolving to have less trust in what's installed on them. There's a few different ways there that we're going to see some changes in the future and in terms of supply chain attacks, I don’t think they’re going away, it’s a case of defending against them and doing your best to make yourself the most expensive target for your attacker. I think when we talk about the attacker’s mentality, no matter what level of attack you’re talking about, you can make it as costly as possible to them by having a defence and depth, so auditing your supply chain, creating your network in the most secure way possible, making sure all of your software is up to date, each of these increases the cost for a skilled attacker, even a nation state, if they’ve got to use a zero day attack that they’ve developed, as soon as they’ve used it, they don't know if it’s then compromised, they don't know if you've sent it on to a third party, your own nation state or an AV vendor, so for them to actually consider using these attacks, there’s got to be a worthwhile prize at the end of game. The harder you make it to attack yourself, the better your position will be, and I think that's going to be very important around the whole supply chain side of things. So making yourself that higher level target so that hopefully the people who want your stuff are not going to be willing to pay the price for it, in terms of risk.
Michael Bird: Ok so to summarise?
Adam Louca: So a supply chain attack is any attack that damages an organisation by targeting a less protected part of it. Supply chain attacks aren't going away, they amplify the effect attackers have and the cost required to compromise a target and ultimately they’re going to drop from the tool bag of nation-state and high-level actors into more of your typical threat actors that most of us would expect to see day to day as businesses.
Rob Hillier: And as organisations, when we’re trying to look to defend against these, it’s all going to be about defence and depth. We’ve talked through five key elements that can add depth to, one is a really key part, identify what we've got, the second of them is setting some minimum standards for our supply chain - what we expect of them – third, network segmentation, making sure we split the network well, fourth one of these, detecting activity, so what's going on on your network - there's no point having the best controls if you don't actually notice when they’re alerting you, and then the fifth which is more if you’re development organisation, is really being cognizant of what makes up your development toolchain, where you’re pulling in software from and how trusted that is.
Michael Bird: Adam, Rob, thanks for coming in to the show and for giving up your time to talk to us about supply chain attacks. Listeners, if there's anything in this show that has been of interest, or if you'd like to talk to someone at Softcat about anything in this episode, do check out the show notes. We’ll also include some links to some of the stuff we talked about today. Please also make sure you click subscribe wherever you get your podcast and we’ll be delivering the next episode to your device as soon as it lands. So thank you very much for listening to Explain IT from Softcat.