Dominos being carefully placed

Software is mostly other people’s work, written to contribute to the greater good. But not all coders are equal in training, skill and intention. And even good guys make mistakes. Sound like a reasonable foundation on which to rest your organization?

XDR (Extended Detection and Response) Can Help

XDR Is Part of a Layered Security Approach

We all use software that is built on a foundation of strangers’ work. Even if you hire a developer to write a custom application, that application calls functions that someone else programmed earlier. This means code weaknesses — put there either accidentally (like from mistyping) or maliciously by a criminal — end up in many different kinds of software. And these weaknesses can be exploited by criminals.

Eighty to ninety percent of modern application code is open source, Varun Badhwar of Endor Labs (used in code development by Bryley partner VMware) told The Register.1 “So when you’re using that much code from complete strangers on the internet that you know nothing about … historically there’s been this implicit trust in the open source ecosystem … [but now] attackers are looking at this and seeing a developer in a large enterprise [going] to the same place as a startup … to grab code that they just don’t know a lot about and bring it into their critical infrastructure, critical applications.”

Infiltrating open source code is an example of certain criminals’ patience. Not all criminals email you about depositing an inheritance. Not all distribute ransomware. There are as many tactics as there are personalities. Inserting malicious code into open source code is an example of a supply chain attack. This means that though you are the target, the way they get at you is through other people’s software, innocently installed by your organization on your systems.

A Break-In

In a recent example of a supply-chain breach, criminals used a widely distributed software product to gain access to their real targets downstream: the organizations that used the software. The criminals got in at the software maker in the usual, mundane way, through a weak password. With that password, the criminals altered a part of the software product’s code. In this case the malicious code was a so-called backdoor, which gave them open access to the end users’ computers. Thousands of end users willingly installed this legitimate-seeming software update. We know the resultant damage included, at the least, data stolen from these computers through the criminals’ backdoor.2

It’s Getting Worse

The evidence shows more attacks hitting businesses via their supply chain. Statista shows these kinds of attacks jumping five-fold between 2021 and 2023.3 And AI, like ChatGPT, is trained on open-source code, so the AI can only pass that possibly compromised code on to its non-coding users. “What I believe,” Badhwar said, “… [with] AI-assisted coding … the numbers are going to go from eighty to ninety percent to maybe ninety-five, ninety-eight, ninety-nine percent of your code in an enterprise environment would be written from basically untrusted, unvetted sources.” And with this shift in how we’re being attacked, we need a shift in how we answer.

XDR Watches and with Teeth

Extended Detection and Response (XDR) is software that has grown – as networks have changed – from its EDR (Endpoint Detection and Response) roots. XDR uses machine learning to learn what normal looks like and so recognize unusual software behavior and suspicious network traffic.

“XDR solutions extend beyond endpoints [the reach of EDR systems] and make decisions based on data from a variety of sources,” per Bryley partner SentinelOne. “They take action across an organization’s entire [environment] … and optimize threat detection, investigation, response, and hunting in real-time.”4

XDR’s machine learning and automated threat detection can:

  • analyze and identify all internal and external data to find vulnerabilities
  • track threats detected in the system
  • correlate and confirm alerts automatically
  • utilize a centralized user interface so admins can investigate and respond to events
  • perform comprehensive analytics across all threat sources
  • offer proactive approaches to new threats
  • respond without human intervention.5

Bryley’s VP of Client Services Anna Darlagiannis-Livingstone put it well: before a bad guy gets in, XDR finds the unlocked window, so it can be locked. XDR is a powerful tool for eliminating some events before they transpire. And it is a powerful tool for slamming the window shut if the bad guy starts to make a move.

Evil Is Inevitable

No defense is invulnerable. So don’t neglect having an Incident Response Plan as well. As shown above, threats keep evolving. An Incident Response Plan directs your people about what to do should an attack land, so they get through it with the least damage possible.

“In Florida, hurricanes happen,” wrote Bryley partner Huntress about dealing with supply chain cyberattacks. “Floridians aren’t measured on whether they can prevent a hurricane … they keep emergency supplies on hand and have a plan in place for surviving hurricane season. [There] will never be a foolproof way to prevent a cyberattack. Instead [be] prepared for when the worst does happen. That’s where an incident response plan comes in. Not only can an incident response plan bring you some peace of mind on how to respond to those worst-case scenarios, but it can also help you respond quickly and get you on the path to recovery faster.”6

Bryley Can Help You Be Protected

Bryley has helped secure New England-region organizations since 1987. It is among the top-ranked independent IT companies. If you’d like to explore whether an XDR solution or Incident Response Plan is a good fit for your organization, please contact Roy Pacitto at ITExperts@Bryley.com or 978.562.6077 x2, or book a complimentary 15-minute call with Roy.

1 https://www.youtube.com/watch?v=RepgvXhXG4k

2 Bryley partner Fortinet provides a detailed analysis https://www.fortinet.com/resources/cyberglossary/solarwinds-cyber-attack

3 https://www.statista.com/statistics/1367208/us-annual-number-of-entities-impacted-supply-chain-attacks/

4 https://www.sentinelone.com/cybersecurity-101/xdr/what-is-extended-detection-response-xdr/

5 SentinelOne

6 https://www.huntress.com/blog/a-recap-of-events-and-lessons-learned-during-the-kaseya-vsa-supply-chain-attack