Anatomy of a supply chain attack: how to accelerate incident response and threat hunting
Article by ThreatQuotient APJC regional director Anthony Stitt.
Over the past year, there has been a sharp rise in software supply chain attacks that infect legitimate applications to distribute malware to users. SolarWinds, Codecov, and Kaseya have all been victims of such attacks that went on to impact thousands of downstream businesses around the globe. Within minutes of these high-profile attacks making headline news, CEOs often ask: “Should we be concerned? How is it impacting us? What can we do to mitigate risk?”
Chief information security officers (CISOs), and their teams on the front lines, need answers fast. But once details are released, it can be difficult and time-consuming to connect the dots and formulate answers.
A case in point — months after the SolarWinds Orion security breach:
- 63% of organisations surveyed remained highly concerned
- 60% of those directly impacted were still trying to determine if they were breached
- 16% of organisations were still wondering if they were even impacted.
Fortunately, some solutions can help teams understand the impact, take the right actions faster and even proactively mitigate risk.
A closer look at the Codecov breach
Using the Codecov security breach as an example, threat intelligence experts explained the timeline of events. This included how it took approximately two months for the breach to be discovered, another two weeks for the first indicator to be shared (an IP address), and two more weeks for a second round of indicators to be published.
However, integrating a threat intelligence platform with a threat reconnaissance platform can close the threat intelligence gap from weeks to minutes and accelerate investigations. The threat reconnaissance platform can also reveal additional indicators on day one that security analysts can use to expand their threat hunting, incident response and mitigation activities.
Armed with these tools, security analysts can answer executives’ top questions, including:
Should we be concerned?
Threat intelligence platforms aggregate, normalise, deduplicate and correlate all the external intelligence sources an organisation subscribes to. But it is difficult to know what’s important to focus on without scoring and prioritising that intelligence.
Using parameters analysts set, as well as adversary attributes, the experts showed that the external threat intelligence received a score of 10 — making it a very high priority and confirming that there was reason to be concerned.
How is it impacting us?
Next, the experts formalised the investigation and threat hunt to discover additional information and determine if there was a sighting within the environment. Creating a campaign within threat intelligence platforms enables security teams to closely monitor developments.
The experts used information from within the platform and pivot points outside the platform to gather more details. For instance, after adding the URL for the Codecov website as an attribute, they identified the first IP address Codecov made public and brought that into the threat intelligence platform, allowing them to quickly see a sighting of that same IP address in the SIEM. They knew they were impacted.
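The sighting check described above, as an added illustration that is not ThreatQuotient's code or any product's API: scored indicators from a threat intelligence export are matched against SIEM-style log lines, and each sighting is turned into a blocking task whose priority follows the indicator score. The indicator values, log lines and score threshold are all constructed for the example (RFC 5737 documentation addresses, not real Codecov IoCs).

```python
import re
from dataclasses import dataclass

# Constructed export from a threat intelligence platform: indicator -> score (0-10).
# Addresses are RFC 5737 documentation ranges, not real indicators.
INDICATORS = {
    "198.51.100.23": {"score": 10, "source": "vendor advisory"},
    "203.0.113.77": {"score": 4, "source": "open feed"},
}

# Constructed SIEM-style firewall/proxy log lines (key=value fields).
SIEM_LOGS = """\
2021-04-16T08:12:03Z host=ci-runner-07 action=allow src=10.0.4.12 dst=198.51.100.23 dport=443
2021-04-16T08:12:05Z host=ci-runner-07 action=allow src=10.0.4.12 dst=192.0.2.10 dport=443
2021-04-16T09:30:41Z host=web-01 action=allow src=203.0.113.77 dst=10.0.1.5 dport=443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=\S+ src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


@dataclass(frozen=True)
class Sighting:
    indicator: str
    timestamp: str
    host: str
    score: int


def find_sightings(logs: str, indicators: dict) -> list:
    """Return one Sighting per log line whose src or dst matches a known indicator."""
    sightings = []
    for line in logs.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        for field in ("src", "dst"):
            ip = m.group(field)
            if ip in indicators:
                sightings.append(Sighting(ip, m.group("ts"), m.group("host"), indicators[ip]["score"]))
    return sightings


def triage(sightings: list, critical_score: int = 8) -> list:
    """Turn sightings into engineer tasks; high-scoring indicators become critical."""
    return [
        {"priority": "critical" if s.score >= critical_score else "normal",
         "action": "block at IDS/IPS", "indicator": s.indicator, "host": s.host}
        for s in sightings
    ]
```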
How do we mitigate risk?
From there, the experts pivoted to a phased approach of threat hunting, adding information to the attributes within the investigation and linking it to the IP address that had been spotted. They assigned a task to an engineer for IPS/IDS blocking and marked the task as critical, requiring immediate action to remediate.
Meanwhile, the experts expanded the threat hunt by diving deeper into the signal telemetry to determine what was going on behind the Codecov attack. That’s where the threat reconnaissance platform comes into play and leverages an aggregation of internet traffic telemetry from an ecosystem of data sharing partners and CSIRT teams worldwide.
Running a query against all these data sets quickly revealed additional IP addresses that appeared to be managing the initial IP address. Other likely indicators were also discovered.
There was no need to wait two weeks for public disclosure of additional indicators. The integration of a threat intelligence platform and reconnaissance platform allowed the experts to pivot and conduct further reconnaissance on their own, turning a reactive situation into a proactive one. With the ability to expand and accelerate their hunt, they could assign additional tasks to the engineer to enable proactive protection.
Supply chain attacks show no sign of slowing down. But the right combination of platforms can help organisations get ahead of the threat.