The SolarWinds supply chain breach has shed light on the capability and reach a threat actor can achieve through a third-party compromise. Although the widely publicized SolarWinds breach is unique in its target set and complexity, supply chain breaches are increasing in frequency, with 40% of cybersecurity attacks now occurring indirectly through the supply chain, cloud or managed service providers. The next supply chain breach is a question of when, not if; so what can your organization do now to help protect against these threats?

Accenture’s Cyber Threat Intelligence (ACTI) team and Application Security Advisory Services (AppSAS) team provide five possible recommendations to help organizations act now to sanitize networks and restore trust in their IT assets and processes.

  1. Implement hyper-segmentation and extended logging in the network

Once the attacker gains access to a local network via a third-party vendor, their next steps will be to establish redundant access points (in case the initial access point is discovered and remediated) and to start moving laterally through the network in search of the data or access needed to achieve their objective. Segmenting the network can limit the damage done if an attacker gets in the front door, stopping them from proliferating throughout the network.

Implementing network architecture security parameters to separate the local network, where data is stored, from internet-facing resources is not adequate protection from third-party compromises, as objects within the network can be the source of an attack. It is important to redefine the network and employ application hyper-segmentation within local networks to prevent lateral movement between trusted applications. Organizations should take immediate steps to increase the verbosity of auditing policies and network telemetry coming into and out of third-party software instances. This includes enabling access-list logging and flow collection.


  2. Bolster anomalous activity detection and update endpoint detection and response (EDR) capabilities

By entering the network through a supply chain vendor, an attacker is able to sneak past network defenses, leaving the burden for identification on endpoint detection systems and processes. Early detection of anomalies in software can alert security response teams who can quickly mitigate and limit damage.

Organizations should bolster EDR capabilities to monitor for software changes.  First, configure EDR to detect the replacement of legitimate software binaries with malicious payloads and then restore legitimate binaries. Second, configure endpoint monitoring to look for suspicious modifications to legitimate Windows tasks, for example within scheduled tasks.  Configuring EDR, however, may not be enough to detect advanced threat actors who excel at sneaking past defenses and hiding within a network. In these cases, anomalous activity detection and thorough remediation are absolutely necessary. 

Anomalous activity detection can help identify malicious actors disguised as legitimate users. Implement user and entity behavior analytics (UEBA) to understand and identify anomalous or suspicious login attempts by actors leveraging legitimate credentials, particularly those with privileged access. Monitor for hostnames masquerading during remote sessions and cross-reference any masquerading activity with remote access logs to identify evidence of malicious remote access.

Sophisticated cyber-attacks require defenders to become even more intrusive and deliberate when remediating campaigns. The discovery of malware, particularly malware without an explanation of how it got there, should not conclude remediation efforts; rather, such a discovery should cue remediators to determine how a threat actor managed to download the malware to the compromised host. To make this determination, teams should interrogate the parent processes thoroughly to determine the process tree and identify binaries (even signed ones) for subsequent analysis.
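The parent-process walk described above, as an added example (not code from Accenture). The event records, field names and paths are constructed for illustration; real telemetry should key processes on PID plus start time, because PIDs are reused.

```python
from collections import defaultdict

# Constructed process-creation events in the shape an EDR export might take.
EVENTS = [
    {"pid": 612, "ppid": 4, "image": r"C:\Windows\System32\services.exe", "signed": True},
    {"pid": 2310, "ppid": 612, "image": r"C:\Program Files\Vendor\updater.exe", "signed": True},
    {"pid": 4410, "ppid": 2310, "image": r"C:\Windows\System32\cmd.exe", "signed": True},
    {"pid": 5120, "ppid": 4410, "image": r"C:\Users\Public\payload.exe", "signed": False},
    {"pid": 5300, "ppid": 2310, "image": r"C:\Windows\System32\rundll32.exe", "signed": True},
]

def ancestry(events, pid):
    """Walk parent links from pid to the oldest recorded ancestor, child first."""
    by_pid = {e["pid"]: e for e in events}    # assumes PIDs are unique in this window
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' stops loops caused by PID reuse
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def triage(events, pid):
    """List ancestor binaries for analysis (signed ones included) and what else they spawned."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    chain = ancestry(events, pid)
    on_chain = {e["pid"] for e in chain}
    ancestors = [(e["image"], e["signed"]) for e in chain[1:]]
    # Other children of each ancestor may be further payloads from the same entry point.
    also_spawned = [c["image"] for e in chain[1:] for c in children[e["pid"]]
                    if c["pid"] not in on_chain]
    return {"ancestors": ancestors, "also_spawned": also_spawned}

if __name__ == "__main__":
    report = triage(EVENTS, 5120)
    for image, signed in report["ancestors"]:
        print("analyze:", image, "(signed)" if signed else "(unsigned)")
    print("also spawned:", report["also_spawned"])
```

A valid signature does not remove a binary from the queue; every ancestor is listed so the point of entry can be traced.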

  3. Reduce attack surface by sanitizing third-party software and strengthening permission management

An organization’s attack surface refers to the number of vulnerable entry points into the network a threat actor can exploit. Applying the concept of least privilege and assessing third-party software for known security issues can help reduce the attack surface.

Organizations can implement privileged access management (PAM) controls by:

    • Removing or disabling unnecessary or unused applications or service principals and reducing permissions on active applications and service principals.
    • Reducing the number of user accounts that are members of highly privileged directory roles.
    • Protecting access to administrator accounts (vault the access and rotate passwords for each use).
    • Protecting access to ADFS, Azure AD, Active Directory, etc. using PAM processes to vault the administrator accounts.

To reduce risks associated with software supply chains, Accenture suggests critically evaluating supply chain software. Completely vetting all software may not be a realistic objective; however, there are some actions organizations can take to drastically improve their security posture. Organizations should review the privilege and access levels of externally developed software. In addition, service-level agreements with software suppliers should be evaluated to determine if the supplier is responsible for actively locating and fixing vulnerable software prior to deployment and immediately upon detection. For in-house development, analyze third-party libraries for known issues at the repository level and ensure there is a library approval process as part of the secure development policy.


  4. Implement and execute file integrity monitoring (FIM) to prevent and/or discover unauthorized software modifications

FIM is the process of verifying the operating system and application software have not been tampered with or moved by comparing the asset to a known “baseline”. To discover and prevent threat actors from replacing legitimate applications with malware, implement integrity checks for expected locations, hashes, or code certificates of executed binaries. Perform integrity checks on an application by comparing new versions to known clean versions. This helps to ensure unauthorized users have not made changes to the code.
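A baseline comparison of the kind described above, as an added example (not Accenture's tooling). It covers the hash and expected-location checks only, not code certificates; the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return snap

def compare(baseline, current):
    """Classify drift from the trusted baseline: modified, moved, added, removed."""
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    added = sorted(current.keys() - baseline.keys())
    removed, moved = [], []
    for path in sorted(baseline.keys() - current.keys()):
        # Same digest at a new path means the baseline file was moved, not deleted.
        dst = next((a for a in added if current[a] == baseline[path]), None)
        if dst is None:
            removed.append(path)
        else:
            moved.append((path, dst))
            added.remove(dst)
    return {"modified": modified, "moved": moved, "added": added, "removed": removed}

def demo():
    """Constructed sample: baseline a directory, tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        write("bin/agent.dll", b"clean build")
        write("bin/svc.exe", b"service")
        baseline = snapshot(root)
        write("bin/agent.dll", b"tampered")            # binary replaced in place
        os.rename(os.path.join(root, "bin/svc.exe"), os.path.join(root, "svc.exe"))  # moved
        write("bin/drop.exe", b"unexpected")           # file not in baseline
        return compare(baseline, snapshot(root))
```

The baseline is only as trustworthy as its storage: keep it off the monitored host, or sign it, so a change to the baseline itself is detectable.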

FIM can include automated checks to alert on any anomalous or suspicious activity. Once a security team identifies malware, the team can hash the infected software to enhance virus signature databases. Automate all builds of software and include a high-level tracking and tracing ability.

  5. Infuse cyber threat intelligence

Threats evolve daily and threat intelligence keeps organizations apprised of the latest tactics and tools sophisticated threat actors are using. Indicators of compromise (IOCs) and signatures provided through cyber threat intelligence feeds can help detect and hunt for compromises. However, IOC feeds are only one pillar of a comprehensive threat intelligence program. Persistent threat hunting and remediation is necessary to identify advanced threats, including supply chain compromises. 

Due to the nature of third-party compromises, it is unlikely a victim organization will catch the threat prior to network compromise, so consistent and updated monitoring is key to identifying an attack in its earliest stages. Threat intelligence ensures companies stay abreast of the most current novel threats. It also provides cutting-edge analysis and threat hunting analytics to find evidence of compromise.

Threat intelligence providers maintain active mitigation recommendations designed to immediately help secure a company’s network.  Remediation efforts can include checking logins to third-party software to determine potentially compromised credentials, the presence of threat actor toolsets, searches for any non-standard software instances, and traffic to associated malicious network addresses. 


      Conclusion

      The frequency of supply chain compromises will almost certainly increase because threat actors see that they work. These types of compromises are particularly difficult to guard against—pitting the trust a business should place in their suppliers against the inevitable increased attack surface. The recommendations provided here are a first step to help create an agile security program that can respond to advanced supply chain compromises.

      Our ACTI team provides actionable and relevant threat intelligence to support decision makers. The intelligence analysis and assessments in this report are grounded in verified facts; more information on this activity is available to subscription customers on ACTI IntelGraph. IntelGraph is a proprietary next generation security intelligence platform that allows users to search, visualize, and contextualize the relationships between malicious actors, their tools and the vulnerabilities they exploit.

       

      Accenture Security

      Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

      Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

      Copyright © 2021 Accenture. All rights reserved.

      Accenture Cyber Threat Intelligence


      Application Security Advisory Services

