Cybereason Exposed an Extensive Cyber Attack Most Likely Started in Software Supply Chain: The Case for Software Supply Chain Security to be a Top Security Priority in 2022

John Golke
May 25, 2022 · 4 min read


The recent evidence outlined by Cybereason in their extensive CuckooBees intelligence report exposes a massive IP breach, and all arrows seem to point to a popular ERP system as the starting point. The breach went on for years, allowing the Winnti group, a Chinese hacking group, to acquire IP from roughly 30 companies. It is still preliminary, but it appears to be a sophisticated, multi-chain, multi-year attack, and the future value of the stolen IP may be measured in the ‘trillions’ according to the report and CBS News.

This comes on the heels of the devastating and sophisticated 2020 SolarWinds attack. Depending on the industry or government source, software supply chain attacks will increase by 400% to 650% over the next few years. Furthermore, Gartner lists it as one of their top seven security trends for 2022. It is easy to understand why the software supply chain is an increasingly popular attack vector for cyber criminals, hackers and state-sponsored actors.

Of course, there are existing teams, resources and cyber security tools dedicated to application security. The big question that has arisen since the SolarWinds headlines is whether these teams have the right tools and focus to also protect against the newer attack vector of the software supply chain. There are several arguments that they should.

For example, consider a COTS software vendor that has adopted DevOps: software is committed, scanned, tested, and released into a private or public cloud in an automated (or semi-automated) fashion. This is done via a pipeline containing code repositories, build servers, artifact repositories, and more. This process is your software supply chain.

If you do continuous application releases, this process is repeated several times a day. Many other COTS vendors release their software only after sprints occurring every few weeks, or on a periodic release cycle (monthly, quarterly, etc.).

Now think about how often developers change code in the SDLC — it is constant. In large developer environments, teams may hit source code management tools thousands of times a day. That volume creates far more risk of attacks, whether from nefarious activity or from unintentional mistakes by developer communities working long hours to complete features for software sprints.

At Legit Security, we see these vulnerabilities and risks surprisingly often as we scan repositories and development tools. It’s not that developers don’t care about security — they do. However, their relative priorities and the prior lack of purpose-built automated platforms like Legit Security’s solution made this a neglected corner of application security that now needs to be addressed. A recent Stanford study states that 88% of security breaches are caused by human error.

As previously mentioned, the risk is rapidly growing and will continue to do so. So how do you protect yourself against attacks as an end user of COTS software when traditional Application Security tools are insufficient to protect the software supply chain?

First, if you develop software in house and have a complex software supply chain, make sure your own ‘software factory’ is in order. Look into solutions that protect software supply chains from attack by automatically discovering and securing the pipelines, infrastructure, code and people within them, so that your business can stay safe while releasing software fast. Additionally, make sure this is continuous: policies should be applied and tracked against what is constantly happening in an ever-changing development environment. This should also help you adhere to compliance requirements (SLSA specifically for supply chain).

Secondly, companies need to demand that COTS providers secure their supply chain practices with efficient and effective automated tools that scan development pipelines for gaps and leaks, the SDLC infrastructure and systems within those pipelines, their people, and their security hygiene. Is an SBOM enough? Probably not. Look for objective data that your COTS providers are following proper hygiene so that you reduce your risk of becoming a victim.

This attack in particular seems to stem from an ERP provider. Though the information is still vague, shouldn’t these software companies be showing you how they address risk in their SDLC? Is a point in time scan of the code in their development process sufficient? Recent history tells us ‘no.’ Securing the ‘factory’ itself and looking for adherence to policy such as always using MFA, not using mutable images, not moving a private repo to public etc. are all front and center to securing the software supply chain.
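To make the "continuous policy against the factory" idea concrete, here is an added example (not code from the original post, and not Legit Security's product) that evaluates snapshots of repository and pipeline metadata against the three hygiene rules named above: MFA enforced, build images pinned by digest rather than a mutable tag, and no private-to-public visibility change between scans. The `RepoSnapshot` fields and the two sample snapshots are constructed for illustration; a real implementation would populate them from the SCM and CI APIs.

```python
"""Continuous software-factory hygiene check (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# An OCI image reference pinned by digest ends in @sha256:<64 hex chars>.
# Anything else (a tag, or no tag at all, which implies :latest) is mutable:
# the publisher, or an attacker who controls the registry, can repoint it.
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

Finding = Tuple[str, str, str]  # (repository, policy id, detail)


@dataclass
class RepoSnapshot:
    """Hypothetical point-in-time record of one repository (constructed)."""
    name: str
    visibility: str          # "private" or "public"
    mfa_enforced: bool       # organisation requires MFA for all members
    build_images: List[str]  # container image references used by CI jobs


def is_pinned_image(ref: str) -> bool:
    """Return True only when the image reference is immutable (digest-pinned)."""
    return bool(_DIGEST_RE.search(ref))


def evaluate(previous: Dict[str, RepoSnapshot], current: List[RepoSnapshot]) -> List[Finding]:
    """Compare the current scan against the previous one and report policy violations.

    Point-in-time rules (MFA, image pinning) only need the current snapshot;
    the visibility rule needs history, which is why the check must be continuous.
    """
    findings: List[Finding] = []
    for repo in current:
        if not repo.mfa_enforced:
            findings.append((repo.name, "mfa_required", "MFA is not enforced"))
        for img in repo.build_images:
            if not is_pinned_image(img):
                findings.append((repo.name, "immutable_images",
                                 f"mutable image reference: {img}"))
        prev = previous.get(repo.name)
        if prev and prev.visibility == "private" and repo.visibility == "public":
            findings.append((repo.name, "no_private_to_public",
                             "visibility changed from private to public since last scan"))
    return findings


# Constructed sample data: two scans of the same two repositories.
PINNED = "registry.example/build@sha256:" + "a" * 64
PREVIOUS = {
    "payments-service": RepoSnapshot("payments-service", "private", True,
                                     ["registry.example/build:1.2.0"]),
    "reporting-ui": RepoSnapshot("reporting-ui", "private", True, ["node:18"]),
}
CURRENT = [
    RepoSnapshot("payments-service", "public", True, [PINNED]),
    RepoSnapshot("reporting-ui", "private", False,
                 ["node:18", "registry.example/scanner:latest"]),
]


def run_sample() -> List[Finding]:
    """Evaluate the constructed CURRENT scan against PREVIOUS."""
    return evaluate(PREVIOUS, CURRENT)


if __name__ == "__main__":
    for repo, policy, detail in run_sample():
        print(f"{repo}: [{policy}] {detail}")
```

The visibility rule is the one that a point-in-time scan cannot catch: both snapshots of `payments-service` look acceptable on their own, and only the comparison shows that a private repository became public. That is the practical argument for tracking policy continuously rather than scanning once.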

This is what is unique to Legit Security — we focus on the factory, not just on code. Request your COTS providers speak with Legit Security and we can help assess their SDLC for continuous compliance to this security hygiene with objective scoring and risks.

How can you get started at your own organization? Legit Software provides a free Rapid Risk Assessment so you can evaluate the risk associated with your own software development life cycle systems, infrastructure, pipeline, people and processes.

Contact us today to request your Rapid Risk Assessment or to speak with us about software supply chain management risks and solutions. If you have questions, you can reach me directly at johng@legitsecurity.com, or visit https://www.legitsecurity.com
