Adrian gets some insight from Chris and Daniel on some recent supply chain attack events.
The conversation includes:
For more on supply chain attacks check out our episode The Human Element of Preventing Supply Chain Attacks
Adrian gets some insight from Chris and Daniel on some recent supply chain attack events.
The conversation includes:
For more on supply chain attacks check out our episode The Human Element of Preventing Supply Chain Attacks
Adrian: Well hi there everybody, welcome to another edition of the Ivanti Insights podcast. I believe, God if we're keeping track, I think is episode 18. I'm your host, Adrian, and I'm joined today by our usual guests, Chris and Daniel. Guys, great to have you here in the Ivanti Insights for yet another fun addition. So let's get to it.
This week we're talking about supply chain which is something we discussed back in July. So if you miss that episode folks, go back and check it out. I think it is the July timeframe if I'm not mistaken. Now Chris and Daniel, we talked about how supply chains can be attacked, making sure products and vendors are secure and also best practices around defending against supply chain attacks. Now, even though it wasn't that long ago that we covered these topics, supply chain attacks continue to drive media coverage. It's still a problem. So recent news reports just come out about resellers and service providers and global IT supply chains. They're being targeted by the same group that attacked solar winds and that big breach that turned out to be about 10 months ago last December. Tell us more about what's going on.
Chris: Yeah, so this group called Nobelium, they’re a Russian-based threat actor and they're nation state-funded. So unlike a lot of ransomware threat actors or other threat actors like that, their agenda is a little bit different. Last year when they did the solar winds attack, they were trying to get into and inject code to be able to get access to a variety of different environments. They were heavily targeting government agencies at that point. That's the difference in the type of threat actor we're dealing with. The nation-state agenda is different from just your typical threat actor who's out for revenue gain. In this case, Microsoft posted a blog in October here on the 24th, talking about how they had been monitoring over 140 cloud service providers that had been targeted by this group. So there are a lot of activity going on recently. 14 of those have been compromised according to what they release for details here. A lot of what the attackers are doing, in this case, are targeting cloud services, that's a part of what we're going to talk about here today. In this case, they're casting a very wide net. 609 customers had been attacked over 22,000 times. And this was a combination of different tactics that they were using in there to try to target and get into these organizations. Now the success rate is only in the single digits, percentage-wise. But it is a large number of attacks they're doing, and they're trying to get in as many places as possible for whatever this current agenda is that they're executing against.
Adrian: So let me ask you Chris, just a quick follow-up before we toss it over to Daniel. When you talk about the success rate being in the single digits or here where Microsoft said 14 have been compromised out of about 140, so it's kind of in that 9 to 10% range. Is that what we should expect? How concerned should we be about that kind of success rate?
Chris: Yeah absolutely. You know, it's hard to say exactly how much of a success rate there is in a variety of different attacks, but there are a lot more attacks going on that obviously that then reach headlines. Any of these types of threat actors are going to be casting very wide nuts. They're also going to be doing a number of attacks leading up to the larger events that we typically see grabbing headlines. In this case, these guys are doing a lot of the legwork, the initial work, and they may find a goldmine in that list of accounts that they compromised throughout here. If they don’t find what they're looking for, they're going to keep going. Now in a lot of cases, there are threat actors who are targeting things like just capturing credentials. There are others that are just trying to capture machines, and then those will be sold on the black market to other threat actors who are going to use them in larger campaigns. At all times, there's a lot of attacks going on and a lot of them end up failing. So single digits there, not surprising that it's a low number that actually succeeds. But they're going to keep trying, and they're going to keep casting wider and wider nets until they reach whatever goal it is they're executing on in their current agenda.
Adrian: Okay, let's toss it over to Daniel, our Chief Security Officer here at Ivanti. So Daniel, the million dollar question, how are these attackers getting in? Is it a matter of them exploiting vulnerabilities within these organizations? It sounds like the attackers have changed their tactics slightly, certainly dating back to the solar winds breach. Is that accurate?
Daniel: Yeah, so let's actually go back real quick and remind everyone what actually happened in the case of solar winds. So in that case, the threat actors were able to compromise the solar winds environment and use that access to insert malicious code into the legitimate system used to produce a solar winds product. And that product would then make it downstream to customers, and that provides the threat actor a huge number of potential targets, right? And this is why it's considered a supply chain attack. They didn't have to go and individually compromise every one of those targets, they compromised something upstream that got pushed down to many different customers of solar winds. So what we're seeing here is kind of a shift and it’s a little bit different, right? Rather than targeting a supplier that actually produces a product that goes into your network, they're targeting some of your resellers, your integrators, other technology service companies that manage cloud services for either their customers for you. Or help with small little projects here and there, kind of integrators to actually build some kind of project for you. And so there's a trust relationship there where those providers actually have to have access to your environment. And so by targeting those providers, it's not a technology, it's not a service, it's a bit more direct.
So it's very interesting in that way. It also talks a lot about how the attackers are thinking about this. You have a hyperscaler here who is reporting this news, right? Microsoft is one of the major hyperscaler. So one, we can assume that we're seeing similar attacks against the other ones, right? Google Cloud and AWS being the two big giants in the room. But shifting away because they realize that a lot of people have started putting control similar to what we talked about in July around the providers that are putting software into their systems. And maybe not focusing enough on the people who actually do the work to deploy that software or help you with like staff augmentation for your IT services. That's where the threat actor here may be seeing some weakness in our security program.
Adrian: Okay. So you mentioned Google and AWS, I just want to clarify there. Are you indicating that hey, Microsoft is reporting this right now, but just because Microsoft is the one in the news, that doesn't mean that it's more prevalent than just what we hear in the news? Now I'm a sports fan, it makes me think of the NCAA in college sports and how every year there's one or two programs that get put on probation for recruiting violations, yet everyone's doing it. You just don't always hear about it. Is that kinda the same thing going on here?
Daniel: That's exactly right. What Chris was just talking about casting a really wide net, right? We shouldn't assume that the only organizations getting targeted are those that are using Microsoft Azure and Microsoft's cloud services. We should assume that a similar attack is happening against the other hyperscalers. And specifically again, targeting those providers who help you migrate things to the cloud and build those services. That's kind of the attack path here rather than what we were talking about with solar winds, compromising a piece of software that pushes directly into your environment.
Adrian: All right. Now we touched upon this a bit last time, and when I say last time, referring back to what we talked about in July. So folks do go back and check out when we talked about supply chain earlier in the summertime on a previous Ivanti Insights episode. But it sounds like there are some new recommendations out from Microsoft for both service providers and their customers. Chris Goettl, what's new, what do our listeners need to know?
Chris: Microsoft was providing a number of steps in their blog posts recently about this. So the blog posts that were released on October 24th, new activity from Russian actor Nobelium. In there, you're going to see a few bullets of some of the things that they've already been doing. And they've got a link to some additional technical guidance, which gets pretty in-depth. They talked about the fact that back in September last year, they rolled out MFA capabilities to their access partner center, and gave the ability to use delegated administrative privileges or doubt to manage customer environments. So they've already been thinking ahead to providing more and more control over this type of ecosystem. On October 15th this year, they've now launched a program to provide a two year Azure active directory premium plan for free. To provide a number of additional security capabilities they've been working on to a wider group of customers to help them secure their environments. Now double-edged sword, you know, that's a two year subscription. They obviously want you to get addicted to those nice security features and then two years from now pay for them. Great, but the moral of the story is they've been beefing up security, they're providing these capabilities. So if you're up there, if you're taking advantage of these services, take advantage of these security capabilities as well.
If you get into the technical guidance, here they go into a lot more depth. They talk about a Nobelium and the two different ways that they're really getting into environments. There is the age-old “Hey, I'm going to social-engineer my way in, steal those credentials from on-premise users, use the Azure 80 trust relationship and get onto an on-premise system to get into that environment.” That's the one method that they're using to get in. The other is through those 140 service providers that were mentioned, basically targeting those managed service providers and using those remote access solutions built out in this ecosystem, getting into that target. So they're choosing to create multiple paths and they're counting on the fact that people aren't able to secure all things in their environment. You know, that it's the age-old challenge of an attack and defense, the attackers attack the castle, the defenders have to defend against everything. Well we have to get everything right, the attackers just have to find one way in. That's kind of explained in here, the different ways that they're coming in. They also go into a lot of mitigation and remediation, both from the service provider and from the downstream user environment. So things like multi-factor and conditional access policies. Absolutely necessary. We can't trust that users are ever going to use strong enough passwords or that they won't reuse passwords in many places. So I compromise an end-user's account on some other e-commerce site or something like that. I can now take that same credential, target their corporate account and have a good chance of getting through at some point. Because one of those users is going to reuse the same password in multiple places.
Things like adopting their secure application model framework. They get into more detail about how you should be securing APIs and applications that are running in these cloud environments. And also logging, they've beefed up a lot of logging in their partner center to give a better perspective of what activities are going on, both from the service provider and from the tenant themselves, that perspective. So there's a lot of guidance in there about how to then secure that delegated administrative privilege that you're giving out to this provider. Doing things like reviewing the logs regularly enough to identify bad activity and other things like that. So it's a pretty comprehensive list of guidance. Again, if you're the downstream customer, they give similar guidance of reviewing that tenant administrator account that you've got. And reviewing the permissions that are granted to your service providers and people that you might've granted remote access to because they pose a risk to your environment. Multi-factor again, absolutely necessary, whether you're the downstream consumer or customer, or if you're the provider themselves. So a lot of really good guidance in that write-up that Microsoft did. This does extend beyond just Microsoft environments though. You should be looking to do these things, as Daniel said, no matter what the service provider you're working with. Look into similar security measures in those areas.
Adrian: All right. So Chris, I asked Daniel earlier the $1 million question, now this is the $2 million question. With what you've laid out in the last couple of minutes, these recommendations from Microsoft, the $2 million question is, are these steps enough to keep attackers at bay? You talk about doing everything you can to fortify the castle, and you've got to think of all of these steps to be proactive in that regard, but the attackers only need to find one way in. So there's proactive versus reactive. And in what you laid out in the last couple of minutes, is that enough or is there anything missing?
Chris: There are a lot of proactive things that you can do. There are more things you should be doing. In this case, the vulnerability angle didn't come up at all, but I have yet to see a month go by this year that didn't have one of the top vendors that you've run in your environment, have an exploited vulnerability that they were resolving. They're happening left and right, threat actors can exploit a vulnerability very quickly. So you've got to make sure you're approaching vulnerability management from a risk-based perspective. You're never going to fix all of them. How do you get to the list that you need to act on first because those are the ones that are being exploited today. You need to look at access in general, not just to the cloud services like we've been talking about here, but access to your legacy environments. You've got this coexistence of your legacy connections or connectivity solutions like a VPN, along with your cloud services.
So adopting a zero-trust model, and adopting secure access technologies that can mingle that legacy access technology along with cloud access capabilities, is essential to securing your environment. General cyber-hygiene, also very important, not just on the clients and the servers, but also on mobile devices. Are you securing productivity apps on those devices? Are you running threat defense on those mobile devices? It gets difficult because we cross over into the user's personal devices in a lot of cases, but there's a lot of improvements to that. Things like Android enterprise where they now separate out partitions for business versus consumer part of the phone experience. We've got to cover a very broad base of proactive things to secure our environments. Now, again, we'll go back to how successful has Nobelium been, single digit percentage out of all the attacks they've done. But if they keep casting that wide net and start reaching thousands of tenants that they're trying to target, how long will it be before 14 becomes 50, becomes a 100, becomes a substantial number of tenants that they've successfully breached into. So it's important to keep up with these different proactive security features.
Adrian: Sure, it's a numbers game. You reach out to enough people and then what you actually latch onto, that's going to be a decent size bunch if as you say, cast your net wide enough. All right Daniel, let's turn it to you. So as much as you are proactive, as much as you try to plan for the worst, stuff happens, how do you react to that?
Daniel: Use my scout motto here which is ‘be prepared’. At some point you have to assume you're going to suffer a data breach, right? There are proactive and security controls that you can do there, but there's also proactive planning to be reactive. Some of that definitely still touches on things as Chris said, especially when you talk about your connectivity between your legacy environment and your cloud environment. Understanding those data flows and mapping that out is really important. But some other things around the logging and the security controls that you can actually implement in these cloud environments are simply different than the traditional server and laptops. So making sure you understand the controls, making sure that you have comparable controls in your cloud environment, as well as on your on-prem systems. And then basic incident response planning, run some tabletop exercises. See where you actually are in the process and make sure that you're educating the security team, your CIO and your team on the IT side. And then also make sure you're educating your executive leadership as well. If you're not doing that, people are going to panic and not be as prepared as they really need to because the breach will eventually come. And the more you're prepared for it, the easier of a time you're going to have being reactive about it, containing the situation and moving past it.
Adrian: Okay gentlemen, we're winding down here, we're in the home stretch. So it's our favorite part of the episode, and I know you guys love this. A little less structure, a little more of a blank canvas. Daniel, we're going to start with you, what's your final parting thought we may have not covered today?
Daniel: You just need to remember that this is not just targeted at government organizations or government contractors even. The whole challenge with the supply chain is you're going two and three vendors down to hit a target. A lot of people think nation is a state threat actor that doesn't affect me, I am just a small service provider, but at the end of the day, that's exactly what these threat actors are counting on. So really important to make sure that you understand how this filters down to your organization, even if you don't directly provide services to the federal government wherever you guys may be.
Adrian: I think that's a great call out. Chris, take us home. What do you want to leave us with?
Chris: Before, I mentioned that we've got to defend against everything, that can be frustrating, it can be an insurmountable challenge, it can feel like this Mount Everest that you can never climb effectively. There are a lot of tools out there, a lot of ways that you can tackle that. So my parting guidance today is to think about not just how do I defend against all these things, but to do it in terms of a roadmap. In the product management realm, we always plan out ahead what we are going to do next. In the security side as well, we should always have a cybersecurity roadmap. There are great frameworks out there, things like the NIST cybersecurity framework or the CIS controls. There's a lot of regionally based ones that you can find around the globe. So if you're not based in the US, they’re some other really good ones no matter where you're at. But look at those, compare them to the top threats that you know would threaten your environment. If you're in healthcare, ransomware is probably one of the top attack vectors for you. Daniel mentioned that this is not only governments, but the nation-state attacks that we're seeing here, definitely is targeting more government entities, but not necessarily the only thing that could be targeted at them.
If you understand these are the types of attacks that may target us more frequently, you can start to tailor your roadmap to target countermeasures to those first and then build out over time into that broader and broader set of proactive security measures. But it's not something you're going to do all at once, it's a journey. Plan that out, have that roadmap in mind and you'll find it's a lot easier to achieve it.
Adrian: All right. Well great conversation as always guys, appreciate you coming on as usual. And for Daniel, for Chris, I'm Adrian saying thank you for listening and tuning in today. Until next time everyone, stay safe, be secure and keep smiling.