Four steps enterprises need to take to prevent software supply chain attacks
22 Mar, 2022

2021 was the year that opened the world’s eyes to a relatively unknown path of attack: using trusted software to compromise the applications that depend on it. SolarWinds was the first high-profile attack, and it showed the world how attackers could exploit a vulnerability in network monitoring software to install malware and gain privileged access. The malware went undetected for a long time, as no company thought of checking updates for traces of malicious code. As administrators continued installing updates from their trusted network monitoring software, they continued handing more privileges to the attackers.

Since then, several major software supply chain attacks have happened, including Kaseya, Codecov and, more recently, Log4j. One of the more attractive elements for attackers is that a single breach or vulnerability in one piece of software can lead to privileged access to thousands of networks. Analysts predict that by 2025, 45% of enterprises worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

Within this context, let us look at some best practices that will help organisations take steps to better protect themselves against software supply chain attacks:


Enforce the principle of least privilege (PoLP) 

Many organisations still assign excessive access and permissions to their employees, partners and vendors without realising how dangerous this is. Organisations should apply role-based access control so that a developer, application or script has access only to the credentials it needs. This helps prevent untrusted parties from stealing valuable credentials such as deployment tokens. PoLP limits access so that sensitive data is available only to users who are authorised to use it and require it to perform their tasks.

PoLP should not only be applied to human access but should also be extended to devices or applications that require privileges to perform certain tasks. By implementing least privilege access controls, enterprises can help reduce privilege creep and ensure that human and non-human users only have the minimum levels of access required. By limiting super-user and administrator privileges, least privilege enforcement helps in reducing the overall attack surface.


Deploy a Privileged Access Management (PAM) solution 

Today, within most modern business environments, the attack surface is growing rapidly as a result of the increasing number of applications, IoT devices and cloud environments that have to be protected. As a result, it has become a huge challenge for the IT function to rely on manually intensive and error-prone processes to keep track of privileged identities and update them regularly.

Attackers recognise this window of opportunity and are using it to exploit privileged access. Implementing a PAM solution can protect against the threats posed by credential theft and privilege misuse by automatically discovering and onboarding privileged credentials used by humans, devices or applications. A centralised policy management feature allows administrators to set policies for password complexity or the frequency of password rotation. Similarly, automated password rotation strengthens security while eliminating time-intensive, manual processes for IT teams.


Adopt secure coding principles 

Today, with DevOps principles being adopted and practised widely, DevOps practitioners, tools and applications are granted very high levels of access. The danger is that if these credentials are compromised, an attacker can cause huge damage. For example, as seen in many high-profile breaches, an attacker can take possession of the cloud access keys used to manage cloud resources. It is therefore critical for the security team to take a proactive approach to integrating security into the DevOps process. Enterprises can also consider using code scanning tools that prevent malicious code from being incorporated into the application. Additionally, automated code testing can be used to immediately alert developers to any deviations from secure coding practices.

Adopt software bills of materials (SBOMs)

SBOMs are machine-readable documents that provide a definitive record of the components used to build a software product, including open-source software. SBOMs make it possible for organisations to identify the vulnerable components of the applications they own and have deployed. Coupled with a solid asset-management and identification system, SBOMs make it much easier for organisations to ensure their software is patched and protected against known threats.
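As an added illustration (not part of the original article or any vendor product), the check below parses a constructed CycloneDX-style SBOM for a hypothetical deployed service and compares each component against a constructed advisory list of first-fixed versions, reporting which deployed asset carries an outdated component. The SBOM content, the advisory versions and the asset name are all illustrative placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment for a hypothetical service (not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "billing-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.2"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-text", "version": "1.10.0"}
  ]
}
"""

# Constructed advisory feed: "group:name" -> first fixed version. Any SBOM component with a
# lower version is treated as affected. These values are placeholders, not real advisory data.
ADVISORIES = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
    "org.apache.commons:commons-text": "1.10.0",
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_components(sbom_text, advisories):
    """Return [(asset, component_id, installed, fixed_in)] for every SBOM component
    whose installed version is below the advisory's first fixed version."""
    sbom = json.loads(sbom_text)
    # The metadata component names the deployed asset, which ties the finding to asset inventory.
    asset = sbom["metadata"]["component"]["name"]
    findings = []
    for comp in sbom.get("components", []):
        component_id = f"{comp.get('group', '')}:{comp['name']}".lstrip(":")
        fixed_in = advisories.get(component_id)
        if fixed_in and parse_version(comp["version"]) < parse_version(fixed_in):
            findings.append((asset, component_id, comp["version"], fixed_in))
    return findings


if __name__ == "__main__":
    for asset, component_id, installed, fixed_in in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{asset}: {component_id} {installed} is below fixed version {fixed_in}, patch required")
```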

The US Government has already identified SBOMs as a priority that will help reduce risks from software supply chains. Considering that the US often sets the standards and direction for the rest of the industry globally, we believe that Indian organisations too will follow suit, especially since a huge number of Indian technology service companies work extremely closely with some of the major technology OEMs in the US. It will be just a matter of time before these best practices percolate down to Indian enterprises as well.

In addition to these principles, enterprises must look at isolating sessions in which privileged credentials are used. They must also establish normal behaviour patterns for existing users and automatically step up to stronger authentication methods when deviations are detected. Enterprises must also use multi-factor authentication wherever possible.


As the many software supply chain attacks to date show, attackers need only a small vulnerability to breach the biggest of defences. However, by adopting the practices described above, enterprises can secure access to sensitive data and applications and make it significantly more difficult for attackers to achieve their end goals.

Rohan Vaidya

Rohan Vaidya is the regional director of sales, India at CyberArk.