Media throughout the world have reported on the SolarWinds manual supply chain attack, which has created concern about cyber security and software vulnerabilities among businesses and government entities alike. What hasn’t been in the headlines outside of the cyber security world is that CISOs must not only plan and test for external threats but also start prioritizing efforts to abate insider threats. In the case of the SolarWinds attack, malicious code was inserted somewhere within the supply chain as part of a software update, which was then made available to all SolarWinds customers. This insider attack has to date impacted hundreds of private companies and government agencies. CISOs must lead their organizations in preventing both external and internal cyber security threats.
Thwarting External and Internal Threats – A Two-Pronged Approach
Protecting against internal threats should be the first prong in a threat detection program. The SolarWinds breach brings to light this under-discussed application security challenge: developers writing malicious code which can later be exploited. And while this isn’t the only way that inside threat actors can wreak havoc on an organization, the frequency and financial impacts of insider threats (defined as a careless or negligent employee or contractor; a criminal or malicious insider; or a credential thief) have grown dramatically in just the past two years. In a recent Ponemon Institute study, the overall average cost of insider threats per incident increased by 31% from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats are still a lingering and often under-addressed cyber security threat within organizations, compared to external threats.
Thwarting external threats is the second prong of a threat detection program. As explored in depth in our whitepaper, How to Build the Best Penetration Testing and Vulnerability Management Program, the reality is that cyber security breaches today from outside the organization are inevitable and put companies at grave risk. One of the key cyber security weaknesses is the lack of continuous penetration testing and patching. This can turn into the “Achilles heel” of any organization’s security posture if not addressed and implemented properly. Organizations should think of pentesting as the final security gate. It ensures all other security controls and applications are working as designed from a security standpoint, an approach that is not often adopted by organizations with young or immature application security programs.
Further, organizations with a mature security program understand that point-in-time pentesting is not the best option for securing their applications and networks. You cannot test yourself to be more secure. New code and configurations are released every day; a continuous penetration testing approach can help test an entire system in totality and deliver results to customers around the clock, enabling them to manage their vulnerabilities more easily and efficiently.
Now, let’s focus on the steps to take to prevent insider threats. To do so, I believe that CISOs need a shift in vision. Most companies prioritize external threats but give a blanket of trust to the people within the organization. Now, in large part because of SolarWinds, it is apparent that organizations have to change this mindset.
Changing Your Mindset Around Your Threat Landscape
Threat modeling needs to first be adopted more widely to understand the organization’s threat landscape. It is essential to identify who would want to attack a system, and where the assets are, in order to understand the appropriate attack vectors, and to best enable the appropriate security controls. In my opinion, this involves a mindset shift. The biggest change is in moving from only looking for vulnerabilities to also looking for suspicious or malicious code. Let’s define the two threats. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally. So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that he or she implements. Given that, threat modeling should study potential threats from both vulnerabilities and malicious code, as the harm from either could cost an organization millions. Doing one type of threat modeling without the other can set your organization up with a false sense of security.
Potential Insider Threat Exposure
|Job Responsibility|Possible exposure area for threat activity|
|---|---|
|Administration or Operations|Local area network, high access credentials, production systems|
|Developers|Design and source code; Application configurations; Third-party libraries and deployment descriptors|
|Control Management|Binaries (susceptible to repackaging); Code promotion from QA to production; Encryption keys|
Additionally, how you go about detecting a threat like the SolarWinds supply chain attack is vastly different from traditional pentesting, code review, or other vulnerability detection techniques. It not only requires a different type of lens on how you look at software to identify these issues, but it also requires a complete change in your organization’s internal threat detection governance process. Altogether, dealing with a threat issue once it’s identified is not as simple as going back to the developers and asking them to fix it. Unfortunately, your developers could be the adversary.
Putting in Place a Proactive and Ongoing Internal Threat Detection Governance Program
To put in place a proactive and ongoing threat detection governance program you’ll first have to get buy-in from the leadership team. After all, at its core, malicious code review is a process where you theoretically treat those within your operations who have privileged access as threats. And secondly, you’ll need to educate the leadership team regularly on the scope of your malicious code review engagements. While finding malicious code is difficult and the probability is small, the risk of an insider threat is on the rise. In fact, Forrester research predicts that this year, 33% of data breaches will be caused by insider incidents.
Importantly, all of your malicious code review efforts have to be done in secrecy, involving only small teams you trust completely. It has to be a covert operation where you don’t notify or give knowledge to stakeholders in the software supply chain. They should never know that you are implementing a process to look through their code with a lens of trying to identify code that looks suspicious and potentially malicious.
Risk Scenarios and Escalation Steps to Take
Once your malicious code review regimen is in process and suspicious activity is detected, there are escalation steps that can be put in place to mitigate risk. Consider the following:
- Suspicious, But Not Malicious: You find something that looks suspicious or malicious but that can’t be exploited, and it may even have been left by mistake. Escalation Step: In this case, you may do nothing.
- Circle of Trust Invitation: You find something that looks suspicious, but you can’t get confirmation on whether it is malicious or not. Escalation Step: This is where you have to build a relationship with a trusted developer, or someone from a developer organization, whom you can bring into your circle of trust to verify that suspicion.
- Passive Monitoring: You’ve found suspicious code but choose a monitoring stance. Escalation Step: This is where you do additional logging in production or potentially add some type of data layer protection that you can trigger so you can passively monitor if there’s a point in time when someone is trying to exploit the suspicious line of code.
- Active Suppression: You find suspicious or malicious code and work to suppress it. Escalation Step: This is where you actively either write a rule within your firewall, build a compensating function or do some type of dependency injection or weaving to actively stop that suspicious code from ever being executed.
- Commencement of an Executive Event: You find malicious code and have identified its source, whether it be a sole insider threat, a whole team of suspicious actors, or find threats that involve a particular department, country or line of business. Escalation Step: This step has nothing to do with software, but it has everything to do with safeguarding your organization. You will need to involve your organization’s leadership and execute some sort of severe executive level event which could include terminations of implicated employee(s) or contractors and may even involve law enforcement.
A Caveat: Another challenge with supply chain attacks is that they may never happen at the code level; they may happen in the process of a piece of code being elevated from development to production. Therefore, analysis at both the code level and the binary level is warranted to get information from the artifacts in operations themselves.
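The binary-level check described in the caveat above, as an added example that is not part of the original article: it compares the artifact approved in QA with the one deployed to production entry by entry, so a file added or changed during promotion is named explicitly, while a benign repackaging (different archive bytes, identical contents) produces no finding. The archive layout, file names and contents are constructed sample data.

```python
import hashlib
import io
import zipfile

def archive_digest(archive_bytes):
    """SHA-256 of the archive as a whole (changes on any repackaging)."""
    return hashlib.sha256(archive_bytes).hexdigest()

def entry_digests(archive_bytes):
    """Map each file entry of a zip/jar to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}

def promotion_diff(qa_bytes, prod_bytes):
    """Report entries that differ between the QA-approved and production artifacts."""
    qa, prod = entry_digests(qa_bytes), entry_digests(prod_bytes)
    return {
        "added": sorted(prod.keys() - qa.keys()),
        "removed": sorted(qa.keys() - prod.keys()),
        "modified": sorted(n for n in qa.keys() & prod.keys() if qa[n] != prod[n]),
    }

def build_archive(files, compression=zipfile.ZIP_DEFLATED):
    """Build an in-memory archive from {name: bytes}; used only for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: the release as approved in QA.
QA_FILES = {
    "app/main.class": b"main-v1",
    "app/config.properties": b"update.url=https://updates.example.invalid",
    "lib/util.class": b"util-v1",
}
QA_ARTIFACT = build_archive(QA_FILES)
# Same contents, repackaged without compression: the whole-file hash changes, contents do not.
REPACKED = build_archive(QA_FILES, zipfile.ZIP_STORED)
# Constructed sample: one entry altered and one added between QA and production.
PROD_ARTIFACT = build_archive({**QA_FILES,
                               "lib/util.class": b"util-v1-altered",
                               "app/updater.class": b"not-in-qa-build"})

if __name__ == "__main__":
    print("repack only:", promotion_diff(QA_ARTIFACT, REPACKED))
    print("production :", promotion_diff(QA_ARTIFACT, PROD_ARTIFACT))
```

The QA-side digests should be recorded by a party outside the promotion path, since the comparison is only as trustworthy as its baseline.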
Looking holistically at supply chain attacks, the security industry does not yet have a complete solution. Long term, we need to examine how the industry approaches the evaluation and risk acceptance of third-party solutions, which could come in the form of changes to compliance requirements around least privilege, auditing, and integrity checks.
However, with many studies and news reports pointing to a continuing rise in both external and insider threats (in number of incidents, time to contain, and cost implications), it’s essential for us to begin taking immediate steps as a part of the holistic solution. It’s imperative that CISOs advance leadership support in the development and implementation of a two-pronged threat detection and governance program that involves both malicious code review and vulnerability management initiatives. With breaches often costing organizations millions of dollars, there’s no time to waste.