Supply chain security attacks have been becoming increasingly common and more sophisticated. Find out how to remain secure throughout the software supply chain.

Software supply chain attacks are becoming more frequent and introducing bigger consequences. This highlights the need for a structured response by policymakers and the security community, which is now in development. But organizations can implement their own software supply chain security strategies as well.

**What Is the Software Supply Chain?  
**The software supply chain consists of code and binaries, and the development teams, tools, and processes involved in building, packaging, and deploying applications. Modern software development has made the supply chain increasingly complex. Reasons for this include:

*   **Product innovation:** Consumers today expect cutting-edge products, which drives software vendors to deliver more innovation.

*   **External services**:**** Organizations now outsource elements that are not core to their business, such as payment, navigation, and translation.

*   **New technology**:**** New operating systems, processors, and graphic chips increase the complexity of software.

*   **Practices**:**** Modern practices like agile development, CI/CD, and DevOps have together accelerated the pace of product delivery.

*   **Code**:**** Code used to build an application contains many ingredients, including custom code, open source dependencies, build and packaging scripts, containers, and infrastructure.

These elements combined create complex software supply chains, which are an attractive attack vector and target for malicious actors.

**Software Supply Chain Attacks  
**Attackers use malicious code in an "upstream" component in the software supply chain with the goal of compromising the target of the attack: the "downstream component." Any link in the software supply chain can be compromised, but current research highlights three main targets: dependencies, pipelines, and the combination of both — pipeline dependencies.

**—Dependencies  
**Application dependencies — open source packages or container images — introduce vulnerability. Attackers insert malicious code into publicly accessible packages, and that code is automatically downloaded by unsuspecting developers.

**—Pipelines  
**Development pipelines used to build and release software can also be compromised. Attackers inject malicious code into the code itself defining the build process — such as CI scripts or build tooling configurations. Then attackers can use the build pipeline to distribute malicious code to downstream consumers.

**—Pipeline Dependencies  
**External dependencies within the build pipeline, such as third party plug-ins, tooling binaries, or the build environment itself, can also be targeted by attackers.

**Best Practices for Software Supply Chain Security  
**These best practices can improve security around your own software supply chain.

**—Use SCA and SAST  
**Software composition analysis (SCA) tools help you integrate security testing early and throughout the software development process to mitigate risk in open source packages being pulled into an application (including transitive dependencies). SCA tools also detect open source software licenses to help organizations ensure compliance with legal requirements.

Static application security testing (SAST) tools check custom code for security issues. Using a SAST tool can inform you of the risks resulting from the combination of supply chain components and your custom code.

**—Secure Your Containers  
**Base images from trusted providers should be free from malicious software, but still often have vulnerabilities in the Linux packages and developer tools they supply. A container security tool can help mitigate risk in a container image, and should also identify application components inside containers, especially in cases where direct access to the source code is not an option.

**—Utilize the SBOM  
**A software bill of materials (SBOM) provides details on all components included within a supplied product: open source dependencies, containers, and build tools. Generate and maintain SBOMs to track your third-party dependencies, tools, and sources. Always require an SBOM from third-party vendors before or during procurement of new software, and routinely scan it for security risks.

**—Manage Source Code Carefully  
**Source code management systems (SCM), like GitHub or Atlassian Bucket, are the central hub for an organization's software development. Modern SCMs provide specialized features and configuration settings, such as access policy controls and branch protection, that can be leveraged to harden security. These mechanisms are not always enabled by default and must be explicitly set.

**—Secrets and Credentials  
**Today's workflows use different types of credentials for access control, including encryption keys, SSH keys, and API tokens. When exposed, these credentials can be used by attackers. To mitigate risk, use a secret management tool to store and encrypt secrets and enforce access controls. Scan source code repositories to ensure secrets are not committed by mistake, automate service account rotation for credentials, and assign restrictive permissions to tokens.

**—Implement DevSecOps Practices  
**DevSecOps integrates security practices into a DevOps model. The key element of DevSecOps is to integrate security as early as possible, and throughout, the life cycle of software development. DevSecOps is a continuous cross-team effort and cannot be achieved without a deep change in organizational culture.

**Keep Your Software Supply Chain Secure  
**Software supply chain attacks will likely increase in both frequency and complexity, affecting more organizations and exacting a growing cost. However, with careful planning and implementation of best practices, organizations can move toward a much more secure software supply chain.

**About the Author**

    

Mic McCully is a Field Strategist at Snyk with a focus on modern application security. In his role as a Field Strategist, Mic spends his time sharing the Snyk vision and strategy while also gathering and collecting insight of security priorities from the market. His background spans over 27 years in the software industry with close to 17 years of that focused on the security space.

The Modern Software Supply Chain: How It's Evolved and What to Prepare For

Module enables apps to establish trust in new devices without adding user friction.

**Palo Alto, CA -- April 20, 2022 --** Mobile authentication pioneer Incognia, today announced the launch of a new location identity fraud detection module to support mobile app security for customers across finserv, crypto, social networks, online gaming and more. Incognia’s latest solution module is Location-based Device Authorization which prevents fraud following device change at login.

Authorization of new devices on mobile is one of the highest friction and highest risk points in the user journey. When new devices attempt a login, the challenge is determining whether this is the legitimate user, or a fraudster using social engineering to get access to the user's credentials. Traditional device fingerprinting solutions are useless in establishing trust in new devices, and as a result most organizations have been forced to employ multi-factor authentication (MFA), which increases user friction and ultimately creates a poor user experience. The Incognia Location-based Device Authorization solution is designed to address the challenges of establishing trust in new devices without adding user friction.

Incognia provides a highly accurate risk signal using anonymized location behavior and device intelligence to detect high risk devices attempting to login before fraud occurs. At login, Incognia delivers a risk assessment based on checking the device integrity and whether the current device location is consistent with the user’s historical location behavior pattern. In an internal study, Incognia identified that 89% of legitimate device authorizations occur at trusted locations, which are places that the user visits most frequently, such as home.

Key benefits and features include:

\- Reduced friction when legitimate good users change their mobile device

\- Reduction in account takeovers due to social engineering

\- Real-time validation of trusted devices with global geographic coverage

“The frequent use of one-time passwords over SMS for new device authorization in mobile apps is causing users unwanted friction and frustration, while also serving as an inadequate security measure to keep fraudsters out,” said André Ferraz, founder and CEO of Incognia. “We’re excited to expand Incognia’s fraud prevention capabilities with our new module, using anonymized location behavior and device intelligence to detect high risk devices attempting login and catch fraud before it happens. Leveraging trusted location behavior allows our customers to enable a frictionless authentication experience.”

Incognia fraud prevention modules are available now. To get started, visit www.incognia.com.

**About Incognia**

Incognia is a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech and mCommerce companies, for increased mobile revenue and lower fraud losses. Incognia’s award-winning technology uses location signals and motion sensors to silently recognize trusted users based on their unique behavior patterns and is a key enabler for zero-factor authentication. Deployed in over 200 million devices, Incognia delivers a highly precise risk signal with extremely low false positive rates.

Incognia is privately held and headquartered in Palo Alto, California with teams in New York and Brazil.

Stay connected and follow Incognia on Twitter and LinkedIn.

Incognia Introduces New Location-Based Device Authorization Solution

Users can scan GitHub repositories and detect misconfigurations, exposed secrets and other security issues.

TEL AVIV, Israel , April 20, 2022 /PRNewswire/ -- Lightspin, the next-generation cloud security platform, today announced an integration with GitHub that will allow organizations to scan their Infrastructure as Code (IaC) files to proactively prevent code with misconfigurations from being deployed. By detecting and fixing security issues before they are deployed to the cloud, Lightspin helps organizations embrace a "shift left" approach to security.

Shifting security left is a growing trend that requires organizations to detect security issues earlier in the software development life cycle. Yet 77% security professionals think developers find too few vulnerabilities too late in the process, according to a 2021 study. Lightspin helps security and DevOps teams to better understand the security posture of their repositories while saving time and more efficiently using technical resources.

"As IaC adoption soars, it's increasingly important for organizations to understand the security risks and complexities that go along with it," said Or Azarzar, chief technology officer and co-founder of Lightspin. "Misconfigured code and over permissive identities introduced into production can prove to be costly for security teams. Scanning IaC files proactively to prevent these issues from ever being deployed gives organizations peace of mind that they have protected their cloud environment."

Lightspin integrates via a GitHub application to scan repositories for security issues, then prioritizes an organization's repositories based on detected security findings. Once complete, a security or DevOps team can easily view the findings of each file, folder, or repository. Additionally, Lightspin provides an impact log to help teams track changes to their repositories, scanning all pull requests and highlighting the changes that had the biggest impact on their security posture. Security teams can review the details of the pull request to better understand the context.

The GitHub integration is available globally to Lightspin customers at no additional cost. To scan IaC files, users simply install the GitHub app on their repositories.

**Follow Lightspin  
**LinkedIn: https://www.linkedin.com/company/lightspin/  
Twitter: @lightspintech  
Blog: https://blog.lightspin.io/

**About Lightspin  
**Lightspin's next-generation cloud security posture management (CSPM) solution secures cloud and Kubernetes environments from build to runtime and simplifies cloud security for Security and DevOps teams. Using advanced graph-based technology, Lightspin empowers cloud and security teams to eliminate risks and reduce effort by proactively and automatically detecting all vulnerabilities, smartly prioritizing the most critical issues, and easily remediating them. For more information, visit https://www.lightspin.io.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lightspin Secures Infrastructure as Code Files with New GitHub Integration

Sanctions imposed by the Biden administration, coupled with Russia's proposed initiative to cut itself off from the global Internet, is causing cybercriminals to ponder their future.

Russian cybercriminals dominate the threat landscape, aided largely by a government that has heretofore turned a blind eye to their illicit dealings — as long as their attacks target organizations and individuals outside of Mother Russia. However, since Russia's invasion of Ukraine on Feb. 24, the Kremlin has made a series of moves that threatens to disrupt the delicate balance that exists between them.

Without an extradition treaty with the United States, most of these cybercriminals operate with impunity or are nabbed when traveling outside of the United States. But in recent months this has not been the case. Several administrators and hosting providers were arrested in Russia in the past year for allegedly breaking the unspoken agreement between the government and cybercriminals. On Jan. 14, the Federal Security Service of the Russian Federation (FSB), in concert with US authorities, arrested members of the REvil ransomware-as-a-service (RaaS) collective that was responsible for the Kaseya attack. About a week later, the FSB detained four members of the Infraud Organization, including the group's founder, Andrey Novak, who was also wanted by the FBI. Though Russia is responsible for detaining these cybercriminals, these arrests and illicit marketplace takedowns have been few and far between and seem to signal more of a public relations ploy than a formal desire to stop cybercrime that affects its Western counterparts; there is no formal cyber alliance between Russia and the United States.

In some ways, Russian cybercrime has always been different, even in the underground. Russian cybercriminals, often young men, have had the autonomy to target foreign victims and establish various Dark Web-based marketplaces, card shops, and forums that attract like-minded threat actors. Wanted posters for these cybercriminals may very well be accompanied by images that showcase their Instagrammable lifestyles — poses that include expensive luxury automobiles, exotic cats, and stacks on stacks of US dollars.

**Connection to Cybercrime  
**There is a demonstrable connection between the Russian government and cybercrime. Public records show that Alyona Eduardovna Benderskaya is the wife of "Evil Corp" ringleader Maxim Yakubets and daughter of FSB agent Eduard Bendersky. The exotic cat-wielding Bogachev has also been associated with Yakubets regarding money laundering for various malware schemes. Former cybercriminal-cum-FSB officer Dmitry Dokuchaev sought the services of Shaltai-Boltai ringleader Vladimir Anikeyev and Yahoo breachers Alexsey Alexseyevich Belan and Karim Baratov. Dokuchaev was also sentenced to six years in prison for treason, so perhaps there is no love lost there. Aleksei Burkov, founder of cybercrime forum "DirectConnection" and co-administrator of "MazaFaka," was recently released from the United States and returned to Russia short of his nine-year sentence. Despite these indictments, all of these Russia cybercriminals remain at large, housed and protected in Russia.

But Russia may unconsciously be eating its own: Russia's war with Ukraine has resulted in a global effort to isolate Putin and, as a result, Russian cybercriminals are feeling the pressure.

For one, Russia has taken an aggressive stance on Internet blocking, which has increased since the start of the war and is affecting the ways in which cybercriminals operate. News and social media websites are actively being censored to create a filter bubble within Russia's borders. Previous reports indicate that Russia has attempted to block Internet protocols such as DNS over HTTPs (DoH) and DNS over TLS (DoT), threatening the security and privacy of Internet communications. Russia is also blocking access to the Tor network, which is having an effect on freedom of speech and the landscape through which cybercriminals can communicate. While dissidents are downloading VPNs in greater numbers, threat actors are actively seeking workarounds that bypass Russia's deep packet inspection (DPI) capability. Threat actor recommendations include "anti-DPI" technology, Tor bridges, and VPN-to-VPN services, though the effectiveness of these countermeasures remains to be seen.

Secondly, Russia previously faltered in implementing its "sovereign Internet," finding difficulty in going from an open global Internet to a closed one. Cybercriminals may be able to gamble on Russia unsuccessfully disconnecting from the Internet. While countries like China have been more successful in closing their borders to disinformation, dissent, and foreign influence, it has come at the cost of vast human, technical, and financial resources. Other examples, such as Iran's walled garden and North Korea's restricted Internet, have demonstrated that cybercrime can persist, though usually it is at the behest of the government.

Thirdly, foreign governments are also making it difficult for Russian cybercriminals to cash out and launder the proceeds of their criminal campaigns. On April 5, German law enforcement, in concert with the US Justice Department, shut down Hydra, Russia's largest cybercrime marketplace. The Treasury Department's Office of Foreign Assets Control (OFAC) followed by sanctioning over 100 cryptocurrency addresses and virtual currency exchange Garantex. The sanctions followed a September 2021 initiative to disrupt ransomware payments by sanctioning Suex, and then Chatex, which have helped facilitate ransomware payments to threat actors. All three were tied to the "Moscow tower," which has been a hub of money laundering and cash-out activity. These sanctions are affecting cybercriminals' ability, in combination with sanctions against Russian financial institutions, to move cryptocurrencies from illicit activities (such as ransomware payouts) into fiat currencies.

**Changing Face of Cybercrime  
**Cybercrime has a way of transforming. When one threat actor group is taken offline, another one takes its spot. There has never been a shortage of victims, and despite increased cybersecurity, there are always loopholes that can be exploited. Russian cybercriminals will have a difficult time overcoming the recent sanctions, although they are not a panacea. Russia has benefited from an overly permissive stance on cybercrime, and cybercriminals have acted with impunity. However, the increased restrictions on protocols, illicit services, and cybercrime marketplaces will make it increasingly difficult to financially benefit from conducting cyberattacks within Russia's borders. The implicit treaty between Russia and cybercriminals has been broken, and it is yet to be seen how they respond.

How Russia Is Isolating Its Own Cybercriminals

When a quantum computer can decipher the asymmetric encryption protecting our vital systems, Q-Day will arrive.

Our current encryption standards protect our bank accounts, financial markets, and most of our infrastructure, not to mention the logistics/supply-chain management system in the US Defense Department. But what happens when quantum computers can decipher the current asymmetric encryption that protects our vital systems? "Quantum-Day," or Q-Day, may happen sooner than scientists predict, and it will act like a "dirty bomb" on information architecture.

For standard encryption, Q-Day will occur when a 4,099 coherent qubit machine can complete the nonpolynomial hard factoring on which today's encryption relies. A quantum computer of this magnitude is not available yet, so the world's encrypted data is relatively safe for now. However, a global race is underway to get there.

Most computing experts agree our world is already in the "Quantum Decade," during which governments, businesses, and entrepreneurs will gain value from quantum advances. The opportunities are dizzying as tech companies race to bring quantum computing to commercial products. In late 2021, IBM trumpeted its plan to complete a 1,000-qubit computer by 2023. Numerous others have made subsequent announcements about even larger quantum processors.

All of these advances push for quantum advantage, meaning the time when a quantum computer exceeds the computing power of today's supercomputers. However, most projects are closer to quantum practicality, as computer scientists acknowledge. Quantum practicality (sometimes called quantum utility) is when a quantum machine is able to outperform traditional computers of comparable power under similar conditions. Regardless of what this Quantum Decade brings, it will force changes to existing systems and break several stable information paradigms that lack resilience.

Because of this, the United States — and indeed, every nation — needs backward-compatible quantum resilience now. The US Defense Department hands out awards to contractors that develop or maintain backward compatibility of system hardware and software interfaces. These contracts bring new capabilities to older systems or remedy known limitations for legacy systems (for example, hardening them for continued use). Any post-quantum communication solution that isn't deeply backward compatible cannot scale in deployment quickly enough and will leave the US vulnerable on Q-Day.

**Legacy Systems Open up Vulnerabilities**  
With this requirement in mind, it's worth asking how we're doing. Is the US ready for Q-Day? Can we get there from here? The easiest answer comes from following the money. Since 1990, each US government executive branch department has been required to produce an annual financial statement. For the Defense Department, the details of its most recent audit point to these new systems and legacy systems being material weaknesses, although the audit does not mention which systems those are. This is mainly because we rush to advocate for innovation, but pay for it slowly and reluctantly.

In both the commercial and government worlds, the financial and time cost of updating old software is significant. For the US Government, each fiscal year these obligated stable (sunk) costs are lagging, according to the audit agency; that means they are inadequately funded and falling further behind the innovation curve. This is a big drawback for warfighters. Of the 28 material weaknesses identified in the "Fiscal Year 2021 DoD Agency Financial Report" (up from 26 in the prior year's report), the top two were legacy systems and configuration management.

We can "get there from here" and must do so for the good financial stewardship and national security standards US citizens expect. Perhaps more important than increasing domestic spending to keep up with innovation, we need to keep in mind our adversaries have a vote. Those seeking to damage the US know that legacy systems are particularly vulnerable. The nine legacy systems the DoD extended beyond their expected retirement and the numerous systems (more than 140) that are out of compliance make for a juicy target. Quantum computing advances only increase threat complexity and limit the time legacy systems are useful without breathing new security protocols into them via backward compatibility.

**Backward Compatibility Is Key**  
The recent Fiscal Year 2022 Omnibus directs funding and policy conditions on most US government agencies' IT infrastructure and cybersecurity practices. Most of these comprehensive provisions will require the modernization of legacy systems. Even if funding does not allow new systems to replace these legacy systems, a newly developed post-quantum communication protocol can limit threat vulnerability in our legacy systems. These new protocols will help protect our security environment after Q-Day.

In every war the United States has fought, we've used legacy systems mixed with newer systems. A natural stepping stone to efficiency is purchasing products proven to be backward compatible. This allows warfighters to develop new tactics, techniques, and procedures by blending new and old systems when countering adversary advances.

However, normal technological development timelines are a bigger hurdle than most admit. This lack of understanding slows innovative products in US government markets, as leaders spend on advanced development without demanding these new products have backward compatibility built in. Backward compatibility is the foundation on which our resilience must be built to survive Q-Day. Buying and training US forces with this truth in mind means we will be ready.

Backward-Compatible Post-Quantum Communications Is a Matter of National Security

This is the shift that companies need to make after a cyberattack.

My team recently received a call from a company in Europe that had received warnings from law enforcement that it might be targeted by hackers. We found evidence through our data forensics that an attacker had entered the company's network, taken credentials, and then left. From what we found, the attacker had just as much access and knowledge as the CISO — maybe even more.

And this was likely not the end of the story; attackers usually spend weeks or months inside networks (known as dwell time) before actually doing anything. There was a good chance the attacker would come back. That should be top of mind for any company that's dealing with the aftermath of an attack or intrusion, and the response requires a holistic, active approach even if an incident appears to be over. Often referred to as the "recovery" period, the hours, days, and weeks after a detected intrusion or attack are anything but passive. This period demands action; in fact, it should be called "post-incident response," not "recovery." Not only is this a crucial period of every cyber incident, but it can also be an important growth opportunity for cybersecurity posture and the company in general.

**Attackers** **Return, So Victims Should Study Their Enemies  
**Often when we see an intrusion like the one at this European company, organizations aren't focused enough or don't spend the required budget to make recommended changes, and the attacker comes back with something worse, such as a ransomware attack that can cause great financial and reputational harm. Many companies also fail to see the unique opportunity that is hidden in the fact that attackers often come back: The post-attack or post-intrusion phase can serve as a valuable time to learn about the enemy — where they came from, how they entered, which assets they spent the most time checking out.

Although much time is spent trying to determine who the enemy could be when preparing for possible attacks, the post-attack period offers actual evidence on who the enemy is. This improved understanding of current and possible future enemies allows for a better allocation of resources in order to protect the assets that not only matter most to business value and continuity but are also most likely to be targeted. Knowing from which geographic area an attacker originates and if there is a chance they're connected to state-backed efforts also allows companies to hire cybersecurity teams that bring the necessary talent to deal with the sorts of threats an organization is facing.

**Stopping an** **Attack Is Only the Beginning  
**Just because an attack path was blocked, or attackers may have left all the data accessible (declining to put ransomware on it, for example), they still could have obtained intellectual property and proprietary or personal data. And this could then be leaked for purposes of sabotaging a business, obtaining intelligence, or for making money on the Dark Web. Attacks with multiple stages or objectives are growing; what may initially manifest as a ransomware attack to extract money from victim organization could turn into a smear campaign when that information is leaked or used to influence public opinion. Just because one organization is able to detect or stop an attack with little obvious damage, the attacker could later target other organizations that are connected, either directly through the software supply chain or through phishing campaigns aimed at email addresses taken from the original, relatively unscathed, target. Even though an incident appears over, it probably isn't; more victims are likely to emerge.

**Deal** **With the Last Mile of an Attack on a Managerial Level  
**After an attack or signs of a security breach, companies must make sure they meet a checklist of demands, including informing the right parties, such as government and regulatory bodies, customers, clients, and business partners. All of these obligations should be an integral part of the post-incident response and involve multiple departments.

But the involvement of multiple departments and the entire C-suite should not end with these obligations. The post-incident period is one of the most important times for a holistic managerial approach; after all, if an attacker decides to leak sensitive corporate information to the public, or sell it on the Dark Web, that is not just the CISO's problem; it is also something that executives across departments must deal with. This includes public relations; in today's world, where everyone, everywhere is vulnerable to cyberattacks, an organization's reaction to an attack and how it handles it is paramount to preserving its brand integrity.

Post-incident activity is, and should be, intense. But it should not — as it unfortunately often is — be left to the CISO. We often see that while an attack or security breach is in progress, most of the company's leadership is involved, including the CEO, COO, and human resources and legal teams. It is essential that these executives and teams continue to lead the post-attack phase.

The entire company should also be involved in reviewing not just what went wrong technically, leading to a cyberattack, but how it was handled, pinpointing lessons for the future, and updating its cybersecurity response plan. Now more than ever, cybersecurity can make or break a company; this reality requires a full-fledged team effort at every stage of an attack, even when some may mistake it for being over.

If done well, a response to an attack will not only close vulnerabilities but protect the brand's reputation, operations, and customers and leave a company better prepared to ward off the next attack.

From Passive Recovery to Active Readiness

Fortress Information Security will expand its Asset to Vendor Library to include hardware bill of materials and software bill of materials information.

One of the biggest challenges in supply chain security is being able to understand the security practices of suppliers and vendors and to assess the risks of granting them access to internal networks and client data. Organizations address this by having suppliers and vendors fill out questionnaires or complete security assessments, but items can be missed. And one of those missteps could result in an outage or a data breach.

Fortress Information Security is trying to solve this challenge by providing critical industry operators with up-to-date information about all the partners and suppliers they already work with or would potentially work with. The Asset to Vendor Library Trust Center is a central library of information from vendors and original equipment manufacturers (OEMs), such as security attestations, completed North American Transmission Forum (NATF) questionnaires, and third-party certifications. The platform helps critical industry organizations assess, manage, and address risks associated with vendors, assets, and software in their supply chains.

The idea is to give organizations access to this information without having to send over a questionnaire, and it allows vendors to provide their information once, instead of filling out the assessments over and over again for each partner relationship, says Betsy Soehren-Jones, chief operating officer at Fortress. Asset owners and suppliers can access information of over 40,000 companies and assess the impact of new cyberthreats.

There is interest in this kind of a centralized repository operated by a private entity: Fortress announced a $125 million investment from Goldman Sachs Asset Management on Tuesday to expand its archive of vendor information to include hardware and software bill of materials. The company previously raised $40 million across multiple funding rounds between 2015 and 2020.

“When we put our program together, it dawned on us that the relationships we had, other companies had as well,” Soehren-Jones says of her time at Exelon, one of the largest utility companies in the United States, before joining Fortress earlier this year. “How can we build a central library about the vendors and devices that we are all using?”

**Supply Chain Attacks in Critical Industries  
**Supply chain attacks have been on the rise in recent years, with high-profile incidents such as the SolarWinds breach and the Kaseya attack. The dangers go beyond just IT systems when the supply chain attacks affect critical industries, such as power, energy, oil, gas, and water. The ransomware attack on Colonial Pipeline was not a supply chain attack – but the resulting disruption on gas delivery and supply highlighted just how susceptible critical industries are to attack.

Attackers are increasingly shifting their attention to suppliers instead of targeting organizations directly, the European Union Agency for Cybersecurity said in a report analyzing 24 supply chain attacks last year. Attackers focused on the suppliers’ code in 66% of the reported incidents, and 62% of the attacks exploited the trust of the organization in their suppliers and vendors, the report found. Additionally, 58% of the attacks targeted the suppliers to access customer data – the organization’s data.

“An organisation could be vulnerable to a supply chain attack even when its own defences are quite good,” ENISA said in the report.

Federal authorities and regulators are scrutinizing critical supply chains. The Cybersecurity and Infrastructure Security Agency (CISA) and the North American Electric Reliability Corporation (NERC) have released supply chain cybersecurity guidelines in the past year. However, relying on regulators is not enough because some critical industries – such as solar – are not regulated, Soehren-Jones says. And there is no overlap between different sectors; the rules and standards from electric are different from gas, for example, even though the two sectors depend on each other and likely share the same vendors.

“There are only a few meter companies – we are all probably using the same ones,” Soehren-Jones says.

The Fortress platform bridges the different industry sectors – oil, energy, water, power, and gas -- and gives organizations access to a more comprehensive set of data, Soehren-Jones says. The platform secures 40% of the U.S. power grid, substantial national defense-related assets, and critical manufacturing industries.

**Expanding Risk Assessments  
**With the new investment, Fortress plans to increase the hardware bill of materials and software bill of materials information available in the library. One way is to encourage vendors to provide their own information. Another is to expand in-house lab capabilities to “tear down” each product and generating the bill of materials, Soehren-Jones says. Having the internal service is critical to having a complete set of information about the devices in use, especially since many of the devices critical industries rely on “have already been in the field for 10 years” or longer, she notes. Many of those manufacturers may not even be in business anymore.

Consider the case of a transformer. The in-house lab will look at all of the components that make up the transformer and log them in one place. If the unit has a communicative device inside, the teardown will find it, log it, and share the information with all the industry organizations using the platform. The hardware bill of materials will also be useful for finding out if the same component is being used across other devices.

"If we find out that there's a bad chip somewhere in one device, that chip most likely has been used in a lot of other devices. So not only are we going to be able to identify the manufacturer that it originally came from, but then we're going to also be able to understand the full scope of all of the devices that may have it," says Soehren-Jones.

“The depth and breadth of the Fortress platform are unmatched and we believe there is a meaningful opportunity to accelerate the expansion of the platform into compelling product adjacencies, including software and hardware bill of materials, workflow orchestration, and additional analytics and reporting capabilities,” said Will Chen, managing director within Goldman Sachs Asset Management, in a statement.

The ability to share the information will benefit organizations in two ways: to be able to make purchase decisions as well as to guide incident response activities, Soehren-Jones says. When an issue is identified, organizations have the daunting task of examining every possibility to assess their exposure. Having the bill of materials already in the library means organizations can just work down a list.

The platform will also focus on workflow orchestration, allowing organizations to get information about things that need to be fixed, provide a way to log the changes that were made, and generate an audit trail that can be shown to regulators to prove that the necessary steps were taken, Soehren-Jones says.

“Log4j is the quintessential business case \[for software bill of materials\],” Soehren-Jones says. “We are still scanning, and it can take up to a year to figure out all places we are impacted.”

Fortress Tackles Supply Chain Security, One Asset at a Time

The rebranded Microsoft Purview platform integrates Microsoft 365 Compliance and Azure Purview, and adds new capabilities and products to help manage data no matter where it resides.

The shift to a hybrid workplace has forced organizations to rapidly adopt cloud technologies and remote access tools to enable ubiquitous connectivity.

That in turn has generated more data than ever before, and organizations are faced with the prospect of securing their data, managing data governance, and keeping up with compliance requirements. Collaboration tools can result in sensitive data leaks if not properly managed. Microsoft announced changes in its data governance platform to help customers see their assets across their entire data estate, along with helping to manage risks and regulatory compliance.

Microsoft has rebranded Azure Purview, which became generally available last fall, to Microsoft Purview and brought over the products that used to make up Microsoft 365 Compliance. Microsoft Purview also features new functionality in Microsoft Purview eDiscovery to improve identification of data stored in Teams; the general availability of Microsoft Purview Data Loss Prevention for macOS; and a preview of the ability to create encrypted documents for iOS and Android platforms.

Microsoft Purview will bring "that chief data officer and their team together with the risk officer, the compliance officer, and \[have\] a unified view and ability to manage data," says Alym Rayani, general manager of compliance and privacy at Microsoft.

For organizations, getting a sense of what data they have is a growing challenge, as is making sure the data isn’t leaving the organization in an unauthorized manner. Data has become the "lifeblood" of how businesses operate, says Rayani, but knowing what the organization has, or where it is even stored, is a growing challenge. The rapid adoption of cloud applications and remote access tool have expanded the data estate. An example would be how more employees are exchanging data using Microsoft Teams — not just in the chat or conversations, but also sharing files.

"Data lives everywhere. There's a lot of it," Rayani says, noting that about 93% of customers told Microsoft they store data across multiple clouds and multiple solutions.

**Understanding the Data**  
Before organizations can do anything about their data, they have to first understand it. Toward that goal, Microsoft expanded its sensitive information type catalog with more than 50 new classifiers, such as those covering patient and healthcare data. There were already 250 classifiers, for data elements such as credit card and Social Security numbers, Rayani says. These classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva.

The classifiers are necessary to identify sensitive data, and to allow organizations to create policies that accommodate the specific requirements for each type. There may be patient records that are considered confidential even if payment card numbers or Social Security numbers are not included.

"One of the things we've been hearing from customers is, 'Hey, I need to get a good understanding of my data environment, my data landscape. It lives across a range of systems. It lives in apps. It lives in different platforms,'" Rayani says.

**Governance to the Forefront**  
Microsoft Purview is not just about visibility or classifying data, but can give organizations governance tools that extend all across the data environment. Data leak prevention is one example, but another important area of data governance is insider risk management, Rayani says. While the idea of a malicious insider — the person trying to steal confidential information and intellectual property — is a classic example of insider threat, there is also a lot of the "inadvertent" insider — the one who accidentally exposes data while trying to do their job.

For example, a marketing employee trying to share something over Teams may violate data leak prevention policy. With Microsoft Purview, organizations have tools to warn the user in the moment that there is a policy violation, block the action, and offer an alternative method, such as a secure SharePoint site, Rayani says.

  

    

How each of the products in the Microsoft Purview family are branded. Source: Microsoft

Organizations frequently have to stitch together multiple products to give security, governance, compliance, and legal teams a clear view of what is happening in their environment. Almost 80% of IT decision-makers in the United States purchased multiple products to do so, and a majority had purchased three or more, according to a recent Microsoft survey. This patchwork of products can expose infrastructure gaps and is both costly and complex to manage, Jessica Hawk, Microsoft's corporate vice president of data, AI and mixed reality, wrote on the Azure blog. Microsoft Purview's goal is to provide a unified view to improve security, privacy, and compliance, she wrote.

The company will continue strengthening the integration between Azure products and Microsoft 365, as well as adding new capabilities. For example, sensitivity labels — which designate the data classification — will be consistent across products, and they will be viewable in both Microsoft Purview's compliance portal (formerly Microsoft 365 Compliance) and governance portal (Azure Purview).

"We believe the new way to optimize your data strategy is to deliver a unified view of data in the organization across hybrid, multicloud environments by bringing together the business users of data with the protectors of data," Hawk wrote.

Microsoft Launches Purview Platform to Govern, Protect, and Manage Sensitive Data

Three flaws present in consumer laptops can give attackers a way to drop highly persistent malware capable of evading methods to remove it, security vendor says.

**_\[Editor's Note: This article was updated on 4/20/2022 at 12:28pmET with comments from Lenovo\]_**

More than 100 different Lenovo consumer laptop computers, used by millions of people worldwide, contain firmware-level vulnerabilities that give attackers a way to drop malware that can persist on a system even after a hard-drive replacement or operating system re-install.

Two of the vulnerabilities (CVE-2021-3971 and CVE-2021-3972) involve Unified Extensible Firmware Interface (UEFI) drivers that were meant for use only during the manufacturing process but inadvertently ended up being part of the BIOS image that shipped with the computers. The third (CVE-2021-3970) is a memory corruption bug in a function for detecting and logging system errors.

ESET discovered the vulnerabilities and reported them to Lenovo in October 2021. The hardware maker this week released BIOS updates addressing the flaws in all impacted models. However, users will have to install the updates manually unless they have Lenovo's automated tools to assist with the update.

UEFI firmware ensures system security and integrity when a computer is booting up. The firmware contains information that the computer implicitly trusts and uses while it boots up. So, any malicious code embedded in the firmware would execute before the computer even boots up and before security tools have had a chance to inspect the system for potential threats and vulnerabilities.

In recent years, a handful of malware tools have emerged that were designed to modify UEFI firmware to install malware during the supposedly secure boot-up process. One example is LoJax, a highly persistent firmware-level rootkit that ESET and others observed being deployed as part of a broader malware campaign by Russia's Sednit group. Another example is MoonBounce, a firmware level malware dropper that researchers from Kaspersky recently observed being used as part of a cyber espionage campaign.

Martin Smolár, malware analyst at ESET, says the two Lenovo drivers that were mistakenly included in the production BIOS without being properly deactivated give attackers a way to deploy similar malware on vulnerable Lenovo consumer devices.

"Exploitation of these vulnerabilities would allow attackers to directly disable crucial system security protections," Smolár says. Attackers with privileged access on a vulnerable system can simply activate the old firmware drivers and use them to turn off protections such as BIOS control register bits, protected range registers, and UEFI Secure Boot that prevent privileged users from making changes to system firmware. As a result, exploitation of these vulnerabilities would allow attackers to flash or modify firmware and execute malicious code, he says.

Meanwhile, CVE-2021-3970, the third vulnerability that ESET researchers discovered, allows arbitrary reads and writes from and into System Management RAM (SM RAM) — or memory that stores code with system management privileges. This gives attackers an opportunity to execute code with system management privileges on vulnerable systems, ESET said.

In an emailed statement, Lenovo thanked ESET for alerting the company about the vulnerabilities. "The drivers have been fixed, and customers who update as described in the Lenovo advisory are protected," the statement said. "Lenovo welcomes collaboration with BIOS researchers as we increase our investments in BIOS security to ensure our products continue to meet or exceed industry standards." 

The company's advisory described the flaws as being of medium severity and enabling privilege escalation for attackers that exploited them. The company said CVE-2021-3970 resulted from insufficient validation in some Lenovo models. Lenovo attributed the other two vulnerabilities to its failure to deactivate and remove drivers that were used in older manufacturing processes.

The advisory also includes instructions on where users with impacted devices can find the appropriate BIOS update and how they should install it.

Millions of Lenovo Laptops Contain Firmware-Level Vulnerabilities

Mandiant data also shows a dramatic drop in attacker dwell time on victim networks in the Asia-Pacific region — to 21 days in 2021 from 76 days in 2020.

The length of time attackers remained undetected on a victim's network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant.

Mandiant in its IR cases found that companies have tuned their detection capabilities to find the most dangerous attacks quickly, with ransomware detected within five days on average; non-ransomware attacks remained active for 36 days in 2021, down from 45 days in 2020. But the quicker detection of ransomware attacks may not necessarily be positive, instead being due to the activation of the payload, says Steven Stone, senior director of adversary operations for Mandiant.

In general, however, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms, and government agencies and security firms often notify victims of attacks, leading to faster detection, he says.

"We think the combination of factors like these contributes to what we already see as year-over-year improvements in these regions," Stone says. "Ultimately, initial threat vectors come down to attacker choices and the availability of different vulnerabilities. Overall, we see some attack groups use different methods concurrently, likely showing a preference per target efforts."

Companies have improved their detection times dramatically over the past decade, reducing the time to detect attackers by nearly a factor of 20, from 418 days in 2011 to 21 days in 2021, according to the Mandiant M-Trends 2022 report.

    

Source: Mandiant

The improvement in company's detection capabilities varied significantly by region, with firms in the Asia-Pacific region seeing a dramatic drop in so-called "dwell time" to 21 days in 2021, from 76 days in 2020. European companies also saw a significant decrease to 48 days, from 66 days in 2020, while North American companies' detection did not change, staying level at 17 days.

**Attackers Love Cobalt Strike**  
The most popular attack tool remained the Beacon backdoor, which accounted for 28% of all identified malware families. Beacon is a component of the Cobalt Strike penetration testing tool, which is also popular with malicious attackers. Other attack tools quickly dropped off in frequency and include the Sunburst backdoor for .NET environments, the Metasploit penetration testing platform, and SystemBC, a proxy toolkit.

Overall, two methods of initial compromise — exploiting vulnerabilities and attacks through the supply chain — accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020, according to Mandiant. The changing tactics underscore that companies need to keep informed of attackers' techniques, Jurgen Kutscher, executive vice president for service delivery at Mandiant, said in a statement announcing the report.

"In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals — such as asset, risk, and patch management," he said. "The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organizations successfully navigate an attack and quickly return to normal business operations."

**Active Directory in the Bullseye**  
In another trend, attackers are increasingly taking aim at hybrid Active Directory (AD) installations, because misconfigurations in the hybrid identity model — where credentials and keys are synchronized between on-premises AD services and Azure Active Directory in the cloud — lead to compromises, Mandiant stated in the report.

Companies should treat hybrid Active Directory servers as the most sensitive level of assets, tier 0, and only allow access from privileged workstation from a segmented network. Along with monitoring, these steps should make exploitation much more difficult, says Evan Pena, managing director of Mandiant's global red team.

Luckily, implementing best security practices for hybrid AD servers is not hard to get right, he says.

"As companies move their resources to the cloud while using hybrid models, attackers will target these hybrid servers to achieve both domain and cloud compromise," he says. "It is common for these hybrid servers to have high-level privileges to on-premises servers — \[such as\] domain controllers — and cloud resources."

Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks, says Pena.

Source

DARKReading