
More SolarWinds-style attacks are coming. Here’s how to stop them

Hacks that target the software-management supply chain are a scary new tool for cybercriminals. These steps could make them tougher to pull off.


Supply-chain hacks are an information-security problem we probably had coming. In retrospect, these hacks—which target the mechanisms companies employ to manage and update their software and systems—seem as inevitable as a virus evolving to infect more people.


And as the scope of the SolarWinds supply-chain hack shows, this problem is nearing pandemic proportions.

“These things are happening at a much bigger scale,” said Matt Tait, chief operating officer at the security firm Corellium, in a keynote last Wednesday that opened the Black Hat information-security conference with a concise description of this issue and some suggested bug fixes for it.

Tait, who tweets about information security issues as Pwn All the Things and whose career includes work at Google’s Project Zero vulnerability-research operation and the United Kingdom’s Government Communications Headquarters (GCHQ) intelligence agency, began by noting the business-model problems with traditional attacks that target a particular institution or individual.


Researching and selecting a target, finding a way into the target’s system, and exploiting that initial access to get data or extort money all impose real costs that limit an attacker’s ability to operate at scale.

A successful supply-chain attack flips the script on all of those factors, Tait said.

First, once an attacker compromises a software provider, the attacker may end up inside far more victims than it can handle and must screen out companies or organizations to keep things manageable.


“They needed to down sample the intrusion to 100 or so,” Tait said of the SolarWinds attackers, who exploited an IT-management platform used by some 30,000 customers to hit only 100 and change.

The usual next steps after an attacker’s initial entry into a targeted system—“privilege escalation” hacks to increase the reach of malware and “lateral movement” to get it implanted in other systems—also become irrelevant, since software supply chains already operate at high privileges and can go everywhere.

As Tait put it: “The update system will just automatically route my implant, my malware, past all of the cybersecurity defenses the organization might have.”


A variety of fixes

So what to do about supply-chain attacks? “The government is not going to fix this,” Tait warned. “The only way to tackle supply chain intrusions at the scale that is needed is to fix the underlying technology. And this requires platform vendors to step in.”

(In a Black Hat keynote Thursday, Cybersecurity and Infrastructure Security Agency director Jen Easterly emphasized how the government needed industry’s help: “We can’t do this alone, because over 80% of critical infrastructure is in private hands.”)

Tait offered a set of recommendations for different actors in the security ecosystem—all of which ought to make non-supply-chain attacks a little harder as well, and one of which might also complicate everyday computing.

First, he advised security researchers who discover “zero-day” vulnerabilities (so called because their novel status means they can be used against targets that have zero warning that they exist) to lock down those discoveries and avoid documenting them in such detail that an attacker could easily implement them.

Second, he urged companies running bug-bounty programs to stop requiring researchers to document complete exploits before getting paid for finding vulnerabilities.

By insisting on complete documentation, “you create this perverse incentive for security researchers not to publicize, not to report their vulnerabilities earlier,” Tait said. There’s also this bonus to not requiring full documentation: “The security researcher doesn’t have fully working chains on their laptop that can get stolen.”


Tait’s more challenging prescriptions applied to desktop and mobile operating system developers.

On the desktop, he’d retire the traditional system of having a few broad tiers of application privileges—which can set a fairly high floor for a program’s access—and replace it with far more limited “entitlements” that grant it permission to particular pieces of the system.

This would require Windows to become much more like Apple’s macOS, which has already moved far enough in a locked-down direction to draw unflattering comparisons to the security-warning-laden Windows Vista. But the Mac would itself have to operate more like iOS.


Such a transformation, Tait added, would still leave an “irreducible set of highly-permissioned apps” that need extensive access to do such sensitive chores as handling software updates. He urged extensive and regular auditing of those critical programs.
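To make the two models concrete, here is an added illustration that is not code from Tait’s talk or from any operating-system vendor. It contrasts the coarse privilege tiers Tait would retire with per-capability entitlements (default deny: anything an app did not declare is refused, whatever its tier), and then lists the apps whose declared entitlements still reach deep into the system, the “irreducible” set that would need regular auditing. All app names and entitlement names below are constructed for the example.

```python
"""Toy entitlement model (added example; hypothetical names throughout).

Two policy checks over the same app catalogue:
  * allowed_by_tier        -- coarse tiers: 'admin' can do anything
  * allowed_by_entitlement -- only explicitly declared capabilities
plus an audit report of apps that hold high-risk entitlements.
"""
from dataclasses import dataclass, field

# Constructed entitlement vocabulary; not a real OS's entitlement names.
ALL_ENTITLEMENTS = frozenset({
    "net.client", "net.listen", "fs.user-documents",
    "fs.system-write", "proc.inject", "svc.install", "update.apply",
})
# Entitlements that on their own let a program reach most of the system.
HIGH_RISK = frozenset({"fs.system-write", "proc.inject",
                       "svc.install", "update.apply"})


@dataclass(frozen=True)
class App:
    name: str
    tier: str                                   # "user" or "admin"
    entitlements: frozenset = field(default_factory=frozenset)


def allowed_by_tier(app: App, operation: str) -> bool:
    """Coarse model: an admin-tier program gets everything, so its access
    floor is the whole system; user tier gets only the low-risk subset."""
    if app.tier == "admin":
        return True
    return operation in (ALL_ENTITLEMENTS - HIGH_RISK)


def allowed_by_entitlement(app: App, operation: str) -> bool:
    """Fine-grained model: tier is ignored; only declared entitlements are
    granted, and unknown operations are denied (default deny)."""
    return operation in ALL_ENTITLEMENTS and operation in app.entitlements


def compare_models(app: App, operation: str) -> dict:
    """Decision of each model for one (app, operation) pair."""
    return {"tier": allowed_by_tier(app, operation),
            "entitlement": allowed_by_entitlement(app, operation)}


def audit_candidates(apps, max_high_risk: int = 0) -> list:
    """Names of apps holding more than `max_high_risk` high-risk
    entitlements: the set that cannot be sandboxed away and needs
    regular review, sorted for stable output."""
    return sorted(a.name for a in apps
                  if len(a.entitlements & HIGH_RISK) > max_high_risk)


# Constructed sample catalogue. 'mailer' is admin-tier but declares only
# two narrow entitlements; 'it-agent' is the updater-style program that
# legitimately needs deep access.
APPS = [
    App("notepad", "user", frozenset({"fs.user-documents"})),
    App("mailer", "admin", frozenset({"net.client", "fs.user-documents"})),
    App("it-agent", "admin", frozenset({"net.client", "svc.install",
                                        "update.apply", "fs.system-write"})),
]

if __name__ == "__main__":
    for app in APPS:
        for op in ("fs.user-documents", "proc.inject", "update.apply"):
            print(f"{app.name:9} {op:18} {compare_models(app, op)}")
    print("audit regularly:", audit_candidates(APPS))
```

The useful comparison is the admin-tier `mailer`: the tier model lets it inject into other processes simply because it sits in the admin tier, while the entitlement model refuses because it never declared `proc.inject`. Only `it-agent` ends up on the audit list, which is the point of Tait’s remark: entitlements shrink the set of programs whose compromise gives an attacker everything, but they do not shrink it to zero.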

As for mobile platforms, Tait wants Apple and Google to provide ways for security researchers to audit apps on their iOS and Android stores at scale: “We should be able to scan all applications in a given app store.” He called that difficult in Android and essentially impossible in iOS.

Tait did not mention that his employer has tangled with Apple at length over Apple’s allegation that Corellium’s recreation of iOS in a desktop virtual-machine environment infringes on its copyright.


But he did acknowledge early on in the talk that this is a hard problem that requires hard work. As he put it: “All of the easy answers are bad, and the harder answers are really difficult.”

About the author

Rob Pegoraro writes about computers, gadgets, telecom, social media, apps, and other things that beep or blink. He has met most of the founders of the Internet and once received a single-word e-mail reply from Steve Jobs.
