If your company uses computers, one of many applications you depend on might be susceptible to an unknown threat that your existing cybersecurity solutions cannot detect before it’s too late. This can be an exploit (Log4j) or an otherwise legitimate and even digitally signed software that was maliciously modified during an update (SolarWinds, Asus, Kaseya).
Mainstream cybersecurity solutions are not designed to effectively address unknown threats or provide efficient constant monitoring without flooding your systems with false positives. Therefore, such attacks often go unnoticed for months or even years. When activated, they cause severe reputational, financial, and operational damage.
Spurious Communication Detection and Response (SCDR) is a new cybersecurity approach to such threats. We have been testing its practical implementation and found it promising as it was able to produce quick and precise alerts of unexpected application activity. In other words, it can tell you if your freshly updated music streaming application started to send your company data to shady corners of the internet.
If you are concerned about supply chain or other unknown cybersecurity risks, we would love to get in touch and hear your thoughts.
In your everyday work, whether you like it or not, you rely on computers either directly (you might be sitting in front of one right now, reading this) or indirectly (the company emails that you “only read on your phone” can be stored on company servers). Every computer needs software, and the software comes from external sources. Even if your company develops some applications internally, it will be “some”, not “all”, and to develop applications you’d need… other applications. There is no escape.
From the point of view of the user, a software application is a black box that happens to edit photos, play music, edit text, serve files, etc. You trust that it does that and nothing more. What if the application has an error in its logic that allows someone from outside to take it over? That is what an exploit is, and if the exploit is brand new, unknown to the world, it is called a 0-day exploit. Exploits, and especially 0-days, are hard to catch in traditional ways because they are not similar to “known bad things”, but more on that later.
There is also another possibility: your company has state-of-the-art, multilayered security and all software updates are applied quickly to limit the possibility of exploitation, but how do you know that the updates being installed are not malicious? Multiple times in the past, attackers have managed to enter the computer systems of application vendors and insert their malicious code. What happens next is that the vendor, unknowingly, builds a new, malicious version of the application and delivers it to you. It is digitally signed, it comes from a trusted source, and it can even be installed automatically by the application without any approval from your side.
To name a few incidents that were widely discussed in public:
CCleaner in 2017 — a version modified with malicious code was distributed as an update to over 2 million customers.
Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users
Asus in 2019 — the Live Update software was maliciously modified and delivered to computers produced by Asus through the official update servers. Before it was detected, it was installed on an estimated 500 million computers.
Operation ShadowHammer | Securelist
SolarWinds in 2020 — IT management software Orion was infected during production and later sent out to all customers as an update. Malicious code affected 100 private sector companies and 9 federal agencies.
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | Mandiant
Kaseya in 2021 — customers received an official update that downloaded ransomware and encrypted their systems. Over 1000 companies worldwide were affected.
Rapid Response: Mass MSP Ransomware Incident
Log4j exploit in 2021 — a recent, famous vulnerability in the Log4j library, which is a common building block of many applications. The ease of exploitation made this 0-day widely used in attacks, and although it was only disclosed recently, the vulnerability had existed in the code since 2013.
What is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what’s at stake
As you can see, the victims in those cases did not belong to a special group, but to a very common one: computer users. Only one attack was discovered quite quickly, because encrypting all the data of all the customers is a very visible action; all the other attacks were silently ongoing for a long time. The Log4j vulnerability existed since 2013 and became famous in 2021 because it was publicly disclosed. Was it exploited silently before that? We don’t know.
It is true that security guidelines and best practices are out there, but when we start to talk about supply chain attacks and exploits, the answers become fuzzier and more generic.
If you read recent reports from the European Union Agency for Cybersecurity (ENISA) (Understanding the increase in Supply Chain Security Attacks — ENISA) or the Cybersecurity and Infrastructure Security Agency (CISA) (Defending Against Software Supply Chain Attacks), you will see that the advised preventive measures are:
You can also ask your current security software vendors, but they won’t give you any specific solution, instead pointing at a multilayered security approach that should catch anomalies at some point.
All of the above is great to have and gives a solid security, but real life examples show that there’s nothing that would allow you to detect and mitigate such attacks the moment they happen.
Yes, there are, and there are a lot of them. Do they solve all the problems? No, there is no silver bullet when it comes to security solutions. That is why, if you follow any “best practices”, you already know that the protections should be multilayered: if the first line of defense does not detect something, there is a second, a third, and so on.
The common security products companies use are:
Classic antivirus software — excels at detecting known threats and threats similar to known ones; the problem begins when the attack is new, like a 0-day exploit, or comes from a trusted, digitally signed application. In the cases of SolarWinds and Asus, the malicious update came from a legitimate source and had all the digital signatures in place.
EDR/XDR — excels at collecting data about everything that happens in the system, but the amount of data sometimes makes it hard to correlate and extract the important parts from all the noise. The information filtering looks for anomalies and is based either on artificial intelligence verdicts or on a set of hand-made rules. In the case of SolarWinds, the malicious element was part of the official software, and to communicate with the attackers it mimicked legitimate network traffic patterns.
Firewalls — often based on blocklists plus anomaly detection, which means they can have similar problems when the application is trusted and pretends to operate in a standard way.
Sandboxes — they are great at detecting threats that can be missed by a firewall or antivirus alone. They pretend to be a normal computer and quietly observe whether the analyzed application behaves in suspicious ways. The problem is that they cannot run the analysis forever, so if nothing happens during the first minute or two, they move on. In the case of SolarWinds, the malicious part activated itself only many days after installation; before that it stayed invisible. Another problem is that the sandbox is not really your computer: for example, the malicious part in Asus Live Update would activate only on computers with particular hardware identifiers, so it would be invisible to a sandbox.
Yes, there is a clear gap in current security software. Moreover, all of the non-software procedures, such as checking the security posture of all your vendors and their supply chains, are only periodic and in some cases might not be possible at all.
If you read through the cybersecurity predictions for 2022 (The Top 22 Security Predictions for 2022), the “rise of supply chain attacks” is present in most of them, and it is also mentioned on multiple occasions that this kind of attack is still in its infancy. If the infant can infect millions of computers and cause a company to lose 11% of its annual revenue (New Research Finds the SolarWinds Cyber Attack Cost Affected Companies in Key Sectors 11% of Total Annual Revenue on Average — Bloomberg), then imagine what will come next.
What if you could continuously monitor communication as it happens, in the place where it happens (directly on the computer or server), and know immediately whether it should be happening at all? We propose a new category of cybersecurity product, Spurious Communication Detection and Response (SCDR). You can think of it as a specialized set of functionality somewhere between XDR and a firewall.
This specialization allows it to solve particular shortcomings of current solutions while avoiding the information and alert noise that haunts other solutions. The goal is to reduce reaction time from months to seconds, which is important if you want to quickly detect and stop malware stealing your customers’ data, or ransomware encrypting your databases.
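To make the idea concrete, here is an added example (not Forelens code, and not a description of the patent-pending product) of the core detection logic such an approach rests on: a per-application baseline of expected network destinations, learned on a clean host during an observation period and extended with defender-curated allowlist patterns, against which every new connection is checked on the host itself. The agent log format, application names, versions and destinations below are all constructed for the example.

```python
"""SCDR-style monitor (illustrative): flag connections an application was never
expected to make. Baseline = per-application set of allowed (destination, port)
entries; an entry is an exact host/IP, a '*.suffix' wildcard, or a CIDR block."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    ts: str       # timestamp from the host agent
    app: str      # executable name that opened the connection
    version: str  # application version at the time of the connection
    dest: str     # destination hostname or IP literal
    port: int


@dataclass(frozen=True)
class Alert:
    ts: str
    app: str
    dest: str
    port: int
    reason: str
    after_update: bool  # True if the app's version changed since the baseline was learned


def parse_event(line: str) -> ConnEvent:
    """Parse one constructed agent line: '<ts> app=<exe> ver=<version> dest=<host|ip> port=<n>'."""
    ts, *rest = line.split()
    kv = dict(item.split("=", 1) for item in rest)
    return ConnEvent(ts, kv["app"], kv["ver"], kv["dest"], int(kv["port"]))


def dest_matches(dest: str, pattern: str) -> bool:
    """Match a destination against an allowlist entry (exact, '*.suffix', or CIDR)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '*.musicapp.example' -> '.musicapp.example'
        return dest.endswith(suffix) or dest == pattern[2:]
    if "/" in pattern:
        try:
            return ipaddress.ip_address(dest) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # dest is a hostname, not an IP literal: cannot match a CIDR
            return False
    return dest == pattern


class Baseline:
    def __init__(self):
        self.allowed = defaultdict(set)  # app -> {(pattern, port)}
        self.version = {}                # app -> version observed while learning

    def learn(self, events):
        """Record exact destinations seen during a clean observation period."""
        for ev in events:
            self.allowed[ev.app].add((ev.dest, ev.port))
            self.version[ev.app] = ev.version

    def allow(self, app, pattern, port):
        """Defender-curated entry, e.g. a CDN wildcard or an internal subnet."""
        self.allowed[app].add((pattern, port))

    def check(self, ev):
        """Return None if the connection is within baseline, else the alert reason."""
        if ev.app not in self.allowed:
            return "unknown application"
        for pattern, port in self.allowed[ev.app]:
            if port == ev.port and dest_matches(ev.dest, pattern):
                return None
        return "unexpected destination"


def detect_spurious(baseline, events):
    """Run monitoring-window events against the baseline and collect alerts."""
    alerts = []
    for ev in events:
        reason = baseline.check(ev)
        if reason:
            changed = ev.app in baseline.version and baseline.version[ev.app] != ev.version
            alerts.append(Alert(ev.ts, ev.app, ev.dest, ev.port, reason, changed))
    return alerts


# Constructed sample data: a week of clean observation, then a monitoring window
# in which the music player has been updated and starts talking to a new host.
OBSERVATION_LOG = """\
2023-03-01T09:00:01 app=musicplayer.exe ver=4.1.0 dest=stream.musicapp.example port=443
2023-03-01T09:00:05 app=musicplayer.exe ver=4.1.0 dest=cdn1.musicapp.example port=443
2023-03-01T09:01:10 app=backupagent.exe ver=2.0.3 dest=10.20.0.5 port=8443"""

MONITORING_LOG = """\
2023-03-08T10:00:00 app=musicplayer.exe ver=4.2.0 dest=cdn2.musicapp.example port=443
2023-03-08T10:00:02 app=musicplayer.exe ver=4.2.0 dest=203.0.113.77 port=8080
2023-03-08T10:00:09 app=backupagent.exe ver=2.0.3 dest=10.20.3.9 port=8443
2023-03-08T10:01:00 app=unknownhelper.exe ver=1.0 dest=198.51.100.4 port=443"""


def run_demo():
    baseline = Baseline()
    baseline.learn(parse_event(l) for l in OBSERVATION_LOG.splitlines())
    baseline.allow("musicplayer.exe", "*.musicapp.example", 443)  # curated CDN wildcard
    baseline.allow("backupagent.exe", "10.20.0.0/16", 8443)       # curated backup subnet
    return detect_spurious(baseline, [parse_event(l) for l in MONITORING_LOG.splitlines()])


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts} {a.app} -> {a.dest}:{a.port}: {a.reason}"
              + (" (first seen after an update)" if a.after_update else ""))
```

Two of the four monitored connections raise alerts: the updated music player reaching an address outside its learned and curated destinations (annotated as occurring after a version change, which is exactly the update-delivered-payload pattern of the incidents above), and a process with no baseline at all. The caveats matter as much as the logic: the baseline must be learned on a host you believe to be clean, hostnames are only as trustworthy as the agent's resolution of them, and a payload that exfiltrates through a destination already on the allowlist (the traffic-mimicking behaviour described for SolarWinds) is not caught by destination matching alone and needs the response side of the approach, such as per-connection volume and timing checks, to cover it.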
We are currently working on the first-in-market, patent-pending SCDR solution. If you are concerned about supply chain or other unknown cybersecurity risks, we would love to get in touch and hear your thoughts.
© 2023 Forelens