Safeguarding Against Cyber Supply Chain Compromises: Lessons from the XZ Utils Attack
The recent cyber-attack on XZ Utils, a popular software used for file compression, underscores the escalating threat landscape targeting software supply chains. The breach, which involved malicious code inserted into the software’s updates, exposed numerous systems to potential data breaches and malware infections. This event highlights the critical need for robust cyber security solutions to protect against supply chain vulnerabilities.
What is a Supply Chain Compromise?
A supply chain compromise involves the manipulation of products or product delivery mechanisms prior to receipt by the end user. In the digital context, this often means embedding malicious code or software in legitimate applications, which then infiltrates customer systems upon installation. The XZ Utils attack is a stark reminder of how adversaries can exploit trust within software distribution networks. This sophistication of this attack suggests it has been conducted by a state-sponsored actor.
What can Government Agencies do to defend against Supply Chain Attacks?
To defend against these sophisticated attacks, organisations need to implement a multi-layered security approach that not only enhances their defensive posture but also ensures the resilience of their supply chain. This article presents a few ideas for agencies to consider when developing or reviewing their cyber security strategy.
- Thorough Vetting of Third-Party Components.
Security with third parties starts with vetting who you are working with. Organisations must rigorously assess third-party software and components before integration into their systems. This includes conducting security audits, reviewing source code when available, and verifying the security practices of third-party vendors. For smaller agencies, the work required to achieve this might not be feasible therefore necessitating the outsourcing of this to a single trusted provider. - Develop a Software Bill of Materials.
A Software Bill of Materials (SBOM) is an essential component in enhancing the security and integrity of your software supply chain. By completing an SBOM, you are creating a comprehensive inventory of every component, both open source and proprietary, that makes up your software products. This transparency not only facilitates better management of your software components but also significantly mitigates the risks associated with supply chain compromises. With a SBOM, you can effectively track vulnerabilities, comply with regulatory requirements, and ensure that any problematic components can be quickly identified and rectified. For Australian Government agencies this is also an ISM requirement under Control: ISM-1730; A software bill of materials is produced and made available to consumers of software. - Continuous Monitoring and Updating.
Regularly updating software is crucial; however, these updates themselves can be vectors for an attack, as seen in the XZ Utils incident. Continuous monitoring of both the software and the behaviour of updates within network environments can detect anomalies that may indicate a compromise. The XZ Utils breach was discovered because an engineer investigated usual errors and performance issues within the software. - Use a Security Operations Centre (SOC).
Partnering with external SOCs can enhance threat detection and response capabilities. These centres specialise in monitoring vast amounts of data and utilise advanced analytics to identify potential threats more efficiently than in-house resources alone. One major benefit is that customers gain the insights drawn from incidents against other customers. When there is an attack or exploit attempt against one, the SOC can proactively mitigate across all customers. - Incident Response Planning.
Developing and regularly updating an incident response plan is vital. This plan should include procedures for isolating compromised components, assessing the scope of damage, and communicating with stakeholders. Swift response not only limits damage but also aids in quicker recovery. When issues such as the XZ Utils compromise arise, having a plan ready to go is vital to ensure the rapid triage and response. - Ensure Sovereign Data Storage and Management.
Maintaining control over where and how data is stored and managed helps mitigate risks associated with jurisdictional exposures and foreign surveillance laws. Sovereign data storage ensures that data laws applicable to the country of origin are strictly followed, providing an additional layer of security. While some providers maintain that they ensure data sovereignty, their foreign ownership presents an opaque reality where they may be forced to comply with foreign Government requests. - Secure Configuration and Access Controls.
Implementing least privilege access controls and securing configurations can significantly reduce the attack surface available to malicious actors. This includes using strong authentication methods and limiting administrative privileges to only those who need them. This prevents lateral movement and makes it more difficult for a threat actor to operate undetected. - Build a Resilient Supply Chain.
The complexity of modern supply chains requires a proactive approach to cyber security, particularly given the increasing reliance on software solutions that may themselves become targets. The XZ Utils attack serves as a reminder that security is not just about direct defences against attacks but also about ensuring the integrity of the components that make up an organisation’s infrastructure through defence-in-depth.
Conclusion.
Securing against supply chain compromises requires vigilance, sophisticated cyber security solutions, and a comprehensive strategy that includes collaboration with specialised partners. By integrating continuous monitoring, enforcing strict access controls, and maintaining sovereign control over data, organisations can protect themselves from the potentially devastating effects of these cyber-attacks. As the digital landscape evolves, so too should the strategies to defend it, ensuring that trust in technology can be maintained in an increasingly interconnected world.
