Maintaining Best-practice Strategy Against Supply Chain Attacks
Why businesses need to improve code signing security to defend against supply chain attacks
By Professor Yehuda Lindell, CEO at Unbound Security
A supply chain attack is a specific type of attack which works by infiltrating a vendor of a targeted organization in order to gain access via the vendor’s software. To best understand the concept, it’s the equivalent of avoiding the gung-ho approach of breaching the front entrance of a bank with weapons in hand and instead infiltrating the armored-car company in order to make off with the cash.
Worryingly, the number and intricacy of attacks are rising – evidenced by the breaches of SolarWinds, Mimecast and much more. In a recent report by ENISA (the European Union Agency for Cyber Security), it is predicted that there will be four times the number of supply-chain attacks in 2021 than there were in 2020. The report also includes an analysis of recent supply-chain attacks, depicted in the figure below.
As a result of this trend, and the major impact that supply-chain attacks have, organizations can no longer afford to be complacent and must wake up to the threat to avoid falling victim. However, for IT professionals to address the risks, it’s crucial to understand how attacks are initiated.
The role of code-signing
One of the most significant ways of carrying out a supply chain attack is by breaking the code-signing process. Code-signing system breaches are particularly detrimental since signed code is considered trusted. This means that it is easily distributed, and organizations using that software will install it under the assumption that it is valid.
For example, should an attacker be able to steal or even just misuse the code-signing key of a commonly used accounting software company, they could then construct a seemingly legitimate update that is hiding malware within it. This then has implications for any customer of that company, as the malware will then infect their machine if they choose to update their software. One example is the malicious firmware pushed to customers worldwide to update ASUS computers with malicious software in 2019, estimated to have affected 500,000 Windows machines. This is also what makes such attacks so damaging – the attackers don’t obtain access to a single vendor, but rather they use access to a single vendor in order to gain access to potentially the hundreds or thousands of that vendor’s customers.
Of course, the problem is not with the code-signing itself. Code signing is a mission-critical process that is essential to enable users to verify the validity of software before initiating installation or an update, providing confidence in the software. Rather, the problem lies with the ad hoc approaches many organizations are taking that prove ineffective in preventing the theft or misuse of code-signing keys. In many instances, private code-signing keys are managed manually and independently by different development teams. Managing keys in this manner is a complex, inefficient and dangerous undertaking, providing no central oversight of how keys are used and no ability to enforce company-wide policies. Furthermore, the poor audit process associated with this method means that the ability to detect an attack is significantly lessened, and after-the-fact forensics can take a very long time.
Best-practice protection
To mitigate the threat of supply chain attacks, there are a number of best practice steps organizations can take. First, with third-party vendors being the weakest link, organizations must ensure all software vendors provide security assurances that demonstrate best-practice strategies for detection, response and mitigation, with a secure code-signing system in place.
Second, organizations must prevent a single point of failure. This is a strategy increasingly used to ensure resilience in IT, such as removing the reliance on one firewall so an effective backup is in place. In the context of code signing, it is crucial that there is no single machine that can be breached that will provide the ability to an attacker to generate a valid signature on malware. This means that code signing keys clearly cannot be left in the clear on developer machines, but also that build machines must not be able to request signatures on any code artifacts without additional checks.
Third, a unified key management solution is crucial for providing visibility into all code-signing operations, and for setting policies regarding who can sign, when and using what. Such methods can significantly reduce risk.
Fourth, unfortunately many attackers are sophisticated in their methods and will explore other points of entry to ensure access. Businesses therefore must take steps to limit their ability to move around networks once inside, by implementing zero-trust security policies and sufficient vendor access controls.
Finally, forming an incident response plan is crucial in battling against supply chain attacks, which will involve the consideration of key areas in terms of risk level and impact. Suppliers need to do the same to ensure they can respond quickly and help mitigate any risks posed to the organization.
Modernizing key management
Supply chain attacks have been around for some time, however, organizations are only now becoming waking up to the threat. Any business developing and using software must take precautions to protect the cryptographic keys used for code signing – both from theft and from misuse. This means implementing a strong security strategy that includes code signing, lock-down of the cryptographic keys used for authentication and elimination of single points of failure related to key management and prevention of misuse.
An extremely important factor is to achieve visibility into data, software, devices and activity around code-signing keys. A centralized key management system can bring greater clarity into usage, allow better enforcement of security policies, and enable an effective audit trail to be maintained.
Cryptographic keys also need to be protected, with careful audit and control at all times. One technology that is very useful for achieving this is MPC (Multi-Party Computation). MPC eliminates single points of failure in management operations and runtime transactions by enabling the use of cryptographic keys without ever having them in a single place. Organizations can split the secret key into two or more pieces and place them on different servers and devices to ensure that no single machine holds a cryptographic key that can be stolen. Code can be verified (e.g., scanned using a malware scanner) before any machine will agree to participate in generating the required digital signature on the code. This makes it much harder for an attacker to obtain the fraudulent signatures it needs for the supply-chain attack.
By adopting the mindset of always assuming a breach, IT departments and the wider organization can be better prepared in the event of the worst-case scenario.
About Professor Yehuda Lindell, CEO, Unbound Security
Professor Yehuda Lindell is the CEO and co-founder of Unbound Security. Yehuda is also a professor of Computer Science at Bar-Ilan University in Israel, and a cryptographer with expertise in secure multiparty computation (MPC) that forms the technological core of Unbound’s solutions. He has published over 100 scientific articles and authored one of the most widely used textbooks on modern cryptography. Yehuda served as the Chief Scientist of Unbound from its inception until February 2019, when he took over the role as CEO.
Follow Yehuda and Unbound Security on Twitter at:
For more information visit: https://www.unboundsecurity.com/