The enemy is at the gates. The enemy is inside our computer networks. The enemy is within our very code, training its sights on the technology that runs the world.
In recent years, geopolitical tension has been escalating in cyberspace, with the war in Ukraine spawning systemic cyberattacks against Western critical infrastructure. The enemy is waging cyber-war, with nation states having already launched or readying cyberattacks against critical infrastructure. Countries such as Russia and North Korea have been implicated in attempts meant to cripple their adversaries’ infrastructure, be it power grids, healthcare facilities, transportation and utility companies, semiconductor companies, state and county governments, and even domestic violence shelters.
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an ominous advisory on imminent Russian cyberattack campaigns launched by Russian cyber-militias.
Given these stark realities, we need a paradigm shift. The cybersecurity industry’s perimeter-based defensive posture can no longer sufficiently protect us. The enemy is tunneling under the castle walls, and the arrow slits and moats we’ve been hiding behind are no longer enough to hold cyberattackers at bay.
It’s time we awaken to the stark reality that 100% prevention is impossible. We need to embrace the construct of intrusion suppression.
Waging a counter cyber-insurgency
In the earlier days of this insurgency, adversaries launched cyberattacks against single targets. But warfare has evolved: An increasingly common tactic is for attackers to island hop instead. In island hopping, malicious cyber actors go after organizations’ third-party partners, using them as access points from which to worm their way into a primary target’s network. It’s a cunning strategy: Island hopping enables attackers to circumvent their primary target’s defenses by exploiting the networks of partners that the company already trusts enough to have granted them network access.
A prime example is the SolarWinds breach: a 2020 supply-chain attack attributed to Russian government hackers that compromised U.S. agencies, including the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign. In that attack, the government agencies were breached through SolarWinds’ Orion software. Microsoft reported that the hackers acquired superuser access to SAML token-signing certificates, then used the certificates to forge new tokens that gave them trusted and highly privileged access to networks.
This is today’s reality: Adversaries island-hop through software supply chains as they did with SolarWinds’ Orion software — an attack that Microsoft President Brad Smith said was "the largest and most sophisticated attack the world has ever seen."
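The token forgery described above works because a relying party trusts anything signed by the identity provider’s token-signing key, for as long as the token claims to be valid. The defender’s levers are therefore the trust set (retire the compromised key so its signatures stop being honoured) and the validity window (refuse assertions that live far longer than legitimate logins do). The following is an added illustration, not code from the original article or from Microsoft or SolarWinds; it is a toy model in which HMAC keys indexed by key id stand in for X.509 token-signing certificates, and all key ids, keys and claims are constructed.

```python
import hashlib
import hmac
import json

# Policy assumption (constructed): legitimate federation tokens live for
# minutes or hours, so anything valid for longer than this is refused.
MAX_VALIDITY_SECONDS = 3600


def sign_token(key_id: str, key: bytes, claims: dict) -> dict:
    """Issue a token: canonical JSON claims plus HMAC-SHA256, tagged with key id.
    Stand-in for an IdP signing a SAML assertion with its token-signing cert."""
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"kid": key_id, "claims": claims, "sig": sig}


class RelyingParty:
    """Service provider that honours only the IdP's *current* signing keys."""

    def __init__(self, trusted_keys: dict):
        self.trusted_keys = dict(trusted_keys)  # key id -> key bytes

    def rotate(self, old_key_id: str, new_key_id: str, new_key: bytes) -> None:
        """Retire a (possibly stolen) key; every token it signed is refused from now on."""
        self.trusted_keys.pop(old_key_id, None)
        self.trusted_keys[new_key_id] = new_key

    def verify(self, token: dict, now: int) -> tuple:
        """Return (accepted, reason). Checks trust set, signature, window, lifetime."""
        key = self.trusted_keys.get(token["kid"])
        if key is None:
            return False, "untrusted-signing-key"
        payload = json.dumps(token["claims"], sort_keys=True).encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False, "bad-signature"
        c = token["claims"]
        if not (c["nbf"] <= now < c["exp"]):
            return False, "outside-validity-window"
        if c["exp"] - c["nbf"] > MAX_VALIDITY_SECONDS:
            return False, "validity-exceeds-policy"
        return True, "ok"
```

Rotating the key makes every previously issued token, legitimate or forged, fail verification at the relying party, which is why post-incident guidance pairs key rotation with a forced re-authentication of users.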
Specifically, threat actors are laying siege to the software development, integration and delivery infrastructure of the supply chain via a myriad of attack classes, such as:
- Command injection
- Cross-site scripting (XSS)
- Expression language injection
- Method tampering
- Path traversal/local file inclusion (LFI)
- SQL and NoSQL injection
- Untrusted deserialization
- XML external entity processing
Research shows that a typical application in production is assailed by more than 13,000 attacks each month.
We must accept that malicious actors will get into the environment. To prevent escalation, we must act. We must suppress these campaigns. We must treat each vulnerability as a potential attack. Continuous monitoring must extend to development, as context is paramount.
The recent memorandum from the White House on “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” underscores the national security implications of inaction. The necessity to make our technology resilient and secure, to ensure “the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries,” is “not theoretical,” the White House advised. “Foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure.”
The malicious code slipped into the SolarWinds software was a “small change” that created a backdoor into the digital infrastructure of both private sector companies and federal agencies, and it was only one of what the government called “a string of cyber intrusions and significant software vulnerabilities” that over the last two years “have threatened the delivery of Government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector.”
It’s war, in other words. But we can, and must, fight back.
How to suppress code intrusions
Given that nation-state attack campaigns hijack digital transformation and subsequently leverage integrity attacks, we must embrace intrusion suppression to combat advanced cyberthreat adversaries.
Best practices include:
- Detect and prevent runtime exploitation of known and unknown application vulnerabilities in production with intelligent runtime protection. This shields organizations against emerging zero-day vulnerabilities and entire classes of application security attacks.
- Automate and instrument the identification of vulnerabilities. This yields actionable remediation guidance that lets developers find unknown vulnerabilities and fix them as they code, during functional testing.
- The velocity of change requires that we discover zero days in libraries and frameworks. This means testing and protecting the third-party open-source code moving through your supply chain, with continuous monitoring in production using Software Composition Analysis (SCA) tools. SCA provides insight into known Common Vulnerabilities and Exposures (CVEs) and other issues in the libraries your applications depend on, automating visibility into open-source usage for risk management, security and license compliance.
- Employ security for application programming interfaces (APIs) before the adversary hijacks them. For this, you need an integrated, modern API security platform, which provides an up-to-date inventory of APIs that are relevant, in-development and exposed; conducts runtime analysis during functional testing that enables you to remediate as you code; enables you to find known vulnerabilities in active third-party libraries, frameworks and services; identifies probes and attacks on both known and unknown vulnerabilities; and prevents exploits.
In 2023, defending from within will be paramount. We must accept that supply chain attacks will increase. Therefore, we must invert the security paradigm to defend from within. Application security must be viewed as a functionality of conducting business, not an expense.
To paraphrase the great French literary figure Charles Baudelaire, “The greatest trick the devil ever pulled was to convince the world he didn’t exist, and that devil is in your code.”