Supply Chain Cyber Security

I’ve noted that cyber security news has been inundating my inbox. As well, media relations people have identified me as a supply chain writer/analyst. It’s one of those indications of the broadening of the market I serve. This news concerns the first product of a new company–Chainguard.

We’re announcing our first product, Chainguard Enforce–a software supply chain solution that is native for Kubernetes workloads. Chainguard Enforce enables you to define, observe, distribute, and enact policies that ensure only trusted container images are deployed and run in your clusters. The goals of Chainguard Enforce are to deliver a seamless developer experience with security built in, and a platform for CISOs to manage organization-wide security controls. 

After speaking with over 50 organizations about their software supply chain challenges, it was clear security leaders share a similar concern: it’s impossible to be confident about the code running in production environments. There are limited options for production supply chain security policy management today, yet emerging frameworks like SLSA and NIST’s SSDF require it. 

“Insider risks are top of mind for us. The capabilities Chainguard Enforce provides are filling critical gaps across our organization.” said Jim Higgins, CISO for Block.

Component Breakdown

Chainguard Enforce consists of four main components as well as a developer-friendly CLI and UI: a Policy Agent, Build System Integrations, Continuous Verification, and an Evidence Lake. 

The read-only Policy Agent provides support for per-cluster policy and webhook configurations that can all be centrally managed and administered across multi-cluster environments. The Agent integrates with many Kubernetes platforms like EKS, AKS, and GKE today. It comes with a curated set of policy definitions based on the open-source SLSA and NIST SSDF standards, and also supports a full policy language for defining custom policies.

Chainguard Enforce includes Build System Integrations for most popular CI platforms like GitHub Actions, CircleCI, BuildKite, and GitLab to establish a record of what source code was used to build each container. In most cases, it takes less than a day for DevOps teams to install and configure these build system integrations.

Continuous Verification ensures that deployed container images stay in compliance with your defined policies and any deviations will trigger an alert.

Last but not least, the Evidence Lake is a real-time asset inventory that provides visibility into the security posture across an organization. The data can be used to power developer tooling, incident recovery, debugging, and audit automation. There are also integrations available for popular alerting and ticketing platforms such as Slack and Jira.

HPE Blog Discusses Zero Trust on IoT Devices

I was invited into the HPE Influencer group through its development of an IoT group. I wrote a couple of times about the Texmark refinery in Houston that was a cool IoT application. The IoT thing cooled there like everywhere–morphing into “edge-to-cloud” technology and architecture. However, here is a new blog post regarding IoT and Zero-Trust security from HPE and writer David Rand.

LESSONS FOR LEADERS 

  • There are fewer zero trust approaches for IoT than desktops, but you can still make a strong zero trust defense.
  • As on other platforms, zero trust for IoT means IT must do extra work and take extra care. That’s just the world we live in.
  • Enterprise IoT devices are a juicy target for attackers looking for a toehold in your network.

And here, from the blog:

Last March, a 21-year-old Swiss hacker successfully accessed and seized control of 150,000 smart industrial cameras developed by Verkada, a little known security-as-a-service company in Silicon Valley.

As hackers often do, the antagonist, still on the run from authorities, attacked security cameras in hospitals, factories, police departments, prisons, gyms, schools, and offices just to prove he could. In doing so, he also demonstrated how hard it has become to fully trust the cyberdefenses of those millions of internet of things (IoT) devices attaching to corporate networks around the world.

“Organizations are slowly waking up to the reality that their IT environments are not limited to the data center, office, or laptops their employees use to work from home,” says Craig Robinson, program director for worldwide security services at IDC. “IoT devices are increasingly on corporate networks, and traditional IT cybersecurity methods alone aren’t up to the task of ensuring they do not turn into major vulnerabilities.”

I’m receiving more news regarding cybersecurity than any other topic presently. Obviously hackers have noticed the pervasive networking throughout industrial and manufacturing plants and can’t avoid the temptation to see what they can do. Especially given Russian attacks on Ukrainian power plants in the current war. We all need to tap into as many ideas as feasible.

Another Cyber Threat Detected

Claroty’s Team 82 researchers have uncovered another cyber threat.

  • Team82 discovered a means by which it could blind the popular Snort intrusion detection and prevention system to malicious packets. 
  • The vulnerability, CVE-2022-20685, is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite while-loop.
  • A successful exploit keeps Snort from processing new packets and generating alerts. 
  • The vulnerability, which can be attacked remotely, has been patched by Cisco and the Snort team.
  • All open source Snort project releases earlier than 2.9.19 and release 3.1.11.0 are vulnerable.
  • Read Cisco’s advisory here for commercial product patching and mitigation information. 

Rockwell Automation Security Discovery

Cybersecurity continues to be the main news source coming through my inbox. Claroty, through its research arm called Team82, last week released a vulnerability disclosure regarding Rockwell Automation’s programmable logic controllers (PLCs) and highlighting findings from the team’s research, including the discovery of two new Stuxnet-type threats, vulnerabilities CVE-2022-1161 and CVE-2022-1159.

These vulnerabilities exposed Rockwell’s Logix Controllers and Logix Designer applications to attacks that can modify automation processes, allowing the attacker to fully damage systems without the user ever knowing.

Key findings in Team82’s vulnerability disclosure include:

CVE-2022-1161 affects numerous versions of Rockwell’s Logix Controllers and has a CVSS score of 10, the highest criticality.

CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity.

Modified code could be downloaded to a PLC, while an engineer at their workstation would see the process running as expected, reminiscent of Stuxnet and the Rogue7 attacks.

Rockwell has provided users with a tool that detects such hidden code. 

Users are urged to upgrade affected products to leverage these detection capabilities.

CISA has published an advisory warning users about the severity of these issues.

Rockwell Automation has also published advisories here and here.

Red Canary Annual Cybersecurity Threat Detection Report

Cybersecurity is such a big topic right now. For the past few months, many companies founded to take on cyber threats have sent news of many kinds. Most seem to be doing studies and issuing annual reports. This is news of research and a report form a managed detection and response provider called Red Canary.

This report analyzes 30,000 threats in customer environments to uncover trends, threats, and techniques from the 2021 threat landscape. Its fourth annual Threat Detection Report, an extensive report that’s based on analysis of more than 30,000 confirmed threats detected across customers’ environments in the past year.

The findings reveal that ransomware dominated the threat landscape in 2021, with groups adopting new techniques such as double extortion and “as-a-service” models to evade detection and maximize their earnings. The report explores the top 10 threats impacting the majority of Red Canary customers – from adversary favorites like Cobalt Strike to new activity clusters like Rose Flamingo – and the most common techniques that adversaries use to carry out these attacks, including guidance for companies to strengthen their ability to detect these threats.

“These threats are less sensational than you might find elsewhere, but they’re the ones that will impact the majority of organizations,” said Keith McCammon at Red Canary. “This report addresses highly prevalent threats and the tried-and-true techniques that are wreaking havoc on organizations. We take it a step further to explore in depth the adversarial techniques that continue to evade preventative controls, and that can be challenging to detect. We hope that this report serves as a valuable tool for everyone from executives to practitioners, providing the information that’s needed to detect and respond to cybersecurity threats before they negatively impact organizations.”

Red Canary found that adversaries have continued to carry out attacks using legitimate tools. As security tools increase in sophistication, adversaries are finding it more difficult to develop and deploy their own malware that evades defenses. As a result, adversaries rely on administrative tools — like remote management software — and native operating system utilities out of necessity, co-opting tools that are guaranteed or likely to be installed on a device rather than introducing non-native software.

Several of the top 10 threats and techniques highlighted in the report are used by adversaries and administrators or security teams alike, including command and control (C2) tool Cobalt Strike, testing tool Impacket, and open source tool Bloodhound. Cobalt Strike, in particular, has never been more popular, impacting 8% of Red Canary’s customers in 2021. Some of the most notorious ransomware operators, including Conti, Ryuk and REvil, are known to rely heavily on Cobalt Strike. Coming in at the No. 5 ranking, Impacket is a collection of Python libraries that is used legitimately for testing but is abused by ransomware operators. This is another favorite among adversaries, as it’s known to evade detection due to its difficulty to be differentiated as malicious or benign.

Ransomware was top billing for some of last year’s most destructive cyberattacks. The report describes the new tactics that ransomware groups used in 2021, such as double extortion, which applies pressure to victims in more than one way to coerce them to pay a ransom. Last year also brought the rise of the affiliate model, which made tracking malicious activity more difficult because intrusions can often result from an array of different affiliates providing access to different ransomware groups. Examples of this include the Bazar and Qbot trojans, used by adversaries to gain initial access into environments before passing off access to ransomware or other threat groups.

Download Red Canary’s full Threat Detection Report here (you’ll have to part with some personal contact information).

Tenable CEO Testimony To Congress on Cyber Security

Getting a spot at the table before a US Congressional Committee where you’re not getting raked over the coals for nefarious practices probably sounds like a great thing. Perhaps a chance to influence legislation. Although getting a bill through Congress over the past 40 years more or less has been a trip harder than a trek across Antarctica.

That obstacle did not deter Tenable CEO Amit Yoran from giving characteristically blunt assessments of the state of cybersecurity before the House Committee on Homeland Security about the need to protect OT and critical infrastructure against Russian cyber threats and how it should happen.

Take a look at some of his talking points:

  • IT and OT sides of infrastructure move at different paces. OT needs to be more deliberate to avoid outages or other service disruptions.
  • Mandating air-gapping of IT and OT systems is dangerous from both a business and operational standpoint.
  • We need legislation that requires reporting of incidents and reporting of ransomware payments to CISA.
  • It should be illegal for private industry and private citizens to hack back.

And a few quotes from his testimony today:

Unless we make a stand, unless we show our resolve, unless we demonstrate our commitment to a more secure future, there will be a hearing like this one, decades from now, wondering why responsible action wasn’t taken.

LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices. Consider Russia — with much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.

Government policy should not allow for “learned helplessness” by government agencies or private industry. There is too much at stake for individuals and organizations to remain negligent, not taking even the basic steps to improve their cyber posture and manage cyber risk proactively.

CISA has already recommended best practices that organizations can implement to prepare themselves from a cyber perspective through its Shields Up Initiative. These recommendations align strongly with the best practice recommendations of numerous security advocacy groups, industry associations, working groups and regulatory bodies. Organizations that fail to implement these basic steps should be held accountable.

The SEC’s Proposed Cybersecurity Risk Management, Strategy, Governance and Disclosure and the recently passed Cyber Incident Reporting legislation for timely and transparent notification of cyber breaches are the two actions that would most dramatically improve our cybersecurity preparedness as a nation. Requiring greater transparency of cyber risk practices and oversight forces companies to treat cybersecurity risk as business risk, and will lead to stronger cybersecurity governance and accountability among corporate leaders and boards. This results in more effective cybersecurity. Period.