After Shadow Brokers, US CERT warns on Supply Chain Security

[Image caption: Trend Micro describes some of the most common supply chain attack techniques in a blog post.]
US CERT is urging companies to pay more attention to supply chain security following a string of attacks on networking infrastructure in recent months.

In-brief: The Department of Homeland Security is warning companies to pay closer attention to supply chain security in the wake of attacks on networking infrastructure. 

In the wake of a string of attacks on networking infrastructure, the Department of Homeland Security’s US CERT is warning companies to improve the security of their network equipment and to devote resources to examining and securing their technology supply chain.

The organization issued an alert on Tuesday citing a string of attacks in recent months, including attacks on Cisco Adaptive Security Appliances (ASAs) in June and the release, by the group calling itself Shadow Brokers, of a cache of sophisticated attack tools that included exploits for Cisco ASAs as well as other security and networking hardware.

“For several years now, vulnerable network devices have been the attack-vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors,” DHS said in its alert. “In this environment, there has never been a greater need to improve network infrastructure security.”

Compromises of network appliances often go unnoticed in the forensic investigations that follow a breach, which lets attackers remain in place and even survive a “clean up” attempt. “After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can attack the recently cleaned hosts,” CERT said.

Administrators are encouraged to “ensure proper configuration and control of network devices.”

[Read more Security Ledger coverage of supply chain security.]

Among the recommendations: organizations should physically (air gap) or logically separate sensitive data from non-sensitive data, and should tighten access to network devices using concepts like user least privilege and technologies like two-factor authentication.

More significantly, US CERT calls for much more scrutiny of technology supply chains to make sure “counterfeit,” “secondary,” or “grey market” devices don’t make it onto a network.

“There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace,” US CERT warned. “Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment.”

Organizations are asked to “maintain strict control of the supply chain” and to “purchase only from authorized resellers.” Resellers are encouraged to implement a supply chain integrity check to validate hardware and software authenticity and customers are told to look for signs of device tampering.
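One concrete form of the “supply chain integrity check” described above is to verify every firmware image against the digests the vendor publishes before it goes anywhere near a device. The script below is an added example, not code from the US CERT alert or from Security Ledger. It assumes a manifest in the same shape as `sha512sum` output (one `<hex digest>  <filename>` line per image), which is a convention, not something the alert specifies; the image file names and bytes are constructed for the example, and the manifest is generated from the “genuine” images so the script runs offline. In practice the manifest text is what you copy from the vendor’s download portal.

```python
"""Verify network-device firmware images against a vendor-published SHA-512
manifest before installation.  Added example (not from the US CERT alert or
Security Ledger).  File names and image bytes below are constructed."""
import hashlib
import hmac
from typing import Dict

HEX_DIGEST_LEN = 128  # SHA-512 in hex


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha512sum-style lines ("<hex digest>  <filename>") into a
    filename -> digest map.  Blank and '#' lines are skipped; a malformed
    line is an error, because silently dropping an entry would let an
    unverified image through."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != HEX_DIGEST_LEN
                or any(c not in "0123456789abcdef" for c in parts[0].lower())):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        name = name.lstrip("*")  # sha512sum marks binary-mode entries with '*'
        entries[name] = digest.lower()
    return entries


def verify_image(name: str, data: bytes, manifest: Dict[str, str]) -> str:
    """Return 'ok', 'tampered' or 'unlisted'.  An image the vendor did not
    list is treated as untrusted, not as passing."""
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"
    actual = hashlib.sha512(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "tampered"


def audit(images: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Check every received image and report a status per file."""
    manifest = parse_manifest(manifest_text)
    return {name: verify_image(name, data, manifest) for name, data in images.items()}


# Constructed stand-ins for the vendor's genuine images (hypothetical names).
GENUINE_IMAGES: Dict[str, bytes] = {
    "asa-example-image.bin": b"\x7fELF" + b"genuine ASA image " * 64,
    "ios-example-image.bin": b"\x7fELF" + b"genuine IOS image " * 64,
}


def publish_manifest(images: Dict[str, bytes]) -> str:
    """What the vendor's download page would list; generated here from the
    genuine images only so that the example is self-contained."""
    return "".join(f"{hashlib.sha512(d).hexdigest()}  {n}\n" for n, d in images.items())


MANIFEST_TEXT = publish_manifest(GENUINE_IMAGES)

# Images as received from a reseller: one intact, one with a single flipped
# byte (what a modified or grey-market image looks like to a digest check),
# and one the vendor never published at all.
_tampered = bytearray(GENUINE_IMAGES["ios-example-image.bin"])
_tampered[100] ^= 0x01
RECEIVED_IMAGES: Dict[str, bytes] = {
    "asa-example-image.bin": GENUINE_IMAGES["asa-example-image.bin"],
    "ios-example-image.bin": bytes(_tampered),
    "mystery-image.bin": b"\x7fELF" + b"from an unknown source " * 32,
}

if __name__ == "__main__":
    for image_name, status in audit(RECEIVED_IMAGES, MANIFEST_TEXT).items():
        print(f"{status:9s} {image_name}")
```

Two design points worth noting: the comparison uses `hmac.compare_digest` so the check does not leak how many leading digest bytes matched, and a file that is simply absent from the manifest is reported as `unlisted` rather than passing, since an unverified image is exactly what the alert is warning about. A digest check only proves the file matches what the vendor published; it says nothing about a device whose storage was altered after that file was installed, which is why the alert also tells customers to look for physical signs of tampering.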

Source: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

One Comment

  1. Paul, great report on supply chain security. Trusted Computing Group and its members are looking at this as part of how to apply the trust and security concepts. More coming on that soon; we have a presentation this week on the topic at an IoT security event in San Diego, http://www.trustedcomputinggroup.org/event/peggy-smedley-institute/.