Cloud Computing Supply Chain Attacks – The Open-Source Effect
By Harish Kumar GS, Head, Enterprise & Government, Check Point Software Technologies, India & SAARC
Over the course of the accelerated digital transformation over the past few years, the urgent need for remotely administered, agile, and scalable networks has accelerated moves to the cloud, which allows flexibility in scale and resource management, while enabling accessibility from anywhere. The dynamic nature of cloud-based infrastructure breaks traditional network boundaries but also introduces a variety of new challenges, making traditional security approaches ineffective.
While cloud infrastructure continues to be adopted by more organizations, businesses are not the only ones who have recognized the potential of the cloud. In recent years, there has been an unprecedented rise in the scale and sophistication of software supply chain attacks. From the SolarWinds software supply-chain attack to the exposed Apache Log4j vulnerability, threat actors have trained their sights on this space, targeting critical vulnerabilities in both cloud providers and supply chains.
Cloud computing in itself has seen multiple vulnerabilities in recent times – and as organizations continue to adopt the cloud, with 35% running more than 50% of their workloads on the likes of Azure, AWS and GCP, they struggle to manage the complexity of securing their cloud infrastructures across multiple cloud platforms, while also suffering a cyber-skills and knowledge shortage according to the Check Point 2022 Cloud Security Report.
The global report, based on a survey of 775 cyber security professionals, also revealed that cloud security incidents were up 10% from the previous year with 27% of organizations now citing misconfiguration, way ahead of issues like exposed data or account compromise. Here in India, according to the Check Point Threat Intelligence Report, an organization in India is being attacked on average 1798 times per week in the last 6 months, compared to 1126 attacks per organization globally, a worrying trend of increased cyberattacks.
The evolution of this, it seems, has seen cybercriminals take supply chain attacks to the cloud arena. We saw evidence of this in March when the notorious ransomware gang Lapsus$ released a statement claiming to have gained access to Okta, an identity management platform, by obtaining access to an administrative account. Okta is a cloud-based software used by thousands of companies to manage and secure user authentication processes. It is also used by developers to build identity controls. This means that hundreds of thousands of users worldwide could have been compromised by the Lapsus$ attack.
Exactly how many, however, is open to discussion. The hackers themselves claimed to have gained access to 95% of Okta’s clients, while Okta suggested just 2.5% of user details were compromised. Either way, the incident should serve as a warning sign for the potential risks posed by supply chain attacks.
What puts a supply chain at risk?
The industry has seen an increasing number of cyber-attacks that leverage weak supply chain methodologies. Currently, the most prominent supply chain risk that organizations are exposed to comes from open-source software. The open-source community provides many modules and packages that are regularly adopted by businesses across the world, including those within your supply chain.
The problem with open-source, however, is that it is inherently insecure. That is in part because it is written by individuals who may lack the expertise or budget to make them completely safe. The other issue with open-source code comes down to ownership. After all, once a package is released to the community, it is impossible to determine who owns it and who is responsible for maintaining it.
This creates a chink in your security architecture because the open-source packages that you import may have dependencies that you are simply not aware of. That is exactly what happened with NotPetya: an evolution of a pretty standard string of malware, NotPetya managed to infiltrate systems across the globe by relying on a piece of widely used open-source accounting software. This meant that it spread like wildfire, causing chaos in Ukraine as well as several major countries, including the U.K., France, Germany, Russia and the U.S.
The ubiquity of open-source software and code means that it can be hard for organizations to know if either they or their suppliers are vulnerable to this kind of attack. This makes supply chains an attractive target for cybercriminals who will invest time and resources into these attacks on the understanding that by breaching one system, they can quickly access many more.
How can you prevent potential attacks?
So far, in 2022, we have seen a seismic shift in the cloud threat landscape as more and more threat actors target critical vulnerabilities in both cloud providers and supply chains. What does this mean for your business, and how can you avoid this growing threat?
Unfortunately, when it comes to your cloud provider, no matter who you choose, their platform will have vulnerabilities. You could conduct all the research in the world and call on the know-how of the industry’s best experts, but you cannot control the security of your chosen provider’s platform.
So, if we are not able to prevent a breach within cloud providers themselves, what can organizations do to protect themselves? We help provide some salient steps to take :
Multi-Layered Security: The answer lies in creating multiple overlapping layers of security that help to reduce your exposure to risk. Organizations tend to build security mitigations as a single protection-control point, and attackers will try to evade such. Security implementation that assumes the first tier may fail and enforces multiple layers will have a greater chance of surviving a sophisticated cyber attack. This means that even if a vulnerability in your cloud provider were to be exploited, you have a robust enough security ecosystem to ward off attacks and mitigate any potential fallout.
Adopting a zero-trust security mindset: A starting point to help organizations protect themselves is to adopt a zero-trust security mindset. That way, even if there is a breach, your business data is protected, containing any threat posed by a cloud-based attack and ensuring that it cannot spread within your own systems
Automate DevSecOps: Automation in the cloud is key – it is important to ensure the ease of use and support for automation at every stage of the security and development process. The earlier organizations enable security in the development cycle the more they can reduce the risk and cost of mistakes. Another way businesses can ensure the virtual doors to their network remain firmly locked is to automate their DevSecOps, ensuring that security operations can be deployed in real time and in full alignment with other business objectives. For example, Check Point CloudGuard includes automated security tools for developers in order to ensure that all code is secured from the outset before being deployed. It scans infrastructure-as-code and source code to eliminate threats at the earliest phase.
With the sheer velocity of malware and ransomware variants, the widespread growth of enterprise connected and personal devices, and the hybrid work model, it is nearly impossible for traditional human-created models to provide holistic and up-to-date security that would detect threats such as the Apache Log4j vulnerability exploit and supply chain attacks.
Check Point Software proposes the need for a broad and deep multi-layer security to protect customers at all stages of their cloud journey. At Check Point, through a unified platform – Check Point CloudGuard – we offer a broad range of different cloud security capabilities, so that organizations can minimize inefficiencies and maximize TCO when using different cloud providers. Organizations should consider a cybersecurity approach that focuses on threat-prevention and provides 360-degree visibility of their entire network, regardless of how far and wide it has been distributed.