Supply Chain Attacks | Identify Indicators of compromise | Riverbed

Consider a soft drinks manufacturer. If a competitor wanted to damage its market share, rather than targeting the bottling plant, it would be easier to target the supplier making the bottle caps. Loss of fizz, unhappy customers switching to the ‘other’ cola—all achieved without needing to hack highly guarded systems and the ‘secret recipe’.

Leigh Finch

These days we’re hearing more and more about ‘supply chain attacks’. That’s when a component of an application has a weakness with the potential to make the entire system or service vulnerable.

Obviously, the first thing for any organization running the affected releases is to close this dangerous hole with a patch. But, given it took the extensive open-source community seven years to spot, how can you know if and when it was exploited on your own systems?

Lurking in Linux in plain sight

On 10 June 2021, a security specialist reported a serious bug that had been sitting in Linux code for seven years. Located in polkit, an ‘under the hood’ system service used by default in many Linux distributions, it effectively allows an unprivileged user to assume administration rights. It’s also quite easy to execute with just a few command lines.

The security community is well aware of the risks. So-called white hats have been deliberately publishing benign packages whose names are typos of popular software components; when a developer installs one by mistake, the package alerts them that they have pulled in the similarly named, albeit harmless, package instead of the one they intended. The intent is to make developers aware of the problems and risks of supply chain vulnerabilities.

It’s just one example of potential vulnerabilities you may not be aware of within your application infrastructure—and it won’t be the last. Many applications encompass a thousand or more components, and you can’t possibly test them all against your own security posture. Products are built by product managers and developers of varying quality; there is plenty of scope for human error, or someone deliberately creating a back door for attacking a service or software product made up of multiple components. Until a new zero-day is announced, there won’t be patches available. So until then, you’re running blind.

Because Unified NPM records all data flows, all of the time, and maintains historical records, it makes it easy to go back and see whether any data was breached after an event. It does this by recording ‘indicators of compromise’, which may be IP addresses associated with an attack, or command-and-control activity indicating where attacks are coming from.

How does Unified NPM help?

Riverbed’s Unified Network Performance Monitoring (NPM) platform is typically used by NetOps and application teams to troubleshoot, pinpoint, identify then resolve performance issues, whatever their cause. But it is also proving invaluable to an increasing number of SecOps teams by enabling them to go back and collect empirical evidence of data breaches in order to deal with any consequences.

Making unknown unknowns known

Endpoint software is another exposure that supply chain attacks create. Unless you only allow users to access corporate applications via strictly controlled SOEs (standard operating environments), you have no way of managing what people are using—devices, services or applications—and potentially bringing into your environment. In the current ‘from-any-device, from-anywhere’ world, and considering the prevalence of Shadow IT, it is extremely difficult to know your level of risk.

Essentially, Unified NPM retains comprehensive flight data that enables you to discover in the future both if and how your security has been impacted.

If you’d like to know more about the security potentials of Network Performance Monitoring, our recent webinar Why Network and Security Monitoring are Merging is available on demand.

At least with Unified NPM deployed, you will have the ability to identify indicators of compromise, enabling you to spot and investigate external reconnaissance of your systems or illegitimate data exfiltration. In addition to proactively reducing the impact of performance issues across your environment—on-premises or in the cloud—it’s another extremely useful weapon in your cybersecurity armory.
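The retrospective search described above, as an added example that is not Riverbed's or Unified NPM's code: it matches retained flow records against indicators that were published only after the traffic occurred, and also flags regularly spaced connections of the kind command-and-control beaconing produces. The record layout, the sample flows and the indicator list with its publication dates are all constructed for the example (addresses are RFC 5737 documentation ranges, not real indicators).

```python
from datetime import datetime, timedelta

# Constructed sample flow records, in the shape a flow collector might retain:
# (timestamp, source IP, destination IP, destination port, bytes out).
FLOWS = [
    ("2021-05-02T03:10:00", "10.0.5.21", "198.51.100.7", 443, 1200),
    ("2021-05-02T03:20:00", "10.0.5.21", "198.51.100.7", 443, 1180),
    ("2021-05-02T03:30:00", "10.0.5.21", "198.51.100.7", 443, 1210),
    ("2021-05-09T11:02:00", "10.0.5.21", "203.0.113.40", 22, 48_000_000),
    ("2021-06-15T09:00:00", "10.0.7.3", "192.0.2.10", 80, 900),
]

# Constructed indicator list: address -> date the indicator became public.
IOCS = {
    "198.51.100.7": "2021-06-10",   # hypothetical C2 address
    "203.0.113.40": "2021-06-10",   # hypothetical exfiltration drop host
}

def parse(ts):
    return datetime.fromisoformat(ts)

def retrospective_matches(flows, iocs):
    """Return flows to an indicator address, flagging those that predate
    the indicator's publication (the attack that nobody could see at the time)."""
    hits = []
    for ts, src, dst, port, nbytes in flows:
        if dst in iocs:
            hits.append({
                "time": ts, "src": src, "dst": dst, "port": port, "bytes": nbytes,
                "before_ioc_published": parse(ts) < parse(iocs[dst]),
            })
    return hits

def beacon_candidates(flows, min_events=3, tolerance=timedelta(seconds=60)):
    """Find (src, dst) pairs whose connections are near-evenly spaced, the
    regular 'heartbeat' typical of command-and-control traffic."""
    by_pair = {}
    for ts, src, dst, _port, _nbytes in flows:
        by_pair.setdefault((src, dst), []).append(parse(ts))
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            found.append((pair, gaps[0]))
    return found
```

Run against real retained flows, the publication date would come from the advisory that named the indicator, and `before_ioc_published` hits are the ones worth opening an investigation on.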

This post was first published on Riverbed Blog’s website by Leigh Finch. You can view it by clicking here.