‘Nefarious,’ ‘Malicious’ and Ready to Exploit Your Supply Chain’s Vulnerabilities
Look for cybercriminals to continue to exploit cloud-based development environments to cause mischief to and via supply chains. The threat is severe enough that Booz Allen Hamilton included it in its new list of “Eight Cyber Security Threats to Watch Out for in 2021.”
“The widespread adoption of cloud computing services has been the source of significant benefits and high-profile missteps and abuses,” Booz Allen noted in its report. “As organizations have migrated from in-house servers to infrastructure-as-a-service (IaaS) hosting, misconfigured access controls have exposed millions of database records or left the door open for attack by threat actors deploying ransomware or cryptominers. Further, threat actors of all stripes make use of software-as-a-service (SaaS) solutions to help evade detection by hosting malware payloads on cloud-storage service or exfiltrating data from compromised hosts via messages to accounts on widely used webmail.”
The report predicted that those trends will continue, with platform-as-a-service (PaaS) growing as a particular target for criminals. “PaaS solutions have been abused by threat actors to achieve several nefarious objectives,” the report said. “Some of the most recent incidents have used PaaS services to obfuscate command and control infrastructure or redirect users of a targeted service to malicious infrastructure.”
Booz Allen listed several steps you can take to protect your supply chain:
- Deploy endpoint detection and response (EDR) tools to detect anomalous or suspicious behavior by applications.
- Employ controls such as application allowlisting to limit the applications available in a corporate environment to those developed by trusted vendors that have a specific business use.
- Make extensive use of code signing to secure software components and check digital signatures of imported libraries or updates.
- Secure development environments by applying strict access controls and ensuring prompt deployment of patches.
- Consider a private-cloud deployment model to provide additional control over the environment.
“We recommend that organizations combine a top-down and bottom-up approach to building a culture that is constantly aware of security threats,” Booz Allen said. “This starts at the board level, but it is crucial that the practitioners of your organization adopt this culture to truly remain resilient. However, organizations do not operate in a vacuum; they need to have a cohesive security strategy with third-party vendors and suppliers, as well as cloud security providers, to truly create a blanket of security upstream and downstream of their operations.”
The full report, which also concerns threats to parcel and delivery services, can be downloaded here.