Anatomy of a Supply Chain Attack: How to Accelerate Incident Response and Threat Hunting
Threat Quotient and Team Cymru
In recent months, we’ve seen a sharp rise in software supply chain attacks that infect legitimate applications to distribute malware to users. SolarWinds, Codecov and Kesaya have all been victims of such attacks that went on to impact thousands of downstream businesses around the globe. Within minutes of these high-profile attacks making headline news, CEOs often ask: “Should we be concerned? How is it impacting us? What can we do to mitigate risk?”.
CISOs, and their teams on the front lines, need answers fast. But when attacks like these happen, access to the details they need to understand if they are impacted and how to mitigate risk is never soon enough. And once details are released it can be difficult and time-consuming to connect the dots and formulate answers. A case in point: months after the SolarWinds Orion security breach, 63% of organizations surveyed remained highly concerned, 60% of those directly impacted were still trying to determine if they were breached, and 16% of organizations were still wondering if they were even impacted. Fortunately, there are solutions that can help you understand the impact, take the right actions faster and even proactively mitigate risk. In a recent webinar, “Uncovering a Supply Chain Attack: Leveraging Threat Intelligence for Incident Response and Threat Hunting,” Team Cymru and ThreatQuotient experts, joined forces to educate security analysts on how to leverage our integrated solutions to accelerate understanding and proactively mitigate risk when attacks happen.
A closer look at the Codecov breach
Using the Codecov security breach as an example, our threat Intelligence experts explained the timeline of events including how it took approximately two months for the breach to be discovered (thanks to a customer), another two weeks for the first indicator to be shared (an IP address), and two more weeks for a second round of indicators to be published.
Our team then rolled up their sleeves and demoed how the integration of the ThreatQ Platform with Team Cymru’s Pure Signal™ Recon threat reconnaissance platform closed the threat intel gap from weeks to minutes to accelerate investigations. Furthermore, Team Cymru’s solution revealed additional indicators on Day-One that security analysts could pivot to and bring into the ThreatQ Platform to expand their threat hunting, incident response and mitigation activities.
When armed with these tools, security analysts can answer executives’ top questions, including:
Should we be concerned?
The TheatQ Platform aggregates, normalizes, deduplicates and correlates all the external intelligence sources an organization subscribes to. But it is difficult to know what’s important to focus on without being able to score and prioritize that intelligence. Using parameters analysts set, based on indicator source, type, attributes and context, as well as adversary attributes, ThreatQ showed that the external threat intelligence received a score of 10, making it a very high priority and confirming that there was reason to be concerned.
How is it impacting us?
Next, our experts formalized the investigation and threat hunt to discover additional information and determine if there was a sighting within the environment. Creating a campaign within ThreatQ enables security teams to closely monitor developments and collaborate. They used information in the platform and pivot points outside of the platform to gather more details. For instance, adding the URL for the Covdecov website as an attribute, they identified the first IP address Codecov made public as part of the initial security update and brought that into the ThreatQ Platform. Because ThreatQ also aggregates internal threat and event data from various systems and tools within the organization, they were able to quickly see a sighting of that same IP address in the SIEM. They knew they were impacted.
What can we do to mitigate risk?
From there, they pivoted to the MITRE ATT&CK framework mitigation recommendations, added that information to the attributes within the investigation and linked it to the IP address that had been spotted. They assigned a task to an engineer for IPS/IDS blocking and marked the task as critical, requiring immediate action to remediate.
Meanwhile, our experts expanded the threat hunt by diving even deeper into the signal telemetry to determine what’s going on behind the Codecov attack. That’s where Team Cymru’s massive amount of data that they ingest comes into play. The Team Cymru threat reconnaissance platform, Pure Signal™ Recon, leverages an aggregation of Internet traffic telemetry from an ecosystem of data sharing partners and CSIRT teams around the world. Running a query against all these data sets quickly revealed additional IP addresses that appeared to be managing the initial IP address. Other likely indicators were also discovered. There was no need to wait two weeks for public disclosure of additional indicators. The ThreatQ/Team Cymru integration allowed our experts to pivot and conduct additional reconnaissance on their own, turning a reactive situation into a proactive one. With the ability to expand and accelerate their hunt, they were able to assign additional tasks to the engineer to enable proactive protection. They also pointed out that, when compared to the information made public in Codecov’s second disclosure, the Team Cymru platform results included even greater detail than Codecov was able to confirm.
Supply chain attacks show no sign of slowing down. But the combination of the ThreatQ Platform and Team Cymru’s Pure Signal™ Recon can help you get ahead of the threat. To see the demo and hear directly from our experts, watch the webinar now.