Federal agencies and private businesses alike are grappling with an evolving set of cyber supply chain threats.

The 2020 cyberattack that leveraged widely used SolarWinds software was a wakeup call for agencies and companies. In response, the Biden administration kicked off a flurry of actions aimed at strengthening software supply chain security.

But hackers are continuing to find new and novel ways to infiltrate organizations, said Erin Joe, senior executive for cybersecurity and readiness at Google Cloud.

“I like to think about these in two buckets: One is the threat actors’ use of exploits against things in our everyday digital supply chain. And then the second is when threat actors actually implant malicious code into the products themselves,” Joe explained during Federal News Network’s Cyber Leaders Exchange 2024.

Joe pointed to how China-connected hackers recently compromised organizations using vulnerabilities in Barracuda Email Security Gateway appliances. The hackers were able to use email with malicious attachments to gain initial access to organizations, before injecting malicious code into those networks.

And once they were detected, Joe said the hackers began to change their tactics, delete evidence and shield their movement within networks.

“So no longer is incident response a game of cat and mouse. It’s a game of chess,” she said. “These threat actors, they didn’t just run away when incident responders came in. Instead, they had prepared for it. So when incident response began, they were already aware of it. They were ready for it.”

SBOMs and zero trust in government

President Joe Biden’s May 2021 cybersecurity executive order directed agencies to adopt secure software development environments and explore the use of emerging tools, like software bills of materials (SBOMs).

Joe said the importance of those techniques became apparent last year after North Korea-linked hackers targeted desktop software vendor 3CX in a novel “cascading software supply chain compromise.”

In that attack, the hackers embedded malware in a separate piece of otherwise legitimate software. A 3CX employee then downloaded the compromised program.

The threat actors subsequently stole the employee’s corporate credentials and used them to access 3CX’s software build environment. The hackers then spread malware to 3CX’s customers through one of the company’s legitimate applications.

“It really highlights why we’re going to things like SBOMs, why we’re starting to scrutinize the products themselves, and how we need to — just like in the SolarWinds case — make sure that we’re continually validating everything that’s happening, not just at the time of production, not just at the time of installation, but on an ongoing basis,” Joe said. “And then it just really emphasizes the need for a zero trust environment.”

Cyber aggression, product security and AI

Cyber actors continue to get more aggressive, with hackers deploying more than 90 zero day vulnerabilities last year alone, she said. Ransomware actors target sectors ranging from health care and education to transportation, using extortion to shut down critical services.

With attackers often taking advantage of routine cyber vulnerabilities in technology products, the Cybersecurity and Infrastructure Security Agency is leading a Secure by Design push. The initiative aims to raise the bar for security across the technology industry, so the burden of security doesn’t only fall on the customer using those products.

Joe compared it to the requirements for seat belts and other safety features in the automobile industry.

“There’s been a huge evolution, both from legal and policy practice, as well as just individual consumer expectation of safety and security in our auto industry,” she said. “I think we will start to see that even more with increasing demand for security in products.”

The push for improved product security also comes as organizations across the world aim to leverage artificial intelligence. Government and industry are exploring how AI can improve cybersecurity.

Joe pointed to how AI can be used to help detect vulnerabilities in open source software and other code packages.

“Hopefully, we’re detecting those vulnerabilities before the threat actors are. But the bad news is that it is accessible and in use by the threat actors, and it will accelerate their ability to use their tactics, techniques and procedures to create more credible information operations, social engineering personas, foster code creation, vulnerability detection and the like. So it’s going to cut both ways.”

Discover more articles and videos now on Federal News Network’s Cyber Leaders Exchange 2024 event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.