Operational technology (OT) security poses one of the most serious challenges in cyber today (see more about why in this post). A huge piece of this security puzzle lies in the manufacturing supply chain.
According to MITRE, a supply chain compromise is an Initial Access Tactic (T0862) affecting a number of assets like Control Server, Data Historian, Field Controller/RTU/PLC/IED, Human-Machine Interface, Input/Output Server, Safety Instrumented System/Protection Relay.
What this means is that adversaries may perform supply chain compromise to gain control or systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, which is achieved once infected products are introduced to the target environment.
Supply chain compromise can occur at all stages of the supply chain, so the attack surface is very wide. Here is a list of all the potential ways a typical supply chain can be compromised:
- – Manipulation of development tools
- – Manipulation of a development environment
- – Manipulation of source code repositories (public or private)
- – Manipulation of source code in open-source dependencies
- – Manipulation of software update/distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites.
- – Compromised/infected system images (multiple cases of removable media infected at the factory)
- – Replacement of legitimate software with modified versions
- – Sales of modified/counterfeit products to legitimate distributors
- – Shipment interdiction
Targeting of a supply chain is often an attempt to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment.
Deception Technology and the Supply Chain
Deception technology has several use cases on the supply chain.
Strategy is key, especially when determining how cyber deception can work on the supply chain. To approach the problem from a deception perspective, keep in mind that this is an Initial access tactic. This means an external-facing deception campaign is ideal, as it can serve the purpose of interception and deflection of the attacks as well be used to collect contextualized threat intelligence from the deception environment that will need to be logically related to the organization. Some specific use cases can be oriented to an internal deception campaign in cases where an attempt to compromise a third party web page accessible by employees would result in a supply chain attack, as can happen from HR departments’ internal web pages, scheduling and reservation apps, or something similar.
Let’s add some context to the different external use cases mentioned previously by exploring three scenarios.
A Loading Dock for Suppliers
Let’s use a loading dock as an example, since it is a key component of many supply chains. In this scenario, there is a Wi-Fi access point in the vicinity of a loading dock from which authorized suppliers can access a captive portal to the intranet service of the organization they supply in order to register their deliveries. This can be an attractive attack vector to attackers trying to obtain initial access by scanning the wifi network and attempting to breach it.
Here’s where deception comes in. We are going to place an instrumented WIFI router in the same vicinity with a similar SSID, offering what looks like an opportunity but what actually redirects the attacker to a highly instrumented Deception Host that can simulate the intranet for suppliers. This Deception Host will report the adversarial activity to the Deception Director, including any kind of manipulation associated with techniques T0817 (Drive by compromise) or T1195 sub-techniques.
A Continuous Integration Server
These servers, sometimes known as build servers, are used by the majority of teams building software today. Teams that use continuous integration often rely on a CI server, such as Jenkins, to automate builds.
In this case, we are going to plan the deception engagement environment according to technique T1195.001 (Compromise Software Dependencies and Development Tools): adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.
Here’s how we deal with this: a vulnerable or non-vulnerable version of Jenkins is used to deflect adversaries by creating a GitHub repository with the name of the organization to protect, and the Jenkins configuration will be in that repository.
The deception story can be improved by creating a fake company pretending to be the official supplier of the organization to protect. All actions and manipulations performed by adversaries will be observed and analyzed. By hosting the server in the organization’s IP address range or using an organization DNS entry, credibility can also be augmented.
A RESTful API
As in the prior example we are preparing a plan for technique T1195.002 (Compromise Software Supply Chain): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
We are exposing a RESTful API with different endpoints authentication command execution, and we will create an S3 Bucket with the organization name that will contain instructions on how to connect to the RESTful API, leaving it out to be discovered.
Like before, once accessed, all actions and manipulations performed by adversaries will be observed and analyzed. By hosting the server in the organization’s IP address range or using an organization DNS entry credibility, can also be augmented.
Supply chains are often a nightmare for cybersecurity professionals in the manufacturing sector. These were just three of the possible solutions deception has to offer. These unique solutions that are not only incredibly effective—they also enable organizations to watch an adversary’s steps in real time in a deception environment. This gives organizations time to react and the tools and knowledge needed to respond to cyber threats targeting them specifically. For more information on security solutions for supply chain security, contact us.
Conrado Crespo is the Senior Sales Engineer for Countercraft, with expertise in IAM, EDR, and cyber security integration and is on LinkedIn.