This post is part of an ongoing blog series examining predictions and recommendations for cybersecurity in 2018.
The idea that users might accidentally trust software that has been secretly compromised is over 30 years old, dating back to Ken Thompson’s Reflections on Trusting Trust published in 1984. When we choose to execute programs on computers of all types, we’re choosing to trust that none of the people who played a role in creating, packaging and delivering that software either have malicious intent or have been compromised themselves.
In the past two years, we’ve seen multiple compromises of the “Software Supply Chain,” the set of vendors, build systems and update channels that deliver trusted software and updates to our systems for execution, and the impact of those compromises has continued to escalate. Here are a few examples we’ve noted in that time:
In each case, rather than targeting an organization directly through phishing or exploitation of vulnerabilities, the attackers chose to compromise software developers directly and use the trust we place in them to access other networks. This can be effective at evading certain prevention and detection controls that have been tuned to trust well-known programs. I predict that, in 2018, both the frequency and severity of these attacks will increase.
Software supply-chain attacks remind us how important it is to create a well-defended network with visibility at every point in the attack lifecycle, and the ability to identify and stop activity that has strayed from the norm. I suggest organizations prepare for this new era of attacks by investigating how their people, process and technology would defend them if their trusted software suddenly turned into malware through an automated update.
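As an added illustration of the “identify activity that has strayed from the norm” recommendation above (example code written for this post, not part of the original), the script below learns a behavioural profile for a trusted updater process from a baseline window of telemetry, then flags anything that process does after a hypothetical malicious update that falls outside that profile. The process names, hosts and event records are constructed; a real deployment would feed it EDR or sysmon-style events.

```python
# Added example: baseline-deviation check for a trusted, auto-updated program.
# All process names, hosts and event records below are constructed for illustration.
from collections import defaultdict

# Constructed telemetry records: (process, parent, event_type, detail).
# BASELINE_EVENTS is what the trusted updater normally does; POST_UPDATE_EVENTS is
# what it does after a hypothetical compromised update has been installed.
BASELINE_EVENTS = [
    ("updater.exe", "services.exe", "net", "updates.example-vendor.test:443"),
    ("updater.exe", "services.exe", "file", "C:\\Program Files\\Vendor\\app.exe"),
    ("updater.exe", "services.exe", "net", "updates.example-vendor.test:443"),
]

POST_UPDATE_EVENTS = [
    ("updater.exe", "services.exe", "net", "updates.example-vendor.test:443"),
    ("updater.exe", "services.exe", "net", "203.0.113.7:8080"),  # destination never seen in baseline
    ("updater.exe", "services.exe", "spawn", "cmd.exe"),           # the updater never spawned a shell
    ("updater.exe", "services.exe", "file", "C:\\Program Files\\Vendor\\app.exe"),
]


def observations(parent, etype, detail):
    """Facts worth remembering about one event: who launched the process and what it did."""
    return {("parent", parent), (etype, detail)}


def build_baseline(events):
    """Learn, per process, the set of observed (kind, value) facts during the baseline window."""
    profile = defaultdict(set)
    for proc, parent, etype, detail in events:
        profile[proc] |= observations(parent, etype, detail)
    return profile


def find_deviations(profile, events):
    """Return events from a baselined process whose facts are not in its learned profile."""
    alerts = []
    for proc, parent, etype, detail in events:
        if proc not in profile:
            continue  # unknown process: out of scope for this check
        novel = observations(parent, etype, detail) - profile[proc]
        for kind, value in sorted(novel):
            alerts.append({"process": proc, "type": kind, "detail": value})
    return alerts


if __name__ == "__main__":
    learned = build_baseline(BASELINE_EVENTS)
    for alert in find_deviations(learned, POST_UPDATE_EVENTS):
        print(f"ALERT {alert['process']} new {alert['type']}: {alert['detail']}")
```

Run against the constructed records, it raises two alerts for the post-update window (the new network destination and the spawned shell) and none for the baseline window itself; the lesson is that a "trusted" signed binary still needs a behavioural norm to be measured against.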