Companies that don’t shore up their entire estate, including their third-party suppliers, are opening themselves up to attacks like MOVEit, according to Imperva CTO and CISO Kunal Anand.
Many firms still take too lax an attitude when it comes to third-party risks, he explained, citing a recent conversation with chief information security officers (CISOs) who’d written off security concerns around third-party software as “just third-party risk”.
“You are taking a foreign thing and putting it into your world, you are responsible for how that thing behaves, so you better have the right controls in front of or within to observe, monitor, and protect that asset,” Anand said.
The threat group Cl0p claimed responsibility for a string of attacks in which critical flaws in Progress MOVEit Transfer, a secure file transfer program, were used to steal sensitive data. Third-party suppliers affected include Zellis which handles payroll and HR for firms such as the BBC, Boots, and British Airways, as well as insurance giant Genworth Financial which experienced a breach of up to 2.7 million customers' data.
“It doesn’t matter if it's MOVEit or if it's Atlassian's products, or if it's Microsoft's products, what you're deploying in your environment, you have to secure all of it. And it's absolutely mind-blowing that we are still in this mindset, where CISOs are saying, “it is a third-party risk”.
“They just think of it as business as usual which is really disgusting, I'm not going to lie, I think it’s borderline irresponsible frankly.”
He’s urged firms to pressure their vendors to produce vulnerability reports, particularly an unredacted software bill of materials (SBOM) which would demonstrate compliance and allow supply chain threats to be identified.
Information security experts called for a standardized information sharing framework at the recent Infosecurity Europe 2023 conference, which would help firms compare notes to mitigate threats without fear of revealing proprietary information.
At present, Anand stated there’s a worrying lack of visibility around software, with the example of recent attacks facilitated by a critical flaw in MOVEit Transfer.
He said he was “impressed” by the sophistication of the attacks against MOVEit, and that companies could take them as a demonstration of the hacking skills present in today’s threat environment.
“This is not a run-of-the-mill attack. This is not a ‘spray and pray’ attack,” he told ITPro.
“MOVEit is closed-source software. It's not like you can read the source code, it's not like Log4j or any of those things, someone actually probed this thing and found this unique vulnerability.
“So there's a level of effort that was spent that is probably at an order of magnitude, if not multiple orders of magnitude higher than some of these other things.”
Anand suggested if firms were more committed to research such as static and dynamic analysis or internal penetration testing, they could discover flaws such as those that led to the MOVEit attacks far sooner.
Changing threat landscape
Recent LockBit arrests have set a proactive tone for international efforts against cyber criminals, but Anand warned efforts to pin down groups are progressing slowly, with much left to answer about even the most notorious groups such as Anonymous Sudan.
More than a number: Your risk score explained
Understanding risk score calculations
“The US government, as an example, is offering someone $10 million to tell them who Cl0p is. We don't even know who or what Cl0p is, we don't know how many people are involved, and we don't know, you know which nation-states are involved.”
Anand warned, down the line, security teams need to prepare for the fact artificial intelligence (AI) will overhaul the threat landscape and invalidate simple tests like CAPTCHAs.
“These Turing tests that we're running are going to be obsolete very soon,” he said, and noted CAPTCHA tests can be solved with AI image classifiers that can easily be automated. He suggested alternative methods such as analysis of webpage or peripheral use could help identify humans instead.
Anand also proposed the OWASP Top 10 – a regularly-updated industry list of the most critical risks for web applications – will need to be redesigned for generative AI as attackers use automated systems to perform business logic attacks. Tools such as CrowdStrike’s Charlotte AI and Microsoft’s Security Copilot use generative AI to provide security insights and recommendations to IT teams.
AI security could be relied on to an increasing degree in the future, with large language models (LLMs) capable of being trained on proprietary code at a granular level to detect existing vulnerabilities and suggest effective fixes.
“I think the big vendors also should work together, and start to stratify LLMs for specific areas,” Anand suggested.
“They could be for malware, web application attacks, data attacks, etc. I think we should stratify a model, and then all of us should contribute to that model as defenders and we could figure out how to monetize that stuff separately.”
