The Importance of an NDR Solution for the Early Detection of Supply Chain Attacks in Corporate Networks

Digital transformation has accelerated in recent years, especially in the wake of the COVID-19 pandemic, which advanced the adoption of digital technologies by several years in just a few months. Integrating digital technology into business has brought significant benefits. However, it has also opened the door wide to new security risks and vulnerabilities.

Key takeaways of this article:

  • Digital transformation results in increasing dependence on third-party providers.
  • Vulnerabilities at these third-party providers open doors into corporate networks (so-called supply chain attacks).
  • Recent cyberattacks worldwide clearly showed the significant risk posed by cybercriminals exploiting supply chain networks.
  • NDR solutions use advanced technologies such as AI, machine learning, and deep learning to detect and stop supply chain attacks.

The most apparent risk was the expansion of enterprises' supply chain networks to include large numbers of third-party partners, such as suppliers, contractors, sub-contractors, IT service providers (cloud, MSSP, MSP), payment processing providers, co-manufacturers, carriers, and distributors. Enterprises worldwide are outsourcing much of their work, including core business functions, at an increasing rate. According to a Ponemon Institute study, the average company shares sensitive information with approximately 583 third parties. The increased number of external third-party providers leads to a loss of visibility over enterprises' IT environments, making it more complex to manage external parties' access permissions and to track their activities across the network.

To counter the ever-increasing number of cyberattacks, enterprises use a number of security solutions to enhance their cyber defences and to prevent cybercriminals from exploiting any gap to gain an entry point into the corporate network. However, traditional security solutions such as firewalls, IDS/IPS, and SIEM are no longer enough to prevent sophisticated attacks, such as those backed by nation-state actors or conducted by organised criminal groups. Recent data breaches clearly show that such solutions cannot keep threat actors out. Moreover, traditional security solutions suffer from many blind spots, and most of them cannot run on IoT devices, leaving a significant gap for cybercriminals to exploit.

What is Network Detection and Response (NDR)?

Network detection and response (NDR) is a modern security technology that detects suspicious activities by analysing network traffic. An NDR solution will continually scan network traffic and monitor everything that passes between all entities (e.g., users, devices, or containers) across the network. By doing so, the NDR will create a baseline of normal network activity; when anomalous activity passes through the network, the NDR solution will fire an alert informing the security team to investigate the suspicious activity.
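The baseline-then-alert approach described above, sketched as an added example (not ExeonTrace's code and not part of the original article). The flow-record layout, host names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (source host, destination, port, bytes sent).
BASELINE_FLOWS = [
    ("build-srv", "updates.vendor.example", 443, 12_000),
    ("build-srv", "updates.vendor.example", 443, 11_500),
    ("build-srv", "updates.vendor.example", 443, 12_800),
    ("build-srv", "ntp.corp.example", 123, 90),
    ("hr-laptop", "mail.corp.example", 443, 40_000),
    ("hr-laptop", "mail.corp.example", 443, 38_000),
    ("hr-laptop", "mail.corp.example", 443, 43_000),
]
# Constructed traffic seen after a (hypothetical) third-party update was installed.
NEW_FLOWS = [
    ("build-srv", "updates.vendor.example", 443, 12_300),   # normal
    ("build-srv", "unseen-host.example", 443, 600),         # never contacted before
    ("build-srv", "updates.vendor.example", 443, 900_000),  # unusual upload size
    ("hr-laptop", "mail.corp.example", 443, 41_000),        # normal
]

def build_baseline(flows):
    """Learn, per source host, which peers it talks to and how much it sends."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        volumes[(src, dst, port)].append(nbytes)
    stats = {key: (mean(v), pstdev(v)) for key, v in volumes.items()}
    return peers, stats

def score_flow(baseline, flow, z_limit=3.0):
    """Return the alert reasons for one new flow (empty list means normal)."""
    peers, stats = baseline
    src, dst, port, nbytes = flow
    if src not in peers:
        return ["unknown-source"]
    if (dst, port) not in peers[src]:
        return ["new-peer"]
    mu, sigma = stats[(src, dst, port)]
    # Floor sigma so a peer with near-constant flow sizes still tolerates jitter.
    sigma = max(sigma, 0.1 * mu, 1.0)
    if abs(nbytes - mu) / sigma > z_limit:
        return ["volume-anomaly"]
    return []

def detect(baseline_flows, new_flows):
    baseline = build_baseline(baseline_flows)
    return [(f, r) for f in new_flows if (r := score_flow(baseline, f))]
```

Calling `detect(BASELINE_FLOWS, NEW_FLOWS)` returns only the two deviating flows from `build-srv`, each with its reason, which is the alert the security team would triage.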

After deploying an NDR solution on the network (which in ExeonTrace’s case is a purely software-based solution with no need for additional hardware sensors), the security team no longer has to monitor network devices individually. The NDR solution provides complete visibility over all devices connected across the network. A modern NDR solution such as ExeonTrace can also monitor traffic between on-premises devices and the cloud environment (including public clouds such as AWS, Azure, and Google), IoT, and industrial control systems to gain complete visibility across the entire enterprise digital ecosystem.

Unlike traditional security solutions that still rely on signature-based techniques to detect malware, NDR employs advanced technologies such as machine learning, deep learning, AI, and heuristic analysis to detect malicious traffic. Future-proof NDR solutions can decrypt encrypted traffic, such as traffic protected with TLS and SSL, which helps in countering advanced cyberattacks (e.g., ransomware and APT) that need to open a C&C channel with the attacking server to receive instructions.

Recent supply chain cyberattacks

A supply chain attack that results from using compromised services, applications, or devices from a third-party vendor can be detected by utilising an NDR solution. For example, the attack against SolarWinds, which resulted in the infection of 18,000 public and private organisations worldwide, was an advanced supply chain attack. In this attack, the adversaries used a signed malware version of one supplier's software to spread the infection to all connected clients. Other security solutions cannot notice such advanced attacks, making an NDR solution a must-have to survive in today's complex IT landscape.

Another recent attack that spread by exploiting the supply chain attack surface was the attack against Kaseya, an American IT management software company. The adversaries infiltrated Kaseya’s IT systems and infected them with ransomware that spread to all connected clients. According to security experts, hundreds of companies worldwide were affected, from Sweden to New Zealand. The attackers demanded $70 million to decrypt the hostage files.

These two attacks clearly show the risks of a supply chain attack and how any enterprise worldwide can fall victim to one. Despite all security measures implemented locally, stopping such attacks is very challenging because they originate from third-party contractors who have legitimate access to the target enterprises' networks.

Why is NDR important to protect enterprise networks in the light of supply chain attacks?

An NDR solution provides a means to detect hidden malicious activities such as APTs, ransomware and, especially in this case, advanced supply chain attacks (such as SUNBURST) by providing real-time insight into your network. If adversaries succeed in infiltrating your defences and gain an entry point into your network through third-party applications, they will not have enough time to begin their lateral movement and spread the infection to other parts of the network, as the NDR solution will detect them and inform the security team so that it can respond immediately.

Conclusion

NDR is considered an integral component of Gartner's SOC Visibility Triad, composed of the following three elements: SIEM, NDR, and EDR. These three elements prevent the attackers from gaining enough time within the target network to execute their attack, which can significantly reduce successful attacks.

This article shed light on NDR technology and how it can help to stop highly sophisticated cyberattacks (such as supply chain attacks) that traditional security solutions cannot.

Figure: ExeonTrace detecting Sunburst’s DGA.

Author: Gregor Erismann, Co-CEO (email: gregor.erismann@exeon.com)

Published on: 08.07.2021