CrowdStrike Lessons: Securing Federal Supply Chains

By Robert Bruce, TCG Deputy CTO

Recent CrowdStrike Incident: A Key Lesson in Supply Chain Security

On Friday July 19th, 2024, the cybersecurity community was alerted to a significant incident involving CrowdStrike, affecting an estimated 8.5 million Windows devices. The incident was caused when a problematic file, identified as “csagent.sys,” was included in a flawed update to the company’s Falcon Sensor, a key component of their security suite. This file led to widespread system crashes, commonly known as the Blue Screen of Death (BSOD), on Windows devices globally. Even 5 days later, Delta airlines experienced significant delays and cancellations from ongoing scheduling issues that started with critical system outages.

Unverified Updates in Trusted Environments

This incident reveals a common issue: flawed updates to trusted products within customer organizations. These updates were deployed without sufficient verification, instead relying on inherent trust in the vendor’s update process. This approach allowed updates to bypass standard security checks, leading to substantial risks. The challenge, therefore, lies in reevaluating the security assumptions that underpin current practices around software updates in trusted environments.

This problem can be seen in other recent, high-profile security breaches.

Proprietary Software Risks and Open-Source Diligence

This event parallels a highly sophisticated cyberattack that recently targeted the SolarWinds Orion software platform. The attackers, identified as a state-sponsored group linked to the Russian Foreign Intelligence Service, initially injected test code into SolarWinds’ systems in September 2019. By February 2020, they embedded a malicious backdoor, known as “Sunburst,” into the Orion software updates. When customers installed these compromised updates, the attackers gained unauthorized access to their networks.

In contrast, the Java XZ backdoor attack showcases the proactive potential within open source frameworks. Here, a researcher’s vigilance in noticing unusual ssh connection delays led to the early detection of malicious code in the XZ library, preventing its wider distribution. This incident illustrates the broader responsibility that all developers, whether working on open source or proprietary projects, bear in actively vetting the supply chains of the libraries and components they use to safeguard their projects from similar vulnerabilities that affected CrowdStrike and SolarWinds.

The Importance of Library Management

To address these challenges, it is essential to implement rigorous practices for managing updates and third-party components:

  • Thorough Vetting: Conduct detailed security assessments of third-party libraries and components before integration. Evaluate their source, update history, and any reported vulnerabilities.
  • Access Control and Segregation: Implement strict access controls for modifying or updating libraries. Maintain a segregated environment for testing updates to minimize risk before they are introduced into production.
  • Continuous Monitoring: Monitor libraries and dependencies for new vulnerabilities and threats. Use automated tools to scan for and alert on security issues related to third-party components.

Integrating these practices helps strengthen defenses against supply chain attacks and ensures a more secure software environment.

The Role of Real-Time Monitoring and Observation

Real-time monitoring and observation are also crucial for early detection and response of vulnerabilities. Continuous monitoring can identify anomalies early, allowing for timely intervention and minimizing the impact of incidents. This approach helps detect suspicious behavior that may indicate a compromise, even when the initial vector is a trusted update.

  • Early Detection
    • Effective real-time monitoring tools are key for early threat detection. Anomaly Detection can identify unusual patterns or behaviors, such as unexpected changes in system processes or unauthorized access attempts. Early detection enables prompt response to mitigate the effects of a breach.
    • Behavioral Analytics is also important. By analyzing normal application and system behavior, these tools can flag deviations as potential threats. This method is useful for identifying malicious activities that may be disguised as legitimate processes.
  • Incident Response and Forensics
    • Real-time monitoring enhances incident response and forensic analysis. Incident Response Plans can be improved by integrating real-time monitoring tools by automating responses, such as isolating compromised systems, to limit the spread of an attack and reduce damage.
    • Forensic Analysis relies on data collected by monitoring tools to determine the extent of a breach. Understanding how a breach occurred, its impact, and the attackers’ goals is essential for developing strategies to prevent future incidents.

Conclusion

The incidents involving CrowdStrike, SolarWinds, and Java XZ, highlight the vulnerabilities in software supply chains. Trusting vendor updates without adequate verification poses significant risks. By implementing library management principles, and employing real-time monitoring, organizations can defend against external threats and ensure the integrity and security of the trusted environment.