
Eradicate Software Supply Chain Attacks with RevealX

Michael Clark

August 8, 2024

If an attacker entered your network through your supply chain, how would you know?

Supply chain attacks exploit privileged relationships between suppliers or vendors and their customers. In this type of cyberattack, threat actors gain access to a victim’s network by first compromising a third party (usually a software company, device manufacturer, or service provider) that has privileged access to the victim’s environment, rather than trying to gain access directly. This tactic is effective because the downstream victim organizations have no control over the code in third-party software or devices, nor do they have visibility into their inner workings.

Several recent, high-profile supply chain attacks have underscored just how necessary it is for organizations to be prepared for this kind of cyberattack. Supply chain attackers are looking for ways to evade existing security tools so they can remain hidden while they work toward their objectives.

SIEM and EDR solutions don’t lend themselves to early detection of supply chain attacks. Threat hunting with a SIEM is a manual, labor-intensive process in which meaningful alerts can be buried under noise and false positives. Moreover, legacy SIEM logs are not built for detecting live attacks, because they are based on indexed data. The challenge with EDR solutions is that not every device can support an endpoint agent, such as internet of medical things (IoMT) or operational technology (OT) devices. Additionally, sophisticated attackers may be able to disable the agent to avoid detection. In fact, ExtraHop research shows that only 30-60% of endpoints are covered by EDR.

One security control that supply chain attackers can’t evade is an out-of-band network monitoring tool that’s capturing full packets, decrypting encrypted traffic, and applying cloud-scale machine learning to perform behavior-based analysis in real time. Why? Because attackers need to use the network to achieve their objectives, and everything that interacts with the network leaves a record of activity. Even if you don’t know everything about a device, you can still control what happens with it by controlling the network.

How RevealX Detects Supply Chain Attacks

Organizations frequently invest in security tools focused on initial intrusion detection, but tend to underinvest in solutions that offer visibility into post-compromise tactics where defenders have the greatest advantage. That’s where RevealX can help.

RevealX provides detection and response capabilities across the full attack chain. The next-generation intrusion detection system (IDS) module of RevealX provides exceptional prevention and signature-based detection capabilities during the initial intrusion stage. Meanwhile, the network detection and response (NDR) and network forensics capabilities shine a light on ongoing attacker activities. RevealX uncovers malicious behavior, even when it’s hidden in encrypted traffic. And AI- and machine learning-powered detections use millions of predictive models to expose both known and unknown attacks.

RevealX combines IDS, NDR, network forensics, and network performance monitoring (NPM) to harness the full potential of network intelligence. Even if an attack is successful with the initial compromise, every attacker action leaves a trace on the network, which means the odds of detection are in your favor—if you can see what’s happening. RevealX provides coverage across the core, cloud, and edge and from initial intrusion to post-compromise activity, which means you have complete visibility across your entire network and the entire attack chain.

How RevealX Thwarted a Real Software Supply Chain Attack

When an ExtraHop customer was targeted by the DarkSide ransomware group, RevealX stopped the attackers before they could encrypt customer data. Here’s how.

The ransomware group gained access to the customer environment by obtaining legitimate credentials through a password leak, then used these credentials to establish a compromised session on the customer’s virtual desktop infrastructure (VDI). Soon thereafter, RevealX detected unusual behavior from the compromised user: interactive traffic communicating via SSH with an endpoint on the internet. What made this activity even more suspicious was the fact that this user had never interacted with this endpoint before. These were the first red flags, and the first opportunity for network defenders to stop the attack.

A day later, the same user was seen enumerating files and staging them under the VDI profile—something a legitimate user had no reason to do. RevealX alerted the security team to this behavior, enabling defenders to delete the VDI profile before encryption could begin and stop attackers in their tracks.

Most of the suspicious behavior in this attack was internal to the customer’s network. Without visibility into internal, East-West network traffic, the organization would have only seen one indicator of compromise—the initial communication with an external endpoint—and likely would have fallen victim to ransomware. But with RevealX, they could see every trace the attackers left on the network and stopped them before they could achieve their objective.
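The two behaviors that gave the attackers away in this case, a user's first-ever interactive SSH session to an external endpoint and a burst of file enumeration over East-West (internal) traffic, can be expressed as simple behavioral rules over network records. The following is an added example written for this page; it is not RevealX code and does not reproduce how ExtraHop implements its detections. It runs over a constructed list of flow-style records (placeholder user names, RFC 1918 and documentation-range IP addresses, and a hypothetical `detail` field describing the SMB operation), with a baseline cutoff and thresholds chosen for illustration.

```python
"""Added example (not ExtraHop/RevealX code): two behavior-based detections
over constructed network records.

1. first_seen_external_ssh: a user opens SSH to an external peer they have
   never contacted before (the first red flag in the incident above).
2. file_enumeration_bursts: a user lists many distinct directories within a
   short window, the kind of internal East-West activity that precedes staging.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records; field order: timestamp, user, dst_ip, dst_port, protocol, detail.
# Records before BASELINE_END populate per-user history without alerting.
SAMPLE_RECORDS = [
    ("2024-05-01T09:00:00", "jdoe", "10.20.5.2", 445, "SMB", "open:\\\\fs01\\docs\\q1.xlsx"),
    ("2024-05-01T09:05:00", "jdoe", "10.20.9.9", 22, "SSH", "interactive"),    # internal jump host
    ("2024-05-03T14:10:00", "jdoe", "203.0.113.7", 22, "SSH", "interactive"),  # first external SSH peer
    ("2024-05-03T14:12:00", "jdoe", "203.0.113.7", 22, "SSH", "interactive"),  # same peer, already seen
    ("2024-05-04T11:00:00", "jdoe", "10.20.5.2", 445, "SMB", "list:\\\\fs01\\docs\\"),
    ("2024-05-04T11:00:05", "jdoe", "10.20.5.2", 445, "SMB", "list:\\\\fs01\\docs\\finance\\"),
    ("2024-05-04T11:00:09", "jdoe", "10.20.5.2", 445, "SMB", "list:\\\\fs01\\hr\\"),
    ("2024-05-04T11:00:14", "jdoe", "10.20.5.2", 445, "SMB", "list:\\\\fs01\\hr\\payroll\\"),
    ("2024-05-04T11:00:20", "jdoe", "10.20.5.2", 445, "SMB", "list:\\\\fs01\\legal\\"),
    ("2024-05-04T11:00:25", "jdoe", "10.20.1.15", 445, "SMB", "write:\\\\vdi-profile\\jdoe\\stage.7z"),
    ("2024-05-04T11:30:00", "asmith", "10.20.5.2", 445, "SMB", "open:\\\\fs01\\docs\\memo.docx"),
]
BASELINE_END = datetime(2024, 5, 2)  # hypothetical end of the learning period

# Explicit internal ranges: ipaddress.is_global would misclassify the
# documentation range 203.0.113.0/24 used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def first_seen_external_ssh(records, baseline_end):
    """Alert when a user opens SSH to an external peer not in their history."""
    seen = defaultdict(set)  # user -> SSH peers contacted so far
    alerts = []
    for ts, user, dst_ip, _port, proto, _detail in records:
        if proto != "SSH":
            continue
        live = datetime.fromisoformat(ts) >= baseline_end
        if live and is_external(dst_ip) and dst_ip not in seen[user]:
            alerts.append((ts, user, dst_ip))
        seen[user].add(dst_ip)
    return alerts


def file_enumeration_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Alert once per user when >= threshold distinct directory listings
    occur within a sliding time window (hypothetical threshold values)."""
    recent = defaultdict(deque)  # user -> (time, path) of recent listings
    fired = set()
    alerts = []
    for ts, user, _dst_ip, _port, proto, detail in records:
        if proto != "SMB" or not detail.startswith("list:"):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((t, detail[len("list:"):]))
        while q and t - q[0][0] > window:  # drop listings outside the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and user not in fired:
            fired.add(user)
            alerts.append((ts, user, len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in first_seen_external_ssh(SAMPLE_RECORDS, BASELINE_END):
        print("first-seen external SSH peer:", alert)
    for alert in file_enumeration_bursts(SAMPLE_RECORDS):
        print("file enumeration burst:", alert)
```

The point of the baseline period is that "never interacted with this endpoint before" only has meaning relative to recorded history; without it, the first SSH session of every user would fire. The second rule only works if internal SMB traffic is visible at all, which is the East-West visibility the paragraph above describes.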

