AppSec Threats Deserve Their Own Incident Response Plan
We’ve been hearing a lot about software supply chain attacks over the past two years, and with good reason. The cybersecurity ecosystem and industry at large have been inundated with warnings about this attack vector, with high-profile attacks leading to a stark increase in vendor solutions, as government regulations keep trying to catch up. Yet despite the popularity of AppSec-related incidents, Enso Security’s research has shown that most organizations do not have an incident response plan in place specific to these attacks. Others that do have an IR playbook often prepare to respond to infrastructure-related attacks such as ransomware, rather than attacks based on application channels. Given the prevalence of these attacks, this post will focus on software supply chain incident response and will include a quick response playbook as well as trends and characteristics that make AppSec incident response deserving of its own plan.

Before we dive in, it’s important to remember that incident response is a profession and involves a fair amount of resources and strategy. Designing a proper incident response plan for AppSec threats doesn’t happen overnight, and each response plan is uniquely suited to a specific organization. With that being said, we hope our quick tips will be able to help organizations get a strong head start.

A Quick AppSec Incident Response Checklist

Below is a basic AppSec incident response checklist for a malicious package incident, such as the ESLint attack, which, for me, was the first time I had to respond in real-time to a malicious dependency potentially running in the continuous integration (CI) pipeline.

Here is an example of a basic incident response playbook for a popular public dependency gone malicious:


1.
Check
CI
logs

for
the
specific
usage
of
the
malicious
packages.


2.
Identify
the
assets

to
which
the
malicious
code
gains
access.


3.
Identify
all
possible
compromised
credentials

and
rotate
all
credentials
in
the
relevant
environments.


4.
Identify
all
associated
developers

who
have
committed
the
malicious
package,
rotate
the
relevant
credentials,
and
have
security
or
IT
begin
an
investigation
of
their
workstations.


5.
Notify
R&D

that
there
is
a
malicious
package
suspicion
and
relevant
keys
may
be
rotated
shortly.


6.
Audit
all
access

to
organization
assets.
Identify
any
anomalies
that
indicate
breached
credentials
usage.
Continue
this
step
beyond
the
initial
incident
response.
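The following is an added triage helper, not code from the original post or from Enso Security, that carries steps 1, 2, 3 and 6 of the playbook above through on constructed data. It assumes a simple CI log format (one line per event with a job= field, "+ package@version" lines for installs and a secrets= line listing the credentials each job had in its environment), an npm package-lock.json in the v2/v3 "packages" layout, and a registry access log keyed by token id; the package name example-linter, its bad version and all log lines are placeholders constructed for the example.

```python
"""Malicious-dependency triage: which CI jobs installed the bad version, which
credentials those jobs could see (so what to rotate), which lockfiles still pin
it, and whether retired credentials were used after rotation."""
import json
import re
from datetime import datetime

# Constructed placeholder: in a real incident the name and versions come from
# the advisory for the compromised package, never from a script.
MALICIOUS_VERSIONS = {"example-linter": {"1.2.3"}}

# Constructed CI log excerpt (assumed format, not from any real pipeline).
CI_LOG = """\
2024-05-01T10:02:11Z job=api-build secrets=NPM_TOKEN,AWS_ACCESS_KEY_ID
2024-05-01T10:02:14Z job=api-build + example-linter@1.2.3
2024-05-01T10:02:14Z job=api-build + left-pad@1.3.0
2024-05-01T10:07:40Z job=docs-build secrets=GH_PAGES_TOKEN
2024-05-01T10:07:42Z job=docs-build + example-linter@1.2.2
2024-05-01T10:11:05Z job=web-build secrets=NPM_TOKEN,DOCKERHUB_PASSWORD
2024-05-01T10:11:09Z job=web-build + example-linter@1.2.3
"""

# Constructed package-lock.json for one repository (npm lockfile v3 layout).
LOCKFILE = json.dumps({
    "name": "web",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "web"},
        "node_modules/example-linter": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed registry access log for step 6, plus the rotation cutoff and the
# token ids retired at that cutoff.
ROTATED_AT = "2024-05-01T12:00:00Z"
RETIRED_TOKEN_IDS = {"tok_old_api", "tok_old_web"}
ACCESS_LOG = """\
2024-05-01T11:58:00Z token=tok_old_api action=publish ok
2024-05-01T13:21:09Z token=tok_new_api action=publish ok
2024-05-01T14:05:33Z token=tok_old_web action=publish denied
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) (?P<rest>.*)$")
INSTALL_RE = re.compile(r"^\+ (?P<pkg>@?[^@\s]+)@(?P<ver>\S+)$")
SECRETS_RE = re.compile(r"^secrets=(?P<names>\S+)$")
ACCESS_RE = re.compile(r"^(?P<ts>\S+) token=(?P<tok>\S+) action=\S+ (?P<result>\S+)$")


def find_malicious_installs(log_text, malicious=MALICIOUS_VERSIONS):
    """Step 1: (timestamp, job, package, version) for every install of a bad version."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        inst = INSTALL_RE.match(m["rest"]) if m else None
        if inst and inst["ver"] in malicious.get(inst["pkg"], set()):
            hits.append((m["ts"], m["job"], inst["pkg"], inst["ver"]))
    return hits


def exposed_credentials(log_text, malicious=MALICIOUS_VERSIONS):
    """Steps 2 and 3: for each affected job, the credentials present in its
    environment, i.e. everything an install hook could have read."""
    affected = {job for _, job, _, _ in find_malicious_installs(log_text, malicious)}
    exposed = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        sec = SECRETS_RE.match(m["rest"]) if m and m["job"] in affected else None
        if sec:
            exposed.setdefault(m["job"], set()).update(sec["names"].split(","))
    return exposed


def rotation_list(log_text, malicious=MALICIOUS_VERSIONS):
    """Deduplicated, sorted credential names to rotate across all affected jobs."""
    names = set()
    for creds in exposed_credentials(log_text, malicious).values():
        names |= creds
    return sorted(names)


def lockfile_pins(lockfile_json, malicious=MALICIOUS_VERSIONS):
    """Step 1 from the other direction: pinned entries that would reinstall a bad
    version on the repository's next build."""
    data = json.loads(lockfile_json)
    pins = []
    for path, meta in data.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1] if path else ""
        if meta.get("version") in malicious.get(name, set()):
            pins.append((name, meta["version"]))
    return pins


def retired_token_use_after_rotation(access_log, retired=RETIRED_TOKEN_IDS,
                                     rotated_at=ROTATED_AT):
    """Step 6: any use (successful or denied) of a retired token after the
    rotation cutoff is an anomaly worth an alert, since only the old value's
    holder could be presenting it."""
    cutoff = datetime.fromisoformat(rotated_at.replace("Z", "+00:00"))
    flagged = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["tok"] not in retired:
            continue
        if datetime.fromisoformat(m["ts"].replace("Z", "+00:00")) > cutoff:
            flagged.append((m["ts"], m["tok"], m["result"]))
    return flagged


if __name__ == "__main__":
    print("installs:", find_malicious_installs(CI_LOG))
    print("rotate:", rotation_list(CI_LOG))
    print("pinned:", lockfile_pins(LOCKFILE))
    print("retired token use:", retired_token_use_after_rotation(ACCESS_LOG))
```

The docs-build job installs 1.2.2, which is not in the bad set, so its GH_PAGES_TOKEN is not on the rotation list; the point of keeping the secrets line per job is that rotation scope follows the blast radius rather than "everything". The denied attempt with tok_old_web is still reported, because a failed use of a retired credential is the clearest sign that it left the pipeline.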

While these steps are being taken, the company’s executive management team should consider and draft both an internal and a public response to a potential incident, and involve the required departments, such as customer success, external affairs, legal, etc.

Why Do We Need a Dedicated AppSec Incident Response Playbook?


R&D
as
the
attack
surface:

As
the
rate
of
production
is
faster
than
ever,
developers
are
the
largest
growing
moving
targets
for
attacks.
Security
must
get
in
front
of
this
attack
vector
by
having
the
security
controls
in
place
and
continuously
collecting
the
relevant
data
from
R&D

not
just
when
there’s
an
emergency.
The
nature
of
supply
chain
attacks
requires
security
to
have
a
much
deeper
understanding
of
the
business,
and
they
must
be
able
to
show
leadership
that
they
are
able
to
manage
and
assess
security
issues
based
on
their
own
data,
without
burdening
R&D
during
an
incident.


Mass-casualty
event:

Unlike
traditional
ransomware
attacks
that
target
one
organization
at
a
time,
supply
chain
attacks
are
often
mass-casualty
events,
potentially
affecting
thousands
of
organizations
in
one
“hit.”
A
standard
incident
response
plan
will
not
be
suited
for
massive
security
events
in
which
external
consultations
are
needed.
Experts
will
be
overwhelmed
and
trying
to
assist
dozens
of
customers
in
such
an
attack,
and
the
organization
cannot
run
the
risk
of
a
delayed
response.


AppSec
is
an
immature
discipline:

The

importance
of
AppSec

has
only
recently
been
acknowledged,
evident
by
the
current
and
expected
increases
in
spending,
market
growth,
and
regulatory
activity.
Software
supply
chain
attacks
are
also
a
relatively
new
phenomenon
that
security
teams
must
deal
with,
as
they
were
not
prioritizing
this
kind
of
threat
only
five
years
ago.
Today,
security
teams
face
these
challenges
on
a
daily
basis.
As
the
application
attack
surface
continues
to
expand
and
has
become
globally
intertwined,
the
available
solutions
and
know-how
are
still
playing
catch-up.


Attacker
sophistication
not
(always)
required:

Attackers
are
lucky
enough
to
leverage
the
fact
that
there
is
still
a
concerning
lack
of
adequate
tools
to
defend
the
industry
from
supply
chain
risks,
and
the
security
tools
that
do
exist
are
still
quite
new.
Supply
chain
attacks
are
extremely
lucrative
and
a
small
crime
brings
attackers
a
disproportionate
amount
of
treasure.
If
an
attacker
succeeds,
they
can
get
access
to
important
data
from
not
one
organization
but
thousands.
On
the
defense
side,
organizations
have
little
visibility
into
CI
builds
and
even
less
visibility
into
developer
stations,
making
it
extremely
difficult
to
secure
this
attack
surface.

Despite this seemingly unbalanced match between malicious actors and AppSec teams, we shouldn’t feel defeated. As these threats grow more prevalent, security teams are getting better at incident response, and vendors are building innovative tools to better serve security professionals. With a little rearranging of priorities and updating of the incident response manual to better suit threats of an AppSec nature, organizations can be ready to face the future of software attacks.
