From the NotPetya attacks last year to the recent hijack of the MEGA browser plugin, it’s obvious that supply chain compromise isn’t just a theoretical risk anymore. But how do you threat hunt in an environment that isn’t your own? This is a difficult task, so we focus on the handful of indicators that are legally visible from outside the vendor's network.
A few visible things you can (and should) look for when threat hunting in your supply chain:
- DNS server IP address changes
- Passive DNS to monitor for new subdomains
- Look for leaked emails in dumps, especially when the dumps come from sites that are not related to core business
- Examine threat data feeds for domains and IPs
- Watch for defaced websites
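As an added example (not from the original post or its slides), here is a small Python baseline comparison that turns the first two list items into repeatable checks: it flags changes to a vendor's nameserver delegation or nameserver IPs, and subdomains that show up in passive DNS but not in the recorded baseline. The domain, IPs and subdomains are constructed; in a real run the "current" inputs would come from a fresh DNS lookup and a passive DNS query.

```python
from dataclasses import dataclass


@dataclass
class VendorBaseline:
    """What we last recorded for a vendor domain (constructed, not real data)."""
    domain: str
    nameservers: dict            # NS hostname -> frozenset of IPs it resolved to
    known_subdomains: frozenset  # subdomains seen in passive DNS at baseline time


def hunt_vendor(baseline, current_nameservers, passive_dns_subdomains):
    """Compare a fresh snapshot against the baseline; return (severity, message) tuples."""
    alerts = []
    old_ns, new_ns = set(baseline.nameservers), set(current_nameservers)
    # Delegation changes: a nameserver dropped or an unknown one added
    for ns in sorted(old_ns - new_ns):
        alerts.append(("high", f"{baseline.domain}: nameserver {ns} removed from delegation"))
    for ns in sorted(new_ns - old_ns):
        alerts.append(("high", f"{baseline.domain}: unknown nameserver {ns} added"))
    # Same nameserver name, but now resolving to different IPs
    for ns in sorted(old_ns & new_ns):
        before, after = baseline.nameservers[ns], frozenset(current_nameservers[ns])
        if before != after:
            alerts.append(("high", f"{baseline.domain}: {ns} now resolves to "
                                   f"{sorted(after)} (was {sorted(before)})"))
    # Subdomains never seen before in passive DNS
    for sub in sorted(set(passive_dns_subdomains) - baseline.known_subdomains):
        alerts.append(("medium", f"{baseline.domain}: new subdomain in passive DNS: {sub}"))
    return alerts


def run_example():
    """Constructed scenario: ns2 moved to a new network and a new subdomain appeared."""
    baseline = VendorBaseline(
        domain="vendor.example",
        nameservers={"ns1.vendor.example": frozenset({"192.0.2.10"}),
                     "ns2.vendor.example": frozenset({"192.0.2.11"})},
        known_subdomains=frozenset({"www.vendor.example", "mail.vendor.example"}),
    )
    current = {"ns1.vendor.example": {"192.0.2.10"},
               "ns2.vendor.example": {"198.51.100.7"}}
    pdns = ["www.vendor.example", "mail.vendor.example", "vpn-update.vendor.example"]
    return hunt_vendor(baseline, current, pdns)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity}] {message}")
```

Keep the baseline in version control so a change can be traced to a date and, if the vendor confirms it was planned, simply re-baselined.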
You can download slides here. If there’s enough interest, we might do a webcast in the coming weeks.
While you’re thinking about supply chain security, check out our Supply Chain Risk Framework (SCREATH) here. It’s a 65-question worksheet that can help you quantify risks between vendors, allowing you to perform apples-to-apples comparisons.
If you think your network might be compromised and need help with Threat Hunting, Adversary Emulation, Incident Response, or other security needs, please contact Rendition Infosec.