by Bob Flores, President and CEO of Applicology, and Former CTO of the Central Intelligence Agency
In the world of cyber espionage and nation-state hacking, backdoor software vulnerabilities are often thought of as a cloak and dagger tactic. But the reality is that backdoors continue to grow in popularity and present very real threats to organizations and governments around the world. As a matter of fact, for industrial automation systems alone, Kaspersky recently reported that in the second half of 2018, 3.1 percent of all attacks blocked by its distributed antivirus network were backdoor attacks (double the number from the first half of 2017). And, Malwarebytes reported a 173 percent increase in backdoor detections in business between 2017 and 2018.
What is a backdoor? In the most traditional sense, a software backdoor is a way to bypass normal authentication or encryption to gain access into a closed system. These can be created as a special credential backdoor (for example, to give legitimate admin access), as an intentionally hidden backdoor for a threat actor (for example, created by an insider to enable others to infiltrate an electric grid or steal IP), or can be the result of sloppy software coding. Regardless, backdoors are security vulnerabilities that can be used to access computer systems and the data they contain.
Unfortunately, we see these types of vulnerabilities and attacks littering today’s headlines. For example, hackers (supposedly state-sponsored and tied to China) recently compromised ASUS and created backdoor access to thousands of computers (dubbed ShadowHammer). Then there’s the WordPress SMTP vulnerability that allowed hackers to create backdoor admin accounts, and the ongoing debate over whether security risks in Huawei code was intentionally designed to create backdoors. And these are just the vulnerabilities that are publicly disclosed (for example, what about the alleged Russia hack that brought down electrical grids in Ukraine?).
Cyber security has always been hard, but in the past, there were limits to how you could insert backdoor vulnerabilities into programs – initially you had to have some sort of insider. The investment this required often meant nation states only went after high-profile targets. For example, Backdoor Regin, which was an advanced malware believed to be used by nation-states back in 2014 for spying.
Unfortunately, as the complexity and scale of application development has advanced, and the components and dependencies have expanded (open-source, software development kits (SDKs), and more) the attack surface is significantly broader. What used to be an intensive, complex and highly targeted exploit can now be done with much less effort. Couple this with the dramatic reduction in compute and storage costs, and we’re seeing a rise in the “spray and pray” approach to backdoor vulnerabilities. Or, to use another term: the “sit and wait” hack of third-party systems.
Federal agencies and banks are no longer alone as targets for nation-state attacks. Every business is a potential target now, and depending on the type of backdoor, it’s no longer just state-sponsored hackers that pose a threat.
To demonstrate just how prolific third-party source code is, a recent report from Synopsys scanned IoT applications. On average, 77 percent of the codebase was shown to comprise open source components (with an average of 677 vulnerabilities per application). This example highlights the trend of increased reliance on third-party code from open-source library SDKs. As software evolves into an increasingly complex mashup of code from siloed sources, as it relies more and more on microservices and cloud, and as it is constantly updated by developers via continuous delivery models, it becomes harder and harder to protect. When not audited properly, it can allow threat actors to more easily insert backdoors or exploit hidden flaws in code.
Traditionally, reviewing code was a heavily manual one-dimensional process. But this approach is nearly impossible today given the scale and complexity of software development. For example, you inherit the dependencies of your dependencies. So, when a common open source library, such as Jackson-databind, repeatedly has deserialization vulnerabilities in it, you are at the mercy of your SDK vendors to update and release as fast as possible to minimize your own exposure.
As a result, application development security solutions have emerged that allow teams to identify code vulnerabilities. This capability is an invaluable first step in helping reduce backdoors that result from sloppy code. That said, most of these solutions are incapable of understanding contextual vulnerabilities (like the SDK in Twilio) or business logic vulnerabilities, which are defined as a way of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization. This is an important distinction. A backdoor could be intentionally placed (not due to faulty code), or it could be the result of a dependency on a third-party service or code base. Being able to identify that contextual vulnerability or business logic flaw has historically been nearly impossible to automate.
Fortunately, we’re starting to see technology emerge that allows teams to overcome this issue in application security testing. How does this work? At a high-level it involves allowing teams to map code analysis to unique application requirements (essentially to make a unique query request and/or rule) and automate the testing. Traditional tools use generic queries, security auditors, and reviewers, which result in high false positives and negatives when testing. By misunderstanding the complex routes between data sources and the ultimate goal of the application (or processes), the ability to be effective at scale is eliminated. Just imagine working through false positives associated with pushing 10 or 20 updates a day – it’s not going to happen.
The good news is that security innovation is continuing at a blistering pace. Application security testing continues to be the fastest growing segment of information security (with 14 percent CAGR through 2021), and the market was projected by Gartner to hit $775 million by the end of 2018. As the pace of software development quickens, it’s imperative that we raise the bar around security and increasingly automate code auditing to help root out vulnerabilities like software backdoors. Ultimately, it’s going to take tools that both deliver more automation and enable security and development teams to apply their knowledge of the code. One such example is an emerging open-source project called Joern. If we can’t modernize application security, organizations will increasingly find themselves the victim of attacks that have crippling impacts on consumer confidence, market economies, or worse, international nation-state conflicts.
About the Author
Bob Flores, President and CEO of Applicology. Bob is a cyber security expert and founder of Applicology, a security consulting firm. He previously worked for the Central Intelligence Agency (CIA) for 30 years, holding positions in the Directorate of Intelligence, Directorate of Support, and the National Clandestine Services. He also served as the CTO of the CIA for several years, and was awarded the CIA’s Distinguished Career Intelligence Medal. Bob has a bachelors and masters degree in statistics from Virginia Tech, and has done graduate studies at George Washington University and the Kellogg School of Management at Northwestern university. He can be reached through his company website https://www.applicology.com/Home/contact-1