Chapter 36 Β· Tricks & Performance

Trick Questions & Performance Tasks

The supply chain misconceptions most likely to cost exam points β€” and the performance task that tests whether you can respond to a live supply chain incident.

Trick 1: "Code signing guarantees that a software update is safe and has not been tampered with, so organizations can install signed updates from trusted vendors without additional scrutiny." True or False?
FALSE β€” code signing proves provenance, not safety. It cannot protect against compromise that occurs before the signing step.

This is the central lesson of the SolarWinds SUNBURST attack. Code signing answers one question: "Was this software package produced and signed by the entity named on the certificate?" It says absolutely nothing about whether the code those bytes represent is safe, beneficial, or malicious.

Why SolarWinds broke this misconception:
SolarWinds' developers compiled and signed the SUNBURST-infected Orion update using their legitimate, CA-issued code-signing certificate. Every signature check passed. "Signed by SolarWinds" was true β€” it genuinely came from SolarWinds' signing infrastructure. What the signature could not say was that SolarWinds' build server had been compromised and that the code being signed was not the code SolarWinds' developers intended to ship.

The code signing assumption chain:
Traditional code signing security depends on an unbroken chain: (1) Developers write clean code, (2) the build process faithfully compiles it, (3) the resulting binary is signed before distribution. SUNBURST broke step 2. If the build process is compromised, malicious code enters the binary before signing and exits the other side with a valid, trusted signature.

What code signing does protect against:
Code signing remains valuable β€” it protects against tampering after signing (an attacker who intercepts a legitimate package and modifies it will break the signature), impersonation (a vendor claiming to be another vendor won't have their certificate), and delivery-level tampering. These are real threats. But they are not the only supply chain threats.

Exam tip: When a question pairs "code signing" with "guarantees safety" or "proves the code is not malicious," the answer is false. Code signing proves who signed it, not what was signed. When a question describes a build pipeline compromise where malicious code is inserted before signing, the correct answer is that code signing does NOT protect against this scenario.
Trick 2: "Supply chain attacks primarily target large enterprise software vendors. Small vendors like facilities management companies, cleaning services, or HVAC contractors do not represent meaningful supply chain security risks because they have no IT function." True or False?
FALSE β€” supply chain risk is determined by what access a vendor holds, not by the nature of their business.

This misconception directly contradicts the Target breach of November 2013, which remains the most prominent real-world example of a service provider supply chain attack.

The HVAC argument:
An HVAC company monitors temperature and refrigeration. They have no IT security function. They don't touch payment systems. They don't handle sensitive data. By the logic in the trick question, they are not a supply chain risk. But they had VPN credentials to access Target's network β€” issued for the legitimate purpose of remote system monitoring. That access, when compromised, gave attackers a foothold inside Target's network with enough reach to install malware on 1,800 point-of-sale systems.

The risk equation:**
Supply chain risk = (vendor access to systems) Γ— (vendor security posture). A small vendor with VPN access to internal systems and weak security may represent a higher effective risk than a large enterprise software vendor with strong security practices but only read-only access to a non-critical external API.

Vendor types that commonly have overlooked access:
β€’ HVAC and building management (environmental monitoring access)
β€’ Elevator and escalator maintenance (building systems access)
β€’ Cleaning services (after-hours physical access to unlocked workstations)
β€’ Payroll processors (read access to HR systems, write access to payroll data)
β€’ External auditors (access to financial systems during audits)
β€’ Managed print services (devices connected to the network with their own credentials)

Exam tip: Whenever a question describes a breach traced to an "unexpected" vendor β€” especially one that seems unrelated to IT β€” the answer is supply chain/service provider attack. The surprise is part of the concept. Questions may describe cleaning companies, HVAC contractors, vending machine technicians β€” any entity with network access credentials is a potential supply chain vector.
Trick 3: "Open-source software is immune to software supply chain attacks because the source code is publicly visible and anyone can inspect it for malicious changes." True or False?
FALSE β€” open-source software is not immune to supply chain attacks; public visibility is not equivalent to actual review.

The misconception assumes that because source code is visible, someone is always looking at it. In practice, widely-used open-source libraries may have hundreds of thousands of downstream users but only a handful of active maintainers, and those maintainers may not have comprehensive security expertise.

Attack vectors in open-source supply chains:

1. Maintainer account compromise: Attackers can compromise the credentials of a package maintainer and publish a malicious version of a legitimate package. The package appears in the official registry with the legitimate maintainer's account β€” no one would expect a new version of a trusted library to be malicious.

2. Typosquatting: Publishing a malicious package with a name one letter off from a popular legitimate package (e.g., "reqests" vs "requests" in Python). Developers who mistype the package name or use a requirements file with a typo install the malicious package instead.

3. Dependency confusion: Publishing a malicious public package with the same name as a private internal package at a higher version number. Build tools that check public registries first may install the malicious public version instead of the internal one.

4. Compromising the source itself: A contributor with malicious intent (or a compromised contributor account) can submit code changes that introduce vulnerabilities or backdoors. If reviewers don't catch the issue, the malicious code ships in an official release.

Exam tip: Questions that suggest open-source is inherently more secure than closed-source because "anyone can review the code" should be questioned. Review availability is not the same as review occurrence. Supply chain attacks have successfully used all the vectors above against widely-deployed open-source packages.
Trick 4: "The SolarWinds SUNBURST attack was undetected for nine months because it used highly sophisticated zero-day exploits against endpoint security tools at each victim organization." True or False?
FALSE β€” SUNBURST was undetected primarily because it exploited trust, blended into normal traffic, and used deliberate evasion techniques β€” not by breaking endpoint security tools with zero-days.

SUNBURST's stealth came from its design philosophy: don't fight the security tools, make them irrelevant.

Why SUNBURST was invisible for nine months:

1. Legitimate delivery channel: SUNBURST arrived as an official SolarWinds update through the normal update mechanism, signed with a valid certificate. Every security tool that checked the update said "legitimate, approved." There was nothing to block at delivery.

2. Dormancy period: SUNBURST waited 12–14 days after installation before activating. Test environments and sandbox analysis systems typically don't run deployed software for two weeks. The code was dormant during any testing window.

3. Environment detection: Before activating, SUNBURST checked whether it was running in an analysis environment β€” it looked for domain names associated with security vendors, sandbox artifacts, and tools used by malware analysts. If any were detected, it remained dormant indefinitely.

4. Traffic blending: When active, SUNBURST communicated over HTTPS β€” the same protocol used for all normal web traffic β€” using domain names designed to look like legitimate SolarWinds infrastructure. Network monitoring would see HTTPS traffic to what appeared to be a SolarWinds server.

5. Exploitation of existing trust: The malware leveraged SolarWinds' pre-existing legitimate network connections, process identities, and communication patterns. Security monitoring that flagged "SolarWinds process making network connection" would see this as expected behavior.

Exam tip: SUNBURST's evasion was architectural, not technical. It didn't need zero-days at each victim because it never had to fight security controls directly β€” it arrived through a trusted channel, impersonated a trusted process, and communicated over trusted protocols. The lesson: sophisticated attackers prioritize blending in over breaking through.
Performance Task: Your organization's threat intelligence team has received a notification that a widely-used IT monitoring software vendor has discovered a supply chain compromise: malicious code was inserted into the vendor's software update released 60 days ago. Your organization installed that update across 200 servers and workstations. The vendor has released a clean update and a forensic indicator report with file hashes, network IOCs (IP addresses and domains), and registry keys associated with the malicious code. Describe your complete incident response procedure from initial notification to remediation, including how you determine scope, contain the threat, and prevent recurrence.
Model Answer:

Phase 1 β€” Immediate Assessment (Hours 0–2):
Treat this as a confirmed breach with unknown scope until proven otherwise. All 200 systems that installed the affected update must be assumed compromised until cleared. Immediately convene the incident response team and brief leadership β€” a 60-day dwell time means the attacker has had two months of undetected access, which may include credential harvesting, data exfiltration, lateral movement, and persistence establishment. This is a P0 incident. Notify legal counsel regarding potential breach notification obligations.

Phase 2 β€” Scope Determination (Hours 2–8):
Using the vendor's forensic indicators (file hashes, IOCs, registry keys): (1) Search all 200 affected systems for the indicator files and registry keys to confirm whether the malicious component is present and was activated. (2) Search network logs for communications with the vendor-provided malicious IP addresses and domains. Identify which systems made outbound connections to these destinations β€” any that did should be treated as active compromises. (3) Search endpoint logs for process execution events matching the malicious file hashes. (4) Review authentication logs for unusual activity from service accounts, especially any lateral movement, privilege escalation, or access to sensitive systems, over the 60-day window.

Phase 3 β€” Immediate Containment:
For systems that show active IOC indicators (network connections to malicious IPs, presence of malicious files, registry key matches): immediately isolate from the network β€” disconnect the host's network interface or firewall it off at the network layer. Do NOT shut down immediately β€” capture volatile memory (RAM dump) first to preserve forensic evidence of what the malware was doing in memory. After memory capture, preserve disk images before any remediation to maintain forensic integrity.

For all 200 affected systems: block the vendor-provided malicious IP addresses and domains at the firewall and proxy level immediately, even for systems that have not yet shown indicators β€” this prevents any remaining active compromises from communicating with the attacker's command-and-control infrastructure.

Phase 4 β€” Credential Reset (High Priority):
Because the malware had 60 days of potential access and credential harvesting is a standard attacker objective, assume that credentials from any system that communicated with the malicious infrastructure have been compromised: (1) Reset all service account passwords used on affected systems. (2) Force password resets for all user accounts that logged into affected systems during the 60-day window. (3) Revoke and re-issue any API keys, certificates, or tokens stored on affected systems. (4) If domain-joined systems are affected, reset the krbtgt account twice (to invalidate all Kerberos tickets) if there is any indication of lateral movement.

Phase 5 β€” Remediation:
After forensic preservation: (1) Deploy the vendor's clean update to all 200 systems. (2) Remove or quarantine any files and registry keys identified in the vendor's indicator report. (3) Rebuild any systems with confirmed active compromise from known-good baselines rather than attempting to clean them in place β€” if the attacker had 60 days, there may be persistence mechanisms not yet known. (4) Verify the new update's integrity against the vendor's published hash before deployment β€” do not trust the update distribution channel until you have confirmed the vendor has secured their pipeline.

Phase 6 β€” Post-Incident:
Review why the malicious update was not detected during its 60-day dwell time: (1) Did any network monitoring alert on the malicious outbound connections? If not, why not? Update detection rules. (2) Was staged deployment (test environment before production) in place for vendor software updates? If not, implement it. (3) Update vendor risk assessment for this supplier β€” a build pipeline compromise is a severe security failure; conduct a formal re-assessment of whether this vendor's security posture meets requirements for continued access. (4) Review SBOM for all critical applications to identify any other dependencies on this vendor's software components. (5) File a formal post-incident report documenting timeline, scope, actions taken, systems affected, and systemic process changes implemented to prevent recurrence.