Supply Chain Security, Assumptions & Blind Spots

Chinese Cyberspies Appear to be Preparing Supply-Chain Attacks

First and foremost, attackers appear to favor spear-phishing individual targets, preferring to collect credentials and then entering accounts without utilizing malware for establishing an initial foothold.
We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective,” 401TRG experts said about the 2017 campaigns.
Hackers focus on collecting network credentials and then spreading laterally inside a company.
Attackers then use a technique known as “living off the land,” which refers to the use of locally installed apps for malicious purposes. Tools often used in these intrusions include standard Windows utilities, but also penetration testing utilities such as Metasploit and Cobalt Strike. Malware is only deployed if necessary, attackers fearing detection, which often implies losing their foothold on a target’s network.

First, don’t forget the ‘supply chain’ isn’t just raw materials or parts or assemblies or their ilk. It’s the HVAC and fish tank maintenance companies, too.
I like the phrase LotL (“Living off the Land”). I think, tho need to check, it translates well.
Tl;dr: Orgs with strong security & defense-in-depth can still harbor blind spots & inaccurate assumptions.
The above story, while not unique, does a nice job of describing how the attack surface changes after each successful step and how overlooked or taken-for-granted parts of an infrastructure can be purposed by bad actors. For example, …
Many years ago my good friend and colleague Edgar Rojas and I (with 2 others – a story for another time) worked a client engagement. We were not allowed to introduce our employer’s tools into the environment yet we needed to mine and process substantial amounts of data.
We were able to do a lot by LotL. I don’t mean to imply we were doing any penetration testing or hacking. We used the tools that were available, or could be.
For example, the client’s VDI security policies restricted installing Windows programs but had no restrictions for downloading and running tools as a local user. I used Emacs & Orgmode extensively for processing data, writing the report, and deliverable documentation. I used a few other tools to help with the data processing. I wrote PowerShell scripts and elisp to do what some denied tools would have done. Ed did other stuff with other tools I will let him describe if & when he chooses.
IMNSHO, we produced a valuable report and other deliverables for a delighted client surprised & educated by what we were able to generate given the restrictions.
One can imagine a bad actor using various attack vectors, with significant difficulty & probably in combination, to get inside such an org’s environment and then take advantage of the same tools we did.
Is your org’s environment as well governed by policy and technology controls? Or do you have more fundamental issues to address?
P.s. – We were the supply chain in this story. I saw no fish tanks but enjoyed conditioned air.

Be nice with what you write.