Turns out NotPetya was a really bad omen, and only the beginning after all.
I mean, supply chain attacks against operators with big footprints clearly are incredibly effective for resourced attackers. The bad news is there’s currently no easy fix for not having trust in third-party software or software updates - including security tools.
Really, the only thing that can be done as more code review efforts spin up is to build good old-fashioned defense-in-depth and operate software in well segmented, least privileged environments.
Unfortunately, many of our most commonly deployed security and infrastructure software suites are pretty insistent about having unfettered access to everything.
Remember Auntie Lesley’s rule #2: Even the most sophisticated adversary with the most expensive intrusion TTPs still has to follow the laws of reality - they can still be caught somewhere else in their attack chain.
I would highly recommend every org perform a TTX in the next month or two where their AV, EDR, or host configuration management tool is updated and compromised by a malicious adversary. Just to go all-out on a plausible worst case scenario.
They are a harder target than Joe Schmo tax software or a network management tool, but man would they ever be a juicy target.
You can follow @hacks4pancakes.