With two young kids, the annual tradition of Elf on the Shelf is alive and well in my house. But, of course, the suspense and thrill of this beloved custom is taken to another level in the Smith household. It begins with the sudden appearance of a suspicious elf – usually the day after Thanksgiving – who not only gathers intel for Santa but thrives on causing a mess, stirring up trouble, and creating disorder in an otherwise peaceful home. While entertaining for the kids, I must admit that the chaos caused by the elf’s antics reminds me of the turmoil that I contend with as a software engineer who has spent more than a decade working to secure software supply chains.
For example, every morning we start with our hunt for the elf. We never know where this wily little guy is hiding or what mischief it was up to as we slept. Truthfully, we don’t even know what kinds of misdeeds it carried out before it showed up in our house.
During our search, we look high and low to determine where this elf – who we willingly trusted and let into our house – is hiding and whether it was engaging in benign or bad behavior.
Analyzing software supply chain security – specifically, open source components – is no different.
We trust open source and let it in our house – or, in this case, our software supply chain.
First and foremost, open source packages are so vast that sometimes things go amok – plain and simple. A malicious PyPI or npm package is pushed by a contributor that we thought was legit, we fall victim to typosquatting, or we just get hit by a zero day against a package we are using. And just like the elf that the Smiths blindly trusted as an agent of Santa and who causes a mess that we have to clean up every day, threat actors function as malevolent elves of sorts, wreaking unimaginable havoc on software supply chains that organizations must spend countless hours and thousands (or sometimes millions) of dollars mitigating.
Second, as we figure out what to do with our pesky elf, we need to track the activities of a potential threat actor that’s lurking in the open source software and determine what harm, if any, they could pose. Did they leave a trail? Does the trail contain malicious components or data to factor into our hunt?
Lastly, we need to find the threat actor. Fortunately for us, the elf in our house is pretty easy to track down. After all, my kids are only two and four, so we can’t make it too hard for them to find. Unfortunately, organizations typically only identify and track down the threat after the mess has been made – and by then it’s too late for a quick fix. Looking at just the beginning of December, we had to deal with multiple messes imposed by a myriad of attacks on open source software like solana/web3.js, Ultralytics, and Apache Struts. Each of these triggers a zero-day-response-style playbook, where you have to identify whether the component is being used by your organization, how it’s being pulled into your organization, and at what stage it’s being introduced. The pace of attacks has quite literally become a nightly event and is keeping pace with the messes created by the elf on the shelf.
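The three questions in that playbook (is the component used, how is it pulled in, at what stage) can be answered from a dependency lockfile. The following is an added example, not Hunted Labs code or any project's tooling: it scans a constructed npm package-lock.json (lockfileVersion 3 layout) against an advisory list; the version numbers and the second package name are placeholders, not the actual compromised releases.

```python
import json

# Constructed sample lockfile (package-lock.json, lockfileVersion 3 layout).
# Versions and "example-compromised-pkg" are placeholders, not real advisories.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": {"@solana/web3.js": "^1.95.0", "left-pad": "^1.3.0"},
      "devDependencies": {"eslint": "^9.0.0"}
    },
    "node_modules/@solana/web3.js": {"version": "1.95.99",
                                     "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/eslint": {"version": "9.0.0", "dev": true,
                            "dependencies": {"example-compromised-pkg": "^0.0.1"}},
    "node_modules/example-compromised-pkg": {"version": "0.0.1", "dev": true}
  }
}
""")

# Advisory feed: package name -> set of known-bad versions (placeholder values).
ADVISORIES = {"@solana/web3.js": {"1.95.99"}, "example-compromised-pkg": {"0.0.1"}}


def assess_exposure(lock: dict, advisories: dict) -> list:
    """Answer the playbook questions for each affected package in the lockfile:
    is it present, is it a direct or transitive dependency (and via which
    parents), and is it dev-only or shipped to production."""
    packages = lock["packages"]
    root = packages.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    findings = []
    for path, meta in packages.items():
        if not path:
            continue  # skip the root project entry
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and scoped paths
        if name not in advisories or meta.get("version") not in advisories[name]:
            continue
        parents = sorted(
            p.rsplit("node_modules/", 1)[-1] or "<root>"
            for p, m in packages.items()
            if name in m.get("dependencies", {}) or name in m.get("devDependencies", {})
        )
        findings.append({"package": name, "version": meta["version"],
                         "direct": name in direct, "pulled_in_by": parents,
                         "stage": "dev" if meta.get("dev") else "production"})
    return findings


if __name__ == "__main__":
    for f in assess_exposure(SAMPLE_LOCK, ADVISORIES):
        print(f)
```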
That’s where Hunted Labs comes in – through our advanced technology, we are able to provide unparalleled visibility into the software supply chains of organizations so we can quickly identify potential threats, track and predict their movements, eliminate them and prevent destructive harm.
Although I have playfully likened the Smiths’ Elf on the Shelf to threat actors, the simple truth is that the mess that our elf creates is nothing compared to the catastrophic damage that opportunistic threat actors can cause while on the hunt for vulnerabilities. I have spent many holidays and special occasions working to clean up the mess they create. That’s why Hunted Labs exists: to protect the hunted and keep their software supply chains safe from harm. Happy Holidays, everyone!