August 18, 2021
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have provided information on software supply chain attacks, the associated risks, and how organizations can mitigate them. Here are the basics.
What is a software supply chain attack?
The software supply chain is part of the information and communications technology (ICT) supply chain framework, which represents “the network of retailers, distributors and suppliers that participate in the sale, delivery and production of hardware, software and managed services,” according to CISA and NIST. A software supply chain attack occurs when threat actors manage to compromise a vendor’s environment and poison their software before it reaches customers, with the purpose of infiltrating the customers’ systems. Once a vendor has been hacked, customers are compromised either through the acquisition of new, already infected software, or through the installation of malicious updates or hotfixes. This is exactly what happened in the now infamous SolarWinds supply chain attack.
What are the dangers of a software supply chain attack?
In a document titled Defending Against Software Supply Chain Attacks, CISA and NIST state: “These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure and private sector software customers.” It goes on to outline common techniques that attackers use when launching software supply chain attacks, including update hijacking, tampering with code signing and the compromise of open-source code. Thus, the adversary may compromise a vendor’s update mechanism, hack signing systems or employ self-signing certificates, or add their own code to publicly accessible code libraries. Because the malicious code arrives through a trusted vendor channel, this compromise allows attackers to bypass in-place defenses for initial access, while also enabling them to gain persistent access to the targeted environment in order to perform financial theft, data exfiltration or cyber-espionage, to disable defenses and even to cause physical harm.
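The update hijacking and code-signing techniques described above share a defensive counterpart: the customer side should accept an update only when its signature verifies under a vendor public key that was pinned at install time, rather than under whatever key happens to accompany the download. The following Go program is an added example written for this summary; it is not code from CISA, NIST or the document they published. It constructs its own vendor and attacker key pairs, sample payload strings and a small `SignedUpdate` type (all of these names and values are assumptions made for the illustration) and then runs three cases through the same check: a genuine vendor-signed update, the same update altered by one byte in transit, and a malicious update signed with a key the attacker generated themselves.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedUpdate is an update artifact together with the vendor's detached
// Ed25519 signature over it. The type and field names are assumptions
// made for this example, not a vendor's real update format.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
}

// signUpdate stands in for the vendor's release pipeline: it signs the
// artifact with the vendor's private key.
func signUpdate(priv ed25519.PrivateKey, payload []byte) SignedUpdate {
	return SignedUpdate{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the customer-side gate. It accepts an update only if the
// detached signature verifies under the vendor public key pinned when the
// product was installed. Any key that merely travels with the update is
// ignored, so an artifact signed with an attacker's own key cannot pass.
func VerifyUpdate(pinnedVendorKey ed25519.PublicKey, u SignedUpdate) error {
	if len(pinnedVendorKey) != ed25519.PublicKeySize {
		return errors.New("pinned vendor key has unexpected size")
	}
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("signature has unexpected size")
	}
	if !ed25519.Verify(pinnedVendorKey, u.Payload, u.Signature) {
		return errors.New("signature does not verify under pinned vendor key")
	}
	return nil
}

// RunScenarios exercises the check against three constructed updates and
// reports which ones the verifier accepted: a genuine vendor-signed update,
// the same update with one byte altered in transit (update hijacking), and
// a malicious update signed with a key the attacker generated themselves.
func RunScenarios() (genuineOK, tamperedOK, selfSignedOK bool, err error) {
	// Vendor key pair; the public half is what the customer pins.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Attacker key pair, generated independently of the vendor.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample payloads; real updates would be binaries or archives.
	genuine := signUpdate(vendorPriv, []byte("agent-2.1.4: benign hotfix"))

	// Same signature, but one payload byte flipped after signing.
	tampered := SignedUpdate{
		Payload:   append([]byte(nil), genuine.Payload...),
		Signature: genuine.Signature,
	}
	tampered.Payload[0] ^= 0x01

	// Attacker-authored payload signed with the attacker's own key.
	selfSigned := signUpdate(attackerPriv, []byte("agent-2.1.4: attacker build"))

	genuineOK = VerifyUpdate(vendorPub, genuine) == nil
	tamperedOK = VerifyUpdate(vendorPub, tampered) == nil
	selfSignedOK = VerifyUpdate(vendorPub, selfSigned) == nil
	return genuineOK, tamperedOK, selfSignedOK, nil
}

func main() {
	g, t, s, err := RunScenarios()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted: %v\n", g)     // true
	fmt.Printf("tampered accepted: %v\n", t)    // false
	fmt.Printf("self-signed accepted: %v\n", s) // false
}
```

The design point is that trust lives in the pinned key, not in the update: a compromised distribution server can swap bytes, and an attacker can always sign something with a key of their own, but neither produces a signature that verifies under the key the customer already holds. Protecting the vendor's private signing key, which the page notes attackers also target, is what keeps that pinned trust meaningful.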
How to mitigate supply chain attacks
To mitigate the risks associated with supply chain attacks, network defenders should apply industry best practices before the attack occurs, CISA and NIST say. They also recommend that organizations use third-party software “in the context of a risk management program” that should include a formal, organization-wide cyber supply chain risk management (C-SCRM) approach. The agencies also provide a series of recommendations on how organizations can prevent the acquisition of malicious or vulnerable software, how they can mitigate malicious or vulnerable applications that are already deployed, and how they can increase resilience. The document also includes recommendations for software vendors, such as implementing and following a software development life cycle (SDLC) and integrating a secure software development framework (SSDF) to ensure they won’t supply malicious or vulnerable software.
We highly recommend clients give the document a read and adhere to its guidelines, but we understand that it can be a lot to take in. We can assist you in its full implementation — as well as that of NIST 800-171 and CMMC.