July 29, 2022
With everything going on in the world right now, one of our most vulnerable points of attack are our supply chains. What is a software supply chain attack? What are the associated risks, and how can organizations mitigate them? Here are the basics.
What is a supply chain attack?
The software supply chain is part of the information and communications technology (ICT) supply chain framework, which represents “the network of retailers, distributors and suppliers that participate in the sale, delivery and production of hardware, software and managed services,” according to CISA and NIST. A software supply chain attack occurs when threat actors manage to compromise a vendor’s environment and poison their software before it reaches customers, with the purpose of infiltrating the customers’ systems. Once a vendor has been hacked, customers are compromised either through the acquisition of new, already infected software or through the installation of malicious updates or hotfixes. This is exactly what happened in the now infamous SolarWinds supply chain attack.
How do supply chain attacks affect us?
In a document titled Defending Against Software Supply Chain Attacks, CISA and NIST state: “These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure and private sector software customers.” It goes on to outline common techniques attackers use when launching software supply chain attacks, including update hijacking, tampering with code signing and the compromise of open-source code. Thus, the adversary may compromise a vendor’s update mechanism, hack signing systems, employ self-signing certificates, or add their own code to publicly accessible code libraries. This compromise allows attackers to bypass in-place defenses for initial access, while also enabling them to gain persistent access to the targeted environment to perform financial theft, data exfiltration, cyber-espionage, to disable defenses and even cause physical harm.
How do we prevent supply chain attacks?
To mitigate the risks associated with supply chain attacks, network defenders should apply industry best practices before the attack occurs, CISA and NIST say. They also recommend organizations use third-party software “in the context of a risk management program” that should include a formal, organization-wide C-SCRM approach. The agencies also provide a series of recommendations on how organizations can prevent the acquisition of malicious or vulnerable software, on how to mitigate already deployed malicious or vulnerable applications, and on how organizations can increase resilience. The document also includes recommendations for software vendors, such as implementing and following a software development life cycle (SDLC) and integrating a secure software development framework (SSDF) to ensure they won’t supply malicious or vulnerable software.
We highly recommend clients give the document a read and adhere to its guidelines, but we understand that it can be a lot to take in. We can assist you in its full implementation — as well as that of NIST 800-171 and CMMC 2.0.