In a joint document published this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) describe software supply chain attacks, the risks they pose, and how organizations can mitigate them.
The software supply chain is part of the information and communications technology (ICT) supply chain framework, which represents “the network of retailers, distributors, and suppliers that participate in the sale, delivery, and production of hardware, software, and managed services,” CISA and NIST explain.
Aside from the SolarWinds incident, other notorious supply chain attacks over the past several years include the CCleaner malware campaign, the MeDoc (Ukrainian accounting software) compromise leading to NotPetya, Operation ShadowHammer, the infection of IoT devices running Windows 7, and the abuse of Kaspersky Lab software to steal NSA files.
A software supply chain attack occurs when threat actors compromise a vendor’s environment and poison its software before it reaches customers, with the goal of infiltrating those customers’ systems.
Once a vendor has been compromised, its customers are compromised in turn, either by acquiring new software that is already infected or by installing malicious updates or hotfixes.
“These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers,” CISA and NIST note in a document titled Defending Against Software Supply Chain Attacks.
Common techniques used in software supply chain attacks include update hijacking, undermining code signing, and compromising open-source code. For example, an adversary may take over a vendor’s update mechanism, breach its signing systems or rely on self-signed certificates, or add their own code to publicly accessible code libraries.
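Two of the techniques above, a hijacked update and a tampered public library, both arrive as artifact bytes that differ from what the vendor or maintainer originally published. The Python script below is an added example and is not part of the CISA/NIST document: it shows the kind of hash-pinning check a consumer can run before installation. It parses a pip-style lock file carrying `--hash=sha256:` pins and compares every fetched artifact against them, reporting matches, tampered artifacts, unpinned entries that cannot be verified, and artifacts that were never pinned at all. The lock file, artifact bytes and package names are constructed sample data; pip enforces the same policy for real installs with `--require-hashes`.

```python
"""Hash-pinned dependency verification.

Added example, not code from the CISA/NIST document. Assumes a pip-style
lock file in which each requirement carries `--hash=sha256:<hex>` pins, and
a fetch step that yields artifact bytes. All sample data below is constructed.
"""
import hashlib
import re

# name==version, optionally followed by --hash options on continuation lines
LOCK_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


def sha256(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_lock(text: str) -> dict:
    """Return {name: {"version": str, "hashes": set[str]}} from a pip lock file.

    Backslash continuation lines are joined first so that pins written on
    their own lines are attributed to the requirement above them.
    """
    joined = text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable lock line: {line!r}")
        hashes = {h.group("digest") for h in HASH_OPT.finditer(line)
                  if h.group("algo") == "sha256"}
        pins[m.group("name").lower()] = {"version": m.group("version"),
                                         "hashes": hashes}
    return pins


def verify_artifacts(pins: dict, fetched: dict) -> list:
    """Compare fetched artifact bytes ({name: bytes}) with the lock pins.

    Returns a sorted list of (name, status) with status one of:
      ok         digest matches a pin
      tampered   pinned, but the bytes do not match any pin (hijacked update
                 or modified library)
      unpinned   listed in the lock without a hash, so it cannot be verified
      unexpected fetched but absent from the lock (dependency added behind
                 the consumer's back)
      missing    pinned but not fetched at all
    """
    findings = []
    for name, data in fetched.items():
        pin = pins.get(name.lower())
        if pin is None:
            findings.append((name, "unexpected"))
        elif not pin["hashes"]:
            findings.append((name, "unpinned"))
        elif sha256(data) in pin["hashes"]:
            findings.append((name, "ok"))
        else:
            findings.append((name, "tampered"))
    fetched_names = {n.lower() for n in fetched}
    for name in pins:
        if name not in fetched_names:
            findings.append((name, "missing"))
    return sorted(findings)


# Constructed sample: the genuine artifacts as they were when the lock was taken.
GENUINE = {
    "requests": b"PK\x03\x04 requests-2.31.0 wheel (constructed bytes)",
    "urllib3": b"PK\x03\x04 urllib3-2.0.7 wheel (constructed bytes)",
}

# Constructed lock file in the shape `pip-compile --generate-hashes` writes.
# 'leftpad' deliberately carries no pin to show how an unpinned entry is reported.
SAMPLE_LOCK = f"""
# constructed sample lock file
requests==2.31.0 \\
    --hash=sha256:{sha256(GENUINE['requests'])}
urllib3==2.0.7 \\
    --hash=sha256:{sha256(GENUINE['urllib3'])}
leftpad==1.0.0
"""

# Constructed fetch results: urllib3 has been swapped by a hijacked update or
# mirror, leftpad cannot be checked, and colorama was never in the lock.
SAMPLE_FETCH = {
    "requests": GENUINE["requests"],
    "urllib3": GENUINE["urllib3"] + b"\n# injected payload",
    "leftpad": b"PK\x03\x04 leftpad-1.0.0 wheel (constructed bytes)",
    "colorama": b"PK\x03\x04 colorama-0.4.6 wheel (constructed bytes)",
}


def run_sample() -> list:
    """Verify the constructed fetch against the constructed lock."""
    return verify_artifacts(parse_lock(SAMPLE_LOCK), SAMPLE_FETCH)


if __name__ == "__main__":
    for name, status in run_sample():
        print(f"{name:10s} {status}")
```

The check only catches artifacts that changed after the pin was recorded. A build that was already backdoored when the vendor signed and published it, as in the CCleaner and SolarWinds cases described on this page, would verify as "ok"; defending against that requires the pin itself to come from a trusted source, or signature verification against keys the consumer trusts independently of the vendor's own self-signed material.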
“Software supply chain attacks typically require strong technical aptitude and long-term commitment, so they are often difficult to execute. […] In general, advanced persistent threat (APT) actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm national security,” CISA and NIST say.
A software supply chain compromise lets attackers bypass in-place defenses to gain initial access, and also gives them persistent access to the targeted environment, which they can use to commit financial theft, exfiltrate data, conduct espionage, disable defenses, and even cause physical harm.
To mitigate the risks associated with supply chain attacks, network defenders should apply industry best practices before an attack occurs, CISA and NIST say. They also recommend that organizations use third-party software “in the context of a risk management program” that includes a formal, organization-wide cyber supply chain risk management (C-SCRM) approach.
The agencies also provide a series of recommendations on preventing the acquisition of malicious or vulnerable software, mitigating malicious or vulnerable applications that are already deployed, and increasing resilience.
Defending Against Software Supply Chain Attacks also includes recommendations for software vendors, such as implementing and following a software development life cycle (SDLC) and integrating a secure software development framework (SSDF), to reduce the likelihood of shipping malicious or vulnerable software.