Following recent software supply chain intrusions, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released a joint advisory providing guidance on how software vendors and customers can identify, assess and mitigate risks.
A software supply chain attack is an attack where a threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system. Recent examples of such attacks include the SolarWinds hack, the enterprise password manager Passwordstate compromise and the Codecov hack.
Most common techniques used to conduct supply chain attacks are:
-Hijacking updates;
-Undermining code signing;
-Compromising open-source code
As the advisory points out, the above mentioned techniques are not mutually exclusive, and threat actors often use them simultaneously.
“Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain. This is because organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps. Due to the difficulty of mitigating consequences after a software supply chain attack occurs, network defenders should observe industry best practices before an attack has occurred. Implementing best practices will bolster an organization’s ability to prevent, mitigate, and respond to such attacks,” CISA and NIST said.
To mitigate the risks associated with supply chain attacks, network defenders are advised to apply industry best practices before an actual attack occurs. CISA and NIST also recommend that organizations use third-party software “in the context of a risk management program” that should include a formal, organization-wide C-SCRM (Cyber Supply Chain Risk Management) approach.