CISA/NIST Publishes Guidance on Enhancing Protection Against Software Supply Chain Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have released guidance to assist companies strengthen their defenses versus software supply chain attacks.

The guidance document – Defending Against Software Supply Chain Attacks – talks about the three methods most frequently used by threat groups in supply chain attacks together with exhaustive advice for software consumers and vendors for deterrence, mitigation, and bettering resilience versus software supply chain attacks.

Just like a lot of supply chain attacks, the latest SolarWinds Orion attack employed hijacking the software update process of the platform to put in a software version that contains malicious code so that attackers could get persistent access to over 18,000 customers’ systems, and then the attackers could pick targets for more considerable compromises. This was additionally the strategy employed by the threat group associated with the 2017 NotPetya wiper attacks. The software update process utilized by a well-known tax accounting software program in Ukraine was hijacked to seize control of the software program and used it in detrimental attacks.

It is additionally prevalent for attackers to weaken the code signing process to control the software update systems and send malicious code. This is frequently accomplished by self-signing certificates and taking advantage of misconfigured access controls to imitate trusted vendors. According to CISA’s report, the Chinese advanced persistent threat group APT41 typically sabotage code signing in its complex attacks in the U.S.

The third most popular method employed in supply chain attacks is to focus on publicly available code libraries and put in malicious code, which is later downloaded by program developers. In May 2020, GitHub, the biggest platform for open-source software programs, found that 26 open source projects were compromised because of malicious code being inserted into open-source software programs. Blocks of open source code are additionally often utilized in privately owned software programs and these could also be quickly exploited.

Software supply chain attacks are cumbersome and resource-demanding and generally call for long-lasting commitment. Although criminal threat actors have succeeded in conducting supply chain attacks, they are more frequently carried out by state-sponsored advanced persistent threat groups, which have the motive, abilities, and assets for long-term software supply chain attack activities.

These attacks could compromise a lot of companies by attacking only one. Companies are vulnerable to these attacks because software vendors get privileged access to their solutions so they could work efficiently. Vendors need to communicate frequently to get updates on the installed software programs to strengthen security versus surfacing threats and to resolve vulnerabilities. In case a vendor is breached, the attackers could get around security tools like firewalls and obtain persistent access to all its clients’ systems.

The guidance document gives a number of suggestions and guidelines for utilizing NIST’s Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF). Companies can significantly boost resilience to software supply chain attacks by using software in the scope of a C-SCRM framework along with a mature risk management program.

A mature risk management program allows a company to recognize risks introduced by ICT products and services, which include software programs, in the framework of the mission or supported business processes. Companies could take care of such risks by means of different technical and non-technical actions, such as those specific for C-SCRM for software and the linked complete software lifecycle.

The guidance specifies 8 recommendations for creating a C-SCRM strategy and implementing it to software:

  • Incorporate C-SCRM throughout the company.
  • Set up a formal C-SCRM system.
  • Know and take care of critical components and suppliers.
  • Fully grasp the company’s supply chain.
  • Carefully team up with key suppliers.
  • Involve key suppliers in resilience and enhancement programs.
  • Evaluate and keep track of the supplier relationship.
  • Have a plan for the complete lifecycle.

Even if this method is used, it’s not possible to stop all supply chain attacks therefore it is important to take other steps to mitigate unsecured software components.

Companies must create a vulnerability management program and lessen the attack surface by means of configuration administration. This consists of putting configurations under change management, performing security impact studies, employing manufacturer-presented recommendations to strengthen the application, operating systems, and firmware, and sustaining an information system component listing. Steps must additionally be taken to boost resilience to a thriving exploit and restrict the damage that may be created on mission critical operations, personnel and solutions in case of an attack.