CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance to help organizations improve their defenses against software supply chain attacks.

The guidance documentDefending Against Software Supply Chain Attacks – explains the three most common methods that threat groups use in supply chain attacks along with in-depth recommendations for software customers and vendors for prevention, mitigation, and improving resilience against software supply chain attacks.

Like many supply chain attacks, the recent SolarWinds Orion attack involved hijacking the software update mechanism of the platform to deliver a version of the software with malicious code that provided the attackers with persistent access to the solution on more than 18,000 customers’ systems, with the attackers then cherry picking targets of interest for more extensive compromises. This was also the method used by the threat group behind the NotPetya wiper attacks in 2017. The software update mechanism used by a popular tax accounting software in Ukraine was hijacked to gain control of the software for use in destructive attacks.

It is also common for attackers to undermine the code signing process to hijack software update mechanisms to deliver malicious code. This is often achieved by self-signing certificates and exploiting misconfigured access controls to impersonate trusted vendors. CISA reports that the Chinese advanced persistent threat group APT41 commonly undermines code signing in its sophisticated attacks in the United States.

The third most common method used in supply chain attacks is to target publicly accessible code libraries and insert malicious code, which is subsequently downloaded by developers. In May 2020, GitHub, the largest platform for open source software, discovered 26 open source projects had been compromised as a result of malicious code being injected into open source software. Blocks of open source code are also commonly used in privately owned software solutions and these too can be easily compromised.

Software supply chain attacks are time consuming and resource intensive and usually require long-term commitment. While criminal threat actors have successfully conducted supply chain attacks, they are more commonly conducted by state sponsored advanced persistent threat groups that have the intent, capabilities, and resources for prolonged software supply chain attack campaigns.

These attacks can allow large numbers of organizations to be compromised by attacking just one. Organizations are vulnerable to these attacks as they give software vendors privileged access to their systems to allow them to operate effectively. Vendors need regular communication with installed software solutions to provide updates to improve security against emerging threats and to fix vulnerabilities. If a vendor is compromised, the attackers can bypass security measures such as firewalls and gain persistent access to all customers’ systems.

The guidance document provides several recommendations and tips for using NIST’s Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF). Organizations can greatly improve resilience to software supply chain attacks by operating software within a C-SCRM framework with a mature risk management program.

“A mature risk management program enables an organization to understand risks presented by ICT products and services, including software, in the context of the mission or business processes they support. Organizations can manage such risks through a variety of technical and non-technical activities, including those focused on C-SCRM for software and the associated full software lifecycle,” explained NIST.

The guidance details 8 best practices for establishing a C-SCRM approach and applying it to software:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical components and suppliers.
  4. Understand the organization’s supply chain.
  5. Closely collaborate with key suppliers.
  6. Include key suppliers in resilience and improvement activities.
  7. Assess and monitor throughout the supplier relationship.
  8. Plan for the full lifecycle.

Even when this approach is adopted, it is not possible to prevent all supply chain attacks so it is essential for other steps to be taken to mitigate vulnerable software components.

Organizations should develop a vulnerability management program and reduce the attack surface through configuration management. This includes placing configurations under change control, conducting security impact analyses, implementing manufacturer-provided guidelines to harden software, operating systems, and firmware, and maintaining an information system component inventory. Steps should also be taken to increase resilience to a successful exploit and limit the harm that can be caused to mission critical operations, personnel and systems in the event of a successful attack.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.