CISA, NIST Describe Software Supply Chain Attack Preventions, Mitigations


A newly released report jointly issued by the Cybersecurity Infrastructure and Security Agency (CISA) and the National Institute of Standards and Technology (NIST) details how vendors and software customers can identify, assess and mitigate software supply chain risks.

The Defending Against Software Supply Chain Attacks provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

CISA and NIST define the IT supply chain as a network of retailers, distributors, and suppliers that participate in the sale, delivery, and production of hardware, software, and managed services, including managed security service providers (MSSPs).

As a case in point of a massive and destructive supply chain attack, the report references the SolarWinds Orion infiltration as a primary example of how foreign bad actors can maintain persistence in a network for months undiscovered, leaving only after “ the company’s build servers and using its update process to infiltrate customer networks.”

Here’s a sampling of some of the report’s highlights:

Common software supply chain attack techniques include:

  • Hijacking updates.
  • Undermining code signing.
  • Compromising open-source code.

These techniques are not mutually exclusive, and threat actors often leverage them simultaneously, the report said.

Consequences of software supply chain attacks.

  • Threat actors use the compromised software vendor to gain privileged and persistent access to a victim network.
  • If a threat actor loses network access, they may re-enter a network using the compromised software vendor.
  • The threat actor injects additional tailored malware packages into a chosen target to conduct various malicious activities.

“Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain,” the report reads. “Organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps.”

Actions to prevent acquiring malicious or vulnerable software.

  • Establish a formal, organization-wide C-SCRM program to ensure that supply chain risk considerations receive attention across the organization.
  • Apply the same policies to suppliers that are applied internally.
  • Use supplier certifications to determine if a supplier uses a software development life cycle (SDLC) and incorporates secure software development practices throughout all life cycle phases.

Actions to mitigate deployed malicious or vulnerable software.

  • Develop and implement a vulnerability management program to scan for, identify, triage, and mitigate vulnerabilities.
  • A vulnerability management program should include processes and tools for provisioning and applying patches.
  • Reduce software attack surface through configuration.

“Despite C-SCRM actions, some malicious content and vulnerabilities may still find their way into an organization’s enterprise environment,” the report reads.

The CISA/NIST resource also includes these actions and mitigations:

  • To increase resilience to a successful exploit software, vendors should implement and follow an SDLC.
  • To prevent supplying malicious or vulnerable software, vendors should implement an SSDF in the context of a secure development infrastructure.
  • To mitigate as much post-deployment malicious or vulnerable content as possible, vendors should archive and protect each release of software to analyze, identify, and develop mechanisms to eliminate vulnerabilities discovered post-release.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.