CISA, NIST published an advisory on supply chain attacks

CISA and NIST published a report on software supply chain attacks that shed light on the associated risks and provide instructions on how to mitigate them.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released a joint advisory that provides trends and best practices related to supply chain attacks for network defenders.

A software supply chain attack occurs when a threat actor compromises the network of a software vendor and injects malicious code in the software, or its updates, before the vendor sends it to its customers

The recent SolarWinds demonstrated how dangerous could be a supply chain attack and how hard is to detect it.

The advisory recommends the use of the National Institute of Standards and Technology (NIST) Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks associated with this type of attacks.

Most common techniques used to conduct supply chain attacks are:

• Hijacking updates;
• Undermining code signing;
• Compromising open-source code

In some cases attacks could mix the above techniques to improve the efficiency of their operation.

Most of these attacks are attributed to well-resourced attackers and APT groups which are known to have high-technical capabilities.

“Software supply chain attacks typically require strong technical aptitude and long-term commitment, so they are often difficult to execute.” reads the joint advisory. “In general, advanced persistent threat (APT) actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm national security”

The report points out that organizations are vulnerable to this kind of attacks for two major reasons:

• many third-party software products require privileged access;
• many third-party software products require frequent communication between a vendor’s network and the vendor’s software product located on customer networks

The advisory includes a series of recommendations on how organizations can prevent supply chain attacks and how to mitigate them in case malware or vulnerable software were delivered using this technique.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain)

[adrotate banner=”5″]

[adrotate banner=”13″]