NIST and CISA share defense advice against software supply chain attacks
NIST and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency released guidance to support entities in defense against supply chain attacks, following the massive hacking incident against SolarWinds Orion technology.
The publication follows a guide to healthcare-specific supply chain risk management from H-ISAC and the American Hospital Association.
The Civil Rights Office first alerted healthcare facilities to the cyber attacks against government agencies and private sector entities in mid-January. Nation-state attackers tampered with SolarWinds Orion platform updates between March 2020 and June 2020.
In doing so, hackers gained access to a range of private and public sector entities, including at least nine federal agencies and 100 private sector companies.
The full impact has yet to be analyzed, but the incident has highlighted both the persistence and stealth of nation-state hackers – and the need for better transparency and better management of suppliers.
Recent recommendations from CISA and NIST are designed to address these challenges. “Defend against software supply chain attacks” is a cross-agency resource for software vendors and customers that provides insight into supply chain risks and recommendations.
The guide also includes information on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework, released in February 2020, and its Secure Software Development Framework (SSDF).
All three are designed to support the identification, assessment and mitigation of risks.
“A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and uses malicious code to compromise the software before the vendor sends it to their customers,” the researchers explained.
“The compromised software then compromises the customer’s data or system,” they continued. “Newly acquired software can be compromised from the start, or a compromise can occur by other means such as a patch or hotfix.”
These attacks can impact all users of the compromised software and can have dramatic and widespread consequences for critical infrastructure, the private sector and government entities. Entities are highly vulnerable to software supply chain attacks for two main reasons: the need for privileged access, and the frequent communication required between the vendor’s software and the vendor.
The 16-page document details the supply chain lifecycle and examples of threats, such as cellular device hijacking or end-user malware, along with the three most common attack techniques: hijacking updates, undermining code signing, and compromising open source code.
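The first two techniques above (hijacking updates and undermining code signing) are defeated on the customer side by the same check: refuse to apply an update unless its manifest carries a valid signature from a key the organization has pinned in advance, and the artifact actually matches the digest in that manifest. The following Go program is an added illustration of that check; it is not code from the CISA/NIST guidance or from any vendor. The manifest format, the functions SignManifest, NewManifest and VerifyUpdate, and the sample artifact bytes are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small, signed description a vendor ships next to an update
// (a constructed format for this example): the release version and the
// SHA-256 digest of the artifact that is supposed to install it.
type Manifest struct {
	Version string
	Digest  string // hex-encoded SHA-256 of the update artifact
}

// bytes gives a canonical encoding so signer and verifier sign/verify the same bytes.
func (m Manifest) bytes() []byte {
	return []byte(m.Version + "\n" + m.Digest + "\n")
}

// NewManifest builds the manifest for an artifact (vendor build step, assumed).
func NewManifest(version string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	return Manifest{Version: version, Digest: hex.EncodeToString(sum[:])}
}

// SignManifest is the vendor-side release signing step with its Ed25519 release key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid for pinned vendor key: refusing update")
	ErrDigestMismatch = errors.New("artifact digest does not match signed manifest: refusing update")
)

// VerifyUpdate is the customer-side gate. The public key is pinned out of band
// (e.g. obtained at onboarding), never taken from the update channel itself, so
// an attacker who controls the download server cannot simply substitute a key.
// Order matters: the signature is checked first, so an unsigned or re-signed
// manifest is rejected before its digest is trusted for anything.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, artifact []byte) error {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Vendor: generate a release key and sign a manifest for a (constructed) build.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample update binary v1.0")
	manifest := NewManifest("1.0", artifact)
	sig := SignManifest(vendorPriv, manifest)

	// Customer: genuine update passes.
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, manifest, sig, artifact))

	// Hijacked update: artifact swapped in transit, manifest untouched.
	fmt.Println("swapped artifact:", VerifyUpdate(vendorPub, manifest, sig, []byte("tampered bytes")))

	// Undermined code signing: attacker re-signs a matching manifest with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := NewManifest("1.0", []byte("tampered bytes"))
	forgedSig := SignManifest(attackerPriv, forged)
	fmt.Println("re-signed manifest:", VerifyUpdate(vendorPub, forged, forgedSig, []byte("tampered bytes")))
}
```

The check only helps if the pinned key is distributed and rotated through a channel the update server cannot influence, and if a verification failure is logged and blocks installation rather than being downgraded to a warning; both are points the guidance’s C-SCRM practices leave to the customer’s risk management program.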
There is also information on the supply chain attack threat profile, highlighting the prevalence of Advanced Persistent Threat (APT) actors in the launch of these targeted attacks. Federal agencies have warned of a series of APT campaigns over the past year, led by Russia, China and Iran.
The document also provides entities with recommendations to better manage supply chain risks, especially industry best practices for protecting the supply chain before an attack occurs, given the challenges of mitigating the consequences of a supply chain incident.
The main recommendation is that entities acquire and use software as part of a risk management program based on a security engineering framework and a formal C-SCRM approach. NIST has provided its eight key practices for establishing this type of approach.
Administrators will also find the best ways to prevent the acquisition of malicious or vulnerable software, and how to respond when such software still finds its way into the network.
There is also information on increasing resilience to a successful exploit, as well as recommendations for software vendors, including actions needed to prevent the inadvertent delivery of malicious or vulnerable software.
“Network defenders are limited in their ability to quickly mitigate the consequences after a threat actor compromises a software supply chain,” the researchers explained. “This is because organizations rarely have control over their entire software supply chain and lack the power to force every organization in their supply chain to take rapid mitigation action.”
“A mature risk management program enables an organization to understand the risks presented by ICT products and services, including software, in the context of the mission or business processes they support,” they added.