Tips on Enhancing Supply Chain SecurityNIST, CISA Highlight Key Steps to Take
The U.S. Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology have released a report providing insights on how to enhance supply chain security in the wake of the SolarWinds attack.
The guidance released Wednesday, "Defending Against Software Supply Chain Attacks," offers recommendations on how to implement the NIST Cyber Supply Chain Risk Management Framework and the Secure Software Development Framework. "This resource provides in-depth recommendations for software customers and vendors as well as key steps for prevention, mitigation and resilience of software supply chain attacks," the report states.
Supply Chain Risks
The report describes the three most common supply chain threats:
- Hijacking software updates: In addition to adding malware to updates to potentially affect numerous victims, as in the SolarWinds attack, the attackers may also alter the update so they can take control of the software’s functionality. One example noted by the report is the 2017 NotPetya campaign, in which Russian actors targeted Ukraine by spreading malware through tax accounting software popular in Ukraine. The attack resulted in worldwide disruption of services in crucial industries, including international shipping, financial services and healthcare.
- Undermining code signing: Code signing validates the identity of the software code author or the integrity of the code. Attackers can undermine this process by self-signing certificates or by exploiting misconfigured account access controls. This helps enable attackers to hijack software updates by impersonating a trusted vendor so they can insert malicious code into an update. APT41, a China-based group targeting the U.S. and other countries, has used this approach.
- Compromising open-source code: In these attacks, the attackers insert malicious code into publicly accessible code libraries, which are then downloaded by unsuspecting developers.
Supply chain risk management recommendations based on NIST's frameworks include:
- Establish a set of security requirements or controls for all suppliers based on the criticality of the supplier and the permissions granted to the information and communications technology.
- Use supplier certifications to ascertain whether a supplier incorporates secure software development practices throughout all life cycle phases, actively identifies and discloses vulnerabilities and maintains a product vulnerability response program.
- Ensure that vendors enforce supply chain security requirements that meet the standards used by the purchasing organization.
The report says vendors in the supply chain should:
- Perform in-house and third-party code review, analysis and testing.
- Use properly configured build processes to improve the security of executable code.
- Configure software so that it is secure at the time of installation. This should involve avoiding the use of hard-coded passwords, enabling firewalls and ensuring mechanisms for verifying software integrity so that the software has not been subjected to tampering.
Industry experts offer additional advice about mitigating supply chain risks.
"Enterprises need to follow a layered defense approach to protect their assets when a breach occurs via supply chain vendor," says Vishal Jain, co-founder and CTO at the security firm Valtix. "They need to have zero-trust security built in with necessary controls to prevent lateral movement of threats and egress filtering to prevent data exfiltration."
Organizations also need to conduct code reviews, says Jack Mannino, CEO of nVisium. "These types of tests explore the likelihood that software contains embedded malware, through malicious code commits or by compromised third-party dependencies."
Kevin Dunne, president of the security firm Pathlock, adds: "Companies should make sure to monitor user activity at the application, network and device levels to ensure they can detect any suspicious behavior that may be linked to intruders who have discovered a vulnerability which is a zero-day exploit and has not yet been found by researchers or product vendors."
The SolarWinds supply chain attack involved attackers planting a backdoor in an update of the Orion platform, which about 18,000 customers downloaded. Nine government agencies and about 100 companies were targeted for follow-on attacks, according to federal investigators, who say a Russian intelligence agency waged the cyberespionage campaign.
Initial reports from FireEye and Microsoft found that the SolarWinds attackers had access to about 30 command-and-control servers. Last week, however, researchers at the security firm RiskIQ discovered 18 previously undocumented command-and-control servers used in the attack (see: Analysts Uncover More Servers Used in SolarWinds Attack).