The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released a joint advisory that provides trends and best practices related to supply chain attacks for network defenders.
A software supply chain attack occurs when a threat actor compromises the network of a software vendor and injects malicious code in the software, or its updates, before the vendor sends it to its customers
The recent SolarWinds demonstrated how dangerous could be a supply chain attack and how hard is to detect it.
The advisory recommends the use of the National Institute of Standards and Technology (NIST) Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks associated with this type of attacks.
Most common techniques used to conduct supply chain attacks are:
In some cases attacks could mix the above techniques to improve the efficiency of their operation.
Most of these attacks are attributed to well-resourced attackers and APT groups which are known to have high-technical capabilities.
“Software supply chain attacks typically require strong technical aptitude and long-term commitment, so they are often difficult to execute.” reads the joint advisory. “In general, advanced persistent threat (APT) actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm national security”
The report points out that organizations are vulnerable to this kind of attacks for two major reasons:
The advisory includes a series of recommendations on how organizations can prevent supply chain attacks and how to mitigate them in case malware or vulnerable software were delivered using this technique.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, supply chain)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.