CISA and NIST published a report on software supply chain attacks that shed light on the associated risks and provide instructions on how to mitigate them.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released a joint advisory that provides trends and best practices related to supply chain attacks for network defenders.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

A software supply chain attack occurs when a threat actor compromises the network of a software vendor and injects malicious code in the software, or its updates, before the vendor sends it to its customers

The recent SolarWinds demonstrated how dangerous could be a supply chain attack and how hard is to detect it.

The advisory recommends the use of the National Institute of Standards and Technology (NIST) Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks associated with this type of attacks.

Most common techniques used to conduct supply chain attacks are:

  • Hijacking updates;
  • Undermining code signing;
  • Compromising open-source code

In some cases attacks could mix the above techniques to improve the efficiency of their operation.

Most of these attacks are attributed to well-resourced attackers and APT groups which are known to have high-technical capabilities.

“Software supply chain attacks typically require strong technical aptitude and long-term commitment, so they are often difficult to execute.” reads the joint advisory. “In general, advanced persistent threat (APT) actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm national security”

The report points out that organizations are vulnerable to this kind of attacks for two major reasons:

  • many third-party software products require privileged access;
  • many third-party software products require frequent communication between a vendor’s network and the vendor’s software product located on customer networks

The advisory includes a series of recommendations on how organizations can prevent supply chain attacks and how to mitigate them in case malware or vulnerable software were delivered using this technique.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain)

The post CISA, NIST published an advisory on supply chain attacks appeared first on Security Affairs.

By admin