Cybersecurity News

NIST, CISA Share Software Supply Chain Attack Defense Guidance

In response to the supply chain attack against SolarWinds, NIST and DHS CISA released guidance to support entities with defense means, including risks and recommendations.

supply chain risk management guidance from NIST and DHS CISA

By Jessica Davis

- NIST and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency released guidance to support entities with the defense against supply chain attacks, in the wake of the massive hacking incident against SolarWinds Orion technology.

The release follows a healthcare-specific supply chain risk management guide from H-ISAC and the American Hospital Association.

The Office for Civil Rights first warned healthcare entities of the cyberattacks against government agencies and private sector entities in mid-January. Nation-state attackers trojanized updates to the SolarWinds Orion platform between March 2020 and June 2020.

In doing so, the hackers gained access to a range of private and public sector entities, including at least nine federal agencies and 100 private sector firms.

The total impact has yet to be analyzed, but the incident has shed light on both the persistence and stealth of nation-state hackers -- and the need for better transparency and management of vendors.

Recent guidance from CISA and NIST is designed to tackle these challenges. Defending Against Software Supply Chain Attacks is an interagency resource for software vendors and customers, which provides an overview of supply chain risks and recommendations.

The guide also includes insights for using NIST’s Cyber Supply Chain Risk Management (C-SRM) framework, released in February 2020 and its Secure Software Development Framework (SSDF).

All three are designed to support the identification, assessment, and mitigation of risks.

“A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers,” researchers explained.

“The compromised software then compromises the customer’s data or system,” they continued. “Newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix.”

These attacks can impact all users of the compromised software and can have drastic, widespread consequences for critical infrastructure, private sector, and government entities. Entities are highly vulnerable to software supply chain attacks for two key reasons, the need for privileged access and the frequent communication needed between the device and vendor.

The 16-page document details the supply chain lifecycle and examples of threats, such as hijack cellular devices or end-user malware, as well as the three most common attack techniques: hijacking updates, undermining code signing, and compromising open-source code.

There are also insights into the supply chain attack threat profile, stressing the prevalence of advanced persistent threat (APT) actors in launching these targeted attacks. Federal agencies have alerted to a range of APT campaigns in the last year, led by Russia, China, and Iran.

The insights also provide entities with recommendations for better securing supply chain risks, particularly with regard to industry best practices to shield the supply chain before an attack occurs -- given the challenges to mitigating the consequences of a supply chain incident.

The key recommendation is for entities to use software within a risk management program that leans on a security engineering framework and a formal C-SCRM approach. NIST provided its eight key practices to establish this type of approach.

Administrators will also find the best ways to prevent acquiring malicious or vulnerable software and how to remediate the security incident when those vulnerabilities still find a way into the network.

There are also insights on increasing resilience to a successful exploit, as well as recommendations for software vendors, including needed actions for preventing the inadvertent supply of malicious or vulnerable software.

“Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain,” researchers explained. “This is because organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps.”

“A mature risk management program enables an organization to understand risks presented by ICT products and services, including software, in the context of the mission or business processes they support,” they added.