28 April 2021

CISA, NIST provide guidance on defending against supply chain attacks


Following recent software supply chain intrusions, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released a joint advisory providing guidance on how software vendors and customers can identify, assess and mitigate risks.

A software supply chain attack is an attack where a threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system. Recent examples of such attacks include the SolarWinds hack, the enterprise password manager Passwordstate compromise and the Codecov hack.

The most common techniques used to conduct supply chain attacks are:

- Hijacking updates;
- Undermining code signing;
- Compromising open-source code.

As the advisory points out, the above-mentioned techniques are not mutually exclusive, and threat actors often use them in combination.

“Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain. This is because organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps. Due to the difficulty of mitigating consequences after a software supply chain attack occurs, network defenders should observe industry best practices before an attack has occurred. Implementing best practices will bolster an organization’s ability to prevent, mitigate, and respond to such attacks,” CISA and NIST said.

To mitigate the risks associated with supply chain attacks, network defenders are advised to apply industry best practices before an actual attack occurs. CISA and NIST also recommend that organizations use third-party software “in the context of a risk management program” that should include a formal, organization-wide C-SCRM (Cyber Supply Chain Risk Management) approach.
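As an added illustration of one of the best practices the advisory refers to (not code from CISA, NIST or the article), the following Python snippet shows a customer-side check against the first two techniques listed above: before an update is installed, every delivered artifact is compared against a pinned digest from a manifest, files not listed in the manifest are rejected, and an update whose version is not newer than the installed one is refused as a rollback. The manifest, build bytes, file names and version numbers are constructed sample data; the check assumes the manifest reaches the customer over a channel independent of the update itself (a signed manifest or digests published separately), since a signature check on the manifest is outside the Python standard library and is left out here.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample data (not taken from the advisory): a "known-good"
# build and the manifest the vendor would publish alongside it. In practice
# the manifest must be obtained or verified independently of the update
# channel; otherwise an attacker who hijacks the channel can rewrite both.
GOOD_AGENT = b"agent v3: legitimate build\n"
TAMPERED_AGENT = b"agent v3: legitimate build\n" + b"<<trojanised payload>>"
OLD_AGENT = b"agent v2: older build\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact; the manifest pins this value per file."""
    return hashlib.sha256(data).hexdigest()


TRUSTED_MANIFEST = {
    "version": 3,
    "artifacts": {"agent.bin": sha256_hex(GOOD_AGENT)},
}
OLD_MANIFEST = {  # a previously published, lower-versioned release
    "version": 2,
    "artifacts": {"agent.bin": sha256_hex(OLD_AGENT)},
}


def verify_update(manifest: dict, installed_version: int,
                  delivered: Dict[str, bytes]) -> Tuple[bool, str]:
    """Return (True, "accepted vN") if the delivered files match the manifest,
    otherwise (False, reason). Nothing is installed unless this returns True."""
    # Anti-rollback: replaying an old, still-valid release is one way a
    # hijacked update channel reintroduces known-vulnerable code.
    if manifest["version"] <= installed_version:
        return False, (f"rollback: manifest version {manifest['version']} "
                       f"is not newer than installed {installed_version}")
    expected = manifest["artifacts"]
    # Reject anything smuggled in next to the legitimate files.
    extra = sorted(set(delivered) - set(expected))
    if extra:
        return False, f"unexpected artifacts not in manifest: {extra}"
    # Reject an incomplete delivery rather than installing a partial update.
    missing = sorted(set(expected) - set(delivered))
    if missing:
        return False, f"artifacts listed in manifest but not delivered: {missing}"
    for name in sorted(expected):
        # compare_digest avoids leaking the mismatch position through timing.
        if not hmac.compare_digest(sha256_hex(delivered[name]), expected[name]):
            return False, f"digest mismatch for {name}"
    return True, f"accepted v{manifest['version']}"


if __name__ == "__main__":
    cases = [
        ("legitimate", TRUSTED_MANIFEST, {"agent.bin": GOOD_AGENT}),
        ("tampered", TRUSTED_MANIFEST, {"agent.bin": TAMPERED_AGENT}),
        ("rollback", OLD_MANIFEST, {"agent.bin": OLD_AGENT}),
        ("extra file", TRUSTED_MANIFEST,
         {"agent.bin": GOOD_AGENT, "helper.dll": b"x"}),
    ]
    for label, manifest, delivered in cases:
        print(label, verify_update(manifest, installed_version=2,
                                   delivered=delivered))
```

One caveat worth keeping in mind: a digest or signature check only catches modification after the vendor produced the reference values. Where the build pipeline itself is compromised, as in the SolarWinds case mentioned above, the malicious build is what the vendor hashes and signs, so these checks pass; that gap is why the advisory pushes vendors toward securing the build and signing process and customers toward a broader C-SCRM program rather than a single verification step.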
