Supply Chain Compromise: Compromise Software Dependencies and Development Tools

ID Name
VT0004.001 Compromise Software Dependencies and Development Tools
VT0004.002 Compromise Software Supply Chain
VT0004.003 Compromise Hardware Supply Chain

Adversaries may target software dependencies and development tools by manipulating libraries, open source (OS) package manager repositories, container images and registries, and similar components before they reach the end user, in order to compromise data or systems.

Developers rely on OS at every step of the software development process and accelerate it by reusing functionality implemented in OS libraries or modules written previously by someone else and already proven to work correctly. These OS projects rely on contributions from volunteer developers and typically incorporate many dependencies from other OS projects, which makes them prone to abuse, whether by accidentally incorporating known vulnerabilities or by intentionally adding malicious code.

Since software development relies more and more on OS and OS package manager repositories, these have become new targets and offer attackers a rapidly growing number of opportunities.

Targeting may be specific to a desired victim set, or the compromised component may be distributed to a broad set of users and then acted upon only against specific victims.

Mitigations

Mitigation Description
Update Software

A patch management process should be implemented to identify unused dependencies, unmaintained or previously vulnerable dependencies, and unnecessary features, components, files, and documentation.

Vulnerability Scanning

Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.[1]

Detection

Verify distributed binaries through hash checking or other integrity-checking mechanisms. Scan downloads for malicious signatures, and test software and updates prior to deployment while taking note of potentially suspicious activity.
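As an added example (not code from this page or the framework it describes), the following Python verifier checks downloaded artifacts against a manifest of SHA-256 hashes pinned at build time and reports any file that is tampered or absent. File names, contents and hashes below are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class VerifyResult:
    ok: bool
    mismatched: list = field(default_factory=list)  # present, but hash differs from pin
    missing: list = field(default_factory=list)     # pinned in manifest, not on disk


def sha256_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(manifest: dict, base_dir: str) -> VerifyResult:
    """manifest maps a relative file name to the SHA-256 hex digest pinned at build time."""
    result = VerifyResult(ok=True)
    for name, expected in manifest.items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            result.missing.append(name)
            continue
        actual = sha256_of_file(path)
        # Constant-time comparison of the hex digests, so a mismatch leaks no timing.
        if not hmac.compare_digest(actual.lower(), expected.lower()):
            result.mismatched.append(name)
    result.ok = not result.mismatched and not result.missing
    return result


def demo() -> VerifyResult:
    """Constructed scenario: one intact artifact, one modified after pinning, one never delivered."""
    with tempfile.TemporaryDirectory() as d:
        library = b"legit library contents\n"
        installer_pinned = b"#!/bin/sh\necho installing\n"
        with open(os.path.join(d, "libfoo-1.2.tar.gz"), "wb") as f:
            f.write(library)
        with open(os.path.join(d, "tool-installer.sh"), "wb") as f:
            f.write(installer_pinned + b"# bytes appended after release\n")
        manifest = {
            "libfoo-1.2.tar.gz": hashlib.sha256(library).hexdigest(),
            "tool-installer.sh": hashlib.sha256(installer_pinned).hexdigest(),
            "plugin.whl": "0" * 64,  # placeholder pin for a file that was never downloaded
        }
        return verify_artifacts(manifest, d)
```

A real deployment would fail the build or install step whenever `ok` is false, and would source the manifest from a trusted channel separate from the download itself.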

References

ID: VT0004.001
Sub-techniques:
Tactic: Initial Access
Platforms: Linux, Windows, macOS
Data Sources: File monitoring, Web proxy
Version: 1.0

Created: 01 December 2020

Last Modified: 09 December 2020