Have we learned anything from SolarWinds supply chain attacks?
From frameworks to new federal offices, it's time to get busy
The hack of SolarWinds' software more than two years ago pushed the threat of software supply chain attacks to the front of security conversations, but is anything being done?
In a matter of days this week, at least four disparate efforts to shore up supply chain security were declared, an example of how front-of-mind such risks have become and a push from vendors and developers to reduce them.
The threat is growing. Gartner expects that by 2025, 45 percent of organizations globally will have experienced a software supply chain attack, a three-fold jump from 2021. It's not a surprise, according to Neatsun Ziv, CEO of startup Ox Security that's building an open MITRE ATT&CK-like framework for enterprises to check software supply chains.
"These kinds of attacks become super, super lucrative just because the [hits] that you could get from a single weapon is not proportional to anything else you see in the industry," Ziv told The Register.
As with the SolarWinds attack, a miscreant can inject malicious code into a piece of software before the compromised software is sent out to customers and compromises those systems. Organizations seem to be slow in catching up to this.
More recently, attackers have targeted code repositories like GitHub and PyPI and companies like CI/CD platform provider CircleCI, an incident that expanded the definition of a supply chain attack, according to Matt Rose, field CISO for cybersecurity vendor ReversingLabs.
"What the CircleCI incident illustrates is that organizations have to not only be concerned about malware being injected into a compiled object or deliverable, but also of the tooling used to build them," Rose wrote in a blog post. "That's why the CircleCI hack is an eye opener to a lot of organizations out there."
One framework for them all
The OSC&R (Open Software Supply Chain Attack Reference) was launched this week, founded by Ziv – former vice president of cybersecurity at Check Point – and other security pros with background at such places as Google, Microsoft, GitLab, and Fortinet.
The idea is to give enterprises a common framework for evaluating and measuring the risk to their supply chains, something that has traditionally been done with intuition and experience. OSC&R will give organizations a common language and tools for understanding the attack tactics and defenses, prioritize threats, and track threat group behavior.
It will be updated as new tactics crop up, will help with red-team penetration exercises, and will take contributions from other vendors. The group took concepts for ransomware and endpoints used in MITRE ATT&CK and applied them to the supply chain.
"The challenge was that there was no framework to get us from a basic understanding to our ability to check our environment if we are susceptible to the supply chain attacks," Ziv said.
The framework touches on nine key areas – such as container and open-source security, secrets hygiene, and CI/CD posture – and outlines the techniques used by attackers in such areas as initial access, persistence, privilege escalation, and defense evasion. It will grow in both features and contributors, he said.
The OpenVEX spec
In the same spirit, supply chain security vendor Chainguard is heading up a group that includes HPE, VMware, and The Linux Foundation to jumpstart the adoption of the Visibility Exploitability eXchange (VEX), a tool for addressing vulnerabilities in enterprise software. It's supported by agencies like the US National Telecommunications and Information Administration (NTIA) and Cybersecurity Infrastructure Security Agency (CISA).
Enter the OpenVEX specification and reference toolchain
"Up until today, VEX has been a concept the industry has invested time debating and building minimum requirements around," Chainguard founder and CEO Dan Lorenc wrote. "With the release of OpenVEX, organizations can now put VEX into practice."
OpenVEX will work as a companion to software bill of materials, which help with transparency but can create "noise" in the industry, Lorenc wrote. With OpenVEX, suppliers can more precisely describe how exploitable the products are and help end users filter out false positives.
Chainguard has put OpenVEX in some of its products, including its Wolfi container-specific Linux distribution and Images secure-by-default container base images.
For its part, cybersecurity vendor Checkmarx is building onto the supply chain security offering it released in March 2022 with a threat intelligence tool to focuses on the supply chain. It includes information such as identifying malicious packages by the type of attack – like typosquatting or dependency confusion -- analysis of the operators behind the attack, how the packages operate, and the historical data behind them.
"This intel is all about tracking purpose-built, malicious packages that often contain ransomware, cryptomining code, remote code execution, and other common types of malware," wrote Stephen Gates, principal content marketing manager for Checkmarx.
CISA on the move
CISA reportedly is creating an office to address supply chain security and work with the public and private sectors to put federal policies in place. According to a report in the Federal News Network, Shon Lyublanovits is leading the initiative. She heads the project management office for cyber supply chain risk management (C-SCRM), which is part of CISA's cybersecurity division.
The issues the office will address range from counterfeit components to open-source software vulnerabilities.
It's the latest step for CISA, which has had a focus on supply chain security since creating a task force for IT and communications technology task for in 2018.
Varun Badhwar, co-founder and CEO at supply chain security vendor Endor Labs, applauded CISA's decision to create the office, telling The Register that establishing "a new capability at such a high level stands out as a milestone."
However, it's important to understand the complexities of the problem, Badhwar said. There are open-source components through the software lifecycle and organizations need to first secure the open-source software they use. Enterprises and agencies use an average of more than 40,000 open-source software packages downloaded by developers, and each of those can bring in another 77 dependencies.
"This causes a massive, ungoverned sprawl that increases the supply chain attack surface across multiple dimensions," he said, adding that Endor Labs has found that 95 percent of open source vulnerabilities are found in the transitive dependencies. ®