David London

Security Bulletin: Software security threat and regulatory environment heightens risk and compliance pressures

What Happened

Over the last month, notable threat activity and U.S. Government regulatory pronouncements have highlighted the evolving technology supply chain security risk surface and the need for focused mitigation measures.

Key threat activity:

  • In February, Lapsus, a Latin American-based hacker group, breached NVIDIA and exposed proprietary company data. The leak included sensitive information on the chipmaker’s product schematics, drivers and firmware, as well as code-signing certificates (now expired).
  • On March 7th, on the heels of the NVIDIA breach, South Korean technology giant Samsung reported a breach of its Galaxy device source code. Lapsus published what it claimed to be Samsung’s proprietary code and extortion demands on the Telegram messaging app.
  • Lapsus also appears to be recruiting insiders willing to sell unauthorized access to their employers’ environments.

And policy and regulatory developments:

  • In February, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1, pursuant to Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. SP 800-218 replaces the NIST Cybersecurity White Paper released in April 2020, which defined the original SSDF. This guidance reflects how to implement software supply chain security practices from a software producer point-of-view.
  • That same month, NIST also issued Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e (Section 4e Software Supply Chain Security Guidance). This guidance reflects how to implement software supply chain security practices from a software purchaser point-of-view.
  • In March, the Office of Management and Budget (OMB), in accordance with Executive Order (EO) 14028 on “Improving the Nation’s Cybersecurity,” announced that Federal agencies must begin to adopt the SSDF and related guidance effective immediately, tailoring the approach to the agency’s risk profile and mission. Going forward, OMB will be engaging with the private sector on how best to implement the requirement, which contemplates vendor attestation to SSDF practices. The first workshop will be hosted by NIST on March 23.
  • Since the release of EO 14028 in May 2021, NIST and other government bodies have published implementation guidance and best practice documents to advance software supply chain security.

Why it Matters

The combination of heightened software supply chain threat activity and expanded regulatory expectations will require vigilance and focused attention from both technology suppliers and buyers.

  • Exfiltration of software supply chain data (e.g., design information, source code, etc.) will significantly expand the risk surface for developers, defenders and users. Sensitive data, like source code, are becoming increasingly attractive targets to sophisticated, financially motivated threat actors. Both state actors and financially motivated criminals will seek to exploit identified weaknesses in exposed source code or other technology supply chain information. While sophisticated state actors have historically been capable of leveraging previously unknown vulnerabilities (i.e., zero days) to achieve disruptive objectives, financially motivated threat actors will be increasingly capable of achieving state-actor-level tradecraft. Organizations will continue to be exploited by subversion of both proprietary and third-party code, with risks increasing from unauthorized code disclosure.
  • EO 14028 and associated directives are focused on securing the U.S. Government, but implications will be wider. While the standards and best practices will technically only apply to federal departments and agencies and their technology suppliers, a broader set of buyers and suppliers across critical infrastructure will view the publications as a “north star” for security expectations. The March OMB announcement (see above) will increase alignment to the NIST SSDF for both security practitioners and procurements. As EO 14028 leverages the Government’s procurement process and contractual language to drive compliance, the commercial sector may adopt similar approaches to enrich third-party security diligence and risk reduction.
  • Recent attack and EO 14028-related announcements warrant a security strategy migration to increased visibility and threat-informed defense. The requirements for federal agencies and technology partners to align to the SSDF, formalize software testing, enhance visibility and adopt “zero trust” architectures reflect an admission of continuing supply chain weaknesses and the need to assume compromise. These same principles apply equally to commercial sector organizations targeted by supply chain-related threats.

What to Do About It

Software Producer Viewpoint. Organizations can align to best practices and apply defense-in-depth principles to secure the enterprise and technology supply chain.

  • Inventory, classify and apply risk-based controls to source code and other sensitive product data. Given recent threat activity, software producers must achieve a greater understanding of how their software is developed and secured. The software bill of materials (SBOM) offers a common framework for expressing an application’s “ingredients” to reduce code opacity, particularly for third-party open-source components. As greater visibility is achieved, organizations should validate that the appropriate protective and detective controls are in place to secure the technology supply chain (e.g., multi-factor authentication, integrity checking, logging and monitoring, etc.). While mature data back-up and recovery capabilities will not address exfiltration-only use cases, they will continue to be imperative for mitigating operational disruption and reducing the need to pay a ransom demand.
  • Align software development lifecycle to purpose-built secure software frameworks and tools. As noted above, the NIST SSDF has become an authoritative reference for U.S. Government agencies, and application will likely expand in commercial use cases. The SSDF and other frameworks can serve as a useful starting point for building a secure product development lifecycle. Producers can also prepare for future procurement requirements by comparing current practices against these frameworks.
  • Adopt threat modeling, control validation, and threat-informed defense (ATT&CK). Technology providers should anticipate targeting by threat actors, either for financial gain, as a stepping-stone into customer environments or for disruptive effects – and apply and validate security controls. The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help through its library of mappings between TTPs and defensive countermeasure coverage. Given recent insider recruiting by threat actors, threat modeling should reflect insider risk and assumed initial access.
  • Mature and exercise cyber crisis management capabilities. Organizations must prepare themselves for severe cyber attacks and disruptive conditions that necessitate an enterprise-wide response. Companies that have developed and tested a comprehensive response to a major cyber event will be better positioned to marshal critical internal and external resources, communicate clearly to stakeholders, and resume business operations. Given the rise of cyber extortion, organizations should define extortion response protocols and identify third-party negotiators.

Software Purchaser Viewpoint. Organizations can align to best practices and apply defense-in-depth principles to secure the enterprise and technology supply chain.

  • Consider how to internalize NIST’s Section 4e Software Supply Chain Security Guidance, described above.
  • As with producers, apply threat-informed defenses and crisis management capabilities that assume a version of compromised software is deployed within the organization’s environment.

The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact info@chertoffgroup.com for more information.

 

 
