Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies and development tools can help reduce the attack surface for the organization and protect against adversaries looking for ways to access its systems.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise through checking unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.
References
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools can mitigate Supply Chain Compromise.
References
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
References
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
References
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
References
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SR-11 | Component Authenticity | mitigates | T1195.002 | Compromise Software Supply Chain | |
| SR-04 | Provenance | mitigates | T1195.002 | Compromise Software Supply Chain | |
| SR-05 | Acquisition Strategies, Tools, and Methods | mitigates | T1195.002 | Compromise Software Supply Chain | |
| CA-07 | Continuous Monitoring | mitigates | T1195.002 | Compromise Software Supply Chain | |
| CA-02 | Control Assessments | mitigates | T1195.002 | Compromise Software Supply Chain | |
| RA-10 | Threat Hunting | mitigates | T1195.002 | Compromise Software Supply Chain | |
| SA-22 | Unsupported System Components | mitigates | T1195.002 | Compromise Software Supply Chain | |
| CM-11 | User-installed Software | mitigates | T1195.002 | Compromise Software Supply Chain | |
| SI-02 | Flaw Remediation | mitigates | T1195.002 | Compromise Software Supply Chain | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1195.002 | Compromise Software Supply Chain | |
| CM-07 | Least Functionality | mitigates | T1195.002 | Compromise Software Supply Chain |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1195.002 | Compromise Software Supply Chain | |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1195.002 | Compromise Software Supply Chain |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_update_manager | Azure Update Manager | technique_scores | T1195.002 | Compromise Software Supply Chain |
Comments
This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| assured_oss | Assured Open Source Software | technique_scores | T1195.002 | Compromise Software Supply Chain |
Comments
Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution.
References
|
| google_secops | Google Security Operations | technique_scores | T1195.002 | Compromise Software Supply Chain |
Comments
Google Security Ops is able to trigger an alert based on unusual file write events by 3rd party software (e.g., SolarWinds executable ".*\\solarwinds\.businesslayerhost\.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/security/unusual_solarwinds_child_process__via_cmdline.yaral
References
|