Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
Supply chain compromise can take place at any stage of the supply chain including:
While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| STA-16 | Supply Chain Data Security Assessment | mitigates | T1195 | Supply Chain Compromise |
Comments
The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))"
SBOMs are known to provide transparency into software components, which may enable the identification of vulnerable software libraries, components, or code and mitigate the injection or execution of vulnerable or malicious code.
References
|
| TVM-06 | External Library Vulnerabilities | mitigates | T1195 | Supply Chain Compromise |
Comments
This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, using dependency and scanning tools to mitigate risks from library vulnerabilities.
References
|
| I&S-05 | Production and Non-Production Environments | mitigates | T1195 | Supply Chain Compromise |
Comments
This control maintains separation of production and non-production environments, which can prevent the introduction of exploitable weaknesses and avoid exposure of sensitive information. During development, apply caution when selecting third-party libraries to integrate into applications and, where possible, lock software dependencies to specific versions rather than pulling the latest version on build to help mitigate supply chain compromise.
References
|
| STA-10 | Supply Chain Risk Management | mitigates | T1195 | Supply Chain Compromise |
Comments
The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))"
SBOMs are known to provide transparency into software components, which may enable the identification of vulnerable software libraries, components, or code and mitigate the injection or execution of vulnerable or malicious code.
References
|
| DSP-07 | Data Protection by Design and Default | mitigates | T1195 | Supply Chain Compromise |
Comments
Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. In terms of mitigation, application developers should be cautious when selecting third-party libraries to integrate into their application. Additionally, where possible, developers should lock software dependencies to specific versions that are known to be secure rather than pulling the latest version on build.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1195.001 | Compromise Software Dependencies and Development Tools | 7 |
| T1195.002 | Compromise Software Supply Chain | 4 |