Chain Reaction: Analyzing Trends and Crafting Defenses Against Software Supply Chain Attacks

© 2024 by IJCTT Journal
Volume-72 Issue-8
Year of Publication : 2024
Authors : Varadharaj Varadhan Krishnan
DOI :  10.14445/22312803/IJCTT-V72I8P110

How to Cite?

Varadharaj Varadhan Krishnan, "Chain Reaction: Analyzing Trends and Crafting Defenses Against Software Supply Chain Attacks," International Journal of Computer Trends and Technology, vol. 72, no. 8, pp. 70-79, 2024. Crossref, https://doi.org/10.14445/22312803/IJCTT-V72I8P110

Abstract
This paper comprehensively analyses software supply chain attacks, which have grown in frequency and sophistication in recent years and have already caused widespread damage. It outlines the anatomy of such attacks, detailing the techniques used at each stage of the supply chain, from development to software distribution. The paper examines notable incidents, including the SolarWinds attack and other significant breaches from 2020 to 2023, showing their widespread impact and the tactics, techniques and procedures (TTPs) involved, and explores the strategies that could have prevented or minimized the impact. The study uses open-source software supply chain security incident data sets to analyze trends and to investigate root causes and mitigation strategies. By performing thematic and empirical analysis of past incidents, this paper aims to produce critical, actionable insights and to equip organizations with the knowledge and strategies needed to mitigate and defend against software supply chain attacks in the future.

Keywords
Cybersecurity, Software supply chain security, Supply chain attack, SSCA mitigation strategies, SSCA trend analysis, Open-source supply chain attack.
