New “MITRE ATT&CK-like” framework outlines software supply chain attack TTPs

A new open framework has been launched to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack Reference (OSC&R) initiative, led by OX Security, evaluates software supply chain security threats, covering a wide range of attack vectors including vulnerabilities in third-party libraries and components, supply chain attacks on build and deployment systems, and compromised or malicious software updates. Cybersecurity professionals among the matrix’s founding consortium include representatives from GitLab as well as former leaders from Microsoft, Google Cloud, Check Point Technologies, and OWASP.

OSC&R addresses need for MITRE-like security framework for software supply chain

The OSC&R framework has been created to address the need for a MITRE ATT&CK-like framework that allows experts to better understand and measure software supply chain risk, Neatsun Ziv, founder of OX Security, tells CSO. “In other fields, let’s say endpoint and ransomware, there are great frameworks that give a full view of the threat landscape,” he says. “When it comes to the software supply chain, there is no understanding whatsoever in the industry. What we’re trying to do is take all the information that is out there and build it into a framework that every practitioner will be able to use to assess what they’re currently doing in terms of the software supply chain, understand what their exposures are, and try to understand how to address them in a rapid way.”

Hiroki Suezawa, senior security engineer at GitLab, stated that the framework gives the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions to help security teams build their security strategy with confidence.

OSC&R framework focuses on software supply chain attack methods

The OSC&R framework focuses on attack kill chains and the processes adversaries employ to carryout software supply chain attacks, Ziv says. The OSC&R framework follows the steps attackers take and gives defenders visibility they currently do not have to help them secure themselves and understand where they are vulnerable and should focus their efforts,” he adds.

OSC&R is now ready to be used by security teams to evaluate existing defenses and define which threats need to be prioritized, how existing coverage addresses those threats, as well as to help track behaviors of attacker groups. It will regularly update as new tactics and techniques emerge and evolve and will assist red-teaming activities by helping set the scope required for a pen test or a red team exercise, serving as a scorecard both during and after the test.

Around 20 companies are contributing to the framework as part of a working group, with the aim to open it out for wider industry contribution in the next few months, Yael Citro, OX Security consultant, tells CSO. “Everyone will be able to share their knowledge and expertise and experience – that is really where the project is headed,” she adds.

Software supply chain security still high on the agenda

Software supply chain security is high on the agenda for businesses and the security industry as software supply chain-related compromises and risks continue to impact organizations across the globe. In September last year, the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) published Securing the Software Supply Chain: Recommended Practices Guide for Developers. The publication emphasizes the role developers play in creating secure software and provides guidance in line with industry best practices and principles which software developers are strongly encouraged to reference.

In July, the Center for Internet Security published similar best practice guidance for securing each phase of the software supply chain. In May, Rezilion launched Dynamic SBOM (software bill of materials), an application designed to plug into an organization’s software environment to examine how multiple components are being executed in runtime, and reveal bugs and vulnerabilities.