With the ever-increasing awareness of threats to software supply chains, a burning question arising in many organizations is, "Are we protected?" To help answer that question, a new software supply chain security framework crafted along the lines of MITRE ATT&CK has been released.
The Open Software Supply Chain Attack Reference (OSC&R), which was forged by a group led by OX Security with cybersecurity pros from a number of companies, including Google, GitLab, FICO, Check Point, and Fortinet, is a first-of-its-kind framework for understanding techniques, tactics, and procedures (TTPs) used by attackers to compromise supply chains.
The OSC&R framework is a matrix with the stages of an attack as column headers — reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, lateral movement, collection, exfiltration, and impact — and supply chain areas as row labels — container security, open source security, SCM posture, secrets hygiene, code security, cloud security, CI/CD posture, artifact security, and infrastructure as code.
OX Security said OSC&R can be used by security teams to evaluate existing defenses, define which threats need to be prioritized, and how existing coverage addresses those threats, as well as to help track the behaviors of attacker groups.
Here's what you need to know about OSC&R, along with expert insights on the new framework's potential to improve software supply chain security.
Follow the leader: MITRE ATT&CK is the role model
OSC&R clearly communicates the various aspects of software supply chain security organizations need to consider, such as SCM posture, open source, cloud and code security, while listing the various TTPs for each malicious activity across those areas, said Chris Hughes, co-founder and CISO of Aquia.
"OSC&R brings a very familiar layout to security professionals, aligning itself with approaches such as MITRE's ATT&CK framework."
Matt Rose, Field CISO at ReversingLabs, said OSC&R goes further than MITRE ATT&CK does, with more prescription and granularity.
"If you're a cloud security professional or concerned with secrets hygiene or infrastructure as code, OSC&R tells you the things you need to do to secure your supply chain."
To better prepare from a security posture and prevention strategy, teams need to know how and where a supply chain attack can happen, noted Jay Paz, senior director for penetration tester advocacy and research at Cobalt Labs.
"The entire framework provides a holistic idea on the attacker mindset. A software builder can take preventive action based on the components being used."
Paz noted that OSC&R is going to be helpful for red teaming exercises, because it provides a clear approach on how this type of attack happens. "However, the framework will need to evolve as new attack vectors are released."
Tim Mackey, a principal security strategist at the Synopsys Cybersecurity Research Center, asserted that it’s important to look at OSC&R through the lens of a development team creating an application.
"OSC&R seeks to consolidate what has been known from other attack models like MITRE ATT&CK and map those techniques into actions or targets that development teams might recognize."
Very few people really understand just how unprotected our software supply chains are, said Jeff Williams, co-founder and CTO of Contrast Security.
"But OSC&R is just the attack side of things. There is also an amazing amount of research that has to go into the defense side. We lack even basic tools to defend the software supply chain against all the ideas in OSC&R."
Williams said he does not see anything new with OSC&R, but said, "It’s nice to have a model to capture all the possible ways that a supply chain attack might be orchestrated from beginning to end."
OSC&R gets key concepts out in the open
Because OSC&R is aimed specifically at software supply chain security, it can fill some gaps unaddressed by other frameworks, said Davis McCarthy, a principal security researcher at Valtix.
"It’s nuanced, but the processes and tools for detecting a backdoor on an endpoint are different than if the backdoor were implanted directly into the source code. TTPs like brandjacking did not previously map to a framework, so OSC&R is at least putting those concepts out in the open."
Frank Downs, a senior director at enterprise cybersecurity company BlueVoyant and a member of the ISACA emerging trends working group, said that OSC&R offers a perspective on software supply chain security that many companies lack.
"This framework acts as a complement to other frameworks which may be applied to the third-party relationships organizations have by showing companies that relationship through the eyes of an attacker, such as a cybercriminal or an APT."
While OSC&R is thin in some areas, that is likely a deliberate decision by its authors, Rose noted.
"You don't want to overload people with too many things to look at. One of the things it's trying to do is focus attention on limited resources and farming those resources out."
However, OSC&R could benefit from some added detail within its TTPs. "Defining what to look for within each TTP and how to mitigate them will improve OSC&R," McCarthy said.
Software Supply Chain Security: An interesting journey ahead
Mackey noted some limitations in terms of operationalizing OSC&R, which shows an entry for malicious code contribution to an open-source code repository, but doesn’t yet provide guidance for how to detect malicious code and differentiate between a malicious code contribution relative to a legitimate one.
"OSC&R is in its early stages of development and at present only provides a high-level view of a potential software supply chain threat."
Mackey pointed out that the cybersecurity industry has a large number of frameworks each with their own set of controls, activities, and tasks to describe potential pitfalls that lead to exploitable weaknesses. For OSC&R to gain traction, it will need to identify potential alignment with major frameworks and their associated controls, he said. "Many of these frameworks have a standards or regulatory component to them."
Williams added that OSC&R is a good start, but there are quite a few attack vectors missing, such as malicious test cases, deliberate vulnerability placement for plausible deniability, trojan-infected development tools and plug-ins, insider attacks, developer laptops, attacking test servers, and targeting binary repos.
But Williams said the team behind OSC&R can build out over time as they consider the full range of things that can affect the integrity of code in the supply chain.
"I suppose even ChatGPT has to be considered now that developers are using it to write code for them. It’s going to be an interesting journey."
- Join Webinar: Threat Modeling & Software Supply Chain Security
- Supply Chain Risk Report: Learn why you need to upgrade your app sec
- See Special Report: The Evolution of Application Security
- Track key trends: The State of Supply Chain Security 2022-23
- Get report: Supply chain and the SOC: Why end-to-end security is key