Technique on mitre.org

T1195: Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any stage of the supply chain including:

Manipulation of development tools
Manipulation of a development environment
Manipulation of source code repositories (public or private)
Manipulation of source code in open-source dependencies
Manipulation of software update/distribution mechanisms
Compromised/infected system images (multiple cases of removable media infected at the factory)
Replacement of legitimate software with modified versions
Sales of modified/counterfeit products to legitimate distributors
Shipment interdiction

While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Subtechniques

Detection

ID	DS0013	Data source and component	Sensor Health: Host Status	Description	Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes and compare against known good baseline behavior.

ID	DS0022	Data source and component	File: File Metadata	Description	Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.

ID	Data source and component	Description
DS0013	Sensor Health: Host Status	Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes and compare against known good baseline behavior.
DS0022	File: File Metadata	Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.

Mitigation

ID	M1013	Name	Application Developer Guidance	Description	Application developers should be cautious when selecting third-party libraries to integrate into their application. Additionally, where possible, developers should lock software dependencies to specific versions rather than pulling the latest version on build.

ID	M1016	Name	Vulnerability Scanning	Description	Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.

ID	M1033	Name	Limit Software Installation	Description	Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.

ID	M1046	Name	Boot Integrity	Description	Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.

ID	M1051	Name	Update Software	Description	A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.

ID	Name	Description
M1013	Application Developer Guidance	Application developers should be cautious when selecting third-party libraries to integrate into their application. Additionally, where possible, developers should lock software dependencies to specific versions rather than pulling the latest version on build.
M1016	Vulnerability Scanning	Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.
M1033	Limit Software Installation	Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.
M1046	Boot Integrity	Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
M1051	Update Software	A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.