Software Supply Chain Attacks — A CAPEC Perspective
A comprehensive view of how the MITRE CAPEC framework organizes supply chain attack patterns within a robust and flexible three-tier hierarchical structure.
In cybersecurity, an appropriate defence can only be established if we know how a system may be attacked.
In my quest for uncovering software supply chain attacks and the attack patterns that adversaries employ to compromise systems and organizations, I have been reviewing frameworks that cover these attack techniques.
In my previous article, I discussed about the MITRE ATT&CK framework.
MITRE ATT&CK Framework and Supply Chain Compromises
*An in-depth review of MITRE ATT&CK framework for ‘supply chain compromises’.*medium.com
The focus of this article is the MITRE CAPEC framework.
One might ask, “Why are there two separate MITRE frameworks?”
That’s a valid question, and it’s worth addressing before we delve into the discussion about the MITRE CAPEC framework.
MITRE ATT&CK vs MITRE CAPEC
It is increasingly important to understand adversary behaviour in order to devise effective mitigation strategies. The two frameworks, ATT&CK and CAPEC, operated by The MITRE Corporation, take different approaches to organize knowledge around adversary behaviours, each focused on a specific set of use-cases.
Common Attack Pattern Enumeration and Classification (CAPEC) is focused on application security and describes common attributes and techniques employed by adversaries to exploit known weaknesses (such as SQL injection or XSS).
Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) is focused on network defence and details attacker tactics, techniques and procedures (TTPs) describing pre- and post-exploit operational phases of an attack (such as persistence, lateral movement and data exfiltration).
CAPEC has provided a detailed comparison of the two frameworks, explaining similarities, differences, relationship between the two, and the role that each plays in cybersecurity.
CAPEC and Supply Chain Attacks
CAPEC provides a publicly available catalogue of known attack patterns helping users understand attacker tactics employed to exploit weaknesses in applications and other cyber-enabled capabilities.
Attack Pattern is a blueprint for a specific type of an attack, with abstracted common attack approaches from known exploits. Attack patterns capture an attacker’s perspective to aid software developers and security practitioners to improve the security profile of a software application.
CAPEC has a dedicated category for supply chain attacks, which is classified under “Domains of Attack” as “Supply Chain — (437)”, where the number in the brackets represents the Attack Pattern ID.
CAPEC describes Supply Chain attack patterns as follows:
Attack patterns within this category focus on the disruption of the supply chain lifecycle by manipulating computer system hardware, software, or services for the purpose of espionage, theft of critical data or technology, or the disruption of mission-critical operations or infrastructure. Supply chain operations are usually multi-national with parts, components, assembly, and delivery occurring across multiple countries offering an attacker multiple points for disruption.
It is evident from the above description that the broader scope and intricate nature of supply chain operations pose challenges in fully comprehending the threat landscape. There could be a multitude of suppliers (both hardware and software) spread across physical geographies, systems, and manufacturing, operational, and distribution processes. All of these could make it difficult to identify weak spots and vulnerabilities within systems and processes posing risks, and to formulate effective mitigation strategies.
The one thing I like about CAPEC framework is that the attack patterns provide detailed information on Likelihood and Severity of attacks, Relationship with other attack vectors, Pre-requisites and Resources required to conduct an attack, Consequences, Mitigation advice, and a mapping with applicable CWE-IDs. All this information helps practitioners with understanding potential risks and devising effective mitigation strategies.
Exploring CAPEC’s Supply Chain Attacks Category
CAPEC offers a systematic approach to categorizing and understanding supply chain attacks. By classifying these attacks into specific attack patterns, CAPEC provides valuable insights to security professionals and organizations to identify, prevent, and mitigate supply chain attacks effectively.
CAPEC categorizes attack patterns into three levels: Meta, Standard, and Detailed. The hierarchical structure helps organize and describe the attack patterns with varying levels of detail and granularity.
The screenshot below lists a subset of CAPEC supply chain attack patterns.
Source: CAPEC
Here’s an overview of each level within the context of supply chain attacks:
#1 — Meta Level:
The Meta level is the top-tier classification under a specific domain in the CAPEC framework. The Meta level provides a broad and conceptual view of supply chain attacks. It helps users identify fundamental themes or commonalities among these attacks, making it easier to navigate the CAPEC framework at a high-level and to understand the broader goals of an attacker.
Meta categories for supply chain attacks include —
Excavation (116)
Resource Location Spoofing (154)
Configuration/Environment Manipulation (176)
Software Integrity Attack (184)
Modification During Manufacture (438)
Manipulation During Distribution (439)
Hardware Integrity Attack (440)
Metadata Spoofing (690)
The Meta level supply chain attack patterns describe at a high-level the approaches that attackers can take to compromise software and hardware manufacturing and distribution processes, along with attacks on the integrity of the end product.
#2 — Standard Level:
The Standard level is the second tier of classification in the CAPEC framework. The Standard level adds a layer of detail to the classification, allowing users to explore supply chain attack patterns within a broader Meta category. It helps security professionals and researchers identify specific types of supply chain attacks with similar characteristics and tactics.
For example, at the time of this writing, the Standard categories under “Manipulation During Distribution — (439)” Meta category include —
Malicious Hardware Component Replacement*— (522)*
Malicious Software Implanted*— (523)*
Rogue Integration Procedures*— (524)*
The Standard categories under “Software Integrity Attack — (184)” Meta category include —
Malicious Software Update — (186)
Alteration of a Software Update — (669)
The Standard attack patterns may further be divided into Detailed attack patterns based on the granularity required to describe a specific attack pattern. For example, the “Malicious Software Update” category above has further sub-categories as Detailed attack patterns, as described below.
#3 — Detailed Level:
The Detailed level is the most granular level of classification within the CAPEC framework. Attack patterns at this level provide detailed information about specific methods, tactics, prerequisites, and potential mitigations associated with a particular supply chain attack.
The Detailed level serves as a valuable resource for security practitioners and researchers seeking to understand the nuances of a supply chain attack in detail, including how it is executed and how it can be defended against.
At the time of this writing, the Detailed categories under “Malicious Software Update — (186)” Standard category include —
Malicious Automated Software Update via Redirection*— (187)*
Malicious Manual Software Update*— (533)*
Malicious Automated Software Update via Spoofing*— (657)*
I would describe CAPEC’s approach as highly robust in the way it categorizes the attack patterns across various levels. It offers the flexibility to describe an attack at both an abstract level or in greater detail, taking into account the information available and the specific techniques used in executing an attack. This adaptability enables the addition of new attack patterns as they are discovered, whether at the higher Meta level or the more granular Standard or Detailed levels.
Analysis of Software Supply Chain Risks
I dedicated time to compile information from CAPEC’s supply chain attack patterns, presenting it in the form of a table below highlighting risks associated with each pattern outlined in the CAPEC framework.
The table emphasizes specific attack patterns posing greater risks than others, helping to direct your focus towards mitigating supply chain risks effectively.
Summary
In summary, CAPEC’s three-tiered classification system — Meta, Standard, and Detailed levels — provides a hierarchical structure and an organized approach to categorizing and describing supply chain attacks. This structure simplifies the process of locating and identifying relevant attack patterns.
The three levels allow for varying levels of granularity and detail. The Meta level provide a high-level conceptual framework for understanding broad attack themes. The Standard level refine the classification, enabling users to explore specific types of attacks within a broader theme. The Detailed level offers comprehensive information, including attack prerequisites, execution steps, potential mitigations, and real-world examples.
This logical structure and the hierarchical organization assists security professionals, researchers, and organizations in navigating the CAPEC framework and gaining a better understanding of supply chain attacks and associated mitigation strategies in a systematic and consistent manner. Along with this, the assigned risk ratings help with prioritisation efforts.
Related Articles
History and Evolution of Software Supply Chain Attacks
*An exploration of software supply chain threats evolving from initial experiments to sophisticated nation state and APT…*medium.com
MITRE ATT&CK Framework and Supply Chain Compromises
*An in-depth review of MITRE ATT&CK framework for ‘supply chain compromises’.*medium.com