Common Attack Pattern Enumeration and Classification

CAPEC User Summit Transcript - “Supply Chain Attacks—MITRE’s System of Trust™ and CAPEC”

Robert A. Martin, The MITRE Corporation

Session 5 - Supply Chain Risk and CAPEC | View all Summit transcripts

(00:35) Speaker: Rich Piazza (Summit Host)

This is our session on supply chains. As we know supply chain is the word of 2021 and maybe of 2022.

We've had a lot of attack patterns in that domain for quite some time, and we're looking to improve upon that given the fact that it's so important these days. Bob is going to talk about how supply chain attacks and CAPEC are related and a little bit about MITRE's system of trust, so take it away Bob.

(01:22) Speaker: Robert A. Martin

Thank you and hello to everyone.

It's been a little while since I've been engaged with CAPEC since I was a project leader way back when CAPEC started.

I'm happy to talk about how the two can come together.

If you haven't heard of MITRE's system of trust, don't worry, it's something that's been emerging over the last couple years and it just now starting to come out onto the public stage and into view, so let me dig into it and give you some background.

(02:08) Speaker: Robert A. Martin

When you talk about supply chains everyone definitely knows the customer and their supplier. Often, you don't have any visibility beyond that. Sometimes you can get a little bit of visibility into that next tier or the tier after but it's notional and not very specific. But if we could actually expose and make that visible there'd be so many things that are not currently concretely really addressable that could be.

And one example of this, you may already be aware of, is in the software bill of materials arena, where understanding that software supply chain is a huge issue. But it's not just software. It's hardware and the general visibility into supply chains.

(03:05) Speaker: Robert A. Martin

A lot of people, when they talk about supply chains, tend to think about it in terms of the attacks, those intentional acts to disrupt or to take advantage of supply chains.

I want to make sure you have in mind when you think about supply chains those unintentional acts. You know, those quality escapes, tainted goods, not through malicious means, shortages, weather disruptions, the whole coronavirus issue, a canal being blocked by a ship. Lots of different things that can disrupt and open the door to, for instance, the chip shortage from the coronavirus has led to counterfeit chips in several markets so you need to think about this holistically.

(04:10) Speaker: Robert A. Martin

The other part of supply chain is that there's some aspects of it that have been worked for eons, such as supply chain logistics, understanding where things are coming from, sourcing it, inventory management, all those topics have been a part of human society for centuries.

The whole idea of buying and acquiring is not new, but in a supply chain situation where you're talking about an organization, there's other aspects of it that come to bear that are really important and dependent on its supply chain.

As more and more of the things we buy, acquire, install and use or have software and network capabilities, the whole idea of managing cyber risk as part of supply chain has come to bear and is ever increasing, and the fact that your organization depends on the things that come through the supply chain really brings supply chain security into your organizational risk management picture.

And one of the things that has really come to the fore in the last couple of decades, is the idea of a cyber supply chain. These bring additional risks and additional levels to the whole situation, so all of this is context setting for what we are going to now talk about which is MITRE's supply chain security system of trust and then I'm going to wrap that into attacks and CAPEC.

(06:10) Speaker: Robert A. Martin

System of trust is aimed to be widely adoptable, widely used and a data driven evidence-based way of looking at supply chain risks - a framework. It's based on MITRE, industry and government insights into supply chain issues over decades as well as trying to learn for what we've been able to do here in MITRE in the area of bringing standardization and frameworks - think CVE, CWE, CAPEC, but also the ATT&CK framework - to bring groups of people into a more mature more consistent approaching to talking about and dealing with a problem area.

(07:20) Speaker: Robert A. Martin

We see two “not so good” ways people who are new to this topic, start. The first is when people start to think about supply chain they start writing down all the things they can think about that need to be managed as part of their supply chain. The second approach that we've seen is somebody has been assigned or needs to do supply chain and so they go borrow from some other effort that's been addressing supply chain.

Both of these have issues with completeness and appropriateness. If you're borrowing from another project they may have a totally different set of consequences from supply chain issues. They may have different technology, different vendors, different everything. Borrowing from them might totally send you off in the wrong direction. Both of these are common practice approaches to setting up supply chain and our goal is to minimize, if not eliminate, both of them.

(08:30) Speaker: Robert A. Martin

The other area a lot of people, especially in industry, talk about and believe is part of supply chain security is 3rd party risk management, but when they deal with it they may not be dealing with all the different aspects of it that really need to be addressed when you're talking about a supply chain and the risks from your supply chain. You also need to think about:

• attackers,
• counterfeiters,
• natural hazards and disasters, and
• human hazards.

So all of these things together may come to the fore and what we're trying to do in system of trust is say, OK if I need to trust my suppliers and services, how am I going to achieve that in a responsible repeatable scalable way given all the risks they represent. What we've come up with is 14 areas of risk that are pretty complete as far as we can tell - common across the industries and the three different areas of businesses/suppliers, products, and services. These areas break into lots, and lots of subcategories and I'm just showing you one of them here, external influence. One example is external influence, where one risk is being worried that your supplier is being influenced by your competitor because they're also supplying them. And maybe your competitor buys more product from that supplier and therefore could influence things being available to you. Maybe they get the best goods. Those are the things you're worried about. Those are the risks now when you think about companies working in the national security or critical infrastructure, then external influence can have a different spin. We're trying to be comprehensive in that.

You'll see a mixture of things here and the point to note is not every one of these areas of risk is going to be appropriate to you, but you should start with that bigger picture and then drop out the things that aren't appropriate rather than have different frameworks for different situations.

(11:11) Speaker: Robert A. Martin

This is the picture of our top level of our risks. You can see it kind of has an ATT&CK framework look. Basically what I just walked you through is the far left column under supplier risks.

There are seven risk areas for suppliers, whether it's financial stability, organizational stature susceptibility culture and so on, so when you think about CAPEC well, where does it fit into this picture today. One example would be in the supply risks in the product security so here's a couple of examples of attack patterns for supply chain that are really a good match for product security.

The idea being that somebody can go find out information about your products that could allow them, then to do attacks. Now there are other areas here, just a couple here, in the supplier area where your supplier and their cyber hygiene and practices could lead to somebody attacking into their networks into their physical facilities and then the supply items. These are the kinds of thinking we want to key up, look at them and figure out where we can expand, where we can add in and refine what's there to help do that.

(12:54) Speaker: Robert A. Martin

Let's think about what is in a supply chain. You have a product. That product has components sub-parts and somebody has made that product by combining those subcomponents. Each of them gets made either from other subcomponents or from raw materials, and you may have contractual relationships between those organizations’ ongoing prime sub.

The place where CAPEC can come into play with supply chain security is helping get a handle on where's the attack surface of the supply chain? CAPEC addresses several of these now for hardware supply chain attacks and then the idea would be is, do we want to just continue with hardware of microelectronics, or do you want to go beyond to the physical devices and other aspects of products that come through a supply chain.

(14:15) Speaker: Robert A. Martin

Another example that I wanted to walk through is the software supply chain. So here you have source. You make it. It gets into a distribution package - there may be some iterative moving around through dependencies and updating libraries and eventually gets to the customer and this actual graphic is from the Supply-chain Levels for Software Artifacts (SLSA) project. It's part of a software supply chain effort to get a handle on how supply chains can be involved in an attack on the software creation process and so they've gone and laid out the kinds of disruptions that can happen and where they happen, and CAPEC has also done a good job at getting a handle on these kinds of attacks against the software supply chain, which is kind of what you would expect, since CAPEC's meat is in the software area. But this kind of model, both the software and hardware one, are a little simplistic because when you look at a real supply chain, it's going to start with raw materials. They get folded into intermediate goods that may get further refined and then get manipulated into and assembled with others. That then get distributed and goes through a retail supplier and then to the consumer and then of course, retired.

And these kinds of supply chains aren't just around town, they're international. Almost every product in every country has things coming from other countries because of the resources and skills in labor pool and lots of different things that are driving that.

(16:30) Speaker: Robert A. Martin

So when you think about this additional detail you need to think about these different steps - I'm producing it. I have to distribute it. It's somewhere, there will be a supplier that the customer actually goes too. And it's not even that simple, because it needs to move through this supply chain and so the product goes materially through some kind of transporter whether it's a car, a truck, a train or ship, a plane and it moves from location to location.

And you don't just send things because you think people are going to need it, you actually have customers asking for things you have producers coordinating and restocking shelves and such and, of course, there's money that gets paid so when you start thinking about attacks against supply chains all of these different aspects are open candidates to where a supply chain could be attacked. The attacker could be going at the information flow, in one way or the other, the money flow, the actual physical movement of goods through loading docks and storage facilities and railroad yards and so on, so there's a lot of these details that are part of supply chains and the current work in CAPEC doesn't capture and doesn't address these directly so I basically want to open up the idea to all of you about focusing on what kinds of things we could talk about and expanding CAPEC to address these and just to open the discussion here. I've got a couple more slides to wrap up with, but this is where I really wanted to have the discussion.

So other people have things they'd like to put in the chat to.

(18:43) Speaker: Alec J. Summers - CAPEC/CWE Program

We do have a question Bob that I'll just relay to you from the chat. The question is, in the absence or opaqueness of supply chain information how do we model the risk quantification reliably?

(19:05) Speaker: Robert A. Martin

So one of the interesting things about supply chains as well as in cyber is that we have no statistics to really base probabilities on so one of the approaches to do with that is what kind of indicators can you look for that would give insight into whether a particular risk is actually manifest or not.

One of the things we're doing in our system of trust effort is moving away from a probability and impact math and really focusing in on what things that you can find that would show that at risk is being mitigated or not present at all, and how can you make that concrete so that you don't have to be a subject matter expert to actually do that assessment. The idea is to articulate those in ways that a broader audience of people could follow so that it doesn't take a supply chain expert to actually get a handle on these risks.

It comes to the opaqueness, specifically and that's where I think there's going to have to be a phase shift. I think people are going to have to demand insight into their supply chain. You already see this happening in software with the SBOM and I think you will see it very soon in hardware with an HBOM and so one of the efforts I'm involved with is bringing standards to that area and the standard includes a core bill of materials. What do you need to know if you're going to actually maintain and build and distribute a bill material and then on top of that it's got additional information. If it's a software Bill of material or hardware building material or a system bill of material so that we can have some automation possible that scales and is consistent across these different area.

Hopefully, that addresses the question.

(21:43) Speaker: Rich Piazza

If you have questions raise your hand or put them in the chat. I see Joe has his hand up.

(21:49) Speaker: Joe Jarzombek - Synopsys (Guest)

Bob, as a follow on to that very good presentation which gives an overview of the nature of the challenges that we have, but CAPEC is often used for: this is how it can be attacked. It would be nice if it also included indicators of compromise that says it has been attacked or it has been compromised so that we know if it's counterfeit, if it's tainted and certainly the work with SAE J 19 a can lend itself to that, so it be nice if we kind of opened up the aperture of CAPEC of not just how, but indicators that something has happened.

(22:27) Speaker: Robert A. Martin

Well in fact, if you remember and I'm sure you do, about a dozen years ago, we started efforts to see if CyBOX could be augmented to capture observables about supply chain attacks. Things like, seeing something in the wrong place or “oh this has been tampered with”. How do you know? Well this tamper proof seal has been broken and or the shrink wrap is so those are very easy to communicate to record but we don't do it in any automated way. So yeah, I think you know, some way and this goes along with the discussion about the probabilities. If you're going to say, yes, it has been tampered or it is a risk, you need some data driven observable or recording something that can support because when you start, saying OK, you're in violation of this contract or I'm no longer going to do business with you. They're going to want to say, "wait a minute, what basis? I'm going to take you to court", so having a factual record of how you got there and supporting evidence is going to be critical.

(23:57) Speaker: Joe Jarzombek - Synopsys (Guest)

Yep. Thanks.

(23:58) Speaker: Rich Piazza

Did someone else had their hand up, I thought they did?

(24:02) Speaker: Robert A. Martin

Saw something go by in chat.

(24:04) Speaker: Rich Piazza

Yeah, OK.

How do we guarantee integrity of SBOM/HBOM information provided by an entity? How do we ensure and enforce integrity of the information made available across entities in the supply chain. Blockchain? Or other methods?

(24:23) Speaker: Robert A. Martin

Not necessarily blockchain, but so there is another set of activities working that area, I don't have it in this presentation. I have one, I'm giving it tomorrow. But basically, there's another community effort to come up with ways of signing BOMs. So you have assurance as to what is the identity of the publisher, so it has a verifiable mechanism but also for the integrity of the documents.

And that you can then confirm through hashing and so on, so there's work in that area, but that doesn't let you say it was also tested by this organization using this approach and technology. So a BOM of hardware or software is an attestation about the product, but you need other attestations.

In the recent executive order 14028 it put a requirement for software bills of material on federal suppliers, but it also put in a requirement being articulated by NIST about the attestations about that software - why should we trust it now. Those are starting out as self-attestations, but you know 3rd party attestations are going to be a requirement as well when you really need confidence. Whether that 3rd party be your agent or some independent lab. There are efforts in the Linux Foundation, the OSSF (open source security foundation) part of Linux Foundation to come up with standards for how to capture that in a ledger, not a blockchain ledger, but a distributed confidential ledger, a little lighter weight way of getting that kind of integrity.

And so I think you'll find the industry, in the spring or early summer time frame, is going to start making SBOMs and attestations about the software captured by those SBOMs available to customers and then if you're have the right relationship you can then see the details of those attestations.

So big changes are going on in those areas and so the idea here is to help that along by articulating what attack pattern, what kinds of evidence will help you have assurance that has been addressed.

(27:36) Speaker: Rich Piazza

So there's a comment in the chats by Jim which says "consider the open group trusted technology provider standard, that is now an ISO/IEC standard."

(27:54) Speaker: Robert A. Martin

I was a part of the team authoring that standard and the trusted technology providers standard and Joe Jarzombek, who is on this call, is also very familiar with it, basically it is about malicious taint and counterfeits. It doesn't address some of the other risks about good quality product.

And so it's a part of what we want, I think as an industry. But it’s not addressing all of those areas that need to be addressed, we are trying to get them to open that standard up and expand it so that it's got a closer match to what the risks that we talk about in system of trust, but the story, is still unfolding.

(28:54) Speaker: Rich Piazza

OK, Jim has a response.

Open source software is pervasive in COTS software supply chain. Have you considered publishing recommended security practices and measuring for development of open source software?

(29:12) Speaker: Robert A. Martin

I just brought up the chat so I can read it. The effort with the open source security foundation (OSSF) that I just talked about, has a big focus on the open source. That is the underpinning of much commercial capabilities and that group is also the one that's putting in the scorecard that can rate open source projects, badges that can rate projects and the qualifications of the person doing the work.

So yes, there's attention being paid and it goes broader to not only the flow of how do I gain assurance? What is in the software I'm using? but also how do I gather the information. I need to figure out if it's a risk that I can't accept and that goes for different organizations. Those risks may be known vulnerabilities, but it also could be - I can't deal with people from those organizations being involved in that software - so all of this kind of information. It depends on your risk aversion. What areas of risk, you're focused on and so being able to make it visible and available? Is the key not coming up with, oh here's the approved products list, because what criteria you use to make that list may be totally inappropriate to another organization and be missing things that they're really interested in, and it's key to their ability to make decisions about what to bring into the enterprise.

(31:25) Speaker: Rich Piazza

We have another comment here: for supply chain and attacks in general I think it is important to look at the effect of an attack in terms of how it either obtains information resources, gains control of a particular process or how it alters disrupts destroys the behavior of the supply chain process to the end of getting an understanding of how a given attack provides leverage to the attacker against the system or the supply chain.

(32:07) Speaker: Robert A. Martin

Yep, totally agree and that's the scope of the things we're trying to address. To make people aware, make them understand, and when it comes to system or trust, we have this huge taxonomy of the risks that could be coming from your suppliers or the services you're making use of and it's that rubric you just went through that lets you narrow down to those that are really going to be impactful; that are appropriate to the technologies and the practices and processes you're talking about in your supply chain. So the key to the magic of our system of trust framework is that it is going to be online and available and being managed in a cloud capability that people can go in and basically build a profile that does that sub-setting and then leverage that result, so that we can have the huge coverage, but then narrow it down appropriately and quickly so that for your particular supply chain problem you'll have a workable size set of risks to evaluate and manage.

(33:47) Speaker: Robert A. Martin

So, just finish the last few slides I have here.

You know basically in the past, we've talked about physical movement of goods and these discrete different activities and players and as now we need a lot more information about the bills of materials. The quality pedigree. The provenance and it's a two-way direction. Not only does the customer need these things but each leg in the supply chain needs information from the other participants and it's not just handoff and forget it. In our work on the system of trust we're going to be coming out with ways everyone can get a handle on this, can make use of it. It will be publicly available, there'll be standards, there'll be training materials. I'll be giving a talk at RSA in June on this in the supply chain track.

And we will be licensing the application. We're going to have it available so that organizations could bring it in house and use it themselves. There's a bunch of material out there already about these things.

All these slides will be available and also the sot@mitre.org is a live email. Even though sot.mitre.org isn't going to be launched until just before RSA.