Construction of Software Supply Chain Threat Portrait Based on Chain Perspective
Abstract
1. Introduction
- We propose an analytic framework for building a software supply chain (SSC) threat portrait. The framework comprises three core stages, event collection, event analysis, and model construction, broken down into seven specific processes, and covers the construction of the portrait end to end.
- We propose an event analysis method that pairs a generative artificial intelligence model with human expert review, so that key nodes and chains in SSC events are mined by the model and confirmed by experience.
- The overall model and the micro-level attack indicators together give a comprehensive and accurate picture of the SSC threat surface. The model characterizes the supply chain from a macro, chain-oriented perspective with 3 levels and 31 dimensions, which broadens the research perspective and captures the interconnections and interdependencies across the entire supply chain. The attack indicators, organized by attack technique, describe attacker behavior in the supply chain in 14 tactics and 113 techniques.
2. Related Work
2.1. Software Supply Chain Threat Surface
2.2. Software Supply Chain Attack and Threat Detection
3. The Framework of Software Supply Chain Threat Portrait Model
3.1. Software Supply Chain Threat Portrait Model Design Framework
3.2. Event Collection Layer
3.3. Event Analysis Layer
3.4. Model Construction Layer
4. Software Supply Chain Model
- The Inner Layer
- The Middle Layer
- The Outer Layer
5. Software Supply Chain Attack Indicator Matrix
5.1. Reconnaissance
5.2. Resource Development
5.3. Initial Access
5.4. Execution
5.5. Persistence
5.6. Privilege Escalation
5.7. Defense Evasion
6. Event Verification and Visualization
6.1. RQ1: Event Verification
6.1.1. Codecov Attack Event
6.1.2. Output Analysis
6.2. RQ2: Questionnaire Assessment
6.3. RQ3: Visualization
- Visualization of Event-Streams Events
- Visualization of XcodeGhost attack event
7. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Peisert, S.; Schneier, B.; Okhravi, H.; Massacci, F.; Benzel, T.; Landwehr, C.; Mannan, M.; Mirkovic, J.; Prakash, A.; Michael, J.B. Perspectives on the SolarWinds incident. IEEE Secur. Priv. 2021, 19, 7–13. [Google Scholar] [CrossRef]
- In-Depth Analysis of the Supply Chain Attack Case of CCleaner Backdoor Code-Compilation Environment Pollution. Available online: https://ti.qianxin.com/blog/articles/in-depth-analysis-of-ccleaner-malware/ (accessed on 15 March 2023).
- The State of Software Supply Chain Security. Available online: https://www.reversinglabs.com/resources/the-state-of-software-supply-chain-security (accessed on 15 March 2023).
- How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks. Available online: https://www.gartner.com/en/documents/4003625 (accessed on 1 March 2023).
- Zhenfei, Z. Research on Pollution Mechanism and Defense of Software Supply Chain. Master’s Thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2018. [Google Scholar]
- Du, S.; Lu, T.; Zhao, L.; Xu, B.; Guo, X.; Yang, H. Towards an analysis of software supply chain risk management. In Proceedings of the World Congress on Engineering and Computer Science, San Francisco, CA, USA, 23–25 October 2013; Volume 1. [Google Scholar]
- Introducing ChatGPT. Available online: https://openai.com/blog/chatgpt (accessed on 1 May 2023).
- Steffan, J.; Schumacher, M. Collaborative attack modeling. In Proceedings of the 2002 ACM Symposium on Applied Computing, Madrid, Spain, 11–14 March 2002; pp. 253–259. [Google Scholar]
- ATT&CK Matrix. Available online: https://attack.mitre.org (accessed on 1 March 2023).
- Technical Advisory: Zero-Day Critical vulnerability in Log4j2 Exploited in the Wild. Available online: https://www.bitdefender.com/blog/businessinsights/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild/ (accessed on 1 March 2023).
- Torres-Arias, S.; Afzali, H.; Kuppusamy, T.K.; Curtmola, R.; Cappos, J. in-toto: Providing farm-to-table guarantees for bits and bytes. In Proceedings of the 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, USA, 14–16 August 2019; pp. 1393–1410. [Google Scholar]
- Software Supply Chain Attacks. Available online: https://www.whitesourcesoftware.com/resources/blog/software-supply-chain-attacks/ (accessed on 1 March 2023).
- Ji, S.; Wang, Q.; Chen, A.; Zhao, B.; Ye, T.; Zhang, X.; Wu, J.; Li, Y.; Yin, J.; Wu, T. Review of open source software supply chain security research. J. Softw. 2022, 34, 1330–1364. [Google Scholar]
- Benthall, S. Assessing software supply chain risk using public data. In Proceedings of the 2017 IEEE 28th Annual Software Technology Conference (STC), Gaithersburg, MD, USA, 25–28 September 2017; pp. 1–5. [Google Scholar]
- Pfretzschner, B.; ben Othmane, L. Identification of dependency-based attacks on node.js. In Proceedings of the 12th International Conference on Availability, Reliability and Security, Reggio Calabria, Italy, 29 August–1 September 2017; pp. 1–6. [Google Scholar]
- Gokkaya, B.; Aniello, L.; Halak, B. Software supply chain: Review of attacks, risk assessment strategies and security controls. arXiv 2023, arXiv:2305.14157. [Google Scholar]
- Liu, C.; Chen, S.; Fan, L.; Chen, B.; Liu, Y.; Peng, X. Demystifying the vulnerability propagation and its evolution via dependency trees in the npm ecosystem. In Proceedings of the 44th International Conference on Software Engineering, Pittsburgh, PA, USA, 21–29 May 2022; pp. 672–684. [Google Scholar]
- Zimmermann, M.; Staicu, C.A.; Tenny, C.; Pradel, M. Small world with high risks: A study of security threats in the npm ecosystem. In Proceedings of the 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, USA, 14–16 August 2019; pp. 995–1010. [Google Scholar]
- Ohm, M.; Plate, H.; Sykosch, A.; Meier, M. Backstabber’s knife collection: A review of open source software supply chain attacks. In Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment: 17th International Conference, DIMVA 2020, (Proceedings 17), Lisbon, Portugal, 24–26 June 2020; Springer: Berlin/Heidelberg, Germany, 2020; pp. 23–43. [Google Scholar]
- Zahan, N.; Zimmermann, T.; Godefroid, P.; Murphy, B.; Maddila, C.; Williams, L. What are weak links in the npm supply chain? In Proceedings of the 44th International Conference on Software Engineering: Software Engineering in Practice, Pittsburgh, PA, USA, 25–27 May 2022; pp. 331–340. [Google Scholar]
- Dey, T.; Mockus, A. Are software dependency supply chain metrics useful in predicting change of popularity of npm packages? In Proceedings of the 14th International Conference on Predictive Models and Data Analytics in Software Engineering, Oulu, Finland, 10 October 2018; pp. 66–69. [Google Scholar]
- Gonzalez, D.; Zimmermann, T.; Godefroid, P.; Schäfer, M. Anomalicious: Automated detection of anomalous and potentially malicious commits on github. In Proceedings of the 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), Madrid, Spain, 25–28 May 2021; pp. 258–267. [Google Scholar]
- Duan, R.; Alrawi, O.; Kasturi, R.P.; Elder, R.; Saltaformaggio, B.; Lee, W. Towards measuring supply chain attacks on package managers for interpreted languages. arXiv 2020, arXiv:2002.01139. [Google Scholar]
- Tang, W.; Luo, P.; Fu, J.; Zhang, D. Libdx: A cross-platform and accurate system to detect third-party libraries in binary code. In Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER), London, ON, Canada, 14–21 February 2020; pp. 104–115. [Google Scholar]
- Ladisa, P.; Plate, H.; Martinez, M.; Barais, O. Sok: Taxonomy of attacks on open-source software supply chains. In Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 21–25 May 2023; pp. 1509–1526. [Google Scholar]
- Bos, A.M. A Review of Attacks Against Language-Based Package Managers. arXiv 2023, arXiv:2302.08959. [Google Scholar]
- Reed, M.; Miller, J.F.; Popick, P. Supply Chain Attack Patterns: Framework and Catalog; Office of the Deputy Assistant Secretary of Defense for Systems Engineering: Washington, DC, USA, 2014; Volume 2. [Google Scholar]
- Supply Chain Attack Framework and Attack Patterns. Available online: https://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf (accessed on 1 March 2023).
- Buchicchio, E.; Grilli, L.; Capobianco, E.; Cipriano, S.; Antonini, D. Invisible supply chain attacks based on trojan source. Computer 2022, 55, 18–25. [Google Scholar] [CrossRef]
- Neil, L.; Mittal, S.; Joshi, A. Mining threat intelligence about open-source projects and libraries from code repository issues and bug reports. In Proceedings of the 2018 IEEE International Conference on Intelligence and Security Informatics (ISI), Miami, FL, USA, 9–11 November 2018; pp. 7–12. [Google Scholar]
- Neupane, S.; Holmes, G.; Wyss, E.; Davidson, D.; De Carli, L. Beyond Typosquatting: An In-depth Look at Package Confusion. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23), Anaheim, CA, USA, 9–11 August 2023; pp. 3439–3456. [Google Scholar]
- Zahan, N. Software Supply Chain Risk Assessment Framework. In Proceedings of the 2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 14–20 May 2023; pp. 251–255. [Google Scholar]
- Ohm, M.; Sykosch, A.; Meier, M. Towards detection of software supply chain attacks by forensic artifacts. In Proceedings of the 15th International Conference on Availability, Reliability and Security, Virtual, 25–28 August 2020; pp. 1–6. [Google Scholar]
- Zhenhua, W. Research on Pollution Detection Technology of Software Supply Chain. Master’s Thesis, The Information Engineering University, Henan, China, 2019. [Google Scholar]
- Vu, D.L.; Pashchenko, I.; Massacci, F.; Plate, H.; Sabetta, A. Towards using source code repositories to identify software supply chain attacks. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual, 9–13 November 2020; pp. 2093–2095. [Google Scholar]
- Wang, X. On the feasibility of detecting software supply chain attacks. In Proceedings of the MILCOM 2021 IEEE Military Communications Conference (MILCOM), San Diego, CA, USA, 29 November–2 December 2021; pp. 458–463. [Google Scholar]
- Purba, M.D.; Chu, B. Extracting Actionable Cyber Threat Intelligence from Twitter Stream. In Proceedings of the 2023 IEEE International Conference on Intelligence and Security Informatics (ISI), Charlotte, NC, USA, 2–3 October 2023; pp. 1–6. [Google Scholar]
- Wang, P.; Dai, G.; Zhai, L. Event-Based Threat Intelligence Ontology Model. In Proceedings of the International Conference on Science of Cyber Security, Shanghai, China, 13–15 August 2023; pp. 261–282. [Google Scholar]
- Perrina, F.; Marchiori, F.; Conti, M.; Verde, N.V. AGIR: Automating Cyber Threat Intelligence Reporting with Natural Language Generation. arXiv 2023, arXiv:2310.02655. [Google Scholar]
- Fayyazi, R.; Yang, S.J. On the Uses of Large Language Models to Interpret Ambiguous Cyberattack Descriptions. arXiv 2023, arXiv:2306.14062. [Google Scholar]
- Ali, T.; Kostakos, P. HuntGPT: Integrating Machine Learning-Based Anomaly Detection and Explainable AI with Large Language Models (LLMs). arXiv 2023, arXiv:2309.16021. [Google Scholar]
- Sun, Y.; Wu, D.; Xue, Y.; Liu, H.; Wang, H.; Xu, Z.; Xie, X.; Liu, Y. When GPT Meets Program Analysis: Towards Intelligent Detection of Smart Contract Logic Vulnerabilities in GPTScan. arXiv 2023, arXiv:2308.03314. [Google Scholar]
- Wang, Z.; Zhang, L.; Cao, C.; Liu, P. The Effectiveness of Large Language Models (Chatgpt and Codebert) for Security-Oriented Code Analysis. SSRN 2023, SSRN:4567887. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4567887 (accessed on 7 November 2023).
- Setianto, F.; Tsani, E.; Sadiq, F.; Domalis, G.; Tsakalidis, D.; Kostakos, P. GPT-2C: A parser for honeypot logs using large pre-trained language models. In Proceedings of the 2021 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, Virtual, 8–11 November 2021; pp. 649–653. [Google Scholar]
- Le, V.H.; Zhang, H. Log Parsing with Prompt-based Few-shot Learning. arXiv 2023, arXiv:2302.07435. [Google Scholar]
- Ranade, P.; Piplai, A.; Joshi, A.; Finin, T. Cybert: Contextualized embeddings for the cybersecurity domain. In Proceedings of the 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA, 15–18 December 2021; pp. 3334–3342. [Google Scholar]
- He, J.; Wang, L.; Hu, Y.; Liu, N.; Liu, H.; Xu, X.; Shen, H.T. ICL-D3IE: In-context learning with diverse demonstrations updating for document information extraction. arXiv 2023, arXiv:2303.05063. [Google Scholar]
- Wei, X.; Cui, X.; Cheng, N.; Wang, X.; Zhang, X.; Huang, S.; Xie, P.; Xu, J.; Chen, Y.; Zhang, M.; et al. Zero-shot information extraction via chatting with chatgpt. arXiv 2023, arXiv:2302.10205. [Google Scholar]
- XcodeGhost. Available online: https://en.wikipedia.org/w/index.php?title=XcodeGhost&oldid=1022461786 (accessed on 15 March 2023).
- I Don’t Know What to Say. Available online: https://github.com/dominictarr/event-stream/issues/116 (accessed on 1 March 2023).
- A New Open Framework For Releasing Secure Products. Available online: https://pbom.dev/#overview (accessed on 1 May 2023).
- Google Scholar. Available online: https://scholar.google.com/ (accessed on 2 March 2023).
- IEEE Xplore. Available online: https://ieeexplore.ieee.org/ (accessed on 2 March 2023).
- ScienceDirect. Available online: https://www.sciencedirect.com (accessed on 2 March 2023).
- Software Supply Chain Compromises. Available online: https://github.com/in-toto/supply-chain-compromises (accessed on 15 March 2023).
- Catalog of Supply Chain Compromises. Available online: https://github.com/cncf/tag-security/tree/main/supply-chain-security (accessed on 15 March 2023).
- FreeBuf. Available online: https://www.freebuf.com (accessed on 15 March 2023).
- SecWiki. Available online: https://secwiki.org/w/Main_Page (accessed on 15 March 2023).
- CNVD. Available online: https://www.cnvd.org.cn (accessed on 15 March 2023).
- NVD. Available online: https://nvd.nist.gov (accessed on 15 March 2023).
- Star Map Lab. Available online: https://tianwen.qianxin.com/blog/ (accessed on 15 March 2023).
- Post-Mortem/Root Cause Analysis. Available online: https://about.codecov.io/apr-2021-post-mortem/ (accessed on 2 March 2023).
- Hackers Backdoor PHP Source Code after Breaching Internal Git Server. Available online: https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/ (accessed on 15 April 2023).
- “Driver Talent” Trojan Detailed Analysis Report Infected 100,000 Computers to Mine Monero in 2 h. Available online: https://s.tencent.com/research/report/610.html (accessed on 15 March 2023).
- Martínez, J.; Durán, J.M. Software supply chain attacks, a threat to global cybersecurity: SolarWinds’ case study. Int. J. Saf. Secur. Eng. 2021, 11, 537–545. [Google Scholar] [CrossRef]
- Supply-Chain-Attack. Available online: https://github.com/kcrio/supply-chain-attack (accessed on 30 August 2023).
| Event | Attack Objects | Attack Path | Upstream and Downstream Chains |
|---|---|---|---|
| XcodeGhost [49] | Software code; software installation package | Attackers implant malicious code into the development tool Xcode (the trojanized copy is known as XcodeGhost) and spread it through cloud services and resource sharing. | Software code → development tool; software installation package → resource sharing, cloud services |
| Event-Streams [50] | Software code | A malicious maintainer inserts malicious code into third-party component code. | 1. For Event-Streams itself: software code → developers. 2. For affected downstream code: software code → third-party components → third-party open-source library |
| Event | Attack Phase | Attack Behavior |
|---|---|---|
| XcodeGhost | Implant malicious modules | Develop a malicious version of the development tool Xcode |
| XcodeGhost | Malicious propagation | Phishing techniques trick developers into downloading the unofficial version |
| XcodeGhost | Execute malicious commands | Use powerful system interfaces and runtime backdoors to issue malicious commands |
| XcodeGhost | Evade defense measures | Install certificates on target systems through social engineering and forced authentication |
| XcodeGhost | Control target systems | Use a pseudo-protocol combined with malicious remote control modules to control the target system |
| XcodeGhost | Capture sensitive information | Collect sensitive information such as network information and credentials from controlled systems |
| Event-Streams | Implant malicious modules | An open-source repository maintainer maliciously submits components containing malicious code |
| Event-Streams | Trigger malicious code execution | Exploit runtime backdoors and trick users into triggering the malicious code |
| Event-Streams | Establish long-term control | Exploit backdoors in code |
| Event-Streams | Obtain higher privileges | Plant malicious dependencies into the repositories of high-privilege users |
| Event-Streams | Obtain legitimate access | Exploit the compromised credentials |
| Mathematical Notation | Definition |
|---|---|
| C | Components level |
| S | Source Code level |
| E | Runtime Environment level |
| I | Installation Package level |
| M | The final model obtained |
| | Represents the attack techniques present on x |
| | Represents threats present on the |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion |
|---|---|---|---|---|---|---|
| Scan Used Open-Source Dependencies | Contributing Malicious Code to Open-Source Repository | Code Repository Contamination | Package Manager Threats | Backdoor in Code | Implant Malicious Dependencies in High-Privilege User Repository | SaaS Sprawl |
| Scan Code Repository | Malicious Behavior by Open-Source Maintainers | Development Environment Threats | Executing Malicious Components/Extensions | Implant in Zombie Instance | Malicious Components Introduced in High-Privilege User Environments | Configuration Error |
| Scan Public Container Images | Malicious Substitution of Legitimate Items | Development Tool Threats | IDE Malicious Build Injection | Deploy Keys | Exploiting Software Vulnerabilities | Development Tool Threats |
| Investigate Supply Chain Relationships | Develop Malicious Project | Vulnerabilities in Third-Party Components/Extensions | Exploiting Software Vulnerabilities | Browser Extensions | Manipulate Access Token | Exploiting Vulnerabilities |
| Phishing for Information | Malicious Acquisition | Repojacking | Runtime Backdoor | Manipulate Access Token | Abusing Privilege Escalation Control Mechanisms | Impair Defense Mechanisms or Components |
| Active Scanning | Hacking the Update Server | Combosquatting | SQL Injection | Implanting Container Images | Exploiting Valid Accounts | Manipulate Access Token |
| Scan Open Information Sources | Hacking the Official Website | Typosquatting | Command Execution | Abuse Task Scheduling | | Exploiting Valid Accounts |
| Collect Target Host Information | Steal Accounts | Dependency Confusion | Cross-Site Scripting | External Remote Services | | Abusing Privilege Escalation Control Mechanisms |
| Collect Target Identity Information | Create and Cultivate Account | Brandjacking | User Execution | Account Manipulation | | Indicator Removal |
| | | Shadow IT | API Exploitation | Establish Accounts | | Subvert Trust Controls |
| | | Exposed Public Artifacts or Information | Deploy Container | | | Alternate Authentication Material Theft |
| | | CI/CD Threats | Abuse of Container Management Commands | | | Obfuscate Files or Information |
| | | Malicious Module Injection | | | | |
| | | Exploiting Trusted Third-Party Relationships | | | | |
| | | Exploiting Application Vulnerabilities and Errors | | | | |
| | | Phishing | | | | |
| | | Exploiting Valid Accounts | | | | |
| | | Drive-by Compromise | | | | |
| | | External Remote Services | | | | |
| Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|
| Steal Third-Party Software Tokens | Discover Dependent Code Repository | Push Implants Across Repositories | Information from Code Repository | Remote Access Software | Exfiltration to Code Repositories | Implant Malicious Module |
| Brute Force | Discovering System Information | Exploiting Remote Services | Information from Cloud Storage | Ingress Tool Transfer | Exfiltration to Cloud Storage | Data Manipulation |
| Man-in-the-Middle Attack (MITM) | Account Discovery | Exploiting Valid Accounts | Information from System | Exploitation of Pseudo-Protocol | Webhook | Data Destruction |
| Forced Authentication | Permission Groups Discovery | Internal Phishing | | | Exfiltration Over Alternative Protocol | Resource Hijacking |
| Exploiting Vulnerabilities | Password Policy Discovery | Alternate Authentication Material Theft | | | | |
| Credential Dump | | | | | | |
| Steal or Forge Credentials and Certificates | | | | | | |
| Steal Session Cookies | | | | | | |
| Leak Insecurely Stored Credentials | | | | | | |
| Input Capture | | | | | | |
| Event | Dependency Chain |
|---|---|
| XcodeGhost [49] | Software → Code → Development Tools |
| XcodeGhost [49] | Software → Installation Package → Resource Sharing, Cloud Service |
| Event-Streams [50] | 1. For Event-Streams itself: Software → Code → Developer |
| Event-Streams [50] | 2. For affected downstream software: Software → Components → Component Source Code → Third-Party Open-Source Library |
| PHP Backdoor [63] | Software → Installation Package → Updates by Users → Update Server |
| Driver Talent [64] | Software → Installation Package → Updates by Users → Update Server |
| SolarWinds [65] | Software → Installation Package → Official Website |
| Log4j [10] | For affected downstream software: Software → Components → Component Source Code → Third-Party Open-Source Library |
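The chains in the table above are what a defender has to walk when one upstream node is compromised: every path from the software they ship down to the bad node, and every package that sits on such a path. The Python below is an added example, not code from the paper. It builds a dependency graph from a constructed input shaped like npm's package-lock.json (the event-stream → flatmap-stream edge follows the Event-Streams incident; the other package names and every version string are illustrative), enumerates all chains from the root project to a compromised package, and lists every package that transitively depends on it with the length of its shortest chain. The minimal lockfile loader collapses nested copies of a package under one name, which is enough for chain discovery but not for version-exact resolution.

```python
"""Walk the dependency chains through which a compromised upstream package reaches
the software you ship. Added example; the lockfile below is constructed."""
from collections import defaultdict

# Constructed input shaped like npm's package-lock.json (lockfileVersion 2/3):
# "packages" maps install paths to entries, "" being the root project.
# event-stream -> flatmap-stream mirrors the Event-Streams incident; the other
# packages and every version string are illustrative, not a real lockfile.
SAMPLE_LOCK = {
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app",
             "dependencies": {"event-stream": "^3.3.6", "express": "^4", "pretty-cli": "^1"}},
        "node_modules/event-stream": {"version": "3.3.6",
                                      "dependencies": {"flatmap-stream": "0.1.1", "through": "~2.3"}},
        "node_modules/flatmap-stream": {"version": "0.1.1"},
        "node_modules/through": {"version": "2.3.8"},
        "node_modules/express": {"version": "4.18.2", "dependencies": {"body-parser": "1.20"}},
        "node_modules/body-parser": {"version": "1.20.1"},
        "node_modules/pretty-cli": {"version": "1.0.0", "dependencies": {"event-stream": "^3"}},
    },
}


def graph_from_lock(lock):
    """package name -> direct dependency names. Nested copies of a package
    (node_modules/a/node_modules/b) are collapsed under one name, which is enough
    for chain discovery but not for version-exact resolution."""
    graph = {}
    for path, entry in lock["packages"].items():
        name = lock["name"] if path == "" else path.rsplit("node_modules/", 1)[1]
        graph.setdefault(name, []).extend(entry.get("dependencies", {}))
    return graph


def chains_to(graph, root, target):
    """All simple paths root -> ... -> target, each as a list of package names (DFS)."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:          # real ecosystems contain cycles; never revisit
                walk(dep, path + [dep])

    walk(root, [root])
    return found


def dependents_of(graph, target):
    """Every package that transitively depends on target, mapped to the length of
    its shortest chain to target (breadth-first search over a reverse index)."""
    reverse = defaultdict(list)
    for pkg, deps in graph.items():
        for dep in deps:
            reverse[dep].append(pkg)
    depth = {target: 0}
    frontier = [target]
    while frontier:
        nxt = []
        for node in frontier:
            for parent in reverse[node]:
                if parent not in depth:
                    depth[parent] = depth[node] + 1
                    nxt.append(parent)
        frontier = nxt
    depth.pop(target)
    return depth


def render(path):
    """Print a chain in the same arrow notation as the dependency chain table."""
    return " → ".join(path)


if __name__ == "__main__":
    g = graph_from_lock(SAMPLE_LOCK)
    for chain in chains_to(g, "my-app", "flatmap-stream"):
        print(render(chain))
    print(dependents_of(g, "flatmap-stream"))
```

To run this against a real project, load package-lock.json with json.load and pass the result to graph_from_lock; for another ecosystem only the loader changes, the chain enumeration and the reverse index are the same.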
| Event | Tactic | Technique |
|---|---|---|
| XcodeGhost [49] | Resource Development | Develop Malicious Project |
| XcodeGhost [49] | Initial Access | Phishing |
| XcodeGhost [49] | Execution | API Exploitation, Runtime Backdoor |
| XcodeGhost [49] | Defense Evasion | Subvert Trust Controls |
| XcodeGhost [49] | Credential Access | Forced Authentication, Man-in-the-Middle Attack (MITM), Input Capture |
| XcodeGhost [49] | Collection | Information from System |
| XcodeGhost [49] | Command and Control | Exploitation of Pseudo-Protocol |
| XcodeGhost [49] | Impact | Implant Malicious Module |
| Event-Streams [50] | Resource Development | Contributing Malicious Code to Open-Source Repository |
| Event-Streams [50] | Initial Access | Malicious Module Injection |
| Event-Streams [50] | Execution | User Execution, Runtime Backdoor |
| Event-Streams [50] | Persistence | Backdoor in Code |
| Event-Streams [50] | Privilege Escalation | Implant Malicious Dependencies in High-Privilege User Repository |
| Event-Streams [50] | Credential Access | Leak Insecurely Stored Credentials |
| PHP Backdoor [63] | Resource Development | Develop Malicious Project, Create and Cultivate Account, Hacking the Update Server |
| PHP Backdoor [63] | Initial Access | Malicious Module Injection |
| PHP Backdoor [63] | Execution | Runtime Backdoor |
| PHP Backdoor [63] | Persistence | Backdoor in Code |
| SolarWinds [65] | Reconnaissance | Collect Target Identity Information |
| SolarWinds [65] | Resource Development | Malicious Acquisition, Develop Malicious Project |
| SolarWinds [65] | Initial Access | Exploiting Application Vulnerabilities and Errors, External Remote Services, Exploiting Trusted Third-Party Relationships, Exploiting Valid Accounts |
| SolarWinds [65] | Execution | Command Execution, IDE Malicious Build Injection |
| SolarWinds [65] | Persistence | Account Manipulation, External Remote Services, Abuse Task Scheduling |
| SolarWinds [65] | Defense Evasion | Obfuscate Files or Information, Impair Defense Mechanisms or Components, Indicator Removal |
| SolarWinds [65] | Credential Access | Leak Insecurely Stored Credentials, Steal or Forge Credentials and Certificates, Credential Dump, Steal Session Cookies |
| SolarWinds [65] | Discovery | Account Discovery, Permission Groups Discovery, Discovering System Information |
| SolarWinds [65] | Lateral Movement | Exploiting Remote Services, Alternate Authentication Material Theft |
| SolarWinds [65] | Collection | Information from Code Repository, Information from System |
| Log4j [10] | Reconnaissance | Active Scanning |
| Log4j [10] | Resource Development | Malicious Acquisition, Develop Malicious Project |
| Log4j [10] | Initial Access | Code Repository Contamination, Development Environment Threats, Vulnerabilities in Third-Party Components/Extensions, Development Tool Threats, Exploiting Application Vulnerabilities and Errors |
| Log4j [10] | Execution | Package Manager Threats, Exploiting Software Vulnerabilities |
| Log4j [10] | Privilege Escalation | Exploiting Software Vulnerabilities |
| Log4j [10] | Defense Evasion | Exploiting Vulnerabilities |
| Log4j [10] | Credential Access | Exploiting Vulnerabilities |
| Driver Talent [64] | Reconnaissance | Collect Target Identity Information, Collect Target Host Information, Scan Open Information Sources |
| Driver Talent [64] | Resource Development | Malicious Acquisition, Hacking the Update Server |
| Driver Talent [64] | Initial Access | Exploiting Valid Accounts |
| Driver Talent [64] | Execution | User Execution |
| Driver Talent [64] | Defense Evasion | Exploiting Valid Accounts, Indicator Removal |
| Driver Talent [64] | Credential Access | Brute Force, Credential Dump |
| Driver Talent [64] | Lateral Movement | Exploiting Valid Accounts, Exploiting Remote Services |
| Driver Talent [64] | Collection | Information from System |
| Driver Talent [64] | Impact | Data Manipulation |
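An event-to-technique mapping like the table above is easy to get wrong by hand: a technique name drifts from the matrix's spelling, or a technique is filed under a tactic the matrix does not list it in, and the portrait silently stops matching the indicator matrix. The Python below is an added example, not the paper's tooling. It encodes only the matrix cells that the two sample events use (a subset transcribed from the matrix tables on this page), normalizes names, reports mistyped or misplaced techniques with the tactic the matrix actually lists them under, orders a validated mapping by kill-chain tactic, and summarizes how many of each tactic's techniques a set of events exercises. The alias table and the idea of a canonical key are assumptions; the event dictionaries are transcribed from the event/tactic/technique table.

```python
"""Validate event-to-technique mappings against the SSC attack indicator matrix
and summarise tactic coverage across events. Added example; the matrix below is
a subset of the paper's matrix, limited to the cells the sample events use."""
import re

TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Subset of the matrix (tactic -> techniques), transcribed from the page's tables.
MATRIX = {
    "Resource Development": {"Develop Malicious Project",
                             "Contributing Malicious Code to Open-Source Repository"},
    "Initial Access": {"Phishing", "Malicious Module Injection"},
    "Execution": {"API Exploitation", "Runtime Backdoor", "User Execution"},
    "Persistence": {"Backdoor in Code"},
    "Privilege Escalation": {"Implant Malicious Dependencies in High-Privilege User Repository"},
    "Defense Evasion": {"Subvert Trust Controls"},
    "Credential Access": {"Forced Authentication", "Man-in-the-Middle Attack (MITM)",
                          "Input Capture", "Leak Insecurely Stored Credentials"},
    "Collection": {"Information from System"},
    "Command and Control": {"Exploitation of Pseudo-Protocol"},
    "Impact": {"Implant Malicious Module"},
}
# Short forms analysts write, mapped to the matrix's canonical name (assumed alias list).
ALIASES = {"mitm": "Man-in-the-Middle Attack (MITM)"}


def _key(name):
    """Case- and whitespace-insensitive comparison key."""
    return re.sub(r"\s+", " ", name.strip().lower())


_LOOKUP = {(_key(t), _key(x)): (t, x) for t, techs in MATRIX.items() for x in techs}


def map_event(name, observations):
    """observations: {tactic: [technique, ...]} as an analyst wrote them.
    Returns (mapping ordered by kill-chain tactic, list of error strings)."""
    mapped, errors = [], []
    for tactic, techs in observations.items():
        if tactic not in TACTIC_ORDER:
            errors.append(f"{name}: unknown tactic {tactic!r}")
            continue
        for tech in techs:
            canon = ALIASES.get(_key(tech), tech)
            hit = _LOOKUP.get((_key(tactic), _key(canon)))
            if hit is not None:
                mapped.append(hit)
                continue
            # Distinguish a technique filed under the wrong tactic from one the matrix lacks.
            elsewhere = sorted({t for (kt, kx), (t, x) in _LOOKUP.items() if kx == _key(canon)})
            if elsewhere:
                errors.append(f"{name}: {canon!r} is not under {tactic}; "
                              f"the matrix lists it under {', '.join(elsewhere)}")
            else:
                errors.append(f"{name}: {canon!r} is not in the matrix (typo or missing technique?)")
    mapped.sort(key=lambda pair: TACTIC_ORDER.index(pair[0]))  # stable: keeps analyst order within a tactic
    return mapped, errors


def tactic_coverage(mapped_events):
    """(tactic, distinct techniques seen, techniques in matrix) per tactic, kill-chain order."""
    seen = {t: set() for t in MATRIX}
    for mapped in mapped_events:
        for tactic, tech in mapped:
            seen[tactic].add(tech)
    return [(t, len(seen[t]), len(MATRIX[t])) for t in TACTIC_ORDER if t in MATRIX]


# Two events as mapped in the page's event/tactic/technique table.
EVENT_STREAMS = {
    "Resource Development": ["Contributing Malicious Code to Open-Source Repository"],
    "Initial Access": ["Malicious Module Injection"],
    "Execution": ["User Execution", "Runtime Backdoor"],
    "Persistence": ["Backdoor in Code"],
    "Privilege Escalation": ["Implant Malicious Dependencies in High-Privilege User Repository"],
    "Credential Access": ["Leak Insecurely Stored Credentials"],
}
XCODEGHOST = {
    "Resource Development": ["Develop Malicious Project"],
    "Initial Access": ["Phishing"],
    "Execution": ["API Exploitation", "Runtime Backdoor"],
    "Defense Evasion": ["Subvert Trust Controls"],
    "Credential Access": ["Forced Authentication", "MITM", "Input Capture"],
    "Collection": ["Information from System"],
    "Command and Control": ["Exploitation of Pseudo-Protocol"],
    "Impact": ["Implant Malicious Module"],
}

if __name__ == "__main__":
    results = []
    for name, obs in (("Event-Streams", EVENT_STREAMS), ("XcodeGhost", XCODEGHOST)):
        mapped, errors = map_event(name, obs)
        results.append(mapped)
        print(name, "->", " / ".join(f"{t}: {x}" for t, x in mapped), errors or "")
    for tactic, seen, total in tactic_coverage(results):
        print(f"{tactic:22s} {seen}/{total}")
```

The coverage summary is the same kind of view an ATT&CK Navigator layer gives: tactics whose techniques no analyzed event has touched are where a portrait built from a small event corpus is weakest, and where detection engineering has the least evidence to work from.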
| Assessment Dimension | Sample Question for the SSCM | Sample Question for the SSCIM |
|---|---|---|
| Understandability | Is it easy to understand the various levels and nodes of the model? | How easy is the content of this technique matrix to understand? |
| Naming Acceptance | How well do you agree with the names of the different levels and nodes of the model? | How well do you agree with the naming of the different tactics and techniques? |
| Structural Acceptance | What are your thoughts on the overall structure of this model? | What are your thoughts on the overall structure of this technique matrix? |
| Position Acceptance | How accurate is the position of each node? | How accurate are the tactical phases to which techniques are assigned in the matrix? |
| Correctness | How correct are the node settings at each layer of the model? | How accurate are the sub-techniques within the matrix? |
| Comprehensiveness | How comprehensive is the model’s coverage of attack points in SSCAs? | How comprehensive is this matrix’s coverage of SSCA techniques? |
| Effectiveness | How effective is the node chain formed by the model for analyzing a specific SSCA event? | How effectively does this matrix analyze the techniques used by attackers in a specific SSC incident? |
| Usefulness | Is this model useful for understanding, analyzing, and defending against the attack surface of the SSC? | How useful is this matrix for analyzing and defending against SSCAs? |
| Dimension | SSCM Mean | SSCM Median | SSCM Acceptance Percentage * | SSCIM Mean | SSCIM Median | SSCIM Acceptance Percentage * |
|---|---|---|---|---|---|---|
| Understandability | 8.03 | 8.00 | 77.50% | 7.90 | 8.00 | 80.00% |
| Naming Acceptance | 7.93 | 8.00 | 80.00% | 7.85 | 8.00 | 85.00% |
| Structural Acceptance | 7.75 | 8.00 | 80.00% | 7.98 | 8.00 | 82.50% |
| Position Acceptance | 7.83 | 8.00 | 85.00% | 8.13 | 8.00 | 87.50% |
| Correctness | 7.90 | 8.00 | 82.50% | 7.93 | 8.00 | 87.50% |
| Comprehensiveness | 7.50 | 7.00 | 72.50% | 7.58 | 7.50 | 77.50% |
| Effectiveness | 8.28 | 8.00 | 85.00% | 8.03 | 8.00 | 82.50% |
| Usefulness | 8.20 | 9.00 | 85.00% | 8.25 | 9.00 | 85.00% |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Wang, M.; Wu, P.; Luo, Q. Construction of Software Supply Chain Threat Portrait Based on Chain Perspective. Mathematics 2023, 11, 4856. https://doi.org/10.3390/math11234856