Understanding SBOMs and Your Software Attack Surface

Mar 20, 2024

Written by Tim Barone

Over the course of my career, I've seen a lot of cool technology, but I think most of us know in the cybersecurity community that the weakest link is typically the human. Many times that was in the form of performing security assessments and seeing how companies tracked inventory of components of their system or should I say failed to track. Back in the day, when it came to software, you were lucky to see an accurate list of software applications. Generally, it was listing out applications without understanding what they were actually composed of. I could also argue that most didn’t really know what software they had running in their environment(s).


Cut to today, as cyberattacks grow in sophistication and frequency, organizations must adopt robust strategies to mitigate risks effectively. Late last year, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on Software Bill of Materials (SBOM), offering a valuable framework to enhance cybersecurity practices. At Hunted Labs, we understand why SBOMs are important (it’s kinda our thing), and how organizations can leverage CISA's guidance to bolster their cybersecurity posture.


What is a Software Bill of Materials (SBOM)?


A Software Bill of Materials (SBOM) is a detailed inventory of software components used in a particular application or system. Similar to a traditional bill of materials in manufacturing, an SBOM provides a comprehensive list of all software elements, including open-source libraries, third-party components, and dependencies, along with their versions and sources. By providing visibility into the software supply chain, an SBOM helps organizations map their software attack surface, understand the composition of their software assets and assess each and every potential attack vector an attacker could leverage against them. 


The Cyber Kill Zone emphasizes the importance of visualizing your software attack surface. This is the first step in understanding the threats present within your software, and more importantly, the relationships within all of the dependencies that helps you really start to understand the complexity of the blast radius with some of these software supply chain attacks that plague the headlines today. From our assessments and internal research, most organizations lack visibility into the components used in their applications, which can leave them vulnerable to various security threats, including supply chain attacks, software vulnerabilities, and license compliance issues. It’s important to note that failing to gain visibility into your software attack surface using SBOMs puts you on poor footing to establish an advantage over a software supply chain attack, which could actually start from an unintentional/unmalicious intention. 


CISA's SBOM Guidance: Key Recommendations


In its SBOM guidance, CISA provides recommendations for organizations to create, maintain, and leverage SBOMs effectively. Some key recommendations include:


  1. Establish SBOM Requirements: Organizations should establish policies and procedures requiring the creation and maintenance of SBOMs for all software assets, including internally developed software and third-party applications.
  2. Automate SBOM Generation: Leveraging automated tools and processes for SBOM generation can help organizations streamline the creation and maintenance of SBOMs, ensuring accuracy and consistency across software assets.
  3. Integrate SBOM into Security Practices: SBOMs should be integrated into existing security practices, such as vulnerability management, incident response, and risk assessment, to enhance the effectiveness of cybersecurity measures.
  4. Collaborate with Software Suppliers: Organizations should collaborate with software suppliers and vendors to obtain accurate and up-to-date SBOMs for third-party software components, fostering transparency and accountability throughout the software supply chain. 


Hunted Labs' SBOM Recommendations


  1. Validate Remediation Reaches the Developers Hands: Automate the remediation at best, but worst case, validate the remediation information is accurate and makes its way back to the developer. Often, remediation information available through a series of links are available for the responsible developer to power-click on - that is remediation information, not remediation steps. The difference is multiple hours of wasted time and a diluted ROI on an SBOM. 
  2. Hunt with SBOMs: Have the ability to hunt for a specific package in a matter of seconds. At Hunted Labs, we focus on the hunt. It’s important to just type a package identifier and identify your blast radius quickly. In actual security incidents, this can save an enterprise organization millions of dollars in potential damages. This is really useful for leveraging existing cyber threat intelligence and hunting for IoCs within your SBOM. The team that leverages third party and relevant data points to overlay on top of the SBOM has a strategic advantage in their cybersecurity posture by allowing their teams to draw additional cybersecurity insights such as continuously identifying potential IoCs or even IoAs that could be hidden within your software attack surface. 
  3. Enrich your SBOM Data with Other Security Information: SBOM is a great data point, but nothing is the solution to every problem – no matter how many times you see it on LinkedIn. SBOMs aren’t the end all be all. Leverage third party and other security data points to overlay on top of the SBOM to identify additional cybersecurity insights such as identifying potential IoCs or even IoAs that could be hidden within an SBOM in your organization. 


Conclusion


CISA's guidance on SBOMs provides organizations with a basic, yet valuable framework to enhance visibility, transparency, and accountability in their software supply chains. By implementing these best practices, organizations can strengthen their cybersecurity posture and take a step in mitigating software supply chain risks. By adopting Hunted Labs recommendations, your organization can actually build resiliency into your software supply chain, help manage your software attack surface, and reduce your blast radius by integrating SBOMs into existing cybersecurity operations. To learn more about how SBOMs can help you maneuver in the Cyber Kill Zone, check out our previous blog here


Did We Miss Something?


At Hunted Labs, we want to be transparent about hearing different voices and perspectives from members of the community. If we missed something, please reach out!


HAPPY HUNTING!

Where the Wild Things Are: A Complete Analysis of Jia Tan’s GitHub History and the XZ Utils Software Supply Chain Breach

By Hayden Smith 02 Apr, 2024
The following is a story about the recent XZ Utils security breach and how things came about. For more context on the exploit, take a stroll over to here . What can I say? My mother only read me picture books growing up. Once upon a time there was a software developer, belonging to a nation-state that was an extremely patient and persistent attacker. They created a GitHub account on January 26th 2021.

Software Supply Chain Defense: Colorama, GitHub, and More

By Hayden Smith 26 Mar, 2024
Recently, there was an attack targeting 170k+ GitHub users in a very complex attack that leveraged a lot of different tricks in the book including stealing session cookies, account takeover, dependency confusion and dependency hijacking just to name a few. I think all of the NVD drama drowned this out, but it's a pretty damning indicator of persistence to commit a software supply chain attack by adversaries which have planted this since *squints at watch* early February! Attackers are patient and can fool anyone, even maintainers who are the trusted guardians of a repository. Today, we will discuss lessons learned from the attack and some easy things your teams can do to protect their organization. 1. Anyone can be a target. Yes, that means you: Again, we are really cautious about putting out any FUD, but when we find a package as widely used as Colorama, anyone can fall victim to an attack as widespread as this which impacted just your every day developers doing their own projects after logging off of the 9 to 5. It’s time to step it up. It’s time to step it up and gain visibility into your software supply chain ( Cyber Kill Zone Tenet #1). SSC Defense: Incorporate security tooling into your CLI. When you are pulling packages, validate your packages being pulled are coming from legitimate upstream sources. S/O to my good friends over at Phylum which provides a fine tool to help protect your source code via blocking malicious packages from being downloaded onto your machine: https://docs.phylum.io/ 2. The Details Matter: The only difference between the legitimate website versus the poisoned domain was Python hosted versus PyPi hosted. Here is a screenshot from the CheckMarx blog, which you can find here .

Using Bard to Secure the Software Supply Chain

By Hayden Smith 12 Mar, 2024
SBOMs, CTI, and I

How SBOMs Help You Maneuver in the Cyber Kill Zone

By Hayden Smith 16 Jan, 2024
Prepare yourself/team/organization for a pre zero day, zero day, software supply chain attack. Knowing the software in your organization is a necessity for tracing threats in your software supply chain. See a break down of some of the OSS tooling available to help you make sense of the ever growing software supply chain attack surface.

CYBER KILL ZONE

By Hayden Smith 03 Jan, 2024
In this blog we discuss defining the Cyber Kill Zone, how it differs to be more proactive than the Cyber Kill Chain, and how to identify if you are in a Cyber Kill Zone today.
Share by: