Supply-Chain Firewall unverified package manager command


Goal

This rule detects instances of Supply-Chain Firewall running a package manager command without verification, which occurs when the underlying package manager is on an unsupported version. Supply-Chain Firewall was therefore unable to resolve the command’s installation targets, if any.

Strategy

This rule monitors Supply-Chain Firewall’s logs for @verified:false. This attribute is set only when Supply-Chain Firewall was unable to verify a package manager command it executed.

Triage and response

  • Examine the logs to determine the package manager command that was executed and whether the command may have installed packages.
  • Determine whether any packages that were installed have associated security advisories using:
    • Datadog Security Research’s public malicious packages dataset
    • OSV.dev’s public API or website
  • Based on the results of the previous step, take any necessary action to remediate the system where the command was executed.
  • If possible, update the affected package manager to a supported version to take advantage of Supply-Chain Firewall verification.
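The triage steps above, as an added example that is not part of Supply-Chain Firewall or this rule: it filters log records with verified:false, works out from the command line whether the command could have installed packages and which ones (since the firewall could not resolve the targets), and builds the per-package query bodies for OSV.dev’s /v1/query endpoint. The JSON field names (verified, command), the sample log lines and the pip/npm spec parsing are assumptions made for the example.

```python
import json

# Constructed sample log lines. The JSON field names (verified, command) are an
# assumption about Supply-Chain Firewall's log shape, not taken from its docs.
SAMPLE_LOGS = [
    '{"verified": true, "command": "pip install requests==2.32.3"}',
    '{"verified": false, "command": "npm install left-pad@1.3.0 lodash"}',
    '{"verified": false, "command": "pip --version"}',
    'not a json record',
]
INSTALL_VERBS = {"pip": {"install"}, "npm": {"install", "i", "add"}}  # pulls packages
OSV_ECOSYSTEM = {"pip": "PyPI", "npm": "npm"}  # ecosystem names OSV.dev expects

def parse_spec(manager, spec):
    """Split 'name==ver' (pip) or 'name@ver' (npm) into (name, version or None)."""
    sep = "==" if manager == "pip" else "@"
    idx = spec.find(sep, 1)  # start at 1 so npm scoped names (@scope/pkg) survive
    return (spec, None) if idx == -1 else (spec[:idx], spec[idx + len(sep):])

def unverified_events(lines):
    """Return verified:false records with the package specs named on install-like commands."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort triage
        if rec.get("verified") is not False:
            continue
        argv = rec.get("command", "").split()
        manager = argv[0] if argv else ""
        may_install = len(argv) > 1 and argv[1] in INSTALL_VERBS.get(manager, ())
        specs = [a for a in argv[2:] if not a.startswith("-")] if may_install else []
        events.append({"command": rec.get("command", ""), "manager": manager,
                       "may_install": may_install, "specs": specs})
    return events

def osv_queries(event):
    """Build one JSON body per package for POST https://api.osv.dev/v1/query; sending is left to the caller."""
    eco = OSV_ECOSYSTEM.get(event["manager"])
    if not event["may_install"] or eco is None:
        return []
    queries = []
    for spec in event["specs"]:
        name, version = parse_spec(event["manager"], spec)
        body = {"package": {"name": name, "ecosystem": eco}}
        if version:
            body["version"] = version
        queries.append(body)
    return queries
```

A command that is not install-like (such as pip --version) is still reported, so the analyst can confirm it installed nothing, but it yields no OSV queries.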