Info
ID: AT-RE002.003
Technique: Application Dependencies Mapping
Tactic: Reconnaissance
Platforms: PRE
Version: 1.0
SBOM Analysis
Software Bill of Materials (SBOM) Analysis is a reconnaissance sub-technique within Application Dependencies Mapping where attackers analyze SBOM files to identify vulnerable dependencies in target applications. SBOMs, which document all components and dependencies in software packages, have become more prevalent due to regulatory requirements and supply chain security initiatives. Attackers leverage these inventory documents to map the application's dependency structure, identify outdated or vulnerable components, and discover specific library versions with known security flaws. By comparing SBOM contents against vulnerability databases (like NVD or OSV), attackers can precisely target exploitable dependencies without needing direct access to the application's source code. Organizations that publish SBOMs for compliance or transparency inadvertently provide attackers with a detailed blueprint of potential attack vectors, making this an efficient early-stage reconnaissance method that requires minimal probing of the target system itself.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Limit the granularity of SBOM information published publicly. Consider publishing sanitized versions that exclude specific version numbers for internal dependencies. |
| M1017 | User Training | Train development teams on the risks of publishing detailed dependency information and establish guidelines for SBOM publication. |
| M1021 | Restrict Web-Based Content | Implement access controls on SBOM repositories and limit public access to detailed dependency information. |
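As an added example (not part of this technique page or any real project), the two defender-side checks the description and M1013 imply: matching a CycloneDX-style SBOM against an advisory feed before it is published, and redacting exact versions of internal components. The SBOM, the advisory feed, the package names and the group `com.example.internal` are all constructed sample data.

```python
import json

# Constructed CycloneDX-style SBOM (sample data; package names, versions and the
# internal group are invented for this example, not taken from any real product).
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"type": "library", "group": "org.example.oss", "name": "http-parser",
   "version": "2.14.1", "purl": "pkg:maven/org.example.oss/http-parser@2.14.1"},
  {"type": "library", "name": "requests", "version": "2.31.0",
   "purl": "pkg:pypi/requests@2.31.0"},
  {"type": "library", "group": "com.example.internal", "name": "billing-core",
   "version": "3.2.0", "purl": "pkg:maven/com.example.internal/billing-core@3.2.0"}
 ]}"""

# Constructed advisory feed shaped like an OSV affected range:
# (ecosystem, package) -> [(advisory id, introduced, fixed)].
ADVISORIES = {
    ("maven", "org.example.oss:http-parser"): [("ADV-EXAMPLE-0001", "2.0.0", "2.15.0")],
}

def parse_version(v):
    """Dotted-integer version compare; enough for the sample data."""
    return tuple(int(p) for p in v.split("."))

def purl_key(purl):
    """pkg:maven/group/name@ver -> ("maven", "group:name") for the feed lookup."""
    body = purl.split("pkg:", 1)[1].split("@", 1)[0]
    ecosystem, _, path = body.partition("/")
    return ecosystem, path.replace("/", ":")

def find_vulnerable(sbom_json, advisories=ADVISORIES):
    """Return (purl, advisory id) for each component inside an affected range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        ver = parse_version(comp["version"])
        for adv_id, introduced, fixed in advisories.get(purl_key(comp["purl"]), []):
            if parse_version(introduced) <= ver < parse_version(fixed):
                hits.append((comp["purl"], adv_id))
    return hits

def sanitize_sbom(sbom_json, internal_groups):
    """M1013: strip exact versions of internal components before publication."""
    sbom = json.loads(sbom_json)
    for comp in sbom.get("components", []):
        if comp.get("group") in internal_groups:
            comp.pop("version", None)
            comp["purl"] = comp["purl"].split("@", 1)[0]
    return json.dumps(sbom)
```

Anything `find_vulnerable` flags is what an attacker reading the published SBOM would find first, so it should be fixed before the file goes out; `sanitize_sbom` only reduces what the public copy reveals about internal code.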
Detection
Most SBOM analysis is performed off-network using copies of SBOM artifacts that an organisation publishes for transparency or compliance. As such, defenders rarely receive endpoint or network telemetry during the reconnaissance stage.
Detection is generally limited to:
- Download analytics from the platform hosting the SBOM (artifact repository, website) when detailed logs are available.
- Third-party intelligence that monitors mass-download of SBOM files or correlates scraper fingerprints with known threat actors.
- Later-stage indicators, e.g., exploitation attempts that precisely match CVEs affecting the versions listed in the public SBOM.