HF 2021 - Call for Papers

Signed, Sealed, Delivered: Abusing Trust in Software Supply Chain Attacks
2021-11-19, 14:30–15:20, Hackfest - Track 1

As Marc Andreessen so aptly noted, “Software is eating the world”. Our technology-driven world increasingly relies on third-party code, open source libraries and shared repositories. We don’t fully appreciate just how interconnected we are, or how that translates into software code dependencies. It took an event like the SolarWinds Orion attack to rattle the bars on that cage and wake us up to what has been going on for some time. The reality is that software supply chain attacks aren’t new. They have been around for many years, and we have been watching that check engine light without really addressing the issues. Recent attacks show how easy it is to create confusion and send malicious code, undetected, through automated channels to trusting recipients. SolarWinds delivered a hard truth to defenders: everyone is vulnerable when trust can be abused. Where is the weakest link in your software supply chain of trust?


Talk Outline
An Abuse of Trust:
• What software supply chain attacks are
• The abuse of trust and compromise at the source
• The risk of trusted third parties that themselves depend on third parties: MSPs, SolarWinds
• Who the attackers are, and what their targets and motivations are
• Using stolen certificates to move laterally through chains of trust
• "As long as you can own the people you can own the world" (Marc Rogers, Okta)

Pwning Open Source:
• How our drive to innovate and our migration to the cloud fuel ever-increasing code dependency
• The increased targeting of online code repositories and automated software distribution
• How abuse of code signing lets attackers impersonate trusted programs, evade detection and bypass security controls
• A timeline of supply chain attacks on repositories

Understanding Continuous Integration and Continuous Delivery:
• The road to hell is paved with good intentions: CI/CD is a DevOps best practice and is meant to deliver good things
• But, as we continue to see, mistakes get made: accidental credential exposure, misconfigurations

It's Happened Before:
• Walk-through of past attacks, including Operation Aurora, CCleaner and NotPetya
• Contrast these with a walk-through of current attacks, starting with SolarWinds, Dependency Confusion, Codecov and XcodeSpy

Take Away: historical context shows the tactics, techniques and procedures used in past attacks that we can monitor for and secure against.

Now What Do We Do?
• Review current best practices and mitigations for securing these cloud assets
• Help from Sigstore (Linux Foundation) and Package Hunter (GitLab)
Audience Takeaways:
1) Attendees will gain awareness of how software supply chain dependencies have become vulnerabilities over time, and how that can impact them
2) They will understand how dependencies and overlap have become risk in an increasingly open-source world, through shared repositories and code reuse
3) Walk-throughs of attacks will show the tactics and vulnerabilities exploited by threat actors, notably nation-state backed ones, and how those can be reviewed against existing security controls to monitor and mitigate
4) Recommendations of best practices and mitigations to secure these assets, as well as new services offered to verify, protect and check for malicious code
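The Dependency Confusion walk-through and the mitigations review above both come down to one resolver behaviour: when a build tool treats a private index and a public index as equally trusted, the highest version wins, wherever it came from. The following is an added example written for this page (it is not the speaker's code and not pip's implementation): a toy resolver over two constructed indexes that shows the look-alike public package winning, a version pin on its own staying ambiguous once the attacker mirrors the pinned version, and two mitigations that remove the ambiguity, pinning by digest and scoping internal names to the private index. Package names, versions and digests are constructed sample data.

```python
# Added example: toy model of multi-index package resolution and dependency
# confusion. Illustrative only; not pip's resolver and not the talk's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    source: str   # which index served this candidate
    digest: str   # constructed placeholder for a package hash


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. '1.3.0' -> (1, 3, 0)."""
    return tuple(int(part) for part in v.split("."))


# Constructed sample data. 'acme-auth' is an internal package served only by
# the private index. An attacker has registered the same name publicly with a
# huge version number, and also mirrored the version the victim pins to.
PRIVATE_DIGEST_130 = "sha256:priv-1.3.0-constructed"
PRIVATE_INDEX = {
    "acme-auth": [
        Candidate("acme-auth", "1.2.0", "private", "sha256:priv-1.2.0-constructed"),
        Candidate("acme-auth", "1.3.0", "private", PRIVATE_DIGEST_130),
    ],
}
PUBLIC_INDEX = {
    "acme-auth": [
        Candidate("acme-auth", "99.0.0", "public", "sha256:attacker-99-constructed"),
        Candidate("acme-auth", "1.3.0", "public", "sha256:attacker-1.3.0-constructed"),
    ],
    "requests": [
        Candidate("requests", "2.28.0", "public", "sha256:requests-constructed"),
    ],
}


def candidates_for(name, indexes, version=None, digest=None):
    """Collect candidates for `name` from every index, filtered by an optional
    exact version and an optional exact digest."""
    cands = [c for idx in indexes for c in idx.get(name, [])]
    if version is not None:
        cands = [c for c in cands if c.version == version]
    if digest is not None:
        cands = [c for c in cands if c.digest == digest]
    return cands


def resolve(name, indexes, version=None, digest=None) -> Candidate:
    """Pick the highest matching version across all indexes, treating every
    index as equally trusted. This is the confusable behaviour."""
    cands = candidates_for(name, indexes, version, digest)
    if not cands:
        raise LookupError(f"{name}: no matching candidate")
    return max(cands, key=lambda c: parse_version(c.version))


def resolve_scoped(name, private_names, private_index, public_index) -> Candidate:
    """Mitigation: an internal name is only ever resolved from the private
    index, so a public look-alike is never consulted for it."""
    if name in private_names:
        return resolve(name, [private_index])
    return resolve(name, [public_index])


def demo() -> dict:
    both = [PRIVATE_INDEX, PUBLIC_INDEX]
    return {
        # Merged indexes: attacker's 99.0.0 beats the real 1.3.0.
        "merged": resolve("acme-auth", both),
        # Pin by version only: the attacker mirrored 1.3.0, so two sources match.
        "pinned_version_sources": sorted(
            {c.source for c in candidates_for("acme-auth", both, version="1.3.0")}),
        # Pin by version + digest: only the genuine artifact survives.
        "pinned_with_hash": resolve("acme-auth", both, version="1.3.0",
                                    digest=PRIVATE_DIGEST_130),
        # Scope internal names to the private index.
        "scoped": resolve_scoped("acme-auth", {"acme-auth"}, PRIVATE_INDEX, PUBLIC_INDEX),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24} -> {result}")
```

The point of the middle case is the caveat practitioners most often miss: a version pin alone does not stop dependency confusion once the attacker publishes the pinned version too; only a digest pin or index scoping makes the choice unambiguous.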


Are you releasing a tool? – no
Has this talk already been given? – yes