As the inaugural Supply Chain Cybersecurity Summit approaches, we're getting excited for two days packed with expert presentations exploring critical supply chain challenges and potential solutions organizations can implement to help mitigate third-party risk.
The Summit's advisory board has worked diligently to assemble an agenda that provides a diverse set of perspectives on and approaches to the problem of supply chain cybersecurity. Below you'll find some featured presentations which will help you become better equipped to deal with this often-overlooked threat vector.
For the entire list of Supply Chain Summit presentations and speakers, check out the Complete Summit Agenda.
We'll kick off both Summit days with in-depth talks from two of the most well-respected cybersecurity leaders in the industry.
Third Party Software Assessments for Modern Development
Chris Wysopal, Veracode
Software is no longer delivered on a CD-ROM with occasional updates. Software delivery has become a continuous process for SaaS, mobile and desktop apps. So what value is a point in time assessment to understand the risk accepted by software users? Software assessments must become continuous and process based. There is also a need to balance the transparency desired by software users with the needs of vendors to be effective in software delivery and maintenance. We need continuous assessment with the right level of transparency to keep up with our rapidly changing and deeply nested software supply chains.
About Chris Wysopal
Chris Wysopal, Veracode's CTO and Co-Founder, is responsible for the company's software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTO's and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.
When Your OT Support Supports the APT
Jake Williams @malwarejake, SANS Institute; Rendition Infosec
Manufacturing, medical, and many other environments have extremely specialized (and expensive) operational technology (OT) devices. Due to a high degree of specialization, these devices are rarely maintained by the same organization that operates them. In some cases, these devices are merely leased from the manufacturer, remotely maintained by the manufacturer, but deployed in a customer's production network.
While it is well understood that remote support technicians could achieve malicious effects through remote administration software, what about APT? How easily can an advanced attacker pivot from an infected remote support machine to the OT device (and ultimately to the customer network)? In this talk, Jake will walk through the mechanics of compromising OT equipment via remote support software complete with demonstrations of gaining access.
About Jake Williams
SANS Senior Instructor and Founder of Rendition Infosec, Jake Williams boasts a decade of experience in secure network design, pen testing, incident response, forensics, and malware reverse engineering. He's obtained clearance from various government agencies and regularly responds to cyber intrusions by state-sponsored actors in the financial, defense, aerospace, and healthcare sectors. Williams developed a cloud forensics course for a U.S. government client, the pentesting tool Dropsmack, the anti-forensics tool ADD, and builds other custom solutions to address incident and malware-reversing challenges. He has identified vulnerabilities in a state counterpart to Healthcare.gov, and as a former N.S.A. employee, Williams' expert opinion is a frequently sought after by Wall Street Journal and New York Times reporters.
These presentations include new research, interesting concepts, and innovative approaches to supply chain cybersecurity.
Hacking the Motherboard: Exploiting Implicit Trust in All of the Forgotten Places
Sophia d'Antoine @Calaquendi44, River Loop Security
Last year, Bloomberg's Big Hack article gave everyone a (questionably accurate but) much needed scare which forced companies to evaluate their exposure to supply chain intervention attacks. But a wider acknowledgment of the problem doesn't make it go away. We need to understand the attack vectors and the inherent hardware vulnerabilities used by these backdoors, as well as the steps we can take to protect ourselves. We must have confidence in the systems and the technical infrastructure that supports our economy. This confidence currently relies on too much implicit trust — overlooking serious risks. Assurance in this area is hard won, manual, and costly.
In this talk, Sophia will dive into several recent hacks including the ASUS software update hijacking and the SuperMicro supply chain allegations vs. reality. This discussion will include a technical overview of various types of hardware implants, the access they enable, and what we should be doing to detect and mitigate. Attendees will leave the talk with an in-depth understanding of what a hardware implant is, what types of implants provide what capabilities, and — with this knowledge — how to protect their enterprise from these attacks against a modern supply chain.
About Sophia d'Antoine
Sophia is a Director of Research at River Loop Security. She is a graduate of RPI, and earned her MS on exploiting CPU optimizations, which later assisted in the development of Spectre/Meltdown. Sophia has spoken at dozens of conferences, sits on the PC for WOOT and SummerCon, and is the NYU Hacker in Residence. She develops tooling to assist vulnerability discovery.
Trust but Verify: An Argument for Security Testing Vendors
Rachel Black, One Medical and Kyle Tobener @kylekyle, Salesforce
Before a company shares data with an external vendor, an important question needs to be considered: Does this vendor have a mature security program that will keep the company's data safe? To answer this question, companies often employ a variety of vendor risk-management strategies, including questionnaires, requests for documentation, and contract language, as well as a variety of new tools that scan the public face of a vendor. But are these strategies truly effective at gauging the vendor's security maturity?
In this session, the presenters will argue that hands-on security testing is one of the best methods to measure security maturity, and that it is far more effective than any other strategy. You'll learn how best to incorporate security testing into your vendor risk-management program at any scale, scope your testing, interpret results, and overcome the common challenges that a security team can face with hands-on security testing.
About Rachel Black
Rachel Black is a Senior Manager of Application Security at One Medical focusing on product security, vendor security, and a little of everything else. In her free time she snuggles with her Corgi, plays Stardew Valley on the Switch, and religiously uses Yelp to decide where to eat!
About Kyle Tobener
Kyle is a Director of Enterprise Security at Salesforce where he focuses on vendor and application security. In his free time, he collects cyberpunk paintings, runs the largest board game Meetup in San Francisco, and teaches his toddler daughter to break things.
It's not a SANS Summit without a deep technical dive. These demonstrations will show you ways an adversary can attack your supply chain.
Hack Your Lunch: A Live Demo of How Your Supply Chain is Getting Pwned!
Brandon Helms @_ChiefyChief, Rendition Infosec
Working as a Red Teamer has challenged Brandon's thinking and helped build solutions to previously unsolved problems. One of the more interesting solutions that he helped engineer revolved around using the developer to enable the deployment of their tools. In this presentation, Brandon will demonstrate the impact of a developer being compromised and the exponential impact that can result from it.
In this hands-on demo, we will reconstruct an engagement where a developer was compromised and the attacker (Red Teamer in this case) was able to inject malicious code into the production code base which in return enabled remote access to any user that executed that code. You will be able to see the impact from both the developer's point of view as well as the attacker. Afterwards, Brandon will decomp the indicators and speak to best practices when using centralized code repositories and engineering production-based workflows.
About Brandon Helms
Brandon is the COO at Rendition Infosec. He has dedicated most of his career to leading some of the most advanced cyber operations for both the DoD and private sector. He was a Chief Petty Officer in the U.S. Navy where he ran IT and security operations for submarines and then transitioned to become a technical director at the NSA. Following his military career, he entered the private sector as a Business Information Security Officer, supporting numerous Nation States and Fortune 500 companies. Today, his focus is on training the next generation of cybersecurity professionals.
Bring Your Own Threat - Supply Chain Attacks Using Personal IoT Devices in Companies
Martin Hron @thinkcz, Avast
According to statistics, 35% of IT Directors report more than 1,000 pieces of shadow IoT on their networks daily, 39% said they used personal devices connected to the enterprise network. Most popular devices were fitness, digital assistants and smart kitchen devices. Every single day we hear how consumer IoT is weak and in its infancy, still, according to the statistics, these devices are commonly allowed to join computer networks of many small, medium and big companies. What could go wrong? If we talk of software supply chain attacks, the situation is somewhat easier, but what about all those IoT devices, we don't really have insight into? How easy is it to infiltrate enterprise network using off the shelf commodity IoT?
Martin will present a proof of concept (live demo) of how this could theoretically happen. Using a simple camera with modified-firmware an attacker may start the attack from the inside out which gradually leads to getting access into the network infecting a coffee maker, modifying router settings, and in the end deploying ransomware, rendering the whole network inoperable. In conclusion, he'll discuss possible attack vectors and solutions to this problem.
About Martin Hron
Martin is a Security Researcher at Avast where he leads research across various disciplines such as dynamic binary translation, hardware-assisted virtualization and malware analysis. Recently, his focus is on firmware and IoT security. Martin is devoted to technology and is a true software and hardware reverse engineer with more than 20 years of experience in the industry.
Attend the inaugural Supply Chain Cybersecurity Summit!
These are only a few of the presentations on the Summit agenda. In addition to expert talks and demos, the Summit will host an evening reception, onsite luncheons, and several networking sessions. This is your chance to learn, share, and connect with the best in Supply Chain Cybersecurity. We hope to see you there!