June 16

Webinar takeaway: Learn to Detect and Defend Against Supply Chain Attacks Before They Compromise Your Network


My key takeaways

  • The first trojan was probably implemented in 1983 by Ken Thompson, who invented Unix, C, ...
  • He also warned back then: "You can’t trust code that you did not totally create yourself"
  • Brand new hardware from the factory can be infected by malicious code as well
  • Also open source software is constantly compromised
    • example of a free website counter enforcing a backlink, first to a harmless picture, later switched unnoticed to a malicious JS file
    • WP Plugin "SEOPressor" implementing a backdoor as well
  • The creator of PHP is named Rasmus Lerdorf
  • A security scan of well known programming languages revealed:
  • Beware of package typosquatting:
    • naming a malicious package almost like a well-known and widely used one, so it gets pulled in if
      • the developer makes a typo like "atlas-client" instead of "atlas_client"
      • a developer searches a repository like PyPI and misspells the package they are looking for
  • Roger Grimes was involved in the forensics of the 2011 RSA attack
    • He believes the seed for the RSA SecurID token was stolen (Others say nay)
    • and used to break in at e.g. Lockheed Martin
  • Great image of the timeline for the Solarwinds supply chain attack
    • 425 of the US Fortune 500 companies have been affected
    • a teardrop attack, as the malware created a lot of different malicious files over time
    • they had some 0-days for M$ and VMware and bypassed MFA as well
  • Why are these attacks so hard to detect?
    • often implanted in sources you could trust, and have trusted, for a long time
    • the malware uses encryption to call home
  • Prevention is preferred over detection
  • Social engineering (SE) is responsible for 70-90% of breaches
    • second is unpatched software
  • Best defenses to not let them in
    • mitigate SE
    • Patch Internet-accessible software
    • Use non-guessable passwords/multifactor authentication (MFA)
    • Use Least-Permissive Permissions
    • Aggressive monitoring, anomaly detection, and alerting
  • Developers should not reuse code they cannot inspect and approve as "backdoor free" <- IMPOV: unrealistic
  • Most developers (cough, cough) have accidentally leaked some credentials, e.g. on GitHub
  • run e.g. Process Explorer to inspect what is running on your machine
  • Look for anomalies!
    • in network traffic
    • in processes
    • in login attempts
  • Do a "heartbeat" test: send a potentially malicious file to a system and watch whether the alert goes off
    • if not, inspect why
  • Honeypots are probably one of the most underrated and underused deception techniques, according to Roger Grimes
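The typosquatting point above is something you can check for before a dependency ever gets installed. The script below is an added example (my own, not from the webinar or any project it mentions): it reads a constructed requirements list, compares each name against an allowlist of vetted packages, and flags names that are one edit away from a trusted one. One caveat it also demonstrates: PyPI normalizes names per PEP 503, so "atlas-client" and "atlas_client" resolve to the same project there, while in an ecosystem without that normalization the separator swap is a distinct, and therefore suspicious, name.

```python
import re

# Constructed sample input: a requirements file and the names a team has vetted.
REQUIREMENTS = """\
requests==2.31.0
requets>=2.0
atlas-client
atlas_clien
numpy
"""
TRUSTED = ["requests", "atlas_client", "urllib3"]


def normalize(name, pep503=True):
    """Lower-case the name; with pep503=True also collapse runs of '-', '_' and '.'
    to a single '-', which is how PyPI itself compares project names (PEP 503)."""
    name = name.strip().lower()
    return re.sub(r"[-_.]+", "-", name) if pep503 else name


def levenshtein(a, b):
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_requirements(text, trusted, pep503=True, max_distance=1):
    """Classify each requirement as 'trusted' (matches an allowlisted name),
    'suspicious' (within max_distance edits of one but not identical) or
    'unknown'. Returns {dependency_name: (status, nearest_trusted_or_None)}."""
    trusted_norm = {normalize(t, pep503): t for t in trusted}
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dep = re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0]  # strip version/extras
        n = normalize(dep, pep503)
        if n in trusted_norm:
            result[dep] = ("trusted", trusted_norm[n])
            continue
        nearest = min(trusted_norm, key=lambda t: levenshtein(n, t))
        if levenshtein(n, nearest) <= max_distance:
            result[dep] = ("suspicious", trusted_norm[nearest])
        else:
            result[dep] = ("unknown", None)
    return result


if __name__ == "__main__":
    for dep, (status, near) in check_requirements(REQUIREMENTS, TRUSTED).items():
        print(f"{dep:15} {status:11} {near or ''}")
```

"unknown" names are not necessarily bad; they just have no vetted neighbour and need a normal review, whereas "suspicious" ones deserve a look before the build pulls them in.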

Tags

blue team, social engineering, solarburst, supply chain