The attacker's guide to supply chain attacks
Abstract
Take a step into the world of black hat hacking groups and follow them step by step through a supply chain attack.
Software supply chain attacks have become alarmingly prominent over the past few years. Successful exploits have changed the economics adversaries operate under, allowing them to conduct more sophisticated attacks with wide-reaching implications. This presentation focuses on exactly how adversaries target and exploit the software supply chain. The audience will learn not only how attackers were able to compromise the supply chain, but will be able to recreate many of the steps taken and, most importantly, learn which defensive measures prevent supply chain incidents of their own.
We first examine broadly what supply chains are, using the SLSA framework, and take a short journey into the interesting world of hacker economics, hackanomics if you like. Here we explain the relationship between financial risk and reward that drives malicious actors' activities, and explore why attacking the supply chain turned previous economic models on their head.
Next, we will focus our attention on four different methods of attacking the supply chain, these are:
Attacking the CI/CD pipeline
Breaching the version control systems (VCS)
Poisoning open-source dependencies
Abusing AI LLMs
For each of these methods we will walk through the anatomy of high-profile successful attacks, showing the audience how initial access was gained, how privileges were escalated, and ultimately how the attackers achieved their goals.
In the final stretch, we'll synthesize our findings into effective defense strategies, emphasizing the concept of inside-out security, breach detection, and containment.
Speaker: Mackenzie Jackson
Company: Aikido Security
Function: Developer Advocate
Mackenzie is a developer advocate and lifelong traveler with a passion for DevSecOps. As the co-founder and former CTO of Conpago, he learned first-hand how critical it is to build secure applications with robust developer operations.
Today he continues his passion for security as the head of DevRel at Aikido Security.
Mackenzie is also the host of The Security Repo podcast and a prominent security writer contributing to The Financial Times, Dark Reading, Security Boulevard, and more.
He has spoken at conferences in 30 countries around the world, from Kazakhstan to Sydney, and has also been featured in security documentaries and made multiple TV appearances.