Slide 1

Slide 1 text

Broken Links: 
 Emergence and Future of Software Supply Chain Compromises Ryan Kazanciyan - Chief Product Officer, Tanium Black Hat Europe 2018
 December 6, 2018

Slide 2

Slide 2 text

Alexandria, VA

Slide 3

Slide 3 text

2004 - 2009 2009 - 2015 2015 - Present

Slide 4

Slide 4 text

Technical Consultant, S2 & S3

Slide 5

Slide 5 text

Software supply-chain attacks a brief timeline

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

MeDoc 2018 2017 2016 2019 HandBrake 2015 2016 2013

Slide 12

Slide 12 text

MeDoc UltraEdit
 “Wily 
 Supply” Ask.com 
 Partner Network Classic Shell
 & Audacity Transmission 2018 2017 2016 2019 HandBrake 2015 Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk 2016 2013

Slide 13

Slide 13 text

Elmedia
 Player 2015 CCleaner MeDoc UltraEdit
 “Wily 
 Supply” Ask.com 
 Partner Network Classic Shell
 & Audacity Transmission Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk 2018 2017 2016 2013 2019 Net-
 Sarang Web Developer
 +8 Chrome 
 extensions HandBrake PyPi
 10 pkgs npm 
 38 pkgs

Slide 14

Slide 14 text

Elmedia
 Player 2015 CCleaner MeDoc UltraEdit
 “Wily 
 Supply” Ask.com 
 Partner Network Classic Shell
 & Audacity Transmission Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk PDFescape Gentoo
 Linux Vesta-
 PC MEGA
 Chrome
 extension StatCounter phpBB Arch 
 Linux
 AUR ESLint npm 
 event-
 stream npm
 getcookies 2018 2017 2016 2013 2019 MediaGet Net-
 Sarang Docker 
 Hub Docker 
 Hub Web Developer
 +8 Chrome 
 extensions HandBrake PyPi
 10 pkgs PyPi
 12 pkgs npm 
 38 pkgs

Slide 15

Slide 15 text

Timeframe: < 1 day Exposure: (?) 25 companies Objective: Targeted compromise

Slide 16

Slide 16 text

Timeframe: < 3 days 
 Exposure: ~4.8 million users Objective: Mass adware

Slide 17

Slide 17 text

Timeframe: One month
 Exposure: > 2M downloads Objective: Targeted compromise of 18 tech firms

Slide 18

Slide 18 text

…and these are just a subset of supply-chain attacks…

Slide 19

Slide 19 text

End-user Software Development Toolchain Hardware and Firmware Enterprise Software SaaS and Service Providers Data 
 Providers

Slide 20

Slide 20 text

End-user Software Development Toolchain Hardware and Firmware Enterprise Software SaaS and Service Data 
 Providers

Slide 21

Slide 21 text

What’s driving these attacks? (despite their relative difficulty)

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

https://www.w3counter.com/trends

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

https://researchcenter.paloaltonetworks.com/2018/02/threat-brief-declining-rig-exploit-kit-hops-coinmining-bandwagon/

Slide 28

Slide 28 text

https://go.recordedfuture.com/hubfs/reports/cta-2018-0327.pdf

Slide 29

Slide 29 text

How have attackers adapted?

Slide 30

Slide 30 text

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

Slide 31

Slide 31 text

https://enigma0x3.net/2018/01/29/reviving-dde-using-onenote-and-excel-for-code-execution/

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

Why we’re vulnerable challenges with prevention & detection

Slide 34

Slide 34 text

Subverting our trust mechanisms

Slide 35

Slide 35 text

Elmedia
 Player* 2015 CCleaner MeDoc UltraEdit
 “Wily 
 Supply” Ask.com 
 Partner Network Classic Shell
 & Audacity Transmission* Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk PDFescape Gentoo
 Linux Vesta-
 PC MEGA
 Chrome
 extension StatCounter phpBB Arch 
 Linux
 AUR ESLint npm 
 event-
 stream npm
 getcookies 2018 2017 2016 2013 2019 MediaGet* Net-
 Sarang Docker 
 Hub Docker 
 Hub HandBrake* PyPi
 10 pkgs PyPi
 12 pkgs npm 
 38 pkgs Attacks that delivered signed malware Web Developer
 +8 Chrome 
 extensions * Signed with a different certificate than the original developer

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

189 signed malware samples 111 certificates 72 compromised certs 80% not revoked http://signedmalware.org/

Slide 38

Slide 38 text

https://arxiv.org/pdf/1803.02931.pdf

Slide 39

Slide 39 text

Software diversity 
 == risk https://twitter.com/halvarflake/status/909864760853884928

Slide 40

Slide 40 text

How many endpoint agents are deployed in a typical enterprise?

Slide 41

Slide 41 text

32%six to ten endpoint agents Ponemon Institute, “2017 State of the Endpoint Report” 27%ten or more endpoint agents

Slide 42

Slide 42 text

What is the ratio of endpoints to unique versions of installed user applications?

Slide 43

Slide 43 text

5-7 x # of endpoints 1-3 x # of endpoints Large networks (>100k endpoints) Small networks (<100k endpoints) * Measured by total unique instances of installed application versions

Slide 44

Slide 44 text

230,000 systems 400,000 unique
 application + version pairs

Slide 45

Slide 45 text

How do security teams cope?

Slide 46

Slide 46 text

No content

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

Trends and patterns
 attacks in the past year

Slide 49

Slide 49 text

Emergence of cryptocurrency payloads

Slide 50

Slide 50 text

Elmedia
 Player 2015 CCleaner MeDoc UltraEdit
 “Wily 
 Supply” Ask.com 
 Partner Network Classic Shell
 & Audacity Transmission Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk PDFescape Gentoo
 Linux Vesta-
 PC MEGA
 Chrome
 extension StatCounter phpBB Arch 
 Linux
 AUR ESLint npm 
 event-
 stream npm
 getcookies 2018 2017 2016 2013 2019 MediaGet Net-
 Sarang Docker 
 Hub Docker 
 Hub Web Developer
 +8 Chrome 
 extensions HandBrake PyPi
 10 pkgs PyPi
 12 pkgs npm 
 38 pkgs

Slide 51

Slide 51 text

5 million downloads of 17 infected images 12,000 users infected 400,000 users infected event-stream ~8 million downloads 1.2 million extension users exposed 700,000 web sites exposed

Slide 52

Slide 52 text

5 million downloads of 17 infected images ~$90,000 (545 Monero coins) https://techcrunch.com/2018/06/15/tainted-crypto-mining-containers-pulled-from-docker-hub/

Slide 53

Slide 53 text

What about more “targeted”, strategic compromises?

Slide 54

Slide 54 text

Elmedia
 Player 2015 CCleaner MeDoc UltraEdit
 “Wily
 Supply” Classic Shell
 & Audacity Transmission Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk PDFescape Gentoo
 Linux Vesta-
 PC MEGA
 Chrome
 extension StatCounter PyPi
 (10 pkgs) phpBB Arch 
 Linux
 AUR ESLint npm 
 event-
 stream npm
 getcookies 2018 2017 2016 2013 2019 MediaGet PyPi
 (12 pkgs) Net-
 Sarang Docker 
 Hub Docker 
 Hub npm 
 (38 pkgs) Ask.com 
 Partner Network HandBrake Web Developer
 +8 Chrome 
 extensions

Slide 55

Slide 55 text

Challenges with timely detection and response

Slide 56

Slide 56 text

phpBB (2018) UltraEdit (2017) Mega Extension (2018) ESLint (2018) Gentoo Linux (2018) Web Developer Extension (2017) Elmedia Player (2017) Transmission (2016) Arch Linux AUR (2018) StatCounter (2018) Handbrake (2017) npm - 38 pkgs (2017) PyPi 10 pkgs (2017) VestaPC (2018) NetSarang (2017) MediaGet (2018) npm - getcookies (2018) MeDoc (2017) CCleaner (2017) Ask.com Partner Network (2016) PDFEscape (2018) PyPi - 12 pkgs (2018) Docker Hub (2017) 0 100 200 300 Approximate # of days Initial compromise to resolution < 1 day > 1 month

Slide 57

Slide 57 text

No content

Slide 58

Slide 58 text

No content

Slide 59

Slide 59 text

Dodging Bullets

Slide 60

Slide 60 text

https://github.com/ChALkeR/notes/blob/master/Gathering-weak-npm-credentials.md 15,495 accounts
 (July 2017)

Slide 61

Slide 61 text

https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

Slide 62

Slide 62 text

https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

Slide 63

Slide 63 text

How to respond practical mitigations for enterprises

Slide 64

Slide 64 text

End-user Software Development Toolchain Hardware and Firmware Enterprise Software SaaS and Service Data 
 Providers

Slide 65

Slide 65 text

Assessing your visibility

Slide 66

Slide 66 text

What • EDR telemetry • On-disk program files & dependencies • Normalized application inventory

Slide 67

Slide 67 text

What • EDR telemetry • On-disk program files & dependencies • Normalized application inventory Where • Endpoint coverage (device types, operating systems, organizational units) • Which teams have access to which data?

Slide 68

Slide 68 text

What • EDR telemetry • On-disk program files & dependencies • Normalized application inventory Where • Endpoint coverage (device types, operating systems, organizational units) • Which teams have access to which data? When • How current is the data? • How far back does the data go? • How quickly can you search it?

Slide 69

Slide 69 text

Managing endpoint software

Slide 70

Slide 70 text

Trending and minimizing application sprawl over time

Slide 71

Slide 71 text

Controlling end-user software distribution

Slide 72

Slide 72 text

https://medium.com/@rootsecdev/controlling-google-chrome-web- extensions-for-the-enterprise-7414bf8cc326 Establishing inventory and control over browser extensions https://specopssoft.com/blog/using-firefox-enterprise-gpos-enable-windows- integrated-authentication-specops-websites/

Slide 73

Slide 73 text

Catching post-compromise activity

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

• Second-stage malware
 • Persistence mechanisms
 • Credential theft
 • Lateral movement
 • Data gathering Attackers still need to expand beyond an initial compromise

Slide 76

Slide 76 text

Testing your processes

Slide 77

Slide 77 text

No content

Slide 78

Slide 78 text

Future attacks and wild speculation

Slide 79

Slide 79 text

End-user Software Development Toolchain Hardware and Firmware Enterprise Software SaaS and Service Providers Data 
 Providers

Slide 80

Slide 80 text

https://news.crunchbase.com/news/venture-funding-ai-machine-learning-levels-off-tech-matures/

Slide 81

Slide 81 text

Where will these startups get their training data or learning models? How will they be protected? www.logicalfallacytarot.com

Slide 82

Slide 82 text

https://arxiv.org/pdf/1808.06809.pdf

Slide 83

Slide 83 text

https://arxiv.org/pdf/1808.06809.pdf

Slide 84

Slide 84 text

Closing thoughts putting things in perspective

Slide 85

Slide 85 text

https://www.ncsc.gov.uk/blog-post/managing-supply-chain-risk-cloud-enabled-products --Ian Levy, Technical Director, NCSC

Slide 86

Slide 86 text

• Software supply-chain attacks are just another means of initial compromise - the same foundational principles for detection, containment, and response still apply

Slide 87

Slide 87 text

• Software supply-chain attacks are just another means of initial compromise - the same foundational principles for detection, containment, and response still apply • Ensure you have a complete, timely, and accurate record of all software on all your computing devices - then drive towards stronger governance over it

Slide 88

Slide 88 text

• Software supply-chain attacks are just another means of initial compromise - the same foundational principles for detection, containment, and response still apply • Ensure you have a complete, timely, and accurate record of all software on all your computing devices - then drive towards stronger governance over it • Challenge your enterprise software vendors to attest to their investment and attention to supply-chain risk

Slide 89

Slide 89 text

Thank you! [email protected] 
 @ryankaz42 https://speakerdeck.com/ryankaz