The Enemy Within: Modern Supply Chain Attacks

Conference: BlackHat USA 2019



Key takeaways on clear contracts, regular software assessments, and inventorying services in cybersecurity and DevOps:
  • Clear contracts should spell out security expectations in partner and supplier relationships
  • Regular software assessments are necessary and should include listening for potential issues across the extended ecosystem, not just first-party code
  • Inventorying every third-party service in use, and having a response plan for when one of them is compromised, is crucial
  • Sharing information and uplifting others in the industry makes adversaries work harder
The speaker shared an example of a security researcher discovering a database containing Microsoft data that had been exposed through configuration errors. On investigation, the company responsible turned out to be a subprocessor of telco SMS providers, several steps removed from Microsoft itself. Microsoft reached out to the vendors and had a productive conversation about changes to improve their products. The point was that it is not about the specific devices or actors involved, but about how the industry operates as a whole.


I'm in your supply chain, and you're probably in mine. Our increasingly interconnected infrastructure leaves us all vulnerable. With hundreds of millions of devices and millions of enterprises betting on the cloud, we see sophisticated attacks every day. Hardware, software, and service-based attacks, good and bad engagements with suppliers and partners – we've seen it all. Go behind the scenes and learn about previously undisclosed supply chain attacks – the techniques and objectives of adversaries, the mechanisms that were effective in blunting their attacks, and the sometimes-comical challenges of dealing with our most complex asset to defend… developers. It's a statistical certainty: everyone will eventually be a victim of a supply chain compromise. Whether you're in SecOps or App Development, you'll leave this presentation with practical guidance on how to defend against supply chain attacks and harden your systems. Prevention is important, but how you respond when you get owned is the true test of character. Are you up to the challenge?