Pages

6 May 2023

RSAC in review: Supply chain security, cyber war and AI

Paul Roberts 

More than three years after the COVID pandemic threw the global economy — not to mention the technology conference business — on its ear, the RSA Security Conference was back in full force this year, with attendance and a theme, Stronger Together, that celebrated the diversity of the information security community and promoted a sense of post-pandemic healing.

But amid the crowds and good vibes in and around San Francisco’s Moscone Center was a palpable sense of unease at this year’s show. The world’s first “hot” cyber war in Ukraine and a steady drumbeat of nation-state backed attacks on software supply chains might have had something to do with that. And let’s not forget about the prospect of AI-fueled disruption that loomed over the event, prompting questions about what lies ahead for cyber defenders in industry, enterprises and the public sector.

The ReversingLabs team was at the show. Here is a look at some of the big takeaways from this year’s RSA Conference.

Software supply chain security gets messy

Threats to software supply chains were one of the most prominent themes at this year’s RSA Conference. Supply chain threats and attacks have been a top concern for organizations in recent years, especially after the attack on the firm Solar Winds made clear that sophisticated, nation-state actors were capable of penetrating and leveraging trusted software supplier relationships to plant malicious code.

At this year’s event, the recent 3CX hack ensured that conversations about the security of software supply chains would occupy center stage. The picture that emerged from RSAC was complicated, however, with a range of experts warning that not enough was being done to manage supply chain risks, and counter growing attacks.

Despite the media attention to supply chain attacks such as SolarWinds, CodeCov and 3CX, awareness of supply chain threats still lags within the development community, said Karine Ben-Simhon, Vice President of Customer Advocacy at the Trellix Advanced Research Center, who was speaking at RSAC as part of a panel discussion of supply chain threats, trends and mitigation strategies.

“We all know about it, we’ve all heard about it, but as a community, we haven’t done enough about it. There are a lot of organizations that are not aware of this type of threat.”

Instead, conversations about software security within development organizations, and the information security industry still focus on software vulnerabilities to the exclusion of other risks, said ReversingLabs Product Manager Charlie Jones in his RSAC talk on supply chain threats.

“There’s a disconnect between this hyperfocus on the detection, the response, the mitigation of vulnerabilities in software [and] the actual threats that we see being taken advantage of and targeted in the threat landscape. Focusing on vulnerabilities simply isn’t enough — and it tends to not be that effective.”
Shift left loses its luster

RSAC also showed that the recent orthodoxy that security needs to “shift left” and become a developer priority is also starting to crumble in the face of pushback from developers — and others, who argue that loading sole responsibility for security on developers is a bridge too far.

Omer Yaron, the Head of Research at Enso Security, said in the panel on supply chain threats, trends and mitigations that shifting risk was not realistic.

“[Developers] don’t have the time or the expertise to do security.”

RSAC 2023 showed that the software industry hasn’t arrived at a consensus about how to delegate the responsibilities of securing the software supply chain. However, a number of presentations sketched out the broad outlines of a future in which the security of software is easier for development teams and customers to assess and monitor.
Supply chain security: It’s complicated

Open source software alone, which is found in anywhere from 75% to 95% of all applications, is challenging security teams. Unlike traditional cybersecurity threats such as endpoint security, software supply chain attacks are not cookie-cutter incidents, but bespoke creations that differ from each other in ways that complicate the job of defenders.

But help may be on the way, with a number of presentations at RSA sketching the broad outlines of a future in which the security of software supply chain elements is easier for development teams and customers to assess and monitor.

Take the Open Source Software Foundation’s Security ScoreCard, a free tool that assesses open source projects based on its adherence to 18 different best practices including whether the project is being actively maintained, and whether it uses secure workflow features, such as branch protection.

“It’s like having a speedometer on your car to tell you ‘How fast am I going?’ said Naveen Srinivasan, one of the maintainers of the Scorecard, who spoke at RSAC about the Scorecard alongside Brian Russell, an open source product manager at Google.

Srinivasan said the RSA talk, “How do you trust open source,” was just the latest stop in a tour of technology conferences with the goal of making developers aware of the free Scorecard tool and get them to use it to assess the security and integrity of the open source software they rely on.

Multiple speakers at RSA also weighed the pros and cons of Software Bills of Materials (SBOM) — a key element of recent federal guidance on supply chain security. Like other supply chain security initiatives, SBOMs are facing pushback from development organizations, which fear they will become a cumbersome new compliance requirement with little practical security value.

But SBOMs need not be a burden, and will provide a critical bridge between software suppliers, development organizations and end users, said Kate Stewart, the Vice President of Dependable Embedded Systems at the Linux Foundation.

Speaking alongside Chris Blask of Cybeats, Stewart said that widespread use of SBOMs will reduce the thrashing and inefficiency that characterize current responses to supply chain threats. Already, regulators like the FDA are requiring SBOMs for medical devices, while organizations in healthcare are gearing up to use open source and proprietary tooling to leverage those SBOMs to monitor what is deployed in their environments, as well as the impact of software vulnerabilities like Log4J and other supply chain risks.

Blask said in their presentation, The World on SBOMs:

“Knowing is half the battle. If you have an image from the vendor, you want to know what’s inside that and look to the vendor to update it. But any insights you have will help you deal with vulnerabilities in things you don’t control.”
Learning from Ukraine’s “hot” cyber war

Just like the 3CX hack focused attention on supply chain risk, Russia’s ongoing war on Ukraine has brought concerns about cyberwar to the forefront, as one of the world’s first “hot” cyberwars stoke fears of a broader conflict.

Despite rumblings that Russia’s cyber assault on Ukraine was a bust, NSA Cyber Director Rob Joyce debunked that idea in an address to RSA Conference attendees.


“There’s a lot of narrative that it isn’t so significant inside the cyber activity from Russia, but I think that’s from a viewpoint of people who aren’t actively trying to defend each and everyday the types of attacks that are hitting them (Ukraine).”

In 2022 alone, there were more than 2,000 cyberattacks against Ukraine from Russia, demonstrating that this war’s cyber front is far from insignificant, Joyce noted.

Equally significant is Russia’s desire to specifically attack Ukraine’s critical infrastructure (CI) in an effort to hurt their civil society. Based on the NSA’s intelligence, Joyce shared that there have been Russian cyber attacks on Ukrainian CI organizations, “but they haven’t gotten to the devastating effect that I think Russia wanted to achieve, and still seeks to achieve in that.”

While Russia has not been entirely successful in its goal of damaging Ukrainian CI, it should be read as alarming that this adversary is still actively looking to damage these institutions.

Russian-based threat actors have already managed to target CI outside of Ukraine. Last week, it was discovered that a Russian hacktivist group targeted a Canadian gas pipeline in February 2023, which could have led to an explosion at the company’s gas site. What was also alarming about this incident was the fact that the hacktivists were in communication with Russia’s Federal Security Service throughout their operation. This is a testament to Joyce’s last point on the conflict:

“Hacktivists out of Russia are a natural resource for Russia.”

The number of cyber attacks on Ukraine, as well as the type of institutions being targeted and how Russia is using cybercriminals to advance their interests, shows the Russian war on Ukraine is clearly a cause for concern for global cybersecurity.
All in on AI? The bad guys are

Finally, it wouldn’t be a technology show without talk of artificial intelligence. At RSA, the rise of accessible AI tools like ChatGPT was a big RSAC buzzword — and squarely on the minds of security teams. It’s clear that AI is going to forever impact all kinds of areas within cybersecurity, and will cause both benefit and harm to cyber defenders.

For software supply chain security specifically, AI looks messy — and underbaked, noted Idan Wiener, CEO and co-founder of illustria, noted in the supply chain security panel.

“ChatGPT is not there yet.”

For anyone who adopts AI tooling, whether it be defenders or attackers, their processes will become “faster,” Yaron noted. The alarming reality: AI is “already being used by attackers.”

That threat is only going to grow, said Ali Khan, a field CISO at ReversingLabs. “We think that’ AI is going to really proliferate a lot of the new malware. Threat actors are going to be able to produce much faster.”

The ability of attackers to scale will strain the resources of defenders, he said. “Think of a traditional SOC writing YARA rules to defend against and detect against signature or hashes and traditional, but with LLMs, they’re so fast, they’re producing things fast that you could almost write code on the fly and remove the detection logic that security operations would be dependent on,” Khan said.

Rather than hiding from AI, however, the solution for organizations is to embrace it. “I think the best way to threat model is by immersing yourself as a red team,” said Khan. “I highly recommend organizations to invest more in purple team emulation, where you take your red team and you take your blue team and try to combine the scenarios that we known is being used by large generative AI.”

Finally, Yaron pointed out an elephant in the room: “Any AI system is software by itself,” meaning that it too has the potential to be the target of a software supply chain attack.

In his State of the Hack talk, Joyce echoed the supply chain security panel:

No comments:

Post a Comment