Enhancing CVE Identification using the Contextual Analysis attacks & Detection and Prevention of malicious packages @ Supply Chain Security Meetup Meetup

June 24, 2022

2 min read

Open-source vulnerabilities are in many applications. While finding them is critical, even more, critical is remediating them as fast as possible.

Securing your software supply chain is absolutely critical as attackers are getting more sophisticated in their ability to infect software at all stages of the development lifecycle, as seen with Log4j and Solarwinds.

Hear from industry experts at our upcoming Meetup to learn more about 3rd party vulnerabilities, threat research on real data, Red Teaming of your software supply chain, and CVE Identification and Contextual Analysis.

Talk Start Times:

– 00:12
3rd party vulnerabilities through DNS – Chen Arie (Enso.security)

– 37:56
Detection and Prevention of malicious packages and attacks

Jonathan Sar Shalom, Director of Threat Research @JFrog
Securing your software supply chain is absolutely critical as attackers are getting more sophisticated in their ability to infect software at all stages of the development lifecycle. This webinar, hosted by JFrog Director of Threat Research Jonathan Sar Shalom, will be a technical showcase of the different types of malicious packages that are prevalent today in the PyPI (Python) and npm (Node.js) package repositories. All examples shown in the webinar will be based on real data and malicious packages that were identified and disclosed by the JFrog security research team.

We will dive into:

  • The types of attacks and types of payloads contained in these malicious packages
  • Explain how these malicious packages can be identified and rejected
  • Best practices for a secure development workflow and relevant OSS tools to use

– 1:12:23
Red Teaming – Uriel Kosayev (ABInBev)

– 1:41:40
Enhancing CVE Identification using the Contextual Analysis – Shachar Menashe (JFrog) 

Speaker: Shachar Menashe, Sr. Director of Security Research @ JFrog
Detecting whether a particular system is vulnerable to a particular CVE can be a daunting task. Other than naively checking that the vulnerable component is installed, many factors can make an attack non-viable, such as backported patches, service configurations, the existence of vulnerable sub-components, and more. In this talk, we will elaborate on the most common factors that make a CVE actually exploitable and present techniques to automatically evaluate some of these factors.



Shachar Menashe

Sr. Director of Security Research @ JFrog

Shachar Menashe is the Sr. Director Security Research at JFrog. He has more than 15 years of experience in security research & engineering, including low-level R&D, reverse engineering and vulnerability research. He currently leads the security research division in JFrog, specializing in automated vulnerability research techniques. Before joining Vdoo and JFrog, Shachar was responsible for building the low-level security of Magic Leap’s custom OS. Shachar holds a BSc in Electronics Engineering and Computer Science from Tel-Aviv University.

Jonathan Sar Shalom

Director of Threat Research @ JFrog

Video Transcript


00:00:00.599 –> 00:00:20.490
Kobi Levi: Declaring were saying that they were going to start at five o’clock and people now are joining so yo always like to say grab your favorite drink some beer and then relax in front of your computer and it will wait for this to calm and then I see this one join is see that one.

00:00:22.320 –> 00:00:27.060
JFrog Meetups: that’s great well i’m gonna definitely turn this over to you because i’m in no no condition to sound like anything.

00:00:28.170 –> 00:00:29.520
Jonathan Sar Shalom: Good Actually, I must say.

00:00:30.120 –> 00:00:31.350
Jonathan Sar Shalom: Really yeah.

00:00:32.130 –> 00:00:34.020
JFrog Meetups: Maybe cook my coven voices my new blood.

00:00:34.020 –> 00:00:35.280
Jonathan Sar Shalom: Maybe read read that for me.

00:00:39.360 –> 00:00:40.260
JFrog Meetups: See here.

00:00:41.640 –> 00:00:43.320
JFrog Meetups: Any any other details, we need to handle.

00:00:45.690 –> 00:00:52.620
Kobi Levi: and actually not you wanted let’s test it one more time before people to join i’m going to share my screen now.

00:00:54.090 –> 00:00:55.200
Kobi Levi: Okay, let me know she’s.

00:00:59.070 –> 00:00:59.850
Kobi Levi: seen a screen.

00:01:02.190 –> 00:01:03.150
Jonathan Sar Shalom: not yet.

00:01:03.570 –> 00:01:04.320

00:01:06.210 –> 00:01:06.660

00:01:10.620 –> 00:01:11.370
Kobi Levi: Now you can see it.

00:01:12.510 –> 00:01:13.320
Uriel Kosayev: No.

00:01:13.710 –> 00:01:15.390
Jonathan Sar Shalom: No okay.

00:01:17.370 –> 00:01:18.450
Kobi Levi: Share screen.

00:01:21.270 –> 00:01:23.040
Kobi Levi: OK, so now you’ll be able to.

00:01:24.540 –> 00:01:26.010
Kobi Levi: know this is great.

00:01:27.000 –> 00:01:29.340
Kobi Levi: So these are these are actually.

00:01:30.420 –> 00:01:44.880
Kobi Levi: My tree slide we’re going to start with that and in the end, when everybody will finish up and move on to those one, and the next one, and I will read the poem for you okay now stop sharing So the first one, will be a single array and are you with us no.

00:01:46.710 –> 00:01:52.980
Kobi Levi: I don’t see it so let’s move on, Jonathan over real time a try to take over then share your screen.

00:01:54.900 –> 00:01:55.260
Jonathan Sar Shalom: yeah.

00:01:57.150 –> 00:02:00.600
Jonathan Sar Shalom: Oh, oh yeah go for it, I thought it, this is my turn okay.

00:02:02.220 –> 00:02:02.490
Uriel Kosayev: Okay.

00:02:04.470 –> 00:02:04.800

00:02:13.770 –> 00:02:16.350
Jonathan Sar Shalom: yeah Can you see that slide.

00:02:16.680 –> 00:02:19.290
Kobi Levi: Yes, yes, try to move your slide see that.

00:02:19.620 –> 00:02:19.980

00:02:24.270 –> 00:02:24.690

00:02:25.890 –> 00:02:30.840
Jonathan Sar Shalom: Yes, working fine So do you see only the presentation right.

00:02:30.990 –> 00:02:32.130
Kobi Levi: Yes, yes, correct.

00:02:33.870 –> 00:02:35.520
Jonathan Sar Shalom: Correct okay.

00:02:35.790 –> 00:02:38.310
Kobi Levi: So you stop sharing oh really want to try soil.

00:02:46.380 –> 00:02:46.530
Kobi Levi: hi.

00:02:49.080 –> 00:02:50.100
Uriel Kosayev: you’re going to say.

00:02:50.460 –> 00:02:53.010
Kobi Levi: Yes, but you can see it it’s not in presentation mode.

00:02:53.910 –> 00:02:54.780
Uriel Kosayev: Let me pull it.

00:03:02.850 –> 00:03:04.500
Uriel Kosayev: Open the PowerPoint again.

00:03:09.960 –> 00:03:20.040
Jonathan Sar Shalom: it’s better to share the screen after you start the presentation, because then we will be able to see that the presentation in full screen, at least in my computer.

00:03:20.340 –> 00:03:26.850
Kobi Levi: Okay, we have we have people joined here can see fine Vermont new Val already here.

00:03:28.200 –> 00:03:31.470
Kobi Levi: Great to meet you guys we’re still waiting for others.

00:03:44.940 –> 00:03:45.420
Kobi Levi: We think.

00:03:50.430 –> 00:03:51.840
Shachar Menashe: yeah it looks like he just joined.

00:03:53.310 –> 00:03:55.710
Kobi Levi: Great how are you good to see you.

00:03:58.080 –> 00:03:59.670
Chen Arie: hello, how are you i’m good.

00:04:00.030 –> 00:04:02.070
Kobi Levi: Rates of people are still joining.

00:04:07.620 –> 00:04:12.600
Kobi Levi: See you Val and ellie how lily some rano Hawaii.

00:04:14.310 –> 00:04:16.440
Kobi Levi: Okay, we still waiting for others to come.

00:04:30.060 –> 00:04:33.180
Kobi Levi: So everyone nice to meet you all.

00:04:34.980 –> 00:04:37.770
Kobi Levi: Today, with a very interesting meetup.

00:04:38.820 –> 00:04:40.860
Kobi Levi: About supply chain security.

00:04:42.390 –> 00:04:45.630
Kobi Levi: We have very interesting legs for you all.

00:04:48.330 –> 00:04:50.580
Kobi Levi: And we are still waiting for people to join.

00:05:09.960 –> 00:05:10.350

00:05:22.680 –> 00:05:24.270
Kobi Levi: we’re going to start at five o’clock.

00:05:25.410 –> 00:05:26.190
Kobi Levi: scheduled schedule.

00:05:38.610 –> 00:05:40.200
Kobi Levi: So we’re going to start with.

00:05:41.220 –> 00:05:44.550
Kobi Levi: and hope you’re ready with that we’re going to wait.

00:05:45.630 –> 00:05:47.580
Kobi Levi: 95 at your other first one.

00:05:51.090 –> 00:05:52.380
Kobi Levi: we’re going to talk about.

00:05:53.760 –> 00:05:55.710
Kobi Levi: One ability through DNS.

00:05:57.330 –> 00:06:02.190
Lior Mazor: can be put your presentation in a presentation mode because it’s more of it.

00:06:03.690 –> 00:06:05.340
Okay i’ll do that.

00:06:13.560 –> 00:06:14.400
Kobi Levi: I can see that.

00:06:16.980 –> 00:06:17.280

00:06:29.520 –> 00:06:30.120
Kobi Levi: Coming.

00:06:48.810 –> 00:06:59.400
Kobi Levi: So everyone we’re waiting for others to join you can grab your favorite drinks beer or coffee and he likes his political year.

00:07:00.660 –> 00:07:04.260
Kobi Levi: waiting to hear our interesting meetup yes Leo.

00:07:04.980 –> 00:07:09.360
Lior Mazor: Maybe a cocktail you know if someone wants to drink, something you know you are at home guys.

00:07:09.720 –> 00:07:10.500
Lior Mazor: What every.

00:07:11.070 –> 00:07:14.100
Lior Mazor: Yes, feel free to grab your drink beers.

00:07:14.520 –> 00:07:14.940

00:07:15.990 –> 00:07:17.850
Lior Mazor: whiskey pina colada guys.

00:07:18.930 –> 00:07:31.980
Lior Mazor: home at home safe I hope all your home safe So yes, it could be said, we will start in a in a few minutes copy you want to take up an awards what what we prepared today.

00:07:33.270 –> 00:07:40.740
Kobi Levi: We prepare very interesting meetup about supply chain security we’re going to talk about vulnerabilities with DNS.

00:07:42.750 –> 00:07:51.660
Kobi Levi: and go yeah we’ll discuss it also detection and prevention with malicious package in attacks that will be done by Jonathan from J frog.

00:07:52.200 –> 00:08:08.010
Kobi Levi: And also very interesting about a red teaming penetration testing by we of course I have and we’re going to finish with this CV identification using the contextual analysis done by inertia formed a focus well.

00:08:09.180 –> 00:08:10.650
Kobi Levi: And if he has something to add.

00:08:12.510 –> 00:08:13.890
be glad to hear about it.

00:08:16.590 –> 00:08:19.410
Kobi Levi: Okay people still joining hi David.

00:08:24.390 –> 00:08:27.150
Kobi Levi: So we have couple of minutes wait for the others.

00:08:33.390 –> 00:08:42.240
Kobi Levi: They don’t need to look for a parking space they don’t need to park their car, they just need to again to sit back and relax if they’re in the office.

00:09:02.100 –> 00:09:05.010
Kobi Levi: Yes, their webinar will be recorded.

00:09:07.380 –> 00:09:10.230
Kobi Levi: See i’m asking.

00:09:13.230 –> 00:09:20.700
Kobi Levi: In could be found, also in our YouTube channel at security meetup a YouTube channel.

00:09:23.220 –> 00:09:32.820
Kobi Levi: And you can check us also in our linkedin group application security meetup we have a very intensive a group in the linkedin.

00:09:34.590 –> 00:09:37.860
Kobi Levi: They were going to publish our meetup so next meetup as well.

00:09:39.000 –> 00:09:43.080
Kobi Levi: Okay, I can see another people joining now.

00:09:52.920 –> 00:09:54.540
Kobi Levi: We have couple more minutes.

00:10:33.240 –> 00:10:35.460
Kobi Levi: So hopefully when they start in time.

00:10:39.630 –> 00:10:47.190
Kobi Levi: I know we have a very busy agenda, I don’t want to delay anyone from this time i’m just going to.

00:10:48.540 –> 00:10:50.070
Kobi Levi: deliver his presentation.

00:10:52.440 –> 00:10:56.610
Kobi Levi: Usually, when you start in time any time as well, so basically.

00:10:58.140 –> 00:11:02.880
Kobi Levi: I just wanted to update the guys, that is, here we have the Q amp a you can.

00:11:03.960 –> 00:11:09.330
Kobi Levi: write down your questions will be answered so feel free to ask anything.

00:11:10.950 –> 00:11:13.980
Kobi Levi: You can a box, even in the chat box as well.

00:11:20.760 –> 00:11:22.380
Kobi Levi: see people still joining.

00:11:30.840 –> 00:11:32.550
Kobi Levi: When starting couple of minutes.

00:11:49.860 –> 00:11:51.780
Kobi Levi: Yes, Leo just share the link.

00:11:53.250 –> 00:11:55.350
Kobi Levi: The application security with your meetup.

00:12:00.210 –> 00:12:05.640
Kobi Levi: you’re going to give a couple more minutes for people to have the chance to login as well.

00:12:07.230 –> 00:12:11.430
Kobi Levi: can see that the number is increasing, as we talking.

00:12:15.240 –> 00:12:16.020
Kobi Levi: Judea.

00:12:17.250 –> 00:12:18.720
Kobi Levi: lowly rosenberg.

00:12:21.360 –> 00:12:26.880
Kobi Levi: code, I will wait for others to join when wait couple of minutes.

00:12:29.790 –> 00:12:30.930
Kobi Levi: People are joining.

00:12:32.880 –> 00:12:33.630
Kobi Levi: I hoodie.

00:12:42.120 –> 00:12:47.370
Kobi Levi: hey i’m going to start the meetup in couple of minutes.

00:12:54.390 –> 00:12:57.900
Kobi Levi: We arrange a very interesting meetup for you.

00:13:00.180 –> 00:13:03.630
Kobi Levi: So bear with us and state going to be very interesting.

00:13:05.250 –> 00:13:07.890
Kobi Levi: And also, we have a short DEMO that.

00:13:08.910 –> 00:13:18.030
Kobi Levi: will be done by oh yes it’s a two and a half minutes DEMO about life penetration testing will be very interesting to see.

00:13:26.610 –> 00:13:29.430
Kobi Levi: Okay, people are still joining hi have if.

00:13:37.320 –> 00:13:37.890

00:13:39.150 –> 00:13:39.840
join in.

00:13:41.610 –> 00:13:42.480
Kobi Levi: ICC.

00:13:47.010 –> 00:13:47.310
Kobi Levi: Hello.

00:13:48.930 –> 00:13:50.070
Kobi Levi: Thank you for joining.

00:13:54.450 –> 00:13:55.200
Kobi Levi: So.

00:13:58.620 –> 00:14:00.510
Kobi Levi: let’s wait one more minute and then we’re going.

00:14:00.510 –> 00:14:08.790
Kobi Levi: To start going to start with the end goal oh yay we will discuss about one a better teeth with DNS.

00:14:11.550 –> 00:14:13.080
Good see people’s to joining.

00:14:17.280 –> 00:14:20.100
Kobi Levi: Okay, so I think.

00:14:21.870 –> 00:14:26.100
Kobi Levi: The i’m going to stop sharing and give you the stage.

00:14:28.950 –> 00:14:31.560
Kobi Levi: So please start sharing your presentation.

00:14:34.650 –> 00:14:35.880
Chen Arie: Okay Hello everybody.

00:14:37.380 –> 00:14:38.820
Chen Arie: share the presentation.

00:14:43.980 –> 00:14:53.850
Chen Arie: So Hello everybody i’m saying thank you for having me, and thank you copy for arranging this a wonderful meetup i’m going to talk to talk about vulnerabilities food DNS.

00:14:54.420 –> 00:15:03.990
Chen Arie: And little bit about me before we get into it, so my name is Hannah i’m a Co founder and chief architect a eventual security and espn a platform.

00:15:04.650 –> 00:15:10.920
Chen Arie: Living TV, I really like to build things in computers, but also, also in the physical world.

00:15:11.580 –> 00:15:21.570
Chen Arie: And i’ve been doing application security since 2004 form penetration testing two certifications too many different kinds of activities.

00:15:22.140 –> 00:15:32.220
Chen Arie: Also spent few is building applications myself, so I got to see what it means from the engineering perspective and it’s not so easy to build a secure applications.

00:15:32.760 –> 00:15:44.550
Chen Arie: And today i’m going to talk about some things that are related to DNS related vulnerability and so in this talk what i’m going to cover is.

00:15:45.300 –> 00:15:53.400
Chen Arie: general discussion on on why do we trust the name so much How come we establish such a huge trusted names and.

00:15:53.910 –> 00:16:05.070
Chen Arie: Then why should we discuss a little bit, how should we do it, and what can fail, what can what can bring a additional risk when when we’re building on trust, one on DNS.

00:16:05.730 –> 00:16:12.300
Chen Arie: And what can be the possible impact when when fails when something along this trust a chain or trust layers fails.

00:16:12.720 –> 00:16:25.710
Chen Arie: And then, what can we do as petition as as people that practice application security and try to help our teams and all the other developers, how do we deal with it and how do we approach this problem for mitigation perspective.

00:16:26.820 –> 00:16:41.340
Chen Arie: And so let’s start with a little bit about why do we trust name, so much so on a fundamental level, the combination between the global DNS a system domain name system.

00:16:41.850 –> 00:16:51.600
Chen Arie: and public key infrastructure is arguably the most mature in a scalable trust system that we have on the planet, that the humankind has.

00:16:52.170 –> 00:17:09.360
Chen Arie: And it is battle tested, it has been through a lot and and it basically gives us a what actually powers, the Internet, as we know it today and, especially, we talk about web technologies about things that aren’t inside your way your browser it gives us.

00:17:11.550 –> 00:17:21.270
Chen Arie: scalable and just infrastructure that is almost a almost seamless to integrate with and to start operating side as an entity.

00:17:21.960 –> 00:17:35.340
Chen Arie: With getting a lot of out of the box a trusted domains, that you can build a safe interactions between different platforms and different systems and different companies over the Internet and.

00:17:37.170 –> 00:17:47.250
Chen Arie: Few core properties of have this combination that that enables this is the fact that the DNS itself that domain name system.

00:17:47.760 –> 00:17:59.850
Chen Arie: Is a decentralized on one hand, but still backed by governments governments as a huge incentive to make those systems safe in the time, sometimes it can happen, also for.

00:18:00.690 –> 00:18:08.160
Chen Arie: To the other side that government has some control over these over segments and have a DNS.

00:18:09.120 –> 00:18:17.400
Chen Arie: Infrastructure and they can affect it also in a not so positive way, but it is backed by government and decentralized two properties that.

00:18:18.210 –> 00:18:33.240
Chen Arie: are contributing to the solidity of the say infrastructure and the pk I in the public key infrastructure is completely decentralized and also independent from government.

00:18:33.660 –> 00:18:45.420
Chen Arie: Which means that even when the government goes Logan does things that they shouldn’t be manipulating names in different ways, we still as as citizens as users of the Internet, we still have.

00:18:45.960 –> 00:19:00.120
Chen Arie: A protection because of this, the cupboard in between the authentication DNS and i’m not talking about a secure DNS particles i’m just talking about the basic DNS protocol end system, more importantly, the system.

00:19:00.720 –> 00:19:07.380
Chen Arie: And this independent of authentication infrastructure, let us.

00:19:08.340 –> 00:19:17.730
Chen Arie: Give us the option to play with DNS in kind of a safe way without being without knowing that if something breaks on the DNS level.

00:19:18.120 –> 00:19:25.050
Chen Arie: We can see that integrated with cryptography that is fully open and everybody can read into the.

00:19:25.620 –> 00:19:35.790
Chen Arie: cryptography itself everybody can build the same cryptography it’s it’s fully open and these things together, give us this kind of a confidence that we can build on this trust system.

00:19:36.570 –> 00:19:45.480
Chen Arie: And that’s really going to talk a little bit about what, how do we actually building that trust based on on those two elements, so the Foundation, we have.

00:19:45.900 –> 00:19:51.510
Chen Arie: The domain name system itself and the public infrastructure and we have different different.

00:19:52.350 –> 00:20:11.790
Chen Arie: Methods of different mechanisms for authentication and have different parties, building on those two building blocks, so we have domain validation just direct domain validation to assess if names on a specific domain and we can build different kind of.

00:20:12.870 –> 00:20:19.380
Chen Arie: authentication subsystems based on purity domain validation basically asking.

00:20:20.700 –> 00:20:32.130
Chen Arie: Who is the owner of this domain record usually by by making sure that that the person who’s trying to, for example in wolpe KPI for let’s say secure, for example.

00:20:32.820 –> 00:20:48.030
Chen Arie: And can create a new record in this a in this domain, and by that we do domain validation data domain validation and we can bootstrap another authentication subsystem on top of it and did another layer of task, a very common to.

00:20:48.450 –> 00:20:57.900
Chen Arie: Do environment of bk based on demand validation which you can also enable other so that you can integrate a full infrastructure as a service platform as a service different kind of.

00:20:58.380 –> 00:21:06.840
Chen Arie: A website platform an email platform of the service says everything can be in the world, on top of this stuff sort of a domain validation.

00:21:08.130 –> 00:21:27.810
Chen Arie: And, and on the other hand, when we talk about interactive interaction between your clients and, most notably bausell and we build on and domain names resolving together with public infrastructure for authenticating service so to make sure that service.

00:21:29.250 –> 00:21:36.750
Chen Arie: And kind of the entities that we think that they are when we get the resolution from the names and based on this we built the.

00:21:37.320 –> 00:21:45.840
Chen Arie: Entire a Norwegian installation security model that is a incorporated in implemented in Brazil and that we all use on a daily basis.

00:21:46.200 –> 00:21:50.490
Chen Arie: Is a we can we can build this layer On top of that, and on top of this we have.

00:21:51.030 –> 00:22:00.930
Chen Arie: Many different applications of authentication identity federation resource sharing different kinds of things we can do, once we know who we working with whether it’s another user.

00:22:01.380 –> 00:22:08.880
Chen Arie: or another vendor another way another way provider in the Internet, we can be very complex and very rich.

00:22:09.360 –> 00:22:20.040
Chen Arie: and rich resource sharing scenarios based on this last system that starts from combination of DNS and public infrastructure and.

00:22:20.970 –> 00:22:30.000
Chen Arie: But, of course, and this is never, no, no, no trust system is always a resilient to everything.

00:22:30.450 –> 00:22:39.900
Chen Arie: And in fact this, this has been challenged this combination has been charted in many different ways, and of course it has many failure one so many possible failure points.

00:22:40.380 –> 00:22:53.310
Chen Arie: And we can talk about a root level failures or failure on like the authority level or the system level and but also failure on on any kind of implementation, that the along the said.

00:22:53.970 –> 00:22:59.400
Chen Arie: Among the slaves or longest Sebastian if you may and which includes everything from.

00:22:59.940 –> 00:23:07.500
Chen Arie: A not understanding exactly what the last mean so when you we will get the validated like it all of some kind.

00:23:07.890 –> 00:23:18.000
Chen Arie: And missing understanding of what it actually means what could you can you actually build on top of it, but also some scenarios like what happens when the owner of a specific level changes.

00:23:18.600 –> 00:23:22.770
Chen Arie: And let’s talk a little bit about the different cases, so we go from.

00:23:23.190 –> 00:23:35.070
Chen Arie: From cases weren’t actually walks possibility and before the criticism that they asked us application security community can have on different implementations and different standards and different challenges that we have, for example in cookies.

00:23:35.490 –> 00:23:42.870
Chen Arie: When stayed after a decades of using them we still a will still very concerned and we bought a different problems with me focus.

00:23:43.470 –> 00:23:52.530
Chen Arie: And to do that, to a larger sense and the these protocols most not to be the the https a.

00:23:53.040 –> 00:24:06.270
Chen Arie: A particle is actually providing a lot of tools for building very solid fast and very collaborative a walk on the Internet different origins different businesses can can collaborate based on it in.

00:24:06.750 –> 00:24:14.940
Chen Arie: In another safe way, of course, there are always problems, but in terms of the scale of it, and in terms of the features that they allows you know.

00:24:15.660 –> 00:24:23.280
Chen Arie: most transparent fashion to build those of people who make make us that build into the web, environment, especially.

00:24:24.090 –> 00:24:31.500
Chen Arie: And, especially when you consider also, in addition, our implementations application that builds on these like a different kind of a.

00:24:32.340 –> 00:24:42.300
Chen Arie: federated identity federation protocols and you in a way, and of course this is a somewhat perspective, but in a way.

00:24:43.200 –> 00:24:49.290
Chen Arie: This combination has proven itself to be very powerful and is allowing us to.

00:24:49.830 –> 00:25:01.710
Chen Arie: To do build and a lot of trust and that we can we can actually walk with in the Internet in the open and it’s not such a simple thing and and and in this sense.

00:25:02.130 –> 00:25:16.650
Chen Arie: We have a lot of success with this trust system, however, the complexity of transforming layers of implementation of different protocols together to create the situation.

00:25:17.190 –> 00:25:27.390
Chen Arie: can fairly many different layers and family and friends points of the implementation and so we are what I call local domestic failure of those.

00:25:27.870 –> 00:25:35.730
Chen Arie: Of those of the parts that play a part in in using trust that is based on names and it can be anything from.

00:25:36.450 –> 00:25:46.080
Chen Arie: The actual mechanism used to validate signatures that is crucial for Saudi the pk up to the actual use of a.

00:25:46.620 –> 00:26:03.390
Chen Arie: different origins inside miles in context and the implication that this can have on the actual final result which is being able to isolate your application in a positive way and protected from abuse abusive a course or region calls and resource sharing.

00:26:04.650 –> 00:26:13.410
Chen Arie: And again, most of my talk here is from focus on on web technologies, but when we talk about other the other kind of channels another kind of.

00:26:14.520 –> 00:26:38.970
Chen Arie: Protocols it changes, a little bit, although the main elements still play in the same way and we can go also into talk about the epic failures or places where where the system almost failed completely and dramatically and, and this is a one of the cases is a 2011 breach a.

00:26:40.530 –> 00:26:51.420
Chen Arie: CA certificate authority and it’s a reading, so what happens when a CA is compromised when I say is compromised, we have a global impact of.

00:26:51.840 –> 00:26:57.810
Chen Arie: Having a have not been able to test certificates anymore until the certificate until.

00:26:58.740 –> 00:27:06.180
Chen Arie: The infrastructure as revoked all the certificates that were issued by the CIA and that the operation systems.

00:27:06.750 –> 00:27:18.510
Chen Arie: As remove the past on those specific So what is, we have a period where where we are all at risk at been in i’ve been exposed to a man in the middle attacks basically.

00:27:19.230 –> 00:27:31.830
Chen Arie: But in order for this to really be impactful, we also need a breach of the DNS system, it can be very local it can be global, it can be domestic it can be national.

00:27:32.220 –> 00:27:46.290
Chen Arie: But without breaching this system, a bridge to see a is is less impact for for for all web technologies and for standout use of a of a of a CA backend.

00:27:46.770 –> 00:27:56.790
Chen Arie: Of course I will pass chains might not be so were isolated when this happens, but a but it, but even on our on our basic level.

00:27:57.360 –> 00:28:08.130
Chen Arie: The fact that these are two infrastructural running together, side by side and complementing each other is very useful in in a limiting the impact of of a glitch.

00:28:08.850 –> 00:28:21.840
Chen Arie: And so, in the digital case itself like I said before, 2011 case well, some one and, of course, about these cases, we always need to be very cautious because.

00:28:22.560 –> 00:28:32.670
Chen Arie: We know what we know we don’t know what we don’t know and these into bridge share and to mount and attack on on the scale requires a lot of a.

00:28:33.210 –> 00:28:38.970
Chen Arie: lot of thinking in a lot of preparation, so we don’t really know who are the actual actors and what was the actual.

00:28:39.570 –> 00:28:49.350
Chen Arie: thing behind this, but what we do know is that a Dutch a CA that was fully tested by all the browsers or the operation systems.

00:28:49.860 –> 00:29:14.760
Chen Arie: At 11 2011 it was fully compromise we know this because, as part of the research and someone uncovered 500 fake certificates, including certificates to wild card certificate for rule for gmail and these kind of certificates and we also have this a this report form from anonymous.

00:29:15.780 –> 00:29:31.320
Chen Arie: anonymous user reporting about a failure to connect to Google and not so clear if we can trust this report as it is because a total body as a spoiler to the actual hack.

00:29:31.740 –> 00:29:40.500
Chen Arie: Not i’m not sure what is the meaning behind this but, but the bottom line is and paste been of the certificate still exists, you can still access it today, if you look.

00:29:40.920 –> 00:29:55.320
Chen Arie: At the bottom line is that someone did bleach the system did compromise CA and did the issue and certificates that can play our can can fully blake a our a name validation within.

00:29:55.770 –> 00:30:13.740
Chen Arie: and have us talk to a third party once we figure Google it’s actually not an open, opening up everybody to remain the middle attacks and but, but the thing about this attack is that it was even though it was very.

00:30:14.850 –> 00:30:19.380
Chen Arie: scary and first of all, only only the.

00:30:20.550 –> 00:30:34.650
Chen Arie: The public info section was fully compromised and for a short amount of time and, and it was also possible for users to easily uncover it because of the fact that somewhat because of.

00:30:36.000 –> 00:30:48.030
Chen Arie: The fact that only the DNS system was only locally or domestically compromised and not globally and but but, even more than this is because we have some different.

00:30:48.780 –> 00:31:00.720
Chen Arie: fail over mechanisms that allows a service to allows users and I was a people will operate in the Internet to protect themselves, even in these kind of cases.

00:31:01.140 –> 00:31:09.000
Chen Arie: And we have a beginning, that is not recommended anymore, because of the pollution problem that it can it can cause, but we can still have.

00:31:09.480 –> 00:31:15.570
Chen Arie: extensions that they will will reduce the options to do a success story being righteous aces HST s and.

00:31:15.960 –> 00:31:23.940
Chen Arie: and other ways to make sure that we all see we have some fail overs to make sure that we detect and allow for these kind of scenarios.

00:31:24.450 –> 00:31:38.490
Chen Arie: And, and this is why, even in the most severe failures and now you’re when when the trust system when the authorities compromise, we can stay recovered quite click quite quickly and also discovered this event quite quickly.

00:31:40.800 –> 00:31:41.640
Chen Arie: So.

00:31:43.230 –> 00:32:05.340
Chen Arie: Moving forward to, so if the DNS system itself is compromised by itself still and the pk I bout will authenticate the servers and we are still not fully a compromise so like I said before, there is a lot of fail over and and use it in ways to still be safe, even when an element is composed.

00:32:08.520 –> 00:32:16.320
Chen Arie: When we go on, and I think about other reasons to fail other places where we can affair, so, even if the wood.

00:32:16.770 –> 00:32:28.680
Chen Arie: certificate authority or the global DNS system is not compromised, we can still make mistakes and those mistakes la one of the main problems that we see today with DNS management.

00:32:29.250 –> 00:32:41.130
Chen Arie: Is that we are, we are managing record some of us manage a lot of records for many different purposes and the the event of creating a new record is something that happens in a specific point in time.

00:32:41.610 –> 00:32:53.880
Chen Arie: and not necessarily relevant for for the future always and and we don’t necessarily included in our threat modeling and we don’t necessarily think of all different scenarios.

00:32:55.170 –> 00:33:01.140
Chen Arie: That that can result from managing from having a bad DNS hijacking.

00:33:01.770 –> 00:33:13.830
Chen Arie: And doom main cases, for this is that we manage dangling record meaning records that points to things that are no longer than what they were when we created those records.

00:33:14.220 –> 00:33:21.450
Chen Arie: Or we created those records for to sell some resources and we backed off and didn’t sell that resources and it’s still.

00:33:21.900 –> 00:33:37.050
Chen Arie: available in the Internet on a very classic case would be a setting up an s3 bucket a behind one of our names, but when doing only the name creation and not yes, yes, free registration.

00:33:37.650 –> 00:33:42.360
Chen Arie: And, which results in what we call this three based a subdomain takeover.

00:33:42.960 –> 00:33:56.940
Chen Arie: And this is one case or general concept of records that were created for purpose but, but since then, the the target of the like what the local points are as as changed or changed ownership.

00:33:57.510 –> 00:34:07.890
Chen Arie: Or that it was never even established and it points to somewhere to an ipo to do another record that that is not on by us, and someone can operate behind this I called.

00:34:08.370 –> 00:34:15.210
Chen Arie: In be part of our domain and and I will case that is very similar to this in the in its impact.

00:34:15.690 –> 00:34:22.680
Chen Arie: Is that the records are managed by us and are pointing to the to the weather wherever we want them to point to.

00:34:23.040 –> 00:34:42.180
Chen Arie: But those places like a third party application or web application that is appointing in our origin is vulnerable to client side attack vectors or to some client side attack vectors and then every vulnerability that they have becomes your vulnerability, with some limitations, of course.

00:34:43.920 –> 00:34:52.500
Chen Arie: And so, by codes are very similar to compromise, a domain name system, it depends a little bit on how do you do ssl termination sometimes.

00:34:52.860 –> 00:35:04.260
Chen Arie: it’s a more complex and now you’re when you actually do the ssl termination and based on DNS you follow the request, so the pk I would not protect you in those scenarios, but if you didn’t do that.

00:35:04.620 –> 00:35:10.620
Chen Arie: In a normal scenario, you will be, it will be the same as having bad DNS system and an untrustworthy.

00:35:11.340 –> 00:35:23.760
Chen Arie: DNS system and and someone can potentially do part of those things, based on that on that broken record or whatever, that is not managed properly or even a.

00:35:24.390 –> 00:35:38.520
Chen Arie: full name specific domain, that is not managed properly and follow up with different a human validation scenarios that can breach some authentication, then the Federation associating a facility so subsistence that you have.

00:35:40.920 –> 00:35:53.670
Chen Arie: If you talk about farrier anywhere along the chain, so it can be really much anything that results in in breaking isolation and again focus a little bit on a on a web Aaron.

00:35:54.210 –> 00:36:00.660
Chen Arie: And so, even if you do I for implementation you don’t pay check a check the way that the I flames are.

00:36:01.230 –> 00:36:08.910
Chen Arie: checking all regions before and after and when they receive messages from other flames, you would have the same.

00:36:09.390 –> 00:36:12.600
Chen Arie: The same kind of results, you will have breached origin isolation.

00:36:13.050 –> 00:36:20.790
Chen Arie: And the same goes for if you’re not controlling the course of course site requests if you’re not there to configure your course in a proper way, and even if.

00:36:21.240 –> 00:36:31.830
Chen Arie: If and when we talk about the other other mechanisms, the top voice inside even even things like a broken a broken cryptographic element inside.

00:36:32.370 –> 00:36:43.110
Chen Arie: Is inside the pk I can that is used in pk I can cause the same thing, although that if i’m already put them the five here in the slide so we have to mention that.

00:36:43.620 –> 00:36:54.450
Chen Arie: When the five was a researcher started to the report that they have, which means to breach and the five and by the time that it became practical.

00:36:55.980 –> 00:37:01.020
Chen Arie: bk I was already eradicated they use of me five and the same goes for for the fall so.

00:37:01.320 –> 00:37:13.560
Chen Arie: We can see that these are not so dangerous but but as as the application security folks, we all know how common now away things that breaks our isolation and expose us to try and say the technical.

00:37:14.130 –> 00:37:27.180
Chen Arie: And we just now have to add another item to that list, and that it means having bad DNS hijacking and we saw domain takeover or darkening Domenico to that meeting ID records and you can you can.

00:37:28.710 –> 00:37:37.560
Chen Arie: You can have the same kind of results of bleach the origin isolation and having someone else interacting with your origins in an uncontrolled fashion.

00:37:38.400 –> 00:37:52.740
Chen Arie: And the most common impact of of such a scenario would be that that the origin is not isolated anymore popularly anymore, and that they now.

00:37:53.430 –> 00:38:03.240
Chen Arie: Someone is very similar to cross site scripting to cause miss configuration, you have problem in protecting your allegiance from other Internet diligence and.

00:38:03.870 –> 00:38:14.250
Chen Arie: And and meaning that another one region can you will skip your website or interact with it we consume and create resources in it.

00:38:14.700 –> 00:38:22.320
Chen Arie: But of course now always other things like a much more serious and areas where we have a full subsystem is compromised.

00:38:22.830 –> 00:38:34.650
Chen Arie: This can happen, for example, when they are blue Jay organization is in your authentication and segments of your application, but also in other subsystems like, for example, email validation.

00:38:36.330 –> 00:38:46.260
Chen Arie: let’s really lean a little bit to what is the meaning behind breached origin isolation so bleak storage and isolation.

00:38:48.330 –> 00:38:56.670
Chen Arie: i’m pointing out three different cases of it and that can lead to it so subdomain takeover and it’s a new record pointing to an unclaimed.

00:38:57.390 –> 00:39:03.210
Chen Arie: A cloud resources that doesn’t have to be a cloud resource, but it’s usually a cloud resource like an s3 bucket.

00:39:03.780 –> 00:39:16.980
Chen Arie: And, and the the you already so in your development flow you created a record that points to that bucket but you never claimed the bucket or you’ve claimed, and you closed it.

00:39:17.460 –> 00:39:33.420
Chen Arie: And what happens now is that there is a bucket everybody with an aws account, which means everybody can claim it and it doesn’t have to be s3 bucket it can be recruiting technology in any cloud provider and other things like is a week side.

00:39:35.220 –> 00:39:43.530
Chen Arie: shopify different kind of a different kind of where cloud resources can can be relevant in you and and.

00:39:44.610 –> 00:39:45.210
Chen Arie: and

00:39:46.410 –> 00:39:55.470
Chen Arie: The attack in this case, or the weakness or vulnerability in this case is that someone can create the record that the that a.

00:39:55.920 –> 00:40:07.470
Chen Arie: claim the resource establish the resource your code is already pointing at it, and all I need to do as an attacker is to deploy my my cross site scripting gay men.

00:40:08.010 –> 00:40:13.950
Chen Arie: Framework there and start interacting operating inside your sub domain.

00:40:14.850 –> 00:40:26.490
Chen Arie: and marketing code is a similar case, but in this case you’re just pointing to an IP but this IP is no longer yours, it has been a claim it has been released from your resources.

00:40:26.970 –> 00:40:29.460
Chen Arie: And someone else is up waiting on this IP address.

00:40:30.240 –> 00:40:42.420
Chen Arie: And another case is that there is no problem in your DNS management, as it is, but you have invited someone else into your origin someone else plays inside in your domain in a sub domain.

00:40:43.050 –> 00:40:55.230
Chen Arie: And they have relay they have clydeside attack vector will vulnerabilities so someone can mount a client side attacks on their application.

00:40:55.740 –> 00:41:13.140
Chen Arie: And because they avoid inside your origin inside your sub domain, the impact is mainly on you and not necessarily so much on them, possibly also on them, but, but mainly on you, because you bought someone else into your origin let’s really into discuss.

00:41:14.160 –> 00:41:23.010
Chen Arie: In more details so alicia say skips or one case is a bridge over generations that allows malicious script inside in subdomain.

00:41:23.400 –> 00:41:31.680
Chen Arie: It can be from dangling record pointing to any web self controlled by an attacker it could be a dangling IP like or it can be seen name in and.

00:41:32.460 –> 00:41:44.790
Chen Arie: Once it’s pointing to any survey or bucket or basically a mobile client web client and created by the attacker they can run scripts in a sub domain.

00:41:45.330 –> 00:42:04.500
Chen Arie: And the same goes for corporate scripting a kind of attacks on third party in your domain and the impact is somewhat limited when we talk about the origin isolation, because of the way that the origin isolation, because domain resource sharing and in general.

00:42:05.730 –> 00:42:13.920
Chen Arie: Basel security model is, and when you apply it in a sub domain, you have some limitations, you can steal it very much depends on how.

00:42:15.210 –> 00:42:25.680
Chen Arie: Transparent with education materials or cookies has been created by the main or region by the domain itself if they are not properly isolated and if the.

00:42:26.370 –> 00:42:40.740
Chen Arie: system, on the other side was built to to give a lot of tasks to subdue to progressions learning in sub domain, you are still very much exposed and can be in and can be a.

00:42:41.700 –> 00:42:43.320
Chen Arie: attacked in in this way.

00:42:43.890 –> 00:42:56.850
Chen Arie: And another case of which over origin of isolation is that diminishes script is running on a trusted origins not exactly running on your sub domain it’s just running on an origin that you trust, so you already implemented the course protocol.

00:42:57.150 –> 00:43:17.070
Chen Arie: With a specification to allow someone to say, submit a authenticated request form a subdomain from a region and then this origin was taken over due to a DNS related the attacks, this is another case where we can suffer from bleached origin exploration.

00:43:18.450 –> 00:43:41.730
Chen Arie: But, of course, though, is some more serious things like a you know full full failure of a notification subsystem so think of very basic a very basic case where the full the full name spaces compromised or someone created the past in a in a.com.

00:43:42.780 –> 00:43:51.090
Chen Arie: I own this domain for a while and I registered it and I used it for some things people make some trust on it, but then I didn’t renew it.

00:43:51.660 –> 00:44:01.440
Chen Arie: And someone else can take it, and I think that maybe the good folks from a from J fox security will mention it, because they just recently published an article about.

00:44:02.280 –> 00:44:21.900
Chen Arie: about how our this a was reflected in package management related the problem so someone use these kind of flows, also to take over some packages and how do we approach this in terms of a mitigation, how do, how can we avoid this, how can we solve this so.

00:44:24.000 –> 00:44:26.820
Chen Arie: The men, the men approach to.

00:44:28.470 –> 00:44:35.640
Chen Arie: Solving this is the main, the main thing to consider when you want to tackle this issue is that it has to be done systematically.

00:44:36.060 –> 00:44:46.290
Chen Arie: it’s not something that you can okay you wake up one Monday morning and say oh i’m going to check if I have this problem you did it today, tomorrow it can it can change completely.

00:44:46.710 –> 00:44:53.280
Chen Arie: The resources that you’re pointing to can change your records can change in something that has to happen systematically and continuously.

00:44:53.910 –> 00:45:02.280
Chen Arie: And this is why you have to answer to process continuous process of asset inventory and that you have to know your domains, you have to.

00:45:02.670 –> 00:45:12.720
Chen Arie: And you have to understand, I will you are you using names and what could be well, where is your way weak points in terms of origin isolation.

00:45:13.230 –> 00:45:22.020
Chen Arie: And when you build applications and you bid on on the option to trust other origins and to collaborate with other systems.

00:45:22.350 –> 00:45:32.190
Chen Arie: You need to consider and bringing this question into your flow and ask the right questions when you work on the implementation to make sure that you’re building in a secure way to.

00:45:32.610 –> 00:45:41.220
Chen Arie: To do us a sharing of resources in the Internet and really into inventory in web so it’s a little bit so.

00:45:41.670 –> 00:45:55.020
Chen Arie: You need to talk all the records manage in the domain so have a full list of all the records understand all the records, even those that are not a mounting any applications behind them, just to your loved the clarity of what records, you have.

00:45:55.770 –> 00:46:10.800
Chen Arie: And there are some nice tools to find the records, but the way that we do it at Enzo is that we integrate with your with your own management systems, for example, or 250 and we pull this information and manage this inventory for you.

00:46:11.220 –> 00:46:14.790
Chen Arie: And then we can follow up with some tests like exam, for example, a test, that is.

00:46:15.300 –> 00:46:22.290
Chen Arie: done by these Open Source tools it’s up Finder and project discovered in general is very useful for doing this we say we open data.

00:46:22.680 –> 00:46:34.380
Chen Arie: And some find those will help you to find a your existing domain icons and you need to find like codes a to find it like all the senior like cold and eliminate diagnostic codes.

00:46:34.830 –> 00:46:43.710
Chen Arie: And shadow necessarily ssl termination when you’re doing it for sources that you don’t want to end consider claiming that he failed resources, so those s3 buckets that are.

00:46:44.220 –> 00:46:47.910
Chen Arie: That are pointed by those records claim them, so no one else good.

00:46:48.510 –> 00:46:56.280
Chen Arie: And then you need to follow up with doing the same things, but then find sales web web hosts server that hosts the Web applications.

00:46:56.640 –> 00:47:06.870
Chen Arie: And then you need to also inventory and assess if they are running some sort of a origin, of course, or a resource a sharing protocols and support.

00:47:07.320 –> 00:47:14.280
Chen Arie: A cause and they allow other origins to interact them and you need to include those origins in your inventory as well and.

00:47:15.060 –> 00:47:22.350
Chen Arie: I will finish up very soon, because my time is up, so let’s say really into a little bit a protecting origin isolation.

00:47:22.770 –> 00:47:32.100
Chen Arie: And you need to extend your first model to ask wherever it’s relevant wherever you are having some sort of tacit knowledge and surprisingly enough made validation includes this.

00:47:32.550 –> 00:47:51.090
Chen Arie: But the other centers as well, but that’s what happens when the record the owner of the other side, changes the IP the resource what happens when the only real changes and then beard fat models and based on this question and you need to always pay attention to call settings and.

00:47:52.320 –> 00:47:59.250
Chen Arie: include also server side checks in as part of this implementation try to be as explicit as possible.

00:47:59.610 –> 00:48:07.260
Chen Arie: With cookies I know that we’ve all been complaining about cookies for a very long time, but doesn’t mean that we can stop a maintaining the security of cookies.

00:48:08.250 –> 00:48:18.000
Chen Arie: Do on both to extensions like edge HST S, and if you can afford if you can do it, they do use extension like a content security policy, it will greatly improve.

00:48:18.690 –> 00:48:22.350
Chen Arie: your ability to control what kind of content designing in your allegiance.

00:48:23.070 –> 00:48:31.380
Chen Arie: In conclusion, and we have a to to DNS can affect our origin isolation can bring us more vulnerabilities.

00:48:31.740 –> 00:48:39.090
Chen Arie: We need to move systematically inventory all relevant assets and in the process to be labeled origin isolation.

00:48:39.570 –> 00:48:51.630
Chen Arie: and which also including an important part is extending your your your view and extending your threat a perception to also include this this fat under your scope.

00:48:52.380 –> 00:49:06.930
Chen Arie: and few words about Enzo and then done so no is an application security posture management solution it’s a platform that lets see that we fear not have integrations to data that you already have into activities that you already conduct brings a lot of.

00:49:07.560 –> 00:49:22.170
Chen Arie: Information about your application asset inventory and we follow a very nice boat i’ll let you manage the all the activities and all the processes to lead a very strong and systematic application security program that can scale as your company’s can.

00:49:23.190 –> 00:49:25.620
Chen Arie: also check out the object map.

00:49:27.060 –> 00:49:33.540
Chen Arie: Community driven a project to share information about different vendors, in application security.

00:49:34.050 –> 00:49:53.010
Chen Arie: And that a tenant where everybody out there, find the security solutions that they need and, and this is built, based on external submission So if you are vendor or if you miss find any to missing in the map, please share and and.

00:49:54.240 –> 00:50:04.500
Chen Arie: And we will included in the map and that’s it for my side, thank you very much for listening and copy I get a ticket back to you, unless there are any questions.

00:50:04.860 –> 00:50:17.400
Kobi Levi: Yes, yes, as you can see, we have several a question in the Q amp a and the first one is from a yuval Sinai a can elaborate how you can find dark features.

00:50:17.880 –> 00:50:30.000
Kobi Levi: etc loopholes back doors logic bombs red button unicode I don’t know if it’s related to you, maybe says, some of the other panelists can take it, but if you can answer it will be happy to answer.

00:50:32.490 –> 00:50:33.420
Chen Arie: yeah give us a call.

00:50:36.330 –> 00:50:37.920
Chen Arie: Okay it’s a good question but.

00:50:38.880 –> 00:50:42.030
Chen Arie: yeah we can follow up on a separate call on this.

00:50:42.450 –> 00:50:53.040
Kobi Levi: Okay, so next one by SEC scott’s is there a source for a newly understand domains list of fields, not talking about a Jewish domain.

00:50:54.960 –> 00:50:59.580
Chen Arie: So I tried to find the question myself, so I can actually read it.

00:51:02.370 –> 00:51:14.340
Chen Arie: So a source for finding for finding domain information that can be used to follow up with this kind of assessment is you can you can run project discovery tools.

00:51:14.760 –> 00:51:29.040
Chen Arie: And there are a lot of open source databases that have information about the kind of names and the kind of you know where you are words that exist on different domain, so you can go to things like am.

00:51:31.230 –> 00:51:33.630
Chen Arie: I missing the name right now.

00:51:36.390 –> 00:51:44.430
Chen Arie: So, if you look into project discovery tools many different tools to acquire such information and then you can follow up with the research.

00:51:45.420 –> 00:51:52.290
Kobi Levi: Okay, thanks y’all so now we’ll move on to Jonathan Thank you, and it was very enjoy for hearing you.

00:51:52.800 –> 00:51:55.560
Chen Arie: My Thank you very much for listening right.

00:51:55.620 –> 00:52:02.820
Kobi Levi: So next one would be a Jonathan such a long for J frog a Jonathan is the director of threat research Jeff a security.

00:52:03.180 –> 00:52:11.370
Kobi Levi: is very close to 30 years of cybersecurity with experience in security research reserves engineering and malware analysis.

00:52:11.880 –> 00:52:22.980
Kobi Levi: He currently leads the threat research team in J frog security specializing in vulnerabilities analysis threat intelligence T shirts and automated threat detection Jonathan the stage is yours.

00:52:24.420 –> 00:52:27.420
Jonathan Sar Shalom: Thank you Connie Thank you, it was great.

00:52:29.730 –> 00:52:31.530
Jonathan Sar Shalom: So where Can you see my slide.

00:52:34.770 –> 00:52:36.060
Kobi Levi: Okay, yes.

00:52:36.090 –> 00:52:40.110
Jonathan Sar Shalom: Great so Hello everyone again, my name is Jonathan.

00:52:41.130 –> 00:52:44.670
Jonathan Sar Shalom: said i’m the director of threat research at DJ for security.

00:52:45.120 –> 00:52:52.770
Jonathan Sar Shalom: So we already started mentioning a little bit on supply chain attacks risk, but I would like, in this presentation to.

00:52:54.630 –> 00:53:02.370
Jonathan Sar Shalom: To actually explain why malicious packages become such a popular attack method in supply chain attacks in the last couple of years.

00:53:02.940 –> 00:53:11.880
Jonathan Sar Shalom: So we will take a look on supply chain attacks from the attackers point of view and and explain on technical on a technical level how to identify and prevent.

00:53:12.210 –> 00:53:28.980
Jonathan Sar Shalom: An infection by a malicious package and, often, they will will take a look on real code examples of malicious packages when the majority of the examples will be from real malicious packages that were found by Jay for security, researchers and we’re publicly disclose.

00:53:31.740 –> 00:53:40.680
Jonathan Sar Shalom: So we’re probably already introduced me so nowadays i’m leading the threat research team in J frog security, we do have some kind of.

00:53:41.430 –> 00:53:46.440
Jonathan Sar Shalom: Researchers in vulnerabilities analyses with intelligence and automated threat detection.

00:53:47.130 –> 00:53:54.600
Jonathan Sar Shalom: And as for the agenda, we will first introduce the security threat in inherent in supply chain and learn the key role that.

00:53:55.080 –> 00:54:01.350
Jonathan Sar Shalom: malicious packages playing it then we’ll dive into the technical details of malicious packages infection that those.

00:54:02.070 –> 00:54:07.260
Jonathan Sar Shalom: Common payload using malicious packages and how attackers hi malicious scolding them.

00:54:08.100 –> 00:54:21.060
Jonathan Sar Shalom: Finally, will present techniques to detect and prevent malicious packages both known and unknown and we show the best practices for secure code development to avoid the risk of family issues packages.

00:54:22.050 –> 00:54:32.100
Jonathan Sar Shalom: So when we talk about malicious packages security threat, we first need to understand the bigger problem that malicious packages are a part of this is the software supply chain attacks.

00:54:33.390 –> 00:54:42.510
Jonathan Sar Shalom: In modern software development many applications integrate third party software and especially open source software in the record and trust the third party to.

00:54:42.810 –> 00:54:51.090
Jonathan Sar Shalom: supply a secure and stable software and general, this is, this is a good practice because we don’t want to reinvent the wheel every time we write code.

00:54:51.990 –> 00:54:59.550
Jonathan Sar Shalom: But in reality, unfortunately, there is this practice also involves some danger of course because third party software might contain vulnerabilities.

00:55:00.150 –> 00:55:05.610
Jonathan Sar Shalom: or malicious code that that will be delivered through the supply chain.

00:55:06.000 –> 00:55:15.930
Jonathan Sar Shalom: of third party software, together with the software itself so, so this is our abilities and malicious code will eventually affect the end product that depends on them, and so there are no.

00:55:16.170 –> 00:55:23.610
Jonathan Sar Shalom: You can already understand that there is no single targets that are being involved in this attack, because when you attack our supply chain.

00:55:24.690 –> 00:55:33.510
Jonathan Sar Shalom: By infecting the software package in the supply chain, for example, you will eventually end up with attacking all of the end consumers of of this supply chain.

00:55:34.050 –> 00:55:43.560
Jonathan Sar Shalom: So you can understand already The first reason of wine attack it would go for this software supply chain approach and that’s because of the high distribution of the attackers listen.

00:55:44.130 –> 00:55:48.540
Jonathan Sar Shalom: let’s talk now and on the effort that an attacker need to invest in supply chain attacks.

00:55:49.500 –> 00:55:55.590
Jonathan Sar Shalom: You know, compared to classic targeted attack attacks that we’ve seen in a lot in the last 20 or 30 years.

00:55:56.340 –> 00:56:08.670
Jonathan Sar Shalom: And it, it will help you to understand why the sacramental became so popular recently so in a classic attack the attacker had to invest a lot of time and money for compromising a single target and it becomes even harder when.

00:56:09.090 –> 00:56:20.910
Jonathan Sar Shalom: The target is known software platform, because those platforms are highly maintain and secured compared to a relatively small open source software packages that are out there.

00:56:21.570 –> 00:56:28.560
Jonathan Sar Shalom: So for a targeted attack an attacker would need to, we need to have high technical skills, because essentially it involves.

00:56:28.920 –> 00:56:39.300
Jonathan Sar Shalom: Finding a vulnerability and developing the working exploit for it so take a look on the pricing table here on the right, taken from zero down, which is soft which is.

00:56:39.900 –> 00:56:51.450
Jonathan Sar Shalom: exploit acquisition platform, you can see that are remote code execution experts can cost up to $1 million for a single exploit when when the most expensive one is is zero day RC click.

00:56:52.560 –> 00:57:05.460
Jonathan Sar Shalom: Zero and click RC exploit for windows so so when attacking malicious open source software in the other side that the options are endless and you don’t have to invest a lot of.

00:57:05.850 –> 00:57:13.650
Jonathan Sar Shalom: effort to do it for them, because there are many packages out there, so the attacker simply have to find a single package to attack or to publish a single.

00:57:13.980 –> 00:57:30.150
Jonathan Sar Shalom: malicious software package and it’s a game over for the entire consumers of the of the supply chain of this package so as we send eventually did this abuses that the trust that exists between parties in the supply chain, making this attack metals so effective.

00:57:32.430 –> 00:57:40.500
Jonathan Sar Shalom: So there are three different types of software supply chain thread so two of them are based on the software vulnerabilities whether an intentional or unintentional ones.

00:57:40.950 –> 00:57:48.270
Jonathan Sar Shalom: And those who interviewed is usually referred to a software bugs which each bug is normally assigned with a CV identifier.

00:57:48.930 –> 00:58:06.540
Jonathan Sar Shalom: civvies is common standard to describe vulnerabilities and exposure and they are widely used to document and truck vulnerabilities in software and the third type of software supply chain threat, and this is the one that we’re going to focus on today is the malicious component or the.

00:58:07.620 –> 00:58:18.000
Jonathan Sar Shalom: malicious software package and usually city is not assigned to this type of threat and the entire package or specific version of the package or simply tablet as as malicious.

00:58:19.140 –> 00:58:29.760
Jonathan Sar Shalom: let’s see if you real life example for it so for the unintentional, but we have, of course, the famous spring show vulnerability that was found this year in the popular Java frameworks.

00:58:30.450 –> 00:58:38.580
Jonathan Sar Shalom: called spring the spring framework package is highly used by Java project, so the you know the global effect of this vulnerability.

00:58:39.270 –> 00:58:48.210
Jonathan Sar Shalom: was very high and for the intentional bagger, we can see the famous solar winds attack when when solar winds or Ryan software.

00:58:48.960 –> 00:59:00.480
Jonathan Sar Shalom: was attacked and in a backdoor was injected to it actually thousand consumers of this software was affected by the attack leading do even more follow ups attacks that were carried out later.

00:59:00.990 –> 00:59:07.350
Jonathan Sar Shalom: So this is was was very a huge and famous attack for the for intentional vulnerability.

00:59:08.040 –> 00:59:22.560
Jonathan Sar Shalom: And in this presentation, of course, we are going to focus on malicious component rights, and here we can see an example from one of our publications or malicious and bm package nba and packages that we found and and disclose.

00:59:24.270 –> 00:59:33.600
Jonathan Sar Shalom: So after introducing the software supply chain attacks and how malicious packages play a key role in it let’s dive into the technical details so first we’ll start with the.

00:59:36.000 –> 00:59:50.310
Jonathan Sar Shalom: With the with the infection methods sorry sister infection methods, then we go to payloads used by by attackers and we will go into some technical details about them and we show our findings on those.

00:59:51.690 –> 01:00:05.850
Jonathan Sar Shalom: So let’s start with with infection model, so how attackers cause malicious target is to get installed in practice will talk on that type of squatting attack method masquerading Trojan package dependency confusion or name squatting and, of course, the.

01:00:07.410 –> 01:00:11.400
Jonathan Sar Shalom: packages hijacking which which we saw a lot in the news recently actually.

01:00:12.990 –> 01:00:22.290
Jonathan Sar Shalom: The first affection method, called the type of squatting so that was squatting is the practice of obtaining or or squatting popular name with a slight typographical error.

01:00:23.160 –> 01:00:33.030
Jonathan Sar Shalom: This practice apply to many different resources such as web pages executable names and also software packages names in our case that we’re that we’re going to talk right now.

01:00:33.690 –> 01:00:44.670
Jonathan Sar Shalom: So let’s take one class classic example that probably everyone knows that buying the domain name google.com instead of the legitimate google.com hoping that users will.

01:00:45.450 –> 01:00:50.670
Jonathan Sar Shalom: Occasionally make typing arrows and originally illegitimate domain, this can.

01:00:51.180 –> 01:01:03.900
Jonathan Sar Shalom: be further be used for any kind of attack payload such as fishing and code injection attacks so so actually in a trend that we’ve seen recently, some maintainer and developers take an active role and actively reserve.

01:01:04.320 –> 01:01:21.300
Jonathan Sar Shalom: type of squatting names for the projects to prevent attackers from taking control of them so regarding to our example with Google Google actually register this domain, specifically the domain google.com and if you browse the global.com you will be referred to google.com.

01:01:22.470 –> 01:01:31.230
Jonathan Sar Shalom: And here, you can see, an example of analysis package that use the type of squatting infection method, this package was detected in a recent research.

01:01:32.160 –> 01:01:38.940
Jonathan Sar Shalom: That we conducted in Jeff of security, so this malicious package name is is employed live.

01:01:39.750 –> 01:01:59.970
Jonathan Sar Shalom: You can see so his his his employer lava and actually the user tried here to install em flatly by simply made a typo error, you can see that even though we made a typo arrow the package simply installed and and it was actually the malicious package that that was installed on his machine.

01:02:01.260 –> 01:02:05.580
Jonathan Sar Shalom: You can see that we have the console here and the package was successfully installed.

01:02:09.570 –> 01:02:19.950
Jonathan Sar Shalom: Beside type of squatting there is an interesting thread of another infection method in which our orders completely duplicate a well known back in the out the authors or the attackers duplicate.

01:02:21.540 –> 01:02:31.800
Jonathan Sar Shalom: Both the Code and the nadir that off of the original project which will they would like to impersonate and then also add some small piece of malicious code to this.

01:02:32.430 –> 01:02:41.160
Jonathan Sar Shalom: To this duplicate essentially building a Trojan package this infection method is similar to the type of squatting reflection Magdalena in a way that.

01:02:41.580 –> 01:02:54.660
Jonathan Sar Shalom: The attackers user names, similar to the legitimate package name, but the difference is that they end to deceive developer through a similarity to delegitimize package, rather than aiming for accidental us.

01:02:55.800 –> 01:03:04.140
Jonathan Sar Shalom: Because of titles, this is an example of the malicious package my ibs which was found in one of our researchers.

01:03:05.220 –> 01:03:13.170
Jonathan Sar Shalom: This is his package actually masquerade a very known package called mark to you can see the name mark J s here so.

01:03:14.010 –> 01:03:20.850
Jonathan Sar Shalom: Maybe it Maybe you can see it already right now, but there is something very strange about this, this package again it’s a very popular package.

01:03:21.210 –> 01:03:37.260
Jonathan Sar Shalom: So you can see that the weekly downloads here are very, very low, and this package is is very known and popular so it looks a little bit weird so let’s take a look on the on the on the comparison of both packages, so you can see that the.

01:03:38.520 –> 01:03:49.440
Jonathan Sar Shalom: malicious packages on the top and legitimate packages on the bottom of course you can see the download rates of them and, and you can see, also, that the original name and metadata of.

01:03:50.340 –> 01:03:55.230
Jonathan Sar Shalom: Mark J s malicious package were copied from the original marks package.

01:03:55.680 –> 01:04:11.100
Jonathan Sar Shalom: Making the it’s very hard to distinguish between the two, so the URL of the rapport is is the same as well as the homepage and and the description, so that makes so hard for for developers to you know, to find the right package, the one that they want to install.

01:04:12.660 –> 01:04:17.250
Jonathan Sar Shalom: So when comparing them malicious package among js code, with the original package mark.

01:04:17.760 –> 01:04:28.260
Jonathan Sar Shalom: We can see that the only difference from the original package is one line in a single file, and this is the longer black than one is Martin black here.

01:04:28.950 –> 01:04:37.230
Jonathan Sar Shalom: You can see that this line does not contain any readable code any realize between other legitimate and read about life, and this is actually the obfuscated.

01:04:37.530 –> 01:04:47.520
Jonathan Sar Shalom: malicious code, which is the only addition to the original legitimate package, making this modified package to be fully functional, but also of course malicious.

01:04:47.880 –> 01:04:55.500
Jonathan Sar Shalom: So it is important to know that, because of this line is buried inside the rest of the package, which contains, as we said a lot of legitimate code.

01:04:56.100 –> 01:05:08.100
Jonathan Sar Shalom: It will be very difficult for for a human being to find this this line this legitimate line is malicious code without automated scanning or or definitive.

01:05:09.870 –> 01:05:19.680
Jonathan Sar Shalom: Another infection matter, this is a Trojan packaging this infection metal the attacker publishes a fully functional library, but also hide the malicious.

01:05:20.820 –> 01:05:37.050
Jonathan Sar Shalom: code in it that the same is that is in the masquerading metal the malicious code is usually smaller obfuscated Therefore, it is hard to detect and differentiate between eight and the legitimate functionality on the package, so this is actually a publishing a real package, but.

01:05:38.190 –> 01:05:47.070
Jonathan Sar Shalom: Putting some malicious code in it, so in this screenshot you can see, an example of readme file of a very interesting Trojan package called lemme.

01:05:47.940 –> 01:05:57.810
Jonathan Sar Shalom: Which is a package that we found in one of our researchers this malicious Trojan package was caught by by our scanners, and then we we.

01:05:58.320 –> 01:06:07.440
Jonathan Sar Shalom: Research that the further and we found that these packages that utility for for rent and hacking discord accounts for stealing this card accounts token.

01:06:08.190 –> 01:06:19.320
Jonathan Sar Shalom: intended for use by malware authors to hack this code account, so this package actually is malicious but the funny thing is that inside this package, there is a code that still the.

01:06:20.550 –> 01:06:33.480
Jonathan Sar Shalom: The tokens that were stolen by attackers and it’s still that from the attacker So if you use this library to steal a discord tokens it will still exist for tokens from you, if you are an issue an attacker or or a malicious.

01:06:35.670 –> 01:06:36.180
Jonathan Sar Shalom: person.

01:06:38.760 –> 01:06:46.800
Jonathan Sar Shalom: So let’s go to the next infection method called dependency confusion, a very popular one that we’ve seen a lot in the in the last year, specifically.

01:06:47.100 –> 01:06:54.300
Jonathan Sar Shalom: It exploits and vulnerabilities in a way that many package managers download dependencies during the build process.

01:06:54.930 –> 01:07:01.230
Jonathan Sar Shalom: So the vulnerability resizing the fact that most package manager, such as beeping and bn do not distinguish between.

01:07:01.770 –> 01:07:06.600
Jonathan Sar Shalom: Internal packages hosted on you know internal companies servers and experiment one.

01:07:07.470 –> 01:07:18.270
Jonathan Sar Shalom: that’s a simple command, such as pip install my package would grab the the package, either from the internal or the public server so in the dependency confusion method, the attacker.

01:07:18.570 –> 01:07:25.770
Jonathan Sar Shalom: uses a specific package name of internal package of a target of you know, like like a very big company want to compromise.

01:07:26.190 –> 01:07:41.730
Jonathan Sar Shalom: and publish malicious package on in turn on an external sorry public repository with this exact name usually the attacker also assign a very high version number two this publish package, making the internal servers to.

01:07:42.540 –> 01:07:50.010
Jonathan Sar Shalom: do think that there is a new version of this internal package on external server so so in this scenario, most.

01:07:50.580 –> 01:07:57.030
Jonathan Sar Shalom: default package managers configuration will prefer to download the external malicious package because of the high version number.

01:07:57.480 –> 01:08:06.600
Jonathan Sar Shalom: And we can see here in the screenshot a nice example from from our research that was published last year by security researcher named Alex barson.

01:08:07.230 –> 01:08:17.280
Jonathan Sar Shalom: What we can see in this dimension is a publicly available package in IP and by the Ai, which is the repository of Python packages, the most popular one.

01:08:17.880 –> 01:08:27.960
Jonathan Sar Shalom: With a name that looks like an internal package of netflix you can see here the MTF Alexia with a very high version and number so so we this attack actually.

01:08:29.370 –> 01:08:43.920
Jonathan Sar Shalom: burson managed to successfully exploit netflix, so there are various as well as also other big companies such as apple Microsoft by by making simply by making their service to download the malicious external package, instead of the legitimate internal one.

01:08:46.110 –> 01:08:53.340
Jonathan Sar Shalom: We go to the last infection method which is package package hijacking again something that we see a lot recently.

01:08:53.850 –> 01:09:05.520
Jonathan Sar Shalom: This metal involves taking over a legitimate known decades and pushing malicious code into it, then what Well, this is not an easy task, it is very effective, because it can take advantage of the popularity of very known.

01:09:06.210 –> 01:09:14.610
Jonathan Sar Shalom: packages for for high infection rate, so the hijacking usually performed by hacking maintainer and developers account or by injecting.

01:09:15.180 –> 01:09:24.630
Jonathan Sar Shalom: He didn’t offer skated malicious code is part of seemingly legitimate code contribution to an open source project, but actually malicious code in it.

01:09:25.530 –> 01:09:36.060
Jonathan Sar Shalom: Several months ago it was detected that few notable legitimated packages were attacking hijacked by taking over them in 10 years account in pushing malicious code.

01:09:37.410 –> 01:09:44.520
Jonathan Sar Shalom: To to the repositories and he will give one example, which is you a power surge as a very popular one.

01:09:45.540 –> 01:09:52.020
Jonathan Sar Shalom: And we can see here that we can see that there is an announcement by the developer of this package, saying that.

01:09:52.350 –> 01:10:04.020
Jonathan Sar Shalom: He believes someone hijacked is packaged and published and malicious version of it this incident, specifically actually made the github to enforce to stop factor authentication for.

01:10:04.590 –> 01:10:12.600
Jonathan Sar Shalom: maintain owners and admins of popular mpm packages, so this is was a very famous.

01:10:13.140 –> 01:10:24.780
Jonathan Sar Shalom: case and they’re also Okay, there are also cases when developers hijack their own projects and intentionally sabotaging them and and we have two very interesting cases here.

01:10:25.620 –> 01:10:33.540
Jonathan Sar Shalom: So so understand that you know package hijacking is not only something by by third party, but also the first part of the maintainer can do it.

01:10:33.990 –> 01:10:50.100
Jonathan Sar Shalom: So first is the publicize the incident of as to mpm packages failure and colors when they’re maintainer intentionally sabotages popular packages I didn’t get an infinite loop to the record which bricked thousands of projects that depends on them just just for the purpose of.

01:10:51.210 –> 01:10:59.220
Jonathan Sar Shalom: protesting against something like corporations that use open source, but do not give back to the Community, so that was the story in this case.

01:10:59.730 –> 01:11:11.400
Jonathan Sar Shalom: And then another more recent incident that happened actually three months months ago developer added the code to his package to the node IDC and package that corrupts.

01:11:12.150 –> 01:11:22.380
Jonathan Sar Shalom: The file system of Russian and Belarussian machine and that was the to protest against the 2022 Russian invasion of Ukraine.

01:11:23.130 –> 01:11:36.450
Jonathan Sar Shalom: When they executed malicious code detected that the machine has an IP address located in Russia or Bella lose the code started to override arbitrary files in the in the machine file system so that was a very famous case than three months ago.

01:11:38.400 –> 01:11:52.260
Jonathan Sar Shalom: i’m still talking on hijacking methods, what about hijacking a software package by registering an expired domain, and this is something that is, it will be related to what I talked about earlier.

01:11:53.850 –> 01:12:06.300
Jonathan Sar Shalom: So, so he we talked about registering the expired domain name of the containers email address, so if we have some expired domain name, of course, the attacker can simply exploit that to.

01:12:07.620 –> 01:12:20.700
Jonathan Sar Shalom: to register this domain and and initiate password recovering and pm, and then, when you open an email address in this domain and maintainer email address, for example here, you can see that we gave.

01:12:22.080 –> 01:12:35.280
Jonathan Sar Shalom: email address in in the in the mdm package configuration there, he will able simply to recover the password and take over the the package so this case is interesting because we saw some cases that there are.

01:12:35.940 –> 01:12:48.090
Jonathan Sar Shalom: Some forgotten user and emails in the maintainer list so if there is one that is new and the other one is a little bit older than the meters forgot about it, so this one actually.

01:12:48.570 –> 01:12:58.530
Jonathan Sar Shalom: can be used for exploitation by attackers we actually published a thorough analysis on this attack method on the mtn ecosystem last month.

01:12:59.010 –> 01:13:17.880
Jonathan Sar Shalom: And we found more than 3000 vulnerable packages with with expired containers email domain names, this is the last trend in malicious package and affection method, and we see rise in those attacks in the in the past, now so so expect to see more of this same there in the near future.

01:13:20.490 –> 01:13:31.200
Jonathan Sar Shalom: Okay, so so now that we presented the infection methods that are used by malicious packages, we can continue to the last phase, which is the payload phase what attackers want to do after a successful.

01:13:32.220 –> 01:13:48.330
Jonathan Sar Shalom: exploitation, so we will present some very common payloads that are executed in malicious packages, those are pretty much similar to to malware then, like other models that you see out there more classic one not not in source code, for example.

01:13:49.500 –> 01:14:05.610
Jonathan Sar Shalom: But, but there are some differences and we will talk about it and mention a few of those we will take a look on sensitive data steers connected back Shell download and execute and, of course, the very popular payload of executing a crypto minor on the victim machine.

01:14:07.620 –> 01:14:15.270
Jonathan Sar Shalom: So you can see here the first one, the first table, which is a sensitive data stealer this is simply for for stealing.

01:14:17.220 –> 01:14:32.730
Jonathan Sar Shalom: credit card or password or any sensitive data from from the user browser So you can see here that this exploit the the auto fail, or the password they save and credentials and and.

01:14:34.230 –> 01:14:45.990
Jonathan Sar Shalom: credit cards storing of web browsers and attackers lie to to to steal that you can see here code small called snippet from from anomalous malicious back end that we found.

01:14:46.500 –> 01:14:58.770
Jonathan Sar Shalom: We try to connect to do chrome database and get all the credit card information from it, and also, at the same the same example in in in edge browser actually and.

01:14:59.130 –> 01:15:03.360
Jonathan Sar Shalom: attacker here tries to get the credentials that are saving edge.

01:15:04.260 –> 01:15:11.490
Jonathan Sar Shalom: Of course, another thing that is interesting, and we see a lot in this in the ceiling, the environment, variables, and this is.

01:15:11.700 –> 01:15:18.900
Jonathan Sar Shalom: Something that is more related to production environments, because most of the time environment variables, we can see some sensitive data, some.

01:15:19.230 –> 01:15:30.420
Jonathan Sar Shalom: credentials, for example, here we can see aws credential secret access keys are kept in environment variables, so this is a very interesting, the target for attackers to take over.

01:15:32.160 –> 01:15:38.670
Jonathan Sar Shalom: um let’s see let’s take a look at another payload example the CONNECT book Shell, this is pretty much normal.

01:15:39.720 –> 01:15:53.790
Jonathan Sar Shalom: Connected with Shell like a reversal, so we have first year to receive the commands to execute send up the execution results to the server even the code snippet you can see from actual malicious package that we found cold hdd.

01:15:54.600 –> 01:16:06.540
Jonathan Sar Shalom: That there is a an execution of the received Shell command stirring here, and then the the results from the execution are encrypted and send you to the attacker and she.

01:16:08.250 –> 01:16:17.670
Jonathan Sar Shalom: um okay let’s take a look on on another, this is the last payload that we’ll talk about that, which is a crypto and minor payload the payload utilizes.

01:16:18.270 –> 01:16:30.480
Jonathan Sar Shalom: The victim system resources for for the mining of cryptocurrency so as you remember, most of the time malicious packages are not using targeted attack, but rather by spreading them to as many victims as possible.

01:16:31.080 –> 01:16:35.190
Jonathan Sar Shalom: When we don’t all the infection mentors that we mentioned earlier, so utilizing.

01:16:35.820 –> 01:16:47.820
Jonathan Sar Shalom: Many system resources for many victims is a good idea for a profitable payload in malicious packages and this one crypto minor is a is a very good one, and you can see here that there is.

01:16:48.240 –> 01:17:03.120
Jonathan Sar Shalom: In the in the payload services from the install script or from the malicious package, we can see that the managers package download that best script and then inside the best way we can see here, there is also downloading and executing.

01:17:04.230 –> 01:17:07.950
Jonathan Sar Shalom: crypto mining called phonics minor, which is actually crypto.

01:17:09.990 –> 01:17:14.100
Jonathan Sar Shalom: crypto currency, so it mines, a cryptocurrency called you big.

01:17:15.180 –> 01:17:20.940
Jonathan Sar Shalom: So here we can see the execution, so this is very popular payload in malicious packages.

01:17:21.630 –> 01:17:32.970
Jonathan Sar Shalom: Okay, so after we talked about the infection that those and the payloads that are used let’s talk now about you know, defending against it, detecting malicious packages, how we can as developers or security.

01:17:34.620 –> 01:17:50.220
Jonathan Sar Shalom: Researchers can detect and avoid malicious packages so so the general idea let’s let’s take with detecting unknown malicious packages, we will we will also talk about unknown but let’s start with detecting unknown malicious packages, those are ones that are already.

01:17:51.240 –> 01:17:58.440
Jonathan Sar Shalom: disclosed and there is public information on them, so what we want to do is essentially the thing that we do most of the time when we.

01:17:59.880 –> 01:18:02.250
Jonathan Sar Shalom: The same process that we do for.

01:18:04.080 –> 01:18:13.740
Jonathan Sar Shalom: For for detecting vulnerability so first of all, is scanning the project dependencies detecting the install software and versions, based on it and creating software a bill of material.

01:18:14.970 –> 01:18:22.800
Jonathan Sar Shalom: Then fetching security information from public repositories and ask them if I have you know malicious package X inversion why.

01:18:23.130 –> 01:18:34.590
Jonathan Sar Shalom: Is it malicious, but the problem is that many repositories don’t say historical data actually and they were here, we give example on the IP and then vm on IP malicious packages are are.

01:18:35.490 –> 01:18:39.630
Jonathan Sar Shalom: are being removed actually from the repository when the actors malicious.

01:18:40.050 –> 01:18:51.600
Jonathan Sar Shalom: leaving no way to tell if a package or specific version of it was detected as malicious sometime in the past and it mpm malicious packages or replaced with dummy code, you can see here this.

01:18:52.230 –> 01:19:07.470
Jonathan Sar Shalom: This readme here which actually says that it’s a security holding package, but the thing is that that this is good from from one side, but for the other side is not useful to track specific malicious versions of packages because they’re simply being removed.

01:19:08.700 –> 01:19:09.150
Jonathan Sar Shalom: So.

01:19:11.370 –> 01:19:22.110
Jonathan Sar Shalom: This, this is what another another challenge, and if you want to know if you want to rely on this data, even if you want, then then using some open source or some external.

01:19:23.460 –> 01:19:33.330
Jonathan Sar Shalom: Security auditing tools, this is actually not not not enough because, for example, mpm audit, which is the the tool for detecting mtn vulnerabilities.

01:19:33.750 –> 01:19:40.650
Jonathan Sar Shalom: We can see here that was scanned our project that contains this malicious package called colors are the ones that is here.

01:19:41.160 –> 01:19:55.110
Jonathan Sar Shalom: and actually found zero vulnerabilities so, so this is, this is a problem, because this is a malicious package and the reason that it doesn’t work because mpm or they simply support only vulnerabilities and not malicious packages detection.

01:19:56.430 –> 01:19:58.890
Jonathan Sar Shalom: So, so what what is that what is the solution.

01:20:00.420 –> 01:20:07.320
Jonathan Sar Shalom: The solution here is simply to use a software composition analysis tool that have the ability to detect.

01:20:08.100 –> 01:20:17.880
Jonathan Sar Shalom: malicious packages so because all of this, difficulties and because performing this process we just described in scale as part of the software development lifecycle.

01:20:18.450 –> 01:20:21.810
Jonathan Sar Shalom: In your project that we need to automate the process by using.

01:20:22.530 –> 01:20:32.610
Jonathan Sar Shalom: static composition analysis tool and we went we need one that collection store malicious packages names and actually have the ability to detect malicious packages.

01:20:33.360 –> 01:20:41.910
Jonathan Sar Shalom: So here we can show examples from our product Jay for the X Ray and he, we can see a detection of unknown malicious that package.

01:20:42.330 –> 01:20:55.050
Jonathan Sar Shalom: So let’s quickly we don’t have a lot of time let’s quickly jump to detecting unknown malicious packages so generally the idea here is to create some heuristics and scan the popular repositories the external repositories.

01:20:55.590 –> 01:21:04.230
Jonathan Sar Shalom: for finding new unknown malicious packages, this is something that we do in Jeff of security, every day, actually, we have an automation that.

01:21:04.800 –> 01:21:06.810
Jonathan Sar Shalom: That straight to scan and detect.

01:21:07.440 –> 01:21:19.290
Jonathan Sar Shalom: This kind of activity so actually you can scan for any kind of activity, you can scan in any kind any phase of the attack the infection methods, the payload phase and also some obfuscation to connect so let’s take one example.

01:21:20.100 –> 01:21:38.190
Jonathan Sar Shalom: For example, in type of squatting you can simply search for similarity between name, so if we have a very popular package, we can we can simply try to find other names that looks like this package that are closed and similar to this name and alert on new publish their packages that are.

01:21:39.270 –> 01:21:49.500
Jonathan Sar Shalom: Similar to very popular one in the payloads detector let’s take one one example download and execute, for instance, or we can simply analyze source code of.

01:21:51.570 –> 01:22:06.300
Jonathan Sar Shalom: Third party libraries of open source libraries in mtn by API or any external repository and actually find patterns of downloading and executing binary so we can try to find the you know some functions that.

01:22:07.590 –> 01:22:10.020
Jonathan Sar Shalom: john downloading binaries and followed by.

01:22:11.550 –> 01:22:16.110
Jonathan Sar Shalom: executing them, so this is one example for payload detective so we have we have.

01:22:16.650 –> 01:22:25.170
Jonathan Sar Shalom: This list of course this is just you know for for the general idea of what what we do with what can be done, you can come with with other ideas.

01:22:26.160 –> 01:22:32.130
Jonathan Sar Shalom: First, if you’re interested in hunting unknown malicious packages, this is the approach that we developed.

01:22:32.910 –> 01:22:37.560
Jonathan Sar Shalom: best practices for secure development and essentially you want to defend against.

01:22:38.190 –> 01:22:49.590
Jonathan Sar Shalom: Those kinds of threats, so, as we said, the most important thing is to use a software composition analysis to define policies based on that, so we want to, for example, break the build if we find a malicious package.

01:22:49.980 –> 01:22:59.400
Jonathan Sar Shalom: And there are some other useful practices, you can read them in in in our blog and actually in mpm those are for.

01:23:01.230 –> 01:23:06.090
Jonathan Sar Shalom: Building system to exclude remote repositories for DEMO packages for the dependency confusion.

01:23:06.510 –> 01:23:15.390
Jonathan Sar Shalom: attack and we also want to mention just one minute about the new project that J frog announced one month ago called the person.

01:23:15.780 –> 01:23:26.460
Jonathan Sar Shalom: And this is a new open source initiating for creating secure distributed peer to peer packages repository for provide for providing integrity of software components, this is.

01:23:26.730 –> 01:23:43.680
Jonathan Sar Shalom: What we want to do to deal with the with the software supply chain problem, the project uses blockchain technology to establish our chain of provenance for open source components, so you can read more in depth on on on this website have a bad person.

01:23:45.270 –> 01:23:52.920
Jonathan Sar Shalom: We also would like to encourage the use of open source tools that can help you to deal with them malicious packages and prevent them from infecting your project.

01:23:53.250 –> 01:24:04.350
Jonathan Sar Shalom: Some of them are ours, some of them are from third parties, but, but all of them are very practical and helpful we don’t have time to go on each and every one of them, but you can take that from Madison slide later.

01:24:06.600 –> 01:24:07.020
Jonathan Sar Shalom: So.

01:24:07.050 –> 01:24:07.560
Jonathan Sar Shalom: Jonathan.

01:24:07.830 –> 01:24:10.710
Kobi Levi: Yes, sorry for interrupting you need to wrap it up.

01:24:10.770 –> 01:24:11.880
Jonathan Sar Shalom: So yeah that’s.

01:24:11.880 –> 01:24:13.470
Jonathan Sar Shalom: that’s the last slide so.

01:24:14.520 –> 01:24:15.810
Jonathan Sar Shalom: Opening for a question.

01:24:16.410 –> 01:24:21.450
Kobi Levi: Right so yeah tree a question in the q&a if we can quickly answer them, it would be great.

01:24:21.960 –> 01:24:22.380

01:24:23.490 –> 01:24:27.690
Jonathan Sar Shalom: So, with what source and emasculating entering our.

01:24:29.070 –> 01:24:35.970
Jonathan Sar Shalom: packages so i’m not sure what what is a source here, but you know when when there is this kind of.

01:24:37.110 –> 01:24:38.880
Jonathan Sar Shalom: Attack it’s actually.

01:24:41.640 –> 01:24:48.690
Jonathan Sar Shalom: You know, there is, there is the the place when the package is published and there is malicious.

01:24:49.290 –> 01:25:06.390
Jonathan Sar Shalom: Code into it, so the sources actually and different package and that the try to you know look like another very popular package and, if it is installed by the developer it’s simply in the developer machine so not sure if that answers the correct great.

01:25:07.710 –> 01:25:15.690
Jonathan Sar Shalom: What about different security controls that you implement on tp ends before incorporating them into your product i’m not sure this is a.

01:25:16.110 –> 01:25:34.560
Jonathan Sar Shalom: This is a relevant for my presentation so maybe someone else will try to answer that are there any different controls between binary packages and the source code that you include yeah I guess that you know we think we try in the in the recent year to to.

01:25:35.940 –> 01:25:47.640
Jonathan Sar Shalom: shift left like going to the developer machine and scan those threads in the source code in the ID of the developer, so not just by scanning the binary, which is what what J frog.

01:25:49.230 –> 01:25:59.040
Jonathan Sar Shalom: Does the best we can also you know scan in very early stage of development in the in the developer machine for those kind of activities.

01:26:00.330 –> 01:26:00.990
Jonathan Sar Shalom: that’s all right.

01:26:03.030 –> 01:26:07.260
Kobi Levi: A yes thanks a lot Jonathan it was very much for.

01:26:08.010 –> 01:26:20.070
Kobi Levi: The next one will be pleasure next one will be a, we could save it will a whale is an author of a antivirus bypass the techniques book.

01:26:20.730 –> 01:26:31.830
Kobi Levi: Experience security researcher who lives, both on the offensive and defensive France is a passionate about malware research and red teaming while providing real world security solutions.

01:26:32.370 –> 01:26:51.870
Kobi Levi: Contributing through creating content on YouTube and writing blogs, while also leading the best advisory red team leading various courses and mentoring people, both on the offensive and defensive front and more so thank you a janitor know real estate is yours.

01:26:53.040 –> 01:27:02.550
Uriel Kosayev: Thank you very much guys, so thank you very much, Jonathan for a great presentation, thank you for presenting me it’s a great honor for me so that you just shared screen.

01:27:04.320 –> 01:27:06.120
Uriel Kosayev: yeah this one.

01:27:07.830 –> 01:27:14.250
Uriel Kosayev: it’s quoted here slightly Can you see the presentation, can you hear me, can you hear me everything’s fine.

01:27:16.800 –> 01:27:17.730
Kobi Levi: Yes, we can you.

01:27:17.940 –> 01:27:32.700
Uriel Kosayev: Yes, amazing, thank you very much, so thank you for coming for presenting me it’s an honor for me to be in this in this meetup so with the help of God let’s start so today we’re going to talk about writing and supply chain.

01:27:34.080 –> 01:27:43.860
Uriel Kosayev: So it’s gonna be present me, and it was real Messiah the founder of malware analysis code website, which provides the Community with our analysis and research.

01:27:44.340 –> 01:28:02.100
Uriel Kosayev: Resources also the outgrow the antivirus bypass techniques book, which presents how to research and find detections flaws and vulnerabilities in antivirus and ED ours and, of course, how to improve the controls the security controls on diversity drs.

01:28:03.210 –> 01:28:08.880
Uriel Kosayev: Also, directing tech leader in a company named ABM bed, which is the largest beer company in the world, basically.

01:28:10.080 –> 01:28:13.290
Uriel Kosayev: And yet, so this is basically.

01:28:14.640 –> 01:28:26.670
Uriel Kosayev: about me so basically the three guiding things that they want to start with the presentation, or the end presentation is first of all ask the hard questions.

01:28:27.990 –> 01:28:29.430
Uriel Kosayev: wrecking your supply chain.

01:28:30.450 –> 01:28:42.780
Uriel Kosayev: In order to understand your supply chain so basically Jonathan and others already talked greatly about supply chain and what it is and how it can be leveraged by attackers.

01:28:43.170 –> 01:28:57.690
Uriel Kosayev: I will present it from directing perspective, how we can as a red teamers understand the threat or the threat level on a business or in the company and how it can actually simulate threat actors.

01:28:58.320 –> 01:29:03.720
Uriel Kosayev: That actually mentioned the threats to this specific business and related to the supply chain.

01:29:05.340 –> 01:29:18.120
Uriel Kosayev: So, first of all, before going to supply chain attacks and also have a very simple and straightforward DEMO to present what is already being all about because it’s like a lot of buzz around it and a lot of stuff.

01:29:19.890 –> 01:29:30.780
Uriel Kosayev: So, first of all, reading is not about achieving that the we’re doing it okay so like a lot of people being yeah you know you have read them it’s an unconstrained that.

01:29:31.380 –> 01:29:48.450
Uriel Kosayev: An iteration desta can call it, and the basically the target or the goal is to achieve a domain admin, so this is not the case, raping is actually about simulating real world threats Okay, so what the heck is real or threat let’s explain.

01:29:49.950 –> 01:29:57.570
Uriel Kosayev: So readings purpose is to provide real world picture of business related threats, basically, you want to.

01:29:58.080 –> 01:30:14.220
Uriel Kosayev: present the business or the organization here you go, this is the threats you’re facing this is the problems you can have, and this is the things or the scenarios that we need to simulate in order to evaluate the risks that you have as a business, and of course to do it practically.

01:30:15.990 –> 01:30:32.550
Uriel Kosayev: Writing act like the adversary based on on accurate threat intelligence, and this is one of the things that I want to elaborate here real reading is based on great reconnaissance and great threat intelligence so talk about it more next slide.

01:30:33.570 –> 01:30:52.470
Uriel Kosayev: Reading simulate potential threat actors and DPS basically whereas regiments need to know and understand what kind of tactics techniques and procedures or the bees are relevant to simulate on our business, for example, if i’m if i’m a big company which.

01:30:53.880 –> 01:31:06.060
Uriel Kosayev: which has a lot of resources and cloud and use of office related products, for example, maybe the best for me is to simulate group, like lapses.

01:31:06.600 –> 01:31:16.260
Uriel Kosayev: Okay, which is kind of funny I liked a lot of guys like laughing at them they’re just a bunch of 16 years old they’re doing a bunch of stuff but.

01:31:16.980 –> 01:31:27.870
Uriel Kosayev: As a reminder, they actually hacked Microsoft and open other big companies just with simple stuff like finding passwords bank passwords or using an insider threat.

01:31:28.350 –> 01:31:38.070
Uriel Kosayev: to buy from them some kind of access, whether through a remote access our utility or to the password it has three is it a jury instance, or whether.

01:31:39.570 –> 01:31:46.560
Uriel Kosayev: records purpose is to help the organization grow its security posture and not like you know mark the blue team or say.

01:31:47.040 –> 01:31:55.890
Uriel Kosayev: you’re an upgrade as as you need to be or you need to be a better incident response, but we as a red teamers has have the you know, the goal.

01:31:56.220 –> 01:32:06.990
Uriel Kosayev: And the responsibility to make organization better and their security and also help other teams to become better in detecting us and eventually detecting the bad guys.

01:32:08.820 –> 01:32:19.740
Uriel Kosayev: So let’s like understand the base Okay, the essence of reading it’s called dynamic thinking okay so what’s what’s up during the thing.

01:32:20.580 –> 01:32:30.360
Uriel Kosayev: So alternative thinking or actually red teaming is the capability, or the way of thinking, which will help you to solve complex problems in the cyber security world.

01:32:30.960 –> 01:32:42.000
Uriel Kosayev: Reading thinking will help you to determine business technology problems and will help you to provide possible alternatives and applicable security solutions, so this is why why the reason.

01:32:43.200 –> 01:32:59.850
Uriel Kosayev: i’m using the scholars, because as a red team, I take and and like simulating a specific threat after finding problems and then i’m providing all this data and all the stuff that learned about the security on the organization and help the blue team to.

01:33:01.200 –> 01:33:09.270
Uriel Kosayev: be better basically okay will not talk about how to do it because it’s a you know it’s a thing of its own, but let’s continue.

01:33:11.040 –> 01:33:14.970
Uriel Kosayev: Okay, so where can readings and alternative thinking help.

01:33:17.820 –> 01:33:28.080
Uriel Kosayev: So the way we can help as red teamers is the challenging the way things are working with an organization not like Okay, so we have this kind of security protocol.

01:33:28.440 –> 01:33:42.330
Uriel Kosayev: Or we use using DNS SEC on our DNS servers or we do we use the best a Dr solution other than there is no such thing, of course, there is no best er because everyone has its own vulnerabilities and problems.

01:33:43.620 –> 01:33:56.190
Uriel Kosayev: But rather ask what is the culture of the organization Okay, so one of the biggest problems of organization today is like the security awareness of employees.

01:33:56.640 –> 01:34:07.560
Uriel Kosayev: Because you can go like, finally password, for example, to an employee or whatever, in whatever weight and you can try to log in and you go, you have MFA multi factor authentication.

01:34:08.160 –> 01:34:19.050
Uriel Kosayev: But there were a lot, a lot of funds for my experience we’re just bombarded this guy or this person with a lot of MFA requests and eventually he accepted.

01:34:20.700 –> 01:34:35.760
Uriel Kosayev: And here we are, we are inside and from there, you know it’s a we mostly so it’s not only about the technology it’s about the way of how people are thinking and how they operate in their daily basis.

01:34:37.170 –> 01:34:45.060
Uriel Kosayev: Also, as a red teamers were mapping the ways that at the various series like the brackets, the real medalists can get initial largest organization.

01:34:46.380 –> 01:34:56.190
Uriel Kosayev: So this point explains like we need to understand which of our assets are exposed to the public exposed to the outside world.

01:34:56.790 –> 01:35:03.240
Uriel Kosayev: We need to map them and after we met them understand the risk they impose on our organization.

01:35:03.930 –> 01:35:15.420
Uriel Kosayev: And, of course, helping to mitigate them with the relevant beans like go and literally sit with the blue things or do a purple thing or whatever, whatever name or or color you want to use.

01:35:15.960 –> 01:35:25.020
Uriel Kosayev: and explain them the problem and literally try to put yourself in their own shoes like try to think as a defender.

01:35:25.350 –> 01:35:33.990
Uriel Kosayev: For once and for the different, I will say the opposite try to think as an attacker because a great that there is one that understand the defender side and the opposite is true.

01:35:36.270 –> 01:35:45.270
Uriel Kosayev: Everything it in blue things to get better by educating them not only how to implement the gorgeous and process better but also giving them the ways of.

01:35:45.660 –> 01:35:53.730
Uriel Kosayev: Thinking to challenge themselves like literally give them the way of thinking, how to think of their anatomy how to sit for the truth, how to ask the.

01:35:54.540 –> 01:36:04.380
Uriel Kosayev: hard questions and I call it actually a context switch thinking, for example, when I want to bypass ADR i’m thinking okay.

01:36:05.250 –> 01:36:12.570
Uriel Kosayev: I want to execute a reversal or I want to do an lcs down for meds now how can I bypass the do so, I tried and.

01:36:13.170 –> 01:36:26.340
Uriel Kosayev: tested do leave gathering understand what kind of process thread yeah the other and eventually I go and Okay, I try to understand if I were a detection engineer or a defender, how would I detected.

01:36:26.820 –> 01:36:35.490
Uriel Kosayev: And after that I switch my thinking into how to bypass the same detection and it goes on and on.

01:36:37.440 –> 01:36:47.880
Uriel Kosayev: And, of course, the fact that we need to help the blue teams and doesn’t make us better than them Okay, but gives us more responsibility.

01:36:49.890 –> 01:36:52.140
Uriel Kosayev: So required skills for ethics.

01:36:54.120 –> 01:36:56.790
Uriel Kosayev: If you want to join us, you can join avian.

01:36:57.810 –> 01:37:19.140
Uriel Kosayev: First of all, great in and out of the box thinking things like a cycle, but think like a person that want to gain money think like an ATT group that one to wreck havoc on a company take like a an adversary that tries to like do an espionage think differently think like a psychopath.

01:37:20.820 –> 01:37:29.940
Uriel Kosayev: Collaborative and team player mindset, this is the second thing that you need to have because it’s like it’s actually a red team, not the right person that goes and.

01:37:30.510 –> 01:37:34.650
Uriel Kosayev: You know gets a domain admin but actually read things you need to be a team player.

01:37:35.460 –> 01:37:49.890
Uriel Kosayev: good idea networking knowledge also basic thing today a lot of times people try to go, and I want to do, cyber and cyber insider, but you have the basics of the you know the fundamentals, you know how the protocol works know how.

01:37:51.480 –> 01:38:05.190
Uriel Kosayev: Our specific things and and works and operating system how computers are communicating with each other, of course, each understanding has its own level of understanding and it goes much, much deeper.

01:38:07.560 –> 01:38:13.740
Uriel Kosayev: security architecture planning and analysis, if someone has this you know this ability or this you know.

01:38:14.340 –> 01:38:23.760
Uriel Kosayev: experiences can be amazing because it can help blueprints to plan better their security on this one of my favorite ones malware research and coding skills.

01:38:24.210 –> 01:38:33.810
Uriel Kosayev: And you say what the hell away everything will need a malware researcher building skills yeah you go you take home what strength or medicine or.

01:38:34.440 –> 01:38:40.560
Uriel Kosayev: All of this, all of the of the shelf tools, as you type some comments or use the some fancy boy at.

01:38:41.220 –> 01:38:48.630
Uriel Kosayev: Your regimen bullshit it’s not a regimen read them a great reader knows how to take out of the box and also to provide.

01:38:49.020 –> 01:38:58.590
Uriel Kosayev: and understand the technical aspects Okay, and this is one of the things I want to say you don’t need to actually do more analysis read rumor.

01:38:58.770 –> 01:39:09.120
Uriel Kosayev: But if you have this ability in the team not not all of the team Members need to know how to do our research, but if you know how to do mallory So if you can learn, for example, about.

01:39:09.420 –> 01:39:26.280
Uriel Kosayev: malware over, for example, County the ransomware county and you can reduce lemon in your own simulations on your own networks, and in that way you can understand how much we prepared against company.

01:39:27.750 –> 01:39:39.240
Uriel Kosayev: And of course coding skills for automation and stuff like this report, writing and presentation skills will need to explain a understanding of what versus 30 copies like literally go to attack mater and start to play with things.

01:39:40.980 –> 01:39:46.830
Uriel Kosayev: Okay, so red beams and synergy with other things so reading is not like a no it’s Lambda.

01:39:47.580 –> 01:39:57.270
Uriel Kosayev: it’s live to be a symbiotic thing which helps each other and and, for example, you have one guy that good than malware analysis coding, one day, that is an actual operator that knows how to do stuff.

01:39:57.930 –> 01:40:15.960
Uriel Kosayev: And it’s like a symbiotic they teach each other okay so synergy with other things, so a real adversary simulation not this mumbo jumbo cyber stuff like we’re doing readings, but it’s actually a penetration this Okay, there is a huge difference between penetration test and read.

01:40:18.270 –> 01:40:28.440
Uriel Kosayev: The combination over rating and a threat intelligence equals 10 adversaries in relation to an actual actual anniversary relation because.

01:40:28.710 –> 01:40:42.660
Uriel Kosayev: You need the tribe intelligence, you need the information, for example, it is a threat intelligence, I want to go and understand what sector my business is working, what kind of threats and threat actors are targeting my business and.

01:40:43.230 –> 01:40:49.860
Uriel Kosayev: and afterwards I will take all this information and provide directing a ready what’s up yeah are you doing.

01:40:51.090 –> 01:40:59.430
Uriel Kosayev: These are the actors that you need to simulate because they’re targeting our or potentially can target our company so go and simulators.

01:40:59.790 –> 01:41:08.280
Uriel Kosayev: In this way, in that way, of course, it for the ratings decision on what which tools and techniques to use everything else.

01:41:09.150 –> 01:41:22.320
Uriel Kosayev: Okay, so you finished with your adversary simulation blah blah blah which you’re writing and you get this fancy report this fat while report with the devil in this blah blah blah and.

01:41:22.920 –> 01:41:35.520
Uriel Kosayev: Okay So what do you do, what do you do so, go and cooperate to the things Okay, of course, it can take a lot of time like resources, not all organizations prefer to search corporations or a way of work, I don’t know.

01:41:36.540 –> 01:41:46.530
Uriel Kosayev: But if you take and research simulation team already and and and say for the blue team, you get what’s it called purple team, or I should call it better security monitoring.

01:41:47.010 –> 01:42:01.230
Uriel Kosayev: Okay, for example, I found that I can bypass any Dr I don’t know I can do meds down for the domain control Okay, so what how it can detect it Okay, maybe let’s try and sit and you know right the detection.

01:42:02.070 –> 01:42:09.750
Uriel Kosayev: Logic for it, if you have an empty vs exit for, for example, process, running from seeing your power shell.

01:42:10.440 –> 01:42:22.350
Uriel Kosayev: Something not right or make so Okay, so this is from the detection perspective now i’m switching to a rating now I say okay if you’re dictating this as from a cmt or from power shell.

01:42:23.040 –> 01:42:34.800
Uriel Kosayev: So how can I bypass it, so I can execute meds not from simple form a powerful can detach it from experiment Okay, I have a have a lot of ideas that get a giggle four hours on it.

01:42:35.640 –> 01:42:47.970
Uriel Kosayev: And how can I do detection, for it for this bypass and goes on and on it’s only about the hours, but your mail gateways and firewalls and lot of other stuff they so.

01:42:49.080 –> 01:42:57.810
Uriel Kosayev: That, of course, you need to have fun, because if you’re if you want to do something good, you need to do it with with farm with passion.

01:42:59.160 –> 01:43:00.300
Uriel Kosayev: And that’s it.

01:43:01.530 –> 01:43:15.780
Uriel Kosayev: So where do we meet like reading and as dlc okay so security software development lifecycle I think Jonathan and others are already spoken about it, so no need to go too much too much details but, for example.

01:43:17.520 –> 01:43:19.440
Uriel Kosayev: I found a bug in some.

01:43:21.420 –> 01:43:29.220
Uriel Kosayev: automation rumble core which led me to execute some partial command on shore or I found some code repository.

01:43:29.850 –> 01:43:37.380
Uriel Kosayev: You know, with the which is exposed to the public and I found as I read the more I found it so we can go to developers hey my man, how are you.

01:43:38.070 –> 01:43:48.120
Uriel Kosayev: Can you please close it to make it private yeah Okay, maybe we’ll find another vulnerability Okay, so you know exploited some csrs for school injection or whatever.

01:43:48.780 –> 01:43:56.640
Uriel Kosayev: or some remote code execution, so can can we actually close it Okay, can we operate with the application security thing with the objective.

01:43:57.090 –> 01:44:16.290
Uriel Kosayev: yeah, of course, why not how we can not only prevent this attack or you know fix the vulnerability, but how we can also monitor it with the blue team, how you can monitor for access loves you know, a for code changes and pipelines like Jenkins and stuff like this.

01:44:17.370 –> 01:44:31.620
Uriel Kosayev: How can do it so directing will provide the posture the current position or the current security posture and afterwards it go test it automated fix stuff and of course monitor stuff.

01:44:32.730 –> 01:44:34.710
Uriel Kosayev: This word record can help.

01:44:36.270 –> 01:44:37.800
Uriel Kosayev: Okay, so basically.

01:44:39.270 –> 01:44:47.730
Uriel Kosayev: We got through to miss will be here in our supply chain meetup so when you’re doing kind of understand how to read them like a related to supply.

01:44:48.960 –> 01:45:02.100
Uriel Kosayev: So again, great presentation, but Jonathan you already presented some stuff that can be somehow related, for example, if i’m as a decorative find some supply chain, like a baby or some you know.

01:45:03.000 –> 01:45:10.950
Uriel Kosayev: repository or C or package management system and can infect X, I can mastery, then I can change them like an apple new packages to make.

01:45:11.280 –> 01:45:22.230
Uriel Kosayev: Users of those packages to be infected, but this is one case, I want to talk about a different scenario I want to talk about solo in sexual experience or add but from a different approach.

01:45:22.890 –> 01:45:34.890
Uriel Kosayev: Okay, so i’ll do a quick recap, of what this all means ran and what actually happened, or what supposedly happened because nobody actually knows what happened yet.

01:45:37.980 –> 01:45:39.720
Uriel Kosayev: So yeah so basically.

01:45:41.580 –> 01:45:44.430
Uriel Kosayev: let’s talk about first of all.

01:45:45.600 –> 01:45:55.860
Uriel Kosayev: Like as from the reading perspective let’s first of all talk about how we can actually attack from like external assets and then we’ll talk about stories.

01:45:56.190 –> 01:46:06.240
Uriel Kosayev: So basically when you do a reading, you can start to do recon on basically developers QA devops you can try to get their passwords.

01:46:06.540 –> 01:46:15.450
Uriel Kosayev: or gifts so, for example, I found a geek lab instance or a Gita now I can try to target developers QA devops or whatever, maybe I trade, I can try to download.

01:46:15.690 –> 01:46:24.840
Uriel Kosayev: Give a public github repositories and or B or B, the bucket, for example, and do deep leaks search to find some secrets or bathrooms or whatever.

01:46:25.650 –> 01:46:39.360
Uriel Kosayev: And byproducts, of course, so after I did my reconnaissance I go into the credential access okay so basically I can go to public schools credential fishing at that on those developers or devops engineers.

01:46:40.530 –> 01:46:53.280
Uriel Kosayev: After i’m inside the computer I can try and steal the cookies or do some sessions dealing and access the repo this specific developer, for example, I know that in from 8am to 12pm.

01:46:53.610 –> 01:47:05.220
Uriel Kosayev: He works on get up, I can you know go have just computer sound, of course, and still at school keys but yeah you have MFA everything will protect you know everyone not protected, because if you have the cookie.

01:47:05.940 –> 01:47:19.560
Uriel Kosayev: And you literally dumped it from the from the memory and injected to your own attacker website their browser excuse me, you can refresh the page and here we go your bike is the the nfl we’re inside now okay.

01:47:21.420 –> 01:47:25.080
Uriel Kosayev: So after we are inside a computer have a developer, or some.

01:47:25.590 –> 01:47:37.620
Uriel Kosayev: are, for example, pipeline product or github or something like this we started with situational situational awareness with try to understand what kind of permissions where what kind of controls, what do we have.

01:47:38.610 –> 01:47:50.940
Uriel Kosayev: and basically from there, we try to discover the code injection or comic entry point basically and from there injured or panel which is basically what happened in solar winds, so we will do it fast.

01:47:51.480 –> 01:48:01.470
Uriel Kosayev: So short store recap of solomon’s around which is basically you know, implemented and deployed on a lot of organizations to want it or and do some it management and some security stuff.

01:48:02.610 –> 01:48:11.970
Uriel Kosayev: The stories, which basically supply chain, and there are lots of solar winds clients were affected more than 3000 organizations, if not more suspected nations, they packers that.

01:48:12.270 –> 01:48:16.800
Uriel Kosayev: has no value Russian based the implement burglaries referred as sunburst.

01:48:17.640 –> 01:48:30.960
Uriel Kosayev: The and there is another web show, I will not talk about it, and it is estimated that actual insightful at least a year before detected, so they actually learned from where we inject their malicious payload where is the entry point.

01:48:32.070 –> 01:48:38.700
Uriel Kosayev: Okay, so go true facts, basically, what the cold dead is to basically.

01:48:39.570 –> 01:48:53.250
Uriel Kosayev: executed under the business layer host dll, which is the dll, which is actually deployed on the solids around server in the client side, after the code was inject to the github repository from where the code was.

01:48:54.120 –> 01:49:00.450
Uriel Kosayev: You know, a compiled and download it as an update for the effective or ineffective clients.

01:49:01.290 –> 01:49:11.610
Uriel Kosayev: Basically, then it goes and generate some do some dga domain generation algorithms random do some random The sub domain creation and then.

01:49:12.000 –> 01:49:20.520
Uriel Kosayev: do some situational awareness gets the basically formation of the computer the domain, the IP and stuff like this builds a configuration file and.

01:49:21.480 –> 01:49:40.140
Uriel Kosayev: sends it to the sea to France to proceed the server and even the sequel server like likes like the organization in the deck it will go and download another payload, which is a different one, so we got to the DEMO point, let me just share it here quickly.

01:49:41.730 –> 01:49:43.230
Uriel Kosayev: switch my screens.

01:49:46.230 –> 01:49:53.400
Uriel Kosayev: yeah I think it’s right and go for the this guy Okay, can you see the video.

01:49:54.870 –> 01:49:56.130
Kobi Levi: Yes, we can see it.

01:49:56.670 –> 01:49:59.280
Uriel Kosayev: amazing so Basically, we can see here.

01:50:00.510 –> 01:50:06.840
Uriel Kosayev: We loaded the dll file the beat the legitimate dll file with inserted or injected malicious code.

01:50:07.620 –> 01:50:26.160
Uriel Kosayev: into to we basically be compiled it using a.net the composer named DNS spike okay it’s like an either pro for.net basically like the C sharp stuff like this would go into the dll itself and basically now i’m going to.

01:50:27.510 –> 01:50:35.970
Uriel Kosayev: go through the functions that the malicious function actually starts the entry point of the malicious function it’s under.

01:50:36.720 –> 01:50:44.100
Uriel Kosayev: Basically orion improvement business layer blah blah blah tomato which under this metal do this function called initialize.

01:50:44.610 –> 01:50:53.310
Uriel Kosayev: The initials function will go and buy this hash, as you can see here it’s an FN V blah blah ash, which will be compared to the.

01:50:53.700 –> 01:51:05.550
Uriel Kosayev: owner or parent process of solar winds orion and in basically checks that actually execute from the original solar winds process they’re not under a malware sandbox or something like this okay.

01:51:06.240 –> 01:51:17.340
Uriel Kosayev: After this, it will check how much time it’s actually executed between 12 and 14 days, I think, then it will go and check order.

01:51:17.970 –> 01:51:33.000
Uriel Kosayev: There were an array the execution like a kind of like an engraving a mute X, but it will read the report status on the config file it builds for the sequel server and here if of course if all of those functions are.

01:51:34.350 –> 01:51:50.910
Uriel Kosayev: Basically false So it goes for the update function and the function will track for process, it will check whether you have some security product antivirus your some you know you know malware analysis tools and stuff like this.

01:51:53.130 –> 01:52:03.210
Uriel Kosayev: Of course, are doing very straightforward it’s a very interesting go it gets the address family whether it’s ipv4 or ipv6 takes all the interface information.

01:52:04.260 –> 01:52:16.650
Uriel Kosayev: rights, of course, the report or the config file will be sent to the cto and of course it will go and check other stuff like the domain name of the compromised a solar winds are server.

01:52:18.030 –> 01:52:23.970
Uriel Kosayev: It will check other stuff based on our be 64 encoding basically it will check.

01:52:26.100 –> 01:52:37.020
Uriel Kosayev: It will check process and other services installed on your computer and the last thing, basically, I will now show you where that is the actually entry point color.

01:52:37.560 –> 01:52:49.170
Uriel Kosayev: which they actually understood, because they analyze lab of like they analyze this code and they needed to decide where is the actual entry point that they need in order for the.

01:52:49.650 –> 01:53:01.230
Uriel Kosayev: initialized malicious function to always be executed, while the malicious code is deployed on the client side Okay, so if I go I do a back trace functions here I go.

01:53:01.860 –> 01:53:11.280
Uriel Kosayev: do some back trace, basically, and you can see that the start function calls the refresh, which was the refresh interval and goes on.

01:53:11.820 –> 01:53:31.410
Uriel Kosayev: So basically, this is the execution function kill chain that goes on and on till it gets and calls the actual malicious function so it’s I can say it’s genius basically um, let me just showing in the screen of the presentation right.

01:53:32.550 –> 01:53:33.150
Uriel Kosayev: We clear.

01:53:36.510 –> 01:53:46.410
Uriel Kosayev: So some less towards what we can do about it Okay, so we can do practice called security analysis manual automated con analysis with well do commit school.

01:53:46.980 –> 01:54:01.800
Uriel Kosayev: And stuff like this another manual and automated review before client updates release and in the writing style social publicly exposed reports and assets of third parties, if possible, of course, and if it’s like you know find by the companies are doing this for them.

01:54:03.150 –> 01:54:07.320
Uriel Kosayev: So again, as our questions regular supply chain understand your supply chain.

01:54:09.540 –> 01:54:18.150
Kobi Levi: Thank you, real maybe we can spare a couple of minutes to the questions you can open the Q amp a chat and try to answer well.

01:54:18.720 –> 01:54:19.800
Uriel Kosayev: yeah, of course.

01:54:20.970 –> 01:54:24.690
Uriel Kosayev: So you have two years which one language can nail so security.

01:54:25.650 –> 01:54:38.130
Uriel Kosayev: So, which probably language is it can be helpful, cyber security, you know it very advanced, you can use by them to automate high level stuff or even right now, our or security directions, but you know era.

01:54:38.640 –> 01:54:48.270
Uriel Kosayev: For example, they use C c++, of course, because they need low level they which will give them the controls and the ability to access the memory and cpu in more level or a fashion.

01:54:49.020 –> 01:54:57.390
Uriel Kosayev: So it’s very the bands, I will say if it’s endpoint it will be C c++ will be more high level, it will be stuff like you know beta node js stuff like this.

01:54:59.310 –> 01:55:06.810
Uriel Kosayev: And they give it a thanks for the grip will love to hear your opinion about writing entities in old environment or maybe the question.

01:55:07.920 –> 01:55:13.050
Uriel Kosayev: Basically yeah you need to be very careful in Monte all the environments, but.

01:55:13.590 –> 01:55:31.440
Uriel Kosayev: You need to do it because you have one example of the Iranians, which actually have not had they didn’t literally next door water implants in Israel, which is a shame, it was an human or whatever I don’t know yeah so do it if you can and be very careful.

01:55:32.640 –> 01:55:38.460
Uriel Kosayev: um yeah This is basically the questions if you have any questions and we’ll be more than glad to answer it.

01:55:40.290 –> 01:55:50.460
Kobi Levi: Okay, thank you very much real, though, and now we move on to shadow militia a shahar is a senior directors here to assist J frog.

01:55:51.180 –> 01:56:03.000
Kobi Levi: responsible for leading the various security research team focusing on zero the research CV analysis and Melissa packet switches shahar the stage is yours, thank you very much.

01:56:11.220 –> 01:56:13.590
Shachar Menashe: Alright, I hope, it’s showing up well.

01:56:13.800 –> 01:56:15.150
Kobi Levi: Yes, yes, we can yes.

01:56:15.900 –> 01:56:18.930
Shachar Menashe: Wonderful so thanks for the intro.

01:56:20.700 –> 01:56:35.520
Shachar Menashe: My name is xiaomi NASA said director of security research a J frog so I managed several teams, what we do is in depth ctv analysis, which is the topic that i’ll be concentrating on today.

01:56:35.880 –> 01:56:45.990
Shachar Menashe: But some other things that we’re doing is finding the old Mr abilities and fixing them in open source finding malicious packages, but I know not was a known ones and.

01:56:47.100 –> 01:57:01.710
Shachar Menashe: disclosing them basically everything to do with the security research, but today I want to talk about our CV analysis aspect and actually a problem that plagued us and.

01:57:02.580 –> 01:57:08.940
Shachar Menashe: Like does this researchers and I believe that play a lot of researchers and piece or teams that.

01:57:09.930 –> 01:57:23.820
Shachar Menashe: Well, basically you’re you’re using our software composition analysis or you know you’re going on CDs completely manually and you have a list of components and basically you’re going over the CDS and you’re seeing a ton of CDs.

01:57:25.110 –> 01:57:31.050
Shachar Menashe: But you’re actually starting to understand that not all of them can actually be exploited in your instance.

01:57:32.520 –> 01:57:53.220
Shachar Menashe: This is a very well known issue in the research world, and I wanted to open it up and talk about how you when you look at a CD you can spot these little fallacies that will show you oh this there’s actually more to see on the TV and the TV may actually not be.

01:57:54.360 –> 01:58:04.110
Shachar Menashe: Vulnerable on all configuration and trying to understand, on which configuration, it will be vulnerable and how rare or not, where the configurations on.

01:58:05.280 –> 01:58:15.570
Shachar Menashe: So we’ll talk about first of all like define the basic way to evaluate TVs the way that almost all software composition analysis tools you.

01:58:16.140 –> 01:58:32.190
Shachar Menashe: And then we’re going to dive a bit into where these software companies composition analysis tools and even manual researchers what they’re not looking at and what we should be looking at when you’re evaluating CV.

01:58:34.650 –> 01:58:46.590
Shachar Menashe: So let’s start with defining how the basic TV evaluation usually works so let’s say you know you’re doing a manual audit or you’re using our software composition analysis to.

01:58:47.640 –> 01:59:02.490
Shachar Menashe: So 99 times out of 100 what that does is or what you’re doing manually is you’re creating a component list of every component, you have so you know Python packages javascript packages.

01:59:03.720 –> 01:59:11.850
Shachar Menashe: packages binaries on the device you’re creating an entire component this and you’re determining the version of each of these components.

01:59:12.450 –> 01:59:21.900
Shachar Menashe: And then, when you have that data, the component list and and the version basically you’re correlating it with various databases.

01:59:22.650 –> 01:59:32.040
Shachar Menashe: have known vulnerabilities usually CDs, but doesn’t have to be CDs, for example, red hat use their own identifier and get help us their own identifier, etc.

01:59:32.760 –> 01:59:44.670
Shachar Menashe: But TV or the most well known one so, then you can just correlate you can say okay yeah I see that there’s a CV on the docker test or package for IBM.

01:59:45.180 –> 01:59:57.900
Shachar Menashe: On versions different that so so you cross reference with your component list and you’re saying Okay, I have Dr tests or version one zero so i’m affected by the CV.

01:59:59.220 –> 02:00:08.640
Shachar Menashe: And that’s a the basic way that basically all these tools work, and also the the basic filtering that you do manually.

02:00:09.990 –> 02:00:12.630
Shachar Menashe: To try to determine what CDs.

02:00:13.860 –> 02:00:19.680
Shachar Menashe: Your image or is susceptible to could be a docker image a dump of a file system, etc.

02:00:21.030 –> 02:00:37.110
Shachar Menashe: So in this presentation, I actually want to go over various cases where showing this CV and vulnerable would be a false positive and I want to, I want to show you how to look out for these cases.

02:00:38.160 –> 02:00:43.740
Shachar Menashe: In various types of CDs so we’ll go over three major example and examine.

02:00:45.060 –> 02:00:57.630
Shachar Menashe: What he did in the CD data sometimes it’s more hidden and sometimes it’s less hidden but, but I want to show you the broad categories, at least this is all research to see it.

02:00:58.800 –> 02:01:06.480
Shachar Menashe: So the idea is that i’m not just looking i’m not just uploading you know the docker tests are packaged in a specific version.

02:01:07.050 –> 02:01:23.220
Shachar Menashe: i’m not just uploading it through some tough competition analysis tool i’m uploading my entire file system or docker image, so I have additional data on the context of where this package is running and not just the package itself, and that will allow me to determine.

02:01:25.440 –> 02:01:30.330
Shachar Menashe: It to an extent, if this is actually exploitable in this context.

02:01:31.530 –> 02:01:54.480
Shachar Menashe: Alright, so let’s look at the first example so first let’s look at code prerequisites that CDs my cab and we’ll look at these breck with it and then we’ll try to figure out how common all of these prerequisites are in terms of all the CDS that we’re seeing so let’s look at the CV 2021 23337.

02:01:55.650 –> 02:02:08.310
Shachar Menashe: So basically so on ability in the low dash library it’s on utility library for it’s a in mpm know jazz utility library and it says a lot of experts and versions prior to.

02:02:09.450 –> 02:02:13.320
Shachar Menashe: 417 21 vulnerable to command injection via the template function.

02:02:14.370 –> 02:02:18.240
Shachar Menashe: And, of course, you get the CP for that TV.

02:02:19.260 –> 02:02:36.930
Shachar Menashe: So my question is, and this is the question that it will be recurring through all these configurations is okay, so if I have a load and it’s a 417 20 can immediately say that my machine is exploitable to the CD.

02:02:40.410 –> 02:02:40.860
Shachar Menashe: So.

02:02:42.180 –> 02:02:46.650
Shachar Menashe: that’s the question and, as a depression, and this will be kind of our recurring.

02:02:48.600 –> 02:02:59.580
Shachar Menashe: In our presentation, but so for for this example, the answer is no, and this is actually relevant for all libraries TV celebrities.

02:03:00.300 –> 02:03:12.660
Shachar Menashe: are always what we call context dependent TV so, even if the CBS s might say yeah it’s remote exploitable it’s actually a fault in the CSS and it’s not correct to say that.

02:03:13.560 –> 02:03:33.060
Shachar Menashe: Because for this vulnerability to be exploitable you must have some other code in your environment that imports low dash and, in this specific case uses the template function, because the CV is only on the template function of load so it’s not enough for you to just import loaded.

02:03:34.320 –> 02:03:50.190
Shachar Menashe: And the most restricted a case here is that you need to pass attacker control inputs to a specific argument of this function So here we on the right hand side, you can see code, that is, that is vulnerable.

02:03:51.480 –> 02:04:03.300
Shachar Menashe: decision because first of all, it requires a low dash and then you can see, it called the template function and it passes the name argument and we can see that name is coming from.

02:04:04.500 –> 02:04:14.670
Shachar Menashe: Remote so, for example, in this case is a function argument, though we’re not going to dig deeper and see if it comes from a socket or anything but supposedly from remote ID.

02:04:15.420 –> 02:04:35.880
Shachar Menashe: So only in these kind of cases, it will be vulnerable and the idea is that once once you see a CV that CV in a library and it’s not a demon or a client or something that immediately that makes the CV context dependent and you cannot say for certain that.

02:04:37.050 –> 02:04:48.600
Shachar Menashe: That just by having the package installed the CV is exploitable you always have to use a specific function and usually you also have to pass attacker control data.

02:04:51.240 –> 02:05:00.420
Shachar Menashe: So this is again for library vulnerabilities this will always be the case, you must, you must have some someone that uses the library some other code.

02:05:01.440 –> 02:05:03.150
Shachar Menashe: Either first party code or third party.

02:05:04.740 –> 02:05:21.090
Shachar Menashe: So this is not the only cause based prerequisite actually there could be other prerequisites which are kind of hidden in the CV description one is just in the vulnerability was backward patch in that specific environment someone just asked it so that could also be the case.

02:05:22.500 –> 02:05:37.590
Shachar Menashe: The second one is what we saw is the vulnerable function even called and wasn’t called with a specific arguments that triggered this vulnerability, so it could either require attacker control arguments and some arguments might need to have a specific.

02:05:38.640 –> 02:05:44.100
Shachar Menashe: Constant like, for example, the third argument must be true or be equal to some specific strength.

02:05:45.330 –> 02:05:56.160
Shachar Menashe: In some cases there’s actually a different function, where, if you call it mitigates this TV, for example, let’s say there’s an sql injections to be.

02:05:56.490 –> 02:06:02.190
Shachar Menashe: There could be a different function in the same library, that if you call it mitigates the city.

02:06:02.850 –> 02:06:19.950
Shachar Menashe: The problem is that this data will not always be present in the city description, you will usually need to go to a technical right off if there is something like that, but but try to look out for it, because sometimes it will be, if you remember, invest in the city description result.

02:06:30.960 –> 02:06:33.600
Shachar Menashe: Also, sometimes it’s not a vulnerable function that’s.

02:06:34.620 –> 02:06:36.000
Shachar Menashe: Vulnerable it could be.

02:06:37.590 –> 02:06:43.260
Shachar Menashe: Vulnerable class that’s so you need to look out for first party code that inherits from that path.

02:06:45.900 –> 02:06:51.420
Shachar Menashe: So that was the first example now let’s look at a second example, so now i’m looking.

02:06:52.500 –> 02:07:02.670
Shachar Menashe: Not at a library vulnerability, because we said library is complex defendant and you know I want to move on to a different example so let’s look at the demon vulnerability.

02:07:03.210 –> 02:07:18.510
Shachar Menashe: So, with a demon vulnerability in some cases, you know there’s a demon running and the owner and if the demons running the vulnerabilities exploitable so there there’s actually in some cases there’s you don’t have to look deep but but in many cases, you do.

02:07:19.740 –> 02:07:35.580
Shachar Menashe: Okay, so let’s look at a different one early and i’m not going to go over the whole description, but this is good in Apache Cassandra it’s a very well known database like a distributed database like an sql based database.

02:07:37.260 –> 02:07:54.210
Shachar Menashe: And there’s another vulnerability here and again it says that it’s all remote vulnerability etc and we’re gonna ask the same rhetorical question okay if i’m Apache Cassandra installed in the vulnerable version, am I vulnerable and this time it’s a demon so it might be.

02:07:55.320 –> 02:08:05.070
Shachar Menashe: Again, the answer is no, because what we’re trying to elaborate here, so in this case the CV was actually very descriptive, which is also a bit rare.

02:08:05.610 –> 02:08:19.350
Shachar Menashe: But there might there definitely might be a case that even with a demon normally it’s only exploitable in a specific configuration and actually I would say, this is not a rare case but it’s even the common case.

02:08:21.150 –> 02:08:31.800
Shachar Menashe: Because usually you know when you’re running a demon the default configuration very highly audited, but especially if it’s you know.

02:08:32.820 –> 02:08:46.800
Shachar Menashe: maintain demon which is older it’s it’s already been audited a few times Open Source the default config is always more heavily audited and some nice configuration so usually if it’s a.

02:08:48.210 –> 02:08:50.430
Shachar Menashe: If it’s a vulnerability in a demon.

02:08:51.720 –> 02:09:01.620
Shachar Menashe: Which again again like robust project it’s probably going to be a rare configuration, or at least not the default configuration.

02:09:02.520 –> 02:09:14.580
Shachar Menashe: The problem with TVs and CSS is there is no format that field to say listen, this is only exploitable on this in this configuration or this is.

02:09:15.090 –> 02:09:33.120
Shachar Menashe: Even context dependent there’s no fields for that so, even if the CEO wants to say this information, it can only be said in three days that’s why currently you have to look out for these things in Jackson you know researcher advisors, etc.

02:09:36.150 –> 02:09:49.050
Shachar Menashe: So sorry, so I didn’t elaborate, but specifically on Cassandra, this is only exploitable in a non different configuration, there has to be a yellow file and it has to have these specific configuration.

02:09:50.850 –> 02:09:55.800
Shachar Menashe: So i’m more examples of configuration prerequisite.

02:09:57.450 –> 02:10:04.320
Shachar Menashe: Sometimes the configuration, even in compiler timing compile time like you give a configuration compile time.

02:10:04.680 –> 02:10:12.240
Shachar Menashe: whether to include the code that has the vulnerability, for example, open ssl has a million of config options to support different protocol.

02:10:12.750 –> 02:10:23.970
Shachar Menashe: It might be that open ssl was wasn’t even compile with the vulnerable code so so that’s one way it’s also very common in Linux kernel vulnerabilities because it’s very modular.

02:10:25.440 –> 02:10:30.780
Shachar Menashe: Sometimes there’s a patch or workaround but the component isn’t configured to take advantage of that.

02:10:32.190 –> 02:10:41.280
Shachar Menashe: And when we’re looking at you know configuration values that enable the vulnerable functionality or not we actually have to look at many different places.

02:10:41.820 –> 02:10:50.340
Shachar Menashe: The configuration might be fed through environment variables and might be fed to command line and it might be fed through config files resigned Cassandra.

02:10:52.020 –> 02:11:12.330
Shachar Menashe: example, but even in the config file, it might be through a hard coded path, or it might be through like a path that you specified through a command line or environment etc so even there there’s a lot of nuance to what you have to look for, but always again general tip with a demon.

02:11:13.680 –> 02:11:26.970
Shachar Menashe: With a demon vulnerability I would always try to see if it’s exploitable the default configuration, not because you’re not going to get this information on CSS it’s just I wouldn’t be able to specify it, even if I wanted to.

02:11:28.380 –> 02:11:31.890
Shachar Menashe: So currently you just have to look for it in the free text.

02:11:34.350 –> 02:11:49.020
Shachar Menashe: Okay, and the last example that we’re going to see is a prerequisite on the environment itself so not really a configuration or code, but here there’s a vulnerability in a bunch of the hadoop.

02:11:50.580 –> 02:12:05.520
Shachar Menashe: The Apache RDP server and it’s a board and our function so here it’s not a library that call this function, you can actually send a request to the server and make it on tar.

02:12:06.990 –> 02:12:10.140
Shachar Menashe: All sorts of things extracted all sorts of places.

02:12:11.700 –> 02:12:13.590
Shachar Menashe: With you know the specific requests.

02:12:15.720 –> 02:12:20.610
Shachar Menashe: And again, the question is your it’s also a demon so it’s not going to be a library.

02:12:22.440 –> 02:12:27.510
Shachar Menashe: And the question is this a question Okay, so I have a plan to do open 320.

02:12:28.980 –> 02:12:31.080
Shachar Menashe: Is my machine 100% vulnerable.

02:12:32.550 –> 02:12:35.370
Shachar Menashe: And here it’s not even it’s not a matter of configuration.

02:12:37.980 –> 02:12:47.250
Shachar Menashe: So, again, I hope you read a bit about the description yourself, but here it’s also I deliberately chose descriptions that are.

02:12:47.760 –> 02:13:02.520
Shachar Menashe: more obvious just, of course, that we can see the you know we can see obvious examples, because a harder one are harder to explain, but here it’s very obvious from the description that actually.

02:13:03.780 –> 02:13:18.780
Shachar Menashe: can be installed both on windows and Linux and other operating systems and actually the vulnerability only manifests on windows and not only on Linux though there’s checking code, but it only did a correct check on Linux and windows.

02:13:19.320 –> 02:13:22.770
Shachar Menashe: So, because there is different code branches or different environments.

02:13:26.010 –> 02:13:32.430
Shachar Menashe: it’s something it’s another thing that you have to check regarding the CD.

02:13:33.840 –> 02:13:47.310
Shachar Menashe: So this time it was explicitly specified in the CV that’s actually less rare than the previous examples like a lot of times if it’s a configuration if it’s an environment directors and it will be specified.

02:13:48.480 –> 02:13:50.040
Shachar Menashe: Because it’s a bit more rare.

02:13:53.010 –> 02:14:02.280
Shachar Menashe: For the code to actually have different branches pair environment again there’s no CD for edit fields or you again like you have to look for it in the free text.

02:14:04.080 –> 02:14:20.490
Shachar Menashe: Usually, like most of the CDS are exploitable under all environments so like I said, this is a bit more rare than the other ones, which are very common so because it’s more rare it’s usually specified in the CD textbook it doesn’t happen.

02:14:22.800 –> 02:14:29.880
Shachar Menashe: So let’s look so just to look at some others environment prerequisites so again the operating system so.

02:14:30.600 –> 02:14:44.280
Shachar Menashe: Here we saw different code that runs on different types of operating systems, but it can also depend on the distro like, for example, debbie and in a boon to Linux have a lot of different default security mitigation.

02:14:45.570 –> 02:14:51.330
Shachar Menashe: So what works on a boon to use might not work on debian, which is a bit more hard than.

02:14:53.010 –> 02:15:04.470
Shachar Menashe: The big level of the operating system like it a lot of vulnerabilities Walker on 32 bit, but not on 64 because of address space randomization and things like that.

02:15:05.970 –> 02:15:11.550
Shachar Menashe: Something obviously that sometimes is missed like is the vulnerable process even run in this environment.

02:15:12.060 –> 02:15:26.820
Shachar Menashe: Is it running on sorrow, is it, it can be triggered by some internal or external event, if it’s a demon maybe the mobile port is blocked by a firewall that could be an external firewall or a host firewall like IP table.

02:15:28.680 –> 02:15:36.000
Shachar Menashe: Some vulnerabilities, for example, like Poland get they depend on a specific binary from the package to be installed.

02:15:37.590 –> 02:15:49.770
Shachar Menashe: On the system, so it doesn’t matter if you have an entire packages like a package installed, you need to have a specific binary from the package, and not all software composition analysis tool account for that, of course.

02:15:51.030 –> 02:15:58.470
Shachar Menashe: You might have like an open ssl client, but you don’t have they open ssl server that’s actually a very common one.

02:15:59.730 –> 02:16:10.140
Shachar Menashe: So that’s also an environment correct with it, and sometimes you even need special privileges on the horrible binary if it’s a local privilege escalation.

02:16:10.590 –> 02:16:25.860
Shachar Menashe: It might only be exploitable if the borrower binary is set to ID and if it’s not that you already it won’t be susceptible to local privilege escalation, for example, the ghost vulnerability also very well known one.

02:16:28.530 –> 02:16:36.930
Shachar Menashe: So these are just these are all the example categories that these are, this is the way that we chose to split it and.

02:16:37.290 –> 02:16:50.820
Shachar Menashe: I think that actually all the CV fall into one of these categories so for us it worked very well when researching and also when writing automated code in our system to categorize for all these.

02:16:52.530 –> 02:17:02.430
Shachar Menashe: But you know, a CV from 2022 I think it’s pretty safe to say that, in general, it will not be exploitable in the default configuration.

02:17:03.420 –> 02:17:14.430
Shachar Menashe: Without any context you know there, there are outliers like love for shadow, for example, which are what even though its context dependent the context was.

02:17:15.090 –> 02:17:25.500
Shachar Menashe: So common like you have to log a message with attacker input that it was you could almost say yeah exploitable in default config without any context.

02:17:26.130 –> 02:17:44.670
Shachar Menashe: But these are you know things that break the Internet and are very rare for 99.9% on CDs from 2022 this won’t be true so like I said before, for library vulnerabilities there has to be code that uses the library actually in some Honorable way and for client demons.

02:17:45.900 –> 02:17:57.270
Shachar Menashe: it’s usually the default configuration context is audited, to a much higher degree, so it doesn’t usually the vulnerabilities don’t affect the default config and context.

02:17:57.690 –> 02:18:05.400
Shachar Menashe: Unless, of course, you know it’s a very new DNA and it’s not pretty it’s not robust yet So these are kind of operational risk issues.

02:18:06.930 –> 02:18:07.680
Shachar Menashe: So basically.

02:18:08.790 –> 02:18:17.760
Shachar Menashe: Almost from our perspective if you’re using the basics of evaluation you’re almost always going to get a false positive in your environment because.

02:18:19.320 –> 02:18:22.170
Shachar Menashe: Most of these things are not exploitable by default.

02:18:24.690 –> 02:18:29.370
Shachar Menashe: So i’m just gonna repeat very quickly, what I said before.

02:18:31.710 –> 02:18:49.620
Shachar Menashe: Our tips for these deep sea evaluation is if it’s a library vulnerability just you know check out the component is a library or to find or the demon if it’s a library look for which functions specifically are vulnerable and which values in the in the arguments are horrible.

02:18:51.060 –> 02:18:51.540
Shachar Menashe: and

02:18:52.620 –> 02:19:04.890
Shachar Menashe: And wanting to look out for and one thing that we use in our severity ratings doesn’t even make sense that this function will receive outside input like if it’s an internal function not exporting one.

02:19:05.460 –> 02:19:19.740
Shachar Menashe: Like, what are the chances that it will even receive input from outside, so, then the severity, the actual severity will go down and CSS it will still be high, because he says doesn’t look at all these things, but just tips for researchers.

02:19:20.580 –> 02:19:37.350
Shachar Menashe: and on client even vulnerabilities you have to figure out what is the specific configuration, that is, actually, affordable and if it’s the default config then we rank it much higher, for example in our research and in our security tool we do from the X Ray.

02:19:39.120 –> 02:19:44.460
Shachar Menashe: A specific thing to look out for in the CBS s is that vulnerabilities with high attack complexity.

02:19:45.030 –> 02:19:54.900
Shachar Menashe: It usually means that the researcher can create an exploit that works on all targets the researcher has to do some research on like per target.

02:19:55.440 –> 02:20:03.990
Shachar Menashe: and understand specific context where, for example, the vulnerable function is cold and then only build an exploit made specifically for that target.

02:20:05.280 –> 02:20:14.520
Shachar Menashe: So if you see attack complex of the high it usually means it’s not going to be a drive by exploit and it’s gonna require a targeted attack basically.

02:20:15.330 –> 02:20:33.240
Shachar Menashe: So that’s something to look out for and what it says on the CV research side is that you have to understand if a specific function has to be call for the city to be exploitable or specifically what Tony specific information is relevant and then, if your blue team, for example.

02:20:35.010 –> 02:20:54.840
Shachar Menashe: After you figure that out, you know if you’re vulnerable, but this is like a highlight for you to say Okay, I need to look at this deeper it’s not if they attack complexity, how is how is 99.9% of the cases it’s smart exploitable on the default config and on the default context.

02:20:56.910 –> 02:21:07.560
Shachar Menashe: um yeah so that’s pretty much it, we have a bit more time for Q amp a we have a minute this care so i’ll be happy to answer any questions on the chat or accurate.

02:21:08.250 –> 02:21:13.560
Kobi Levi: Thank you sure how there is one question in the q&a if you can address it is.

02:21:16.530 –> 02:21:26.220
Shachar Menashe: yeah so i’ll read it for library vulnerabilities how the job, whether it is vulnerable for those third party libraries, for example, if I include install node js.

02:21:28.140 –> 02:21:33.240
Shachar Menashe: will be considered exploitable for those transitive dependency libraries.

02:21:35.280 –> 02:21:47.700
Shachar Menashe: So i’m assuming so if i’m understanding the question correctly as writer properly, but it’s a very good question, so there might be a case that.

02:21:48.720 –> 02:21:59.760
Shachar Menashe: there’s the library there’s some library one ability, but actually it’s exploitable by default if i’m using some other third party library.

02:22:00.810 –> 02:22:10.680
Shachar Menashe: So, for example, let’s say there’s a command injection in loaded but like I said before, and there’s a different.

02:22:12.240 –> 02:22:14.190
Shachar Menashe: Live third party library you.

02:22:14.370 –> 02:22:16.170
Shachar Menashe: For example, shut us or.

02:22:16.980 –> 02:22:25.500
Shachar Menashe: whatever name that uses loaded but but called exactly the specific function that is required for for command injection.

02:22:26.670 –> 02:22:34.380
Shachar Menashe: So that’s a very good question, there is no easy way actually to determine that.

02:22:35.550 –> 02:22:43.590
Shachar Menashe: Usually, what happens is one of two things either the other library sometimes open.

02:22:45.120 –> 02:22:54.840
Shachar Menashe: A separate TV for that it says we open CD this or that and we open this because we are vulnerable to you know the original TV.

02:22:57.060 –> 02:23:09.330
Shachar Menashe: And in that the easy way, and then you will just catch that TV on you know the parent third party library, but let’s say that there wasn’t a CV open on that.

02:23:10.710 –> 02:23:34.440
Shachar Menashe: I what I usually do I search for the original TV name in github and see if there are issues open on the parents third party library that says, you know by dependable or things like that that that say Okay, we fixed it because we’re actually borrowed to it.

02:23:35.640 –> 02:23:48.060
Shachar Menashe: it’s a really good question because it’s a tough question like you have to look manually and most sometimes there’s a separate TV mobile on the parents third party library, but sometimes you just have to look for yourself.

02:23:49.770 –> 02:23:50.940
Shachar Menashe: Yes, it stuff.

02:23:53.640 –> 02:24:00.360
Kobi Levi: Okay, great Thank you shuffle So if you can release the share screen, I will.

02:24:00.390 –> 02:24:02.250
Kobi Levi: Get mine.

02:24:06.180 –> 02:24:14.730
Kobi Levi: Okay guys, so we hope you all enjoyed today’s meetup follow up, we have two amazing and Community events up.

02:24:15.090 –> 02:24:22.740
Kobi Levi: The first one is actually tomorrow J frog Kevin introduction to supply chain security hands on workshop which you can attend.

02:24:23.310 –> 02:24:40.350
Kobi Levi: Please scan the qr code on the slides for you to register so then rebuilt developer advocated for Jeff I will be reinforcing some of what you learn about today, and how you can and show you some hands on approach to get started.

02:24:43.350 –> 02:24:53.610
Kobi Levi: Okay, and on July 18 a Gala devops 2022 it’s a one day in person devops event will be happening at the beautiful five star hotel in Tel Aviv.

02:24:54.300 –> 02:25:04.260
Kobi Levi: We also have a discount for you, for those of you would like to attend this will be an amazing full day hands on Community session from industry experts.

02:25:04.680 –> 02:25:15.930
Kobi Levi: And you’ll also learn how to level up your skills with devops security practices and modern ci CD package management software, distribution and device management.

02:25:16.440 –> 02:25:28.110
Kobi Levi: We will also have other speakers from organization like Microsoft GTE risk field up nine and many more, we will then and the day with a wonderful lippy hours well.

02:25:28.740 –> 02:25:39.750
Kobi Levi: So don’t miss up in a sick day scan the qr code for register to devops calm and use code meetup 545 percent discount of our published price.

02:25:40.920 –> 02:25:49.200
Kobi Levi: So thank you all for joining us and hopefully we’ll See you in our next meetup and folks as well.

02:25:50.520 –> 02:25:51.690
Kobi Levi: Thank you very much.

02:25:52.080 –> 02:25:52.500
Thank you.

02:25:53.700 –> 02:25:54.060
Kobi Levi: bye bye.

02:25:57.330 –> 02:25:58.020
Uriel Kosayev: Thank you very much.