📊 NEW! Voice of Practitioners 2024: The State of Secrets in AppSec

READ REPORT

How to Snare Software Supply Chain Hackers with Honeytokens - Mackenzie Jackson at InfoSec London

Learn from Mackenzie Jackson, Developer Advocate at GitGuardian, about software supply chain attacks. Deploy honeytokens to track attackers and enhance supply chain defenses. Discover vulnerabilities missed by traditional security tools. Visit GitGuardian's product webpage, read the announcement post, or book a demo for more information.

Video Transcript

Anna Delaney: Hello, I'm Anna Delaney with ISMG. I'm very pleased to be joined by Mackenzie Jackson, Security Advocate at GitGuardian. Hi, Mackenzie.

Mackenzie Jackson: Hi, great to be here.

Anna Delaney: So let's talk about software supply chain. How has the software supply chain risk evolved over the past few years?

Mackenzie Jackson: Yeah, it's a really challenging topic at the moment, and we can look at it from multiple different angles, but the software supply chain is certainly becoming much more complicated, much more in the cloud, and it's really shifted how adversaries target organizations. And it's changed the economics, because we have to stop thinking about these adversaries as individual people and start thinking they're more like organizations that operate on risk-reward structures, that have employees. But now that we have this complex supply chain that so much is integrated into, instead of targeting a victim specifically, we can target a chink in this armor, the supply chain, and potentially get into hundreds if not thousands of victims. So it's changed the economics that they operate on. It means that they can be more sophisticated in their attacks, invest more resources in it, which is much harder to defend against. And it's changed the types of ultimate victims that you have. So before, if an organization was too small, they were kind of protected a little bit by this risk-reward, right? I mean, you know, the reward for the risk of attacking them is... but now we can do potentially hundreds at the same time. These different organizations now have the same risk as a large one, potentially.

Anna Delaney: Because we've seen a whole slew of attacks over the past year: LastPass, Uber, Toyota, and the attackers have managed to either publicly expose secrets or exploit them. Just talk to us more about what you're observing and the challenges that organizations are facing.

Mackenzie Jackson: Yeah, it's such an interesting topic, this too, because when these attackers target the supply chain, you know, they're quite predictable in what they want to do, right? So when an attacker breaches into an organization, they've often found a vulnerability, a weak point some way, but, you know, something in the supply chain that they're able to get into, or some other vulnerability that they've exploited. All their hopes and dreams at this point rely on that window remaining open, and they know it's not going to stay open forever. So what's the first thing that they're going to try and do? Persist their access: try and find additional ways to remain inside these organizations' networks, so that they have much more time. And when we look at all the attacks you kind of mentioned, a lot of them involved secrets, credentials, and that's because attackers predictably are going to get into a network or get into some kind of systems and try and find credentials to elevate their privileges, to persist their access. And so that's what we're really seeing, and how a lot of these attacks are unfolding is that, okay, you have a vulnerability in the supply chain, it's being exploited, you have hundreds if not thousands of potential victims. How do you persist from here? Well, let's try and find the ones that have the lowest-hanging fruit, where we can persist our access, where we can move into different systems. And that's typically what we're really seeing as a big trend. And because of this, we've seen that technical employees like developers are really being targeted by these attackers, because they have privileged access to a lot of these different interesting resources, you know, that may contain these secrets that may help them move into different systems.

Anna Delaney: So what's wrong with traditional solutions? Why are they not working to prevent these sorts of attacks?

Mackenzie Jackson: Yeah, the golden question, right? Security remains a very human problem. So I mean, we're here at Infosec Europe; you can walk into the exhibition hall and you see wonderful vendors, they have wonderful tools that can help prevent all this, but perhaps we're not thinking really enough about the human element. Because, you know, I talked a little bit about secrets before. Let's say that you have an amazing secrets manager, but if you're not using it correctly, if the humans, if your employees aren't using it correctly, then it's not going to do its job. And I think that's a lot where we're falling down, particularly in the technology area. You know, a lot of the security challenges that we face are potentially solved problems with the technology that we have, if it's all implemented perfectly, if we follow all the best practices all the time. But I mean, no organization is immune to a human problem, and they're never going to be. And I think it really involves a mindset shift in the tooling that we have, about, okay, potentially we need to move away from this ultimate security perspective and look at more malleable types of security tools.

Anna Delaney: And following on from that, what do you think it is that enterprises are missing in terms of blind spots?

Mackenzie Jackson: I think ultimately it's a mindset shift. A mindset shift where a lot of security is about putting up this big, strong wall, preventing attackers from getting into your infrastructure, making sure that everything's configured perfectly. And then going back to the supply chain attacks: you can do everything perfectly as an organization, but something in your supply chain can cause a vulnerability that gets an attacker in there. If you have invested all your eggs into this wall security, preventing them, what happens when they're in? I mean, what happens when they actually have broken into your systems? And this is the trouble: we're relying too much on keeping them out, and we're not thinking about, okay, what actually happens if they're in there? How can we contain it? How can we prevent them from moving on? How can we limit their access to what they can do? Because ultimately, in a supply chain, when you look at them, the ultimate victims in here are not the ones that have done anything wrong. They've used a reputable tool, they've used a reputable dependency, and because of a vulnerability, they're now the victims of this. So we need to stop thinking about it as "let's make sure they never get in" and say "let's contain them when they're in here". And I think the industry is missing that, a mindset shift to actually focus on: if we can't prevent this, if we can't guarantee to prevent it, what's the next best thing? Contain it.

Anna Delaney: Well, I think this is where honeytokens come in. So talk to us about honeytokens and how they can help supply chain defense.

Mackenzie Jackson: Yeah, honeytokens are an amazing concept, and they're not entirely new, but they've never really been leveraged in a potential way. So when we're talking about these attackers, you know, I said that attackers are quite predictable in their movements: they want to persist their access, so they're looking for credentials. And what a honeytoken is, it's a credential that will pass any sniff test. You know, it will be checked off as valid if they're testing them, but it's not going to provide them access to anything, and what it will do is alert you when they're in your systems. So if we go back to a lot of these attacks that we've mentioned, a lot of the problem was that it's taken weeks and sometimes even several months before anyone even knew there was a problem, before we even knew that attackers were in all these different infrastructures, and that's the nature of supply chains. What a honeytoken will do is it will let you know immediately when an attacker comes into your systems, and that's because we can leverage the predictability of what they're going to try and do: persist their access. So they're going to come in, they're going to start scanning for these secrets, and just by scanning for them, just by looking for them, they're going to trigger them, and we're going to know that they're in our systems, and then we can actually start taking defensive action. And it's not going to take months, it's going to be immediate, and so that's why these honeytokens are so powerful. We're utilizing this change in mindset: we're not trying to completely prevent them, we're not putting all of our eggs in that basket. We're saying, hey, if they do get in there, we need to know, we need to know quickly, and we need to be able to do something about it. So we can put honeytokens everywhere. They're a very lightweight asset. You know, there's the honeypot, it's a concept that's been around in security, but it's often, you know, an application, something heavy. Honeytokens sit there dormant, super light, so we can put them everywhere, and we can track where the attackers go, we can find information about them, what tools they're using, how they're trying to exploit us, and we can use all of that and turn the tides against them and know when our systems have been breached.

Anna Delaney: So talk to us about GitGuardian's role in helping your customers implement these honeytokens. Tell us about that relationship and what you do.

Mackenzie Jackson: Yeah, so I mean, GitGuardian has been around for a long time, and we've been traditionally involved in detecting where these secrets are in your infrastructure. You know, because the problem lies in secret sprawl, which is this concept that we call it when you have these secrets, these API keys, these credentials, credential pairs, security certificates, but ultimately they're meant to be stored centrally, but they sprawl everywhere. So GitGuardian has traditionally been about helping organizations identify where their secrets have sprawled to, and in that regard, we've always been on the side of, you know, if a breach happens, we need to make sure that there's no low-hanging fruit for attackers, we need to contain them. Making sure you don't have secrets in your systems is a very good way of doing that. But now we're also adding to this toolset for our customers and saying, hey, so we've been able to help you, you know, detect these secrets; now we're going to create some, but they're the opposite: they're going to alert you, they're going to trip up the attackers. So it's part of this process where we're kind of building out at GitGuardian, you know, all the tools that not just help your organization build its walls, because you want to have a good, strong wall, and GitGuardian helps, and that will let you know if you have secrets exposed publicly in source code, but it's also about enabling you to go down this mindset shift of saying, hey, we may not be able to prevent 100% of the attacks, but let's make sure that we don't have credentials inside there, let's make sure everything's configured properly so that we don't allow them to move between systems, and let's put trackers, these honeytokens, so that we have alarms, so that we know once they're in. So immediately it turns the tables, it helps us move down this mindset shift and really empowers us to prevent the damage of supply chain attacks, because we may not be able to prevent it, right, but we can prevent the damage, we can contain it. And GitGuardian is really kind of along this journey of helping that.

Anna Delaney: Well, Mackenzie, it's been brilliant talking to you. Thank you so much for your insight. It's been fascinating.

Mackenzie Jackson: Well, thanks for having me. It's been great.

Anna Delaney: Thanks so much for watching. For ISMG, I'm Anna Delaney.