Watch the stream
The next wave of Supply Chain attacks is brewing in our Build Pipelines (CI/CD), where 0-days and novel attack paths are still waiting to be discovered. In 2024, the XZ compression library compromise was used as a trojan horse to backdoor OpenSSH, thankfully, this was caught early on, but the next time it might go unnoticed for much longer. This talk picks up where we left off last year, and we tell the story of how we went from finding 0-day vulnerabilities in the Build Pipelines of critical Open Source packages to predicting TTPs for the next XZ-like attacks. This time we've adapted MITRE's ATT&CK framework for CI/CD environments. We'll go in depth on how Threat Actors can "Live Off the Pipeline" by abusing legitimate build tools to do their bidding proving why this has become Red Teamer's favorite new soft spot.
The session introduces practical methods for predicting and identifying threats before they materialize by mapping build pipeline tactics to our adapted ATT&CK model. Real-world case studies, based on our forensics of the recent Kong Kubernetes Ingress Controller and Ultralytics YOLOv5 ML library compromises, will demonstrate how adversaries exploit build pipelines, escalate privileges, and can remain undetected long enough to have significant impact.
This session empowers attendees to proactively identify and defend against advanced supply chain attacks, effectively countering adversaries that seek to "Live Off the Pipeline" as demonstrated in the XZ compromise.
François Proulx ,
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups he has been in the heat of the action as the DevSecOps movement took shape. François is one of founders of NorthSec and was a challenge designer for the NorthSec CTF.