Supply chain attacks, vendor email compromise, and impersonation attacks have all become commonplace techniques used by threat actors to leverage accounts and access gained during an initial attack to gain further access to downstream organizations. We’ve seen this in the last few years in many ways where attackers compromise a third-party vendor and leverage the initial malicious access to further infiltrate customer organizations. The SolarWinds and Kaseya attacks we’ve all heard about in the news within the last two years are perfect examples.
But it’s not just software vendors that are part of your organization’s supply chain; it can simply be an organization your company does business with. All a threat actor initially needs is the implied trust between the two organizations. Your organization has no direct way of knowing when an organization within its supply chain has been compromised, but indicators of compromise do exist that, when correlated by a security vendor, can enrich your organization’s detection of downstream attacks.
In this Real Training for Free session, 4-time Microsoft MVP Nick Cavalancia takes my seat and first discusses:
- The reality of supply chain / trusted vendor compromise attacks today
- The value of specific types of cyberattacks for reaching downstream organizations
- Mapping attack techniques to MITRE ATT&CK
Up next, you’ll hear from Tyler Starks, Senior Incident Response Consultant at Rapid7 and Jonathan Woodward, Senior Detection & Response Analyst at Rapid7. Tyler will discuss the common attack chain and attacker techniques frequently used within compromised vendor intrusions.
Tyler will conduct a chronological walkthrough of the techniques, showing examples of each technique’s real-world execution, and show the impact and significance of each activity. He’ll also highlight techniques that may be used by security professionals to extract the bad from what otherwise would be trusted activity originating from a vendor.
After Tyler, Jonathan will give a demo focused on data ingested into the InsightIDR platform, using it to show the following:
- Tracking authentications across systems in a SIEM and following the trail of authentications to find the initial ingress point
- Using alternate evidence sources, such as process start events, to rapidly scope an incident
- Using account logon events to track attacker activity in areas of the network where there is poor monitoring and visibility
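The three demo items above come down to one workflow: walk successful logon events backwards from a host you know is compromised until the chain leaves the internal network (the ingress point), then use process-start events on the hosts in that chain to scope what the account actually did. The script below is an added illustration of that workflow, not code from Rapid7 or the InsightIDR demo; the log lines, the `timestamp,user,source,destination` and `timestamp,host,user,image` field layouts, the internal address ranges and the watchlist of discovery binaries are all constructed assumptions. It also covers the third bullet: `HR-DB01` has no process telemetry in the sample, yet it still appears in the chain because logon events alone are enough to extend it.

```python
"""Trace a compromised vendor account back to its ingress point and scope the
incident with process-start evidence.  Added example with constructed data;
the record layouts below are assumptions, not InsightIDR's native format."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed successful-logon records: timestamp,user,source,destination
LOGON_LINES = [
    "2023-05-01T08:02:00,vendor.svc,203.0.113.45,VPN-GW",   # vendor account logs in from outside
    "2023-05-01T08:10:00,vendor.svc,VPN-GW,FILESRV01",
    "2023-05-01T08:25:00,vendor.svc,FILESRV01,DC01",
    "2023-05-01T09:00:00,j.smith,WKSTN07,FILESRV01",        # unrelated, legitimate activity
    "2023-05-01T10:30:00,vendor.svc,DC01,HR-DB01",          # HR-DB01 has no process logging
]
# Constructed process-start records: timestamp,host,user,image path
PROC_LINES = [
    "2023-05-01T08:12:00,FILESRV01,vendor.svc,C:\\Windows\\System32\\whoami.exe",
    "2023-05-01T08:27:00,DC01,vendor.svc,C:\\Windows\\System32\\nltest.exe",
    "2023-05-01T09:05:00,FILESRV01,j.smith,C:\\Program Files\\Office\\WINWORD.EXE",
]

# Assumed internal address space; anything outside it is treated as an ingress point.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed watchlist: discovery binaries a vendor account has no business running.
DISCOVERY_IMAGES = {"whoami.exe", "nltest.exe", "net.exe"}


@dataclass
class Logon:
    ts: datetime
    user: str
    src: str   # source host name or IP address
    dst: str   # destination host name


@dataclass
class ProcStart:
    ts: datetime
    host: str
    user: str
    image: str  # lower-cased file name only, e.g. "whoami.exe"


def parse_logons(lines: List[str]) -> List[Logon]:
    out = []
    for line in lines:
        ts, user, src, dst = line.split(",", 3)
        out.append(Logon(datetime.fromisoformat(ts), user, src, dst))
    return out


def parse_procs(lines: List[str]) -> List[ProcStart]:
    out = []
    for line in lines:
        ts, host, user, path = line.split(",", 3)
        image = path.rsplit("\\", 1)[-1].lower()
        out.append(ProcStart(datetime.fromisoformat(ts), host, user, image))
    return out


def is_external(src: str) -> bool:
    """True when the logon source is an IP address outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # host names in these records are all internal
    return not any(addr in net for net in INTERNAL_NETS)


def trace_ingress(logons: List[Logon], user: str, host: str) -> List[str]:
    """Follow the user's logons backwards in time from `host` until the source
    is external or no earlier logon exists.  Returns the chain ingress-first."""
    chain = [host]
    current = host
    before: Optional[datetime] = None
    while not is_external(current):
        candidates = [l for l in logons
                      if l.user == user and l.dst == current
                      and (before is None or l.ts < before)
                      and l.src not in chain]          # guard against loops
        if not candidates:
            break
        hop = max(candidates, key=lambda l: l.ts)      # most recent logon into `current`
        chain.append(hop.src)
        before, current = hop.ts, hop.src
    chain.reverse()
    return chain


def scope_incident(procs: List[ProcStart], user: str, hosts: List[str]) -> Dict[str, List[str]]:
    """Map each host in the chain to watchlisted images the account started there."""
    found: Dict[str, List[str]] = {}
    for p in procs:
        if p.user == user and p.host in hosts and p.image in DISCOVERY_IMAGES:
            found.setdefault(p.host, []).append(p.image)
    return found


if __name__ == "__main__":
    chain = trace_ingress(parse_logons(LOGON_LINES), "vendor.svc", "HR-DB01")
    print("ingress -> victim:", " -> ".join(chain))
    print("discovery activity:", scope_incident(parse_procs(PROC_LINES), "vendor.svc", chain))
```

Run as-is, the trace for `vendor.svc` on `HR-DB01` resolves to `203.0.113.45 -> VPN-GW -> FILESRV01 -> DC01 -> HR-DB01`, and scoping flags `whoami.exe` on FILESRV01 and `nltest.exe` on DC01 while ignoring `j.smith`'s activity. In a SIEM the same walk is a join of logon events on (user, destination host) ordered by time; the useful habit it encodes is to treat the vendor's remote-access entry as the root of the chain rather than the first host where something looked wrong.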
Tyler will also show how such IOCs are extracted and used for greater detection across other customer environments throughout the Rapid7 MDR/IDR service.
This Real Training for Free session will be full of practical real-world educational content.