#SECTORCA BlackHatEvents

What If We Caught SUNBURST in CI/CD?
Rewriting the SolarWinds Playbook with AI-Augmented DevSecOps
Aleksandr Krasnov

Why?
- Anatomy of SUNBURST is a masterclass in evasion
- Erosion of Trust and the Rise of Assume Breach
  - Trust as a Vulnerability
  - Zero Trust
- AI can help if you use it right
  - traditional SIEM/EDR limitations
  - behavioral anomaly detections
  - threat hunting

Don't forget about NX

Theme: Trust = New Vulnerability
  SUNBURST: Trust in a legitimate software vendor is exploited
  NX: Trust in a legitimate maintainer's token and public GitHub profile is exploited
  Takeaway: Zero Trust principles should be adopted

Theme: Adversarial Tactics: Stealth - Automation
  SUNBURST: Manual and patient human operation
  NX: Malicious payload used victims' AI tools to perform data theft
  Takeaway: Secure AI tools, deploy AI-powered security to counter AI-driven threats

Theme: Dev Pipeline = New Frontier
  SUNBURST: Infiltrating the build environment is highly effective for wide-scale compromise
  NX: CI/CD pipelines and devs' local machines are primary targets
  Takeaway: "Shift Left" is no longer a best practice, it's a fundamental strategy

Theme: Attacks are faster and more destructive
  SUNBURST: Long-term, low-and-slow cyber-espionage campaign
  NX: High-volume, automated blitz that compromised thousands in a matter of hours
  Takeaway: AI-powered automation for defense-in-depth

Timeline of SUNBURST

2019 - Initial Compromise & Recon
  Sep - gained access
  Oct - SUNSPOT is injected, "dry run"
2020 - Malicious Code Injection
  Feb - SUNBURST is injected into the SolarWinds.Orion.Core.BusinessLayer.dll file
Distribution
  Mar-Jun - SolarWinds released multiple versions of its Orion platform containing the backdoor (e.g., versions 2019.4 HF 5 and 2020.2)
Counter-Forensic
  Jun - attackers remove the SUNSPOT implant from build servers
Post-Exploitation
  Mar-Dec - malware is affecting thousands of customers(