Abhay Bhargav - Attacking the Application Supply-Chain: 2024 Edition $2,800 (early 2,600)

Trainer bio:

Abhay Bhargav is the Founder of the Chief Research Officer of AppSecEngineer, an elite, hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security and DevSecOps. AppSecEngineer delivers hands-on security skills that companies are actually looking for.
Abhay started his career as a breaker of apps, in pentesting and red-teaming, but today is more involved in scaling AppSec with Cloud-Native Security and DevSecOps
He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, specifically Cloud-Native Security. In addition, Abhay has contributed to pioneering work in the Vulnerability Management space, being the architect of a leading Vulnerability Management and Correlation Product, Orchestron. Abhay is also committed to Open-Source and has developed the first-ever Threat Modeling solution at the crossroads of Agile and DevSecOps, called ThreatPlaybook.
Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His training programs have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA, SHACK and so on. He's authored two international publications on Java Security and PCI Compliance as well.


Trainer social media links:

twitter.com/abhaybhargav
twitter.com/appsecengineer
linkedin.com/in/abhaybhargav



Full description of the training:

Supply Chain Security risk is the top contributor to attacks against applications. This has been made painfully obvious in the last couple of years, that have had a burst of supply-chain exploits against organizations. Companies have had billions of dollars of damage done financially and reputationally because of these attacks. Supply-chain security and implementation is essential, and in some cases, required by regulation. However, it is important for pentesters and red-teams to understand how they can leverage supply-chain attacks against applications, to further strengthen their defense and blue-team implementations against it.

This training is a deep hands-on, red-team exploration of application supply-chains. We commence with an understanding of application supply chains, and subsequently deep-dive into story-driven scenarios of exploiting different supply-chains like exploiting CI systems, build systems. Container infrastructure and cloud-native infrastructure hosted on Kubernetes, AWS and Azure.


This training is essentially a set of detailed stories and real-world scenarios. We believe that people learn better with stories and hands-on labs. This training explores an intense hands-on training experience along with specially designed stories that help explain multiple topics and walkthrough post-exploit and lateral-movement cases after exploiting application supply-chains
The training commences with an understanding of Application Supply-chain risks. We explore a history of application supply-chain attacks. After that we'll be mapping Application supply-chains against frameworks like the MITRE ATT&CK to ensure that students can map these tactics, techniques and practices against well-known frameworks.


Subsequently, the training kicks into high-gear with a hands-on story-based exploration of each scenario, where the student works through a real-world CTF style approach, where they are identifying vulnerabilities in various supply-chain elements, perform exploits against them and look at lateral movement scenarios against target environments. With our dedicated cloud-labs and sandboxes. Each student gets dedicated environments that they will be deploying and exploiting, giving them a 360 degree view of the attack, and in many cases, the defense as well.

The supply-chain stories that we'll be exploring will be explored through an inside-outside view of application supply chains from the infrastructure environment, right through to the server-side and client-side supply chains related to the application. The following supply-chain scenarios, exploits and lateral movement scenarios will be explored in this training:


* Application Supply Chains:
   * Client-side Supply Chain attacks ranging from magecart-style attacks to other client-side exploits
   * Server-side dependency attacks
   * Build System Attacks and Package Manager focused attacks
   * Dependency Confusion Attacks
   * Cross-Build Injection Attacks
* Container Supply Chains
   * Container Build System Attacks
   * Container Registry Attacks
   * Trojanizing Containers
* Attacks against CI Services:
   * Attacks against on-prem CI services like Jenkins, Bamboo, etc.
   * Webhook Boomerang Attacks against CI/CD Systems
   * Dependency attacks and template attacks against Github Actions and Gitlab CI
* Cloud-Native Supply Chain Attacks:
   * Attacking Kubernetes Supply-Chains (Helm, Admission Controllers) etc
   * Attacking Continuous Deployment Services for Kubernetes and Cloud-native environments
   * Supply Chain Attacks and Lateral Movement with AWS and Azure


In the 2023 version of this training, we're bringing even more interesting attacks in the form of:
* Attacking Kubernetes clusters through malicious Operators
* More Azure Supply-Chain Attacks with Azure DevOps and Attacks against Function Apps and Storage
* More deep-dive attacks against Jenkins and Github Actions
* More Container Supply-Chain Attacks


In addition, we aim to dedicate 90 mins at the end of the class to a CTF style session called "Challenges". Here we're going to have the audiences work through a series of challenges designed for them to purely figure vulnerabilities out, and work through it themselves. This provides a lot of validation for what they have learned in the class

The training is a hard-core hands-on experience with these concepts are enmeshed to form a powerful and real-world set of scenarios

Students get access to the labs and platform for a period of 2 months post-training. This includes access to the slides, cloud-labs and dedicated sandbox environments for attack and defense learning.

To see how our cloud-based lab system works, please watch the video in this URL: https://www.youtube.com/watch?v=RfvbRzpIhB0


Short description of what the student will know how to do, after completing the class:

Outline of the class:

Day-1
Introduction to Application Supply Chain
* Understanding the supply chain landscape
* An overview of supply-chain attack vectors
* MITRE ATT&CK framework for supply-chain compromise
* A brief history of supply-chain attacks
Pre-Build Supply Chain Security
Threat modeling for supply chain - A red-team perspective
Application Dependencies - Stories and Hands-on Labs
This section of the class is where we do a couple of case studies (stories) on identifying vulnerabilities against Application Dependencies and compromising them. Once compromised, we'll be looking at possibilities of post-exploitation and lateral movement against these dependencies. In these stories, we'll be showcasing the following type of attacks and exploits:
* Attacks against Client-side Dependencies:
   * Magecart-style and other JavaScript client-side attacks leading to user compromise, browser-hooking and so on
   * Attacking client-side supply chain elements by attacking private CDNs, static stores, etc.
   * Exploring additional client-side exploit possibilities with CSP Bypasses, etc.
   * Attacking CDN infrastructure like Cloudfront and S3 with CSP bypasses to perform client-side supply-chain exploits
* Attacking Applications by compromising Server-side dependencies:
   * Leveraging vulnerable components to perform application exploits and Lateral movement. This includes:
      * Remote Code Execution
      * XXE
      * SSRF flaws
      * And more to perform exploitation and post-exploitation
* Attacking Package Manager Behaviour against the Application Supply-Chain:
   * Typo-squatting flaws
   * Dependency Confusion attacks
* Exploring Defense Possibilities against all attack types showcased in the stories and exploring the defense implementations through hands-on labs
Attacking CI Services
Overview of CI Services
* A brief overview of commonly used CI services
   * Jenkins
   * Bamboo
   * GitHub Actions
   * GitLab CI


Attack Stories against CI Systems
In this section we'll be covering multiple attacks and exploit scenarios around attacking CI Services. These attacks specifically look at approaches where adversaries compromise the CI tools to be able to inject malicious code or otherwise taint the build process and environments of organizations. The case studies and stories that we'll cover as part of this module include the following:
* Build system dependency - Attack vectors
   * Cross build Injection attacks
* CI Service dependency - Attack vectors
* CI based Webhook exploits
* Vulnerabilities and exploits against Jenkins using Jenkins Plugins
* Github Actions exploits using malicious actions and misconfigured Github actions
* Attacking Gitlab using Templating systems and Dependency chaining


Day 2
Cloud-Native Supply Chain Attacks
Cloud-native environments are a massive source of supply-chain risk. With Infrastructure-as-Code, to Continuous Deployment Systems, to Cloud-native package management, there's tremendous scope for attacking, exploiting and escalating privileges against cloud-native environments. In this section we'll be looking at case studies and stories of supply chain security risks against Kubernetes and AWS environments as a reference point. Naturally, these will be replete with deep-dive hands-on labs that will walk you through the multi-step flaws and exploits against cloud-native supply chains
Attacks against cloud-native environments
* An overview of cloud and microservices
* A brief intro to Cloud-native environments
   * AWS
   * Azure
   * Cloud
   * Kubernetes & Microservices
* Threat landscape in cloud-native environments
   * Common attack patterns


Attacking Kubernetes Supply-Chains
* An overview of kubernetes and cluster components
* Attack vectors in a kubernetes cluster
* Leveraging vulnerable registry to upload trojanized image(s)
* Compromising the cluster network
* Helm-Chart based attacks
* Performing Person-In-The-Middle attack to compromise package installations
* Permanent backdoor to a kubernetes cluster through malicious packages and CRDs
* Leveraging Kubernetes Webhooks to perform Cluster Privilege Escalation Attacks


Compromise AWS environments
* Overview of AWS components
* Introduction to AWS Lambda
   * Understanding layers
* Compromising Lambda with excessive privileges
* Performing lateral movement to gain access to s3 and manipulating sensitive objects
* Compromising cloud environments through malicious executables
* Injecting malicious scripts in s3 CDN to mine crypto - for fun and profit
* Attacking ECR registries with faulty IAM privileges


Compromising Azure Environments with Supply-Chain Attacks
* Understanding the Azure Services and IAM Model
* Attacking Azure Function Apps to compromise underlying container infrastructure and escalating privileges into the Azure Account
* Attacking Azure DevOps implementations for Account Compromise Scenarios



Technical difficulty of the class (Beginner, Intermediate, Advanced):

Intermediate to Advanced




Suggested prerequisites for the class:

* Good knowledge of Application Security Vulnerabilities
* Working knowledge of DevOps, CI and Cloud-Native platforms
* Some familiarity with coding will help
* Some background with offensive security will help


Items students will need to provide:

* A laptop or a tablet(with keyboard) with a browser installed
* Github Account. Not a work-related Account
* Gitlab Account. Not a work-related Account