30 May 2022

Doctor StrangeFormat: How I learned to be an archeologist for SBOMs

[Image: Ron Brash at the industrial security conference talking about SBOMs]

Ron Brash is the VP of technical research and integrations at aDolus Technology, and he is one of the keynote speakers at the International Industrial Security Conference on 14-15-16 November. At the conference he will be talking about SBOMs and how he manages security in the organization.

Read an interesting article from Ron here.

How do we create accurate SBOMs?

One of the biggest challenges facing supply chain security is how to secure legacy products while identifying hidden cyber risks buried deep in their subcomponents. Creating accurate Software Bills of Materials (SBOMs) is the critical first step, but how do we do that when the OT legacy software market is a story of abandoned, unbuildable, or lost source code?

Often all the OT industry has to work with is binary images (hotfixes included). That means working backwards from binaries using Binary Composition Analysis (BCA) and Metadata Composition Analysis (MCA). Using these techniques, the OT professional can address crucial challenges when identifying third-party/supply chain flaws, work with a myriad of file format types, research undocumented/proprietary designs, and execute real-world file-format sleuthing.

Threat hunting

Using samples from an anonymized vendor, this session will explore the challenges experienced when decomposing files to address supply chain transparency. We’ll do this by identifying several types of files based on patterns (flash vs. bootloader vs. update package), distinguishing various attributes or markers of interest, spotting security problems with minimal effort, and exploring how to research a file format that is decades old. It’s not a trivial art, but rather a demonstrable skill that requires the combined experiences of people from differing backgrounds to achieve success. In other words, think of it as threat hunting but for OT/ICS files.

At the conference, attendees will be:

  • Introduced to why Software Composition Analysis (SCA) doesn’t work to reduce the plethora of ICS issues today with regards to vulnerabilities and third-party components
  • Provided an overview of the filetype bucket corpus that can be used when spelunking samples
  • Walked through a few file system and embedded image formats to see how the patterns or details can slowly be taught as human-readable patterns
  • Provided examples of key areas to look for that can hint at implementation vulnerabilities (particularly with respect to low-effort bricking attacks, such as the Viasat modem attacks in 2022)
  • Delighted to see that a legacy 20+ year old file format can still be deconstructed despite limited documentation
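As an added example (not the speaker's or aDolus's code), the Python sketch below shows the kind of pattern-based file bucketing and minimal-effort integrity check the abstract and the list above describe: it carves a firmware blob by magic bytes into buckets (bootloader, filesystem, compressed stream, update package) and re-parses a U-Boot legacy image header, whose size and CRC fields are exactly the details a loader may trust blindly and that can hint at low-effort bricking. The signature table, the hypothetical bucket names and the sample image are constructed for this example.

```python
import struct
import zlib
# Constructed magic-byte table standing in for the "filetype bucket corpus" the
# talk mentions (an assumption for this example, not the speaker's own corpus).
SIGNATURES = {
    b"\x27\x05\x19\x56": "bootloader:uboot-legacy-image",
    b"\x7fELF": "executable:elf",
    b"hsqs": "filesystem:squashfs-le",
    b"\x1f\x8b\x08": "compressed:gzip",
    b"PK\x03\x04": "update-package:zip",
}
UIMAGE_HDR = struct.Struct(">7I4B32s")  # 64-byte U-Boot legacy image header

def carve(blob: bytes):
    """Return every (offset, bucket) at which a known magic value occurs."""
    hits = []
    for magic, bucket in SIGNATURES.items():
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, bucket))
            start = idx + 1
    return sorted(hits)

def check_uimage(blob: bytes, offset: int = 0):
    """Parse a U-Boot legacy header and re-verify the fields a loader trusts."""
    hdr = blob[offset:offset + UIMAGE_HDR.size]
    if len(hdr) < UIMAGE_HDR.size:
        return {"ok": False, "problems": ["truncated header"]}
    _magic, hcrc, _ts, size, _load, _ep, dcrc, *_flags, name = UIMAGE_HDR.unpack(hdr)
    problems = []
    # The header CRC is computed over the header with its own field zeroed.
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:
        problems.append("header crc mismatch")
    payload = blob[offset + UIMAGE_HDR.size:offset + UIMAGE_HDR.size + size]
    if len(payload) != size:
        problems.append("declared size exceeds image")  # truncated/oversized payload
    elif zlib.crc32(payload) != dcrc:
        problems.append("data crc mismatch")
    return {"ok": not problems, "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "problems": problems}

def build_uimage(payload: bytes, name: bytes = b"constructed-kernel") -> bytes:
    """Build a valid constructed uImage so the checks above can run offline."""
    hdr = UIMAGE_HDR.pack(0x27051956, 0, 0, len(payload), 0x80008000, 0x80008000,
                          zlib.crc32(payload), 5, 2, 2, 0, name.ljust(32, b"\0"))  # os/arch/type/comp
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + payload

# Constructed sample: uImage wrapping a gzip stream, followed by a SquashFS superblock stub.
SAMPLE = build_uimage(b"\x1f\x8b\x08" + b"\0" * 16) + b"hsqs" + b"\0" * 32
```

Running `carve(SAMPLE)` buckets the three embedded objects by offset, and `check_uimage` on a tampered or truncated copy reports the CRC or size mismatch that a careless loader would never notice.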

Understand risk from both sides

And we’ll pull this all together to truly understand risk from both the community and product perspectives for the purpose of securing yesterday’s, today’s, and tomorrow’s critical infrastructure. Whether you are a security researcher, asset owner, or vendor, there will be something for everyone in this talk.

Do you want to learn more about SBOMs from Ron?

At the International Industrial Security Conference on 14-15-16 November in Copenhagen, Ron will be giving an interesting keynote presentation on understanding risk from both sides, on SBOMs, and much more!

Join the International Industrial Security Conference. Read more here and sign up here.