Threat models are often used by security champions to discover flaws in application environments. Many threat models are built thru defensive lens, foregoing realistic attack patterns that reflect adversarial goals vs. simply using a limited, non-mutable threat category.
This talk will focus on applying a more adversarial threat model to supply chain systems that are integrated into client environments.
Supply chain software is highly attractive to cyber criminals due to being implicitly trusted by many of the [vendor] respective client infrastructures.
Threat actors in this area include nation states, competing corporations, and private hacker syndicates. Emulating realistic offensive attack patterns in threat models yields better results for defensive measure by providing attack patterns that are more realistic based upon criminal cyber trends.
Goals for this talk will be as follows: