Last week’s Black Hat conference marked the 25th anniversary of one of the top security conferences in the world. As information security practitioners and vendors gathered to share research, present technologies, exchange ideas, and reminisce about how far InfoSec has come, some ideas emerged as recurring themes. Here’s what stood out to us from the Las Vegas security extravaganza.
In her keynote, investigative journalist Kim Zetter hearkened back to 2006. That’s when a source from the cyber-criminal underground described the inner workings to her—threat actors selling access to hacked systems, laundering money through digital currency (then e-gold), and trafficking in hacking tools, stolen identities, and bank card numbers.
“There is nothing substantially different today about how hackers run their criminal enterprises,” Zetter said. “They still organize in underground forums, they still operate as businesses in a hierarchical structure, and they still make money. Lots of it—which they launder through digital currency.”
The main difference, Zetter said, is that they’ve had more than a decade to perfect their operations and become more professional, offering salaries and even paid vacation.
Of course, when it comes to ransomware, the ransoms are much bigger. The Gpcode ransomware Trojan released in 2006 demanded a ransom fee of $100 to $200; nowadays, $1 or $2 million is typical. Threat actors then preyed on individual users, while modern ransomware criminals go after organizations.
2010 brought the discovery of the Stuxnet computer worm, bringing to light the vulnerabilities in critical infrastructure. It was a turning point for the security community, which until then had mostly focused on IT networks, said Zetter.
Since that time, we’ve seen concerning and devastating attacks on organizations, some of which have brought down elements of critical infrastructure affecting the lives of ordinary people. One example is the Colonial Pipeline attack and the resulting fuel shortages.
The stakes are much, much higher today than they were years ago, and the tools are more sophisticated.
None of the major cyber attacks experienced have been a surprise, said Zetter. Not even the hack of SolarWinds, foreshadowed by the Operation Aurora attacks of 2009.
Operation Aurora attackers targeted source code repositories through source code management systems, said Zetter, which were vulnerable because no one had ever thought about securing source code management systems.
The 2020 attack on SolarWinds involved hackers injecting a backdoor into SolarWinds software during the build process. Leading up to that attack, software makers used various security controls to detect changes to source code in source code repositories. Still, nothing protected the build environment, said Zetter, because no one had ever injected malware there before.
“Do you spot the pattern? There is a lack of imagination, a lack of anticipation, about the next move hackers will make,” said Zetter. “This is often the case.”
Chris Krebs, former CISA director, also used his keynote to stress the importance of preparation, especially given the situation between China and Taiwan. Krebs said national security officials he speaks with are confident that the situation between the two sides will eventually come to a head.
“We need leaders to plan out beyond the next two quarters. You have to look three to four years out,” Krebs said. “Right now, every single company out there should be conducting simulations, scenarios, impact assessments, tabletop exercises at the executive level around what’s happening in the strait of Taiwan.”
Organizations should consider how a Chinese invasion of Taiwan could impact their business, their supply chains, their market—and the impact of political headwinds on IT operations, Krebs said.
“If you want to be in a position to de-risk your operations, to manage risk to your organization, you have to start that yesterday,” Krebs said.
Over the years, the security industry has seen countless cybersecurity startups enter the industry and countless new tools developed to attack various problems in the environment, often marketed under buzzwords such as next generation, machine learning, and zero trust.
But whatever shiny new tool is out there, there’s no substitute for getting the basics right. Cisco Talos researchers underscored this while sharing what they observed helping to defend against attacks in Ukraine. With cyber attacks flashing back and forth between Ukraine and Russia and aided by supporters on both sides, cyber defense still comes down to tried and true security principles.
“Nothing we have seen in Ukraine changes our recommendations,” said Cisco Talos’ JJ Cummings. “Have as much visibility as you can. Do the basic things. Record as much as you can at both endpoint and network level. Revisit where critical data lives in your environment. And remember, people will always click the links.”
Defending your estate involves understanding threat actors’ tactics, techniques and procedures. Cummings said basic red flags can be missed when security personnel are not up to date with adversaries’ methods.
“This sounds trivial, but time after time, when we get involved with some type of incident response effort, there was an early warning indicator. There was an EDR that said, ‘Hey, Mimikatz just ran. Understanding what these behaviors are is so important when you’re looking at those logs,” Cummings said.
A former child hacker, Paul Dant is now director of cybersecurity strategy at Illumio and understands attacker methods firsthand. Dant shared some of his childhood exploits, in which flat company networks allowed him to move laterally between systems. As a youth in the 90s, Dant hacked into a public-school network, using its modems to make long-distance calls. He also achieved unrestricted remote access to a bank data processing center with elevated privileges.
“We’re leaving pathways in place for an attacker to compromise one of these systems, eventually move into all of these systems, identify your critical assets, and ransom them,” Dant said in his argument for network segmentation. “We need to make sure that that first compromised system is the last compromised system in the environment so that spread is not able to go any further.”
Technologies change through the years, but the constant is people. Facilitating communication between teams and team members at every level is crucial in protecting from threats.
Rich Mogull of FireMon spoke to the operational level. “The problem with security operations is that when we break down any security operational process, multiple teams will be involved,” he said.
Mogull advocated ChatOps as a way to help security teams better interface with other teams, reducing friction at an operational level. With ChatOps, security analysts can delegate alerts to colleagues in other teams who are responsible for the alert’s associated environment, ensuring that the people with the most knowledge of the environment engage with the issue.
Rob Phillips of Splunk’s internal audit function spoke of the importance of building alliances and strong communication between security and audit functions.
“If you’re a security professional and you’re working with an auditor, it’s okay to ask them why they are asking certain questions,” Phillips said. An auditor’s gaps in understanding of security can mean the questions asked are not always the right ones. A better understanding of the intent behind the question can help security professionals steer auditors in the right direction.
For Ashlee Benge of Cisco Talos, communication is why Cisco’s program successfully fights cyber threats with Ukraine. Threat hunters have clear, defined communication paths to know where to turn when they need something.
“It is program leadership’s job to make sure that we are handling all the communications between partners, between Talos leadership and Cisco leadership, to make sure that if there’s something we need, we can go get it. And really to sort of shake a fist if we need to,” said Benge. “The goal for us is to remove anything that can get in the way of our (threat) hunters doing their thing.”