Over 6,000 security executives, analysts, hackers, academics, and government staffers from 140 countries flocked to the Mandalay Bay Convention Center in Las Vegas, while 14,600 logged into the virtual platform for Black Hat USA 2021.

Now in its 24th year, the conference presented a unique hybrid experience after a pandemic-forced hiatus. In-person attendance was down, but spirits were high as security professionals eagerly returned to networking and learning about the latest cybersecurity research, threats, trends, and technologies.

The Battle for Cyber-Immunity

Black Hat founder Jeff Moss (@thedarktangent) kicked off the conference without his signature sparkly shoes. After dedicating a moment of silence to the passing of two great minds—former Qualys CEO Philippe Courtot and security researcher Dan Kaminsky—he urged the audience to work together to address cybersecurity challenges in the same way present-day doctors help mitigate COVID-19.

Moss drew parallels with three “modes of immunity.” In the first, no one is immunized. The networked world equivalent, he said, is “no systems are maintained, patched and updated. There’s nobody watching the logs. So, the malware spreads unchecked through the network.”

In the second, some of the population is immunized. “The contagious disease spreads through some of the population, and some networks, and some systems are not maintained. So malware is sometimes noticed and sometimes spreads through some of the population.” It is in this mode Moss believes the cybersecurity community is stuck.

In the third mode, most of the population is immunized. What that looks like in the digital world, he said, is when “most networks and systems are maintained, malware is noticed most of the time [and removed most of the time], and actions are taken to protect other systems besides your own system.”

The end state we should be striving for, Moss stressed, is full immunization, “where you’re actually conferring immunity to those around you.”

Keynote Highlights

This year’s keynote speakers included Matt Tait, Chief Operating Officer of Corellium, Alejandro Mayorkas, Secretary of Homeland Security, and Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA).

In his opening keynote—pre-recorded in the UK—Tait focused on the extreme difficulty of safely managing the integrity of the software supply chain.  He highlighted the destructive nature of supply chain attacks; the only way to address them, he says, is to fix the underlying technology. Platform vendors need to step up.

Easterly brought a unique style to her first major speech as CISA Director. Wearing a partially covered “Free Britney” t-shirt and colorfully embroidered jeans, she demystified her agency’s pronunciation—it’s “SIHSA,” not “SEESA”—before announcing a Joint Cyber Defense Collaborative (JCDC).

With music referencing AC/DC in the background and a Rubik’s Cube in hand, she stressed the power of imagination, technology, and collaboration as she pushed for more cybersecurity talent and outlined the JCDC’s mission: bringing together government and private-sector organizations with four central goals.

• Sharing insights into the threat landscape
• Developing cyber defense plans
• Exercising the plans
• Working together to implement the plans in operations

Closing out the conference, Mayorkas compared modern-day cybersecurity to the 19th-century conflict known as “The Great Game.”

The “game” has shifted from land to cyberspace, he said, and the stakes are high. Following up on Easterly’s plea to help build up the cyber workforce, he invited the cybersecurity community to “lead the charge on the inside” by getting involved in one of two ways:

1. Apply for CISA and/or DHS positions through the Cybersecurity Talent Management System (CTMS) launching next month. It cuts the time it takes to hire cybersecurity professionals, redefines how the government evaluates cybersecurity skill sets, and facilitates competitive pay rates.
2. Those not interested in working for the government can still use their expertise to help bridge the gap between the hacker community and the federal government by participating in public/private collaboration.

Announcements

Continuing the theme of collaboration, a partnership of cybersecurity and IT providers—including Exabeam, Armis, Expel, ExtraHop, Google Cloud Security, Mimecast, Netskope, and SentinelOne— announced The XDR Alliance.

The goal of the alliance is to define an open XDR framework and architecture that works for end users, help SecOps teams integrate and better align with new and evolving applications and technologies, ensure interoperability across the XDR security vendor solutions set, and collaborate on XDR market education and awareness.

According to its press release, the Alliance has already developed a three-tier model composed of the core components of the XDR technology stack.

NOC Recap

Unfortunately, Black Hat attracts malicious hackers and cybercriminals determined to prey on vulnerable devices, making the Network Operations Center (NOC) a popular point of interest. While the NOC was closed to attendees this year, it was streamed live.

IronNet Threat Analysis Lead Peter Rydzynski’s recap for Security Boulevard provides first-hand insight into the experience of monitoring the conference’s network. His blog post can be found here.

Pwnie Awards

This year’s Pwnie Awards continued the Black Hat tradition of celebrating (and making fun of) the latest achievements and failures of the security community.

Microsoft won the Most Epic Fail award for its handling of the PrintNightmare Print Spooler vulnerability, which led to a problematic patch and more questions about potentially vulnerable code. The Pwnies’ description sums up the dubious victory:

In a humorous twist, the award for Best Song went to “The Ransomware Song” by @forrestbrazeal. Pwnie organizers describe it as “A fantastic song about the (ab)use of math in creating the wonderful world of cybersecurity, with a catchy, well-composed, Broadway-style flair. Finally, a use for math!”

A complete list of Pwnie Award winners can be found here.

Notable Sessions

More than 90 sessions, or “briefings,” spanning 18 tracks took place during the conference. Here are a few that caught my attention.

Getting Real With Deepfakes

In “Deepfake Social Engineering: Creating a Framework for Synthetic Media Social Engineering,” University of Central Florida Research Professor and cybersecurity consultant Dr. Matthew Canham noted that social engineering capabilities are transitioning us away from being able to trust what we experience with our own eyes and ears.

Cybercriminals have been using synthetic audio in vishing attacks to impersonate executives and convince employees to wire funds in recent years. Text-message-based deepfake attacks have also been reported, in which “bots” contact employees and impersonate executives with spoofed mobile phone numbers.

The bot exchanged a few messages with Dolores to establish trust, and then a human took over to complete the scam. Canham believes deepfakes on Zoom or other video conferencing apps—which he calls “zishing”—are next.

An alarming example, said Canham, was the “I’m not a cat” Zoom video in which a Texas lawyer was stuck with a kitten avatar during a court hearing.

Unlike the 2018 Jordan Peele video impersonating former President Obama, the kitten avatar perfectly mirrored the Texas lawyer’s mouth and eye movements in real-time. Similar overlays and avatars may soon make videoconference participants appear to be completely different people. After that, Canham speculates, the next frontier could be biometric-based phishing attacks.

During the session, he proposed a Synthetic Media Social Engineering Framework to describe these attacks along with easy-to-implement, human-centric countermeasures.

Targeted policies, for example, are a low-tech way to help combat deepfakes:

• Shared Secret Policy, such as a code word
• Never-Do Policy (Canham noted the example of a CEO that told his team he would never ask them to buy gift cards)
• Multi-Person Authorization Policy
• Multi-Channel Verification Policy

Canham’s Black Hat slides and a related white paper can be viewed here.

The Job That Was Too Good To Be True

In “Whoops, I Accidentally Helped Start the Hacking Branch of a Foreign Intel Service,” former NSA analyst and founder of StandardUser LLC David Evenden (@JediMammoth) shared the story of his inadvertent foray into the United Arab Emirates’ Project Raven—a clandestine team engaged in the surveillance of governments, militants and human rights activists critical of the monarchy.

Evenden described transitioning out of his role at the NSA in 2014, when a Washington D.C.-based recruiter presented him with an incredible opportunity: earn a lucrative salary while using threat-hunting skills to support coalition forces in the fight against Isis and Al Qaeda in the Middle East.

He eagerly accepted, and for the first few months worked alongside other former U.S. intelligence operatives with complete confidence, focusing primarily on social media chatter and keyword analytics. Things went sideways when operations shifted to a converted mansion in Abu Dhabhi known as “The Villa.”

Intel requests started deviating from his mission plan, and he discovered the “cover story” that he would be working on defensive measures was false. He would be working with NISSA—the UAE’s NSA counterpart—on offensive initiatives that were never to be disclosed to the public.

In late 2015, a local entity called DarkMatter took over Project Raven, and he realized he was being asked to help the UAE hack into the phones and computers of its enemies, including fellow Americans.

He closed the session with lessons learned (pictured below) for other security professionals considering moving abroad.

Evenden’s slides—including technical details of his work for the UAE—can be viewed here. More of his story is available in episode 47 of Darknet Diaries.

Time for Zero Trust

The latest Cost of a Data Breach Report found organizations that implement zero trust are better positioned to deal with data breaches, but only about a third have done so.

In “Frictionless Zero Trust: Top 5 CISO Best Practices,” CrowdStrike VP of Identity & Zero Trust Marketing Kapil Raina outlined recommendations security teams can use to get started:

1. Use industry definitions from sources like NIST 800-207, Forrester, DISA and NSA/CISA.
2. Make adoption frictionless for IT, Security, and User principles.
3. Recognize that zero trust is a journey, not a product. Work with trusted advisors to map out a multi-year journey that fits the needs of your business.
4. Leverage cloud-first, cloud-based solutions that can stitch together on-prem and cloud-based environments and reduce complexity.
5. Take a platform approach. Look for well-integrated platforms (which can include an alliance of multiple vendors) rather than disconnected point solutions.

Uniting Our Efforts

There are more Black Hat highlights than I can mention on various other topics, including AWS vulnerabilities, breaking network segmentation, building diverse security teams and more, not to mention all of the tools and products showcased at the Arsenal! While there was a vague feeling of emptiness in the Business Hall and the usual swag was replaced by hand sanitizer and face masks, the spirit of togetherness was strong.

Everyone I spoke with was grateful to connect in person, and the theme of collaboration was taken to heart. No matter how it is presented—virtually, in-person or as a hybrid event—Black Hat continues to provide valuable insight into our community’s maturity, the challenges we face, and how we can work together to overcome them.

References

• IBM Security & Ponemon Institute: 2021 Cost of a Data Breach Report
• XDR Alliance Press Release
• Security Boulevard Blog: Black Hat USA 2021 Recap