The 20th edition of Black Hat USA (BHUSA) did not disappoint, if your expectations were the largest exhibit floor, the most lasers, and the biggest attendance ever. Black Hat USA has become one of the most anticipated infosec conferences of the year, and anchors a week that has become affectionately known as Infosec Summer Camp, bookended by Security B-Sides Las Vegas and DEF CON at the beginning and end of the week, respectively. Hats off to anyone able to attend all three events, as the sheer scope and size of Black Hat alone is enough to exhaust anyone over the course of its three days.
Caption: Me, at Black Hat USA 2017
It is quite literally impossible to take in all of Black Hat, with full days of Trainings, Briefings, the Arsenal, as well as sponsored workshops and sessions. In addition to the official agenda, there are many informal gatherings of old friends and meetups of like-minded professionals. With that in mind, I’ll share the highlights of my experience at this year’s conference.
Prior to the opening keynote, I was fortunate to attend a breakfast organized by Jeremiah Grossman of Sentinel One. Grossman is passionate about the burgeoning cyber insurance and warranty market, and what it means for the future of information security. Among the two dozen or so people gathered, I got to share a few words with Sean Sposito, an analyst compiling research on cyber insurance and warranties. Sean definitely sees this market going “up and to the right”, as he put it. Look out for his report in the future. Craig Dods, an architect at Juniper Networks, is seeing a sharp increase in demand for warranties from customers. I also spoke with Adrian Sanabria, whose work at Savage Security demystifying security directly intersects with this exploding market. The strong consensus among all in attendance was that insurance and warranties have the potential to dramatically alter the cyber security landscape by setting clear standards for effective security practices.
After breakfast, Black Hat USA 2017 kicked off in earnest with the keynote by Alex Stamos, CISO of Facebook, amidst a laser light show and arena-like atmosphere, setting the tone for the conference. Stamos emphasized the need to shift toward a safety-oriented approach to information security. As Chris Wysopal of Veracode put it in his BSidesNYC talk back in 2016, doing business on the Internet is an inherently dangerous act. Rather than focus on militaristic paradigms of attack and defense, shifting our mindset to providing more safety measures for users and organizations alike can reveal new methods to engineer security solutions. Stamos closed on the point that to achieve the goals of a safer Internet, we must strive to be more inclusive when recruiting, hiring, and working in the security and technology fields.
There are three briefings I attended that I’d like to highlight here.
The first was entitled “The Active Directory Botnet”, and the content was intriguing. The pervasive use of Microsoft’s Active Directory (AD) means that any exploit is likely to draw huge interest. The research was presented by Ty Miller of Australian firm Threat Intelligence and drew a huge crowd. Since Active Directory servers often bypass all network access controls, gaining command and control of AD is a powerful exploit for doing massive damage to a typical infrastructure. According to the briefing synopsis, “the AD Botnet Client injects unique data entries into their corresponding AD account attributes within the target Domain Controller, and begins polling to identify other compromised systems within the domain.” Now, most AD servers are closely guarded, but even a small flaw or an insider threat could be incredibly dangerous, especially since detection post-compromise would prove very difficult.
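The synopsis quoted above gives a defender two things to look for: accounts writing unusual data into their own AD attributes, and the same account doing so repeatedly. The following Python is an added example written for this column, not code from the briefing or from Threat Intelligence; it runs a simple heuristic over constructed, simplified attribute-change records (the `AttrChange` fields and the `TEXT_ATTRIBUTES` set are assumptions, not any real audit log schema) and flags writes that look like encoded payloads rather than descriptive text, or that come from an account repeatedly editing its own object.

```python
"""Heuristic triage of Active Directory attribute writes.

Added example for this column (not from the "AD Botnet" briefing). All event
records below are CONSTRUCTED; the field names are simplified and do not
follow any real directory audit log format.
"""
import base64
import math
import re
from collections import Counter
from dataclasses import dataclass

# Free-text attributes that ordinary users can often update on their own
# account and that normally hold short, readable strings. (Assumed list.)
TEXT_ATTRIBUTES = {"description", "info", "title", "streetAddress"}

# Long run of base64 alphabet characters with no spaces.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]{24,}$")


@dataclass(frozen=True)
class AttrChange:
    """One attribute modification on a directory object (constructed schema)."""
    ts: str
    actor: str       # security principal that performed the write
    target: str      # account object whose attribute was changed
    attribute: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: English prose is roughly 4, base64 data approaches 6."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_blob(value: str) -> bool:
    """True when a value looks machine-generated rather than descriptive text."""
    if BASE64_RE.match(value):
        try:
            base64.b64decode(value, validate=True)
            return True
        except ValueError:  # binascii.Error is a subclass of ValueError
            pass
    # Fallback: long, space-free, high-entropy strings are also suspicious.
    return len(value) >= 32 and " " not in value and shannon_entropy(value) > 4.5


def flag_suspicious(events, self_write_limit=2):
    """Return (event, reasons) pairs that merit an analyst's attention."""
    self_writes = Counter()
    findings = []
    for ev in events:
        reasons = []
        if ev.attribute in TEXT_ATTRIBUTES and looks_like_blob(ev.value):
            reasons.append("encoded/high-entropy value in free-text attribute")
        if ev.actor == ev.target:
            # An account editing its own object is legitimate in moderation;
            # a stream of such writes is what the polling behaviour would produce.
            self_writes[ev.actor] += 1
            if self_writes[ev.actor] > self_write_limit:
                reasons.append(f"{self_writes[ev.actor]} self-writes by the same account")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample records: one routine admin edit, then a user repeatedly
# stuffing encoded data into its own 'info' attribute.
_BLOB = base64.b64encode(b"beacon:HOST-A:1503000000:idle").decode()
SAMPLE_EVENTS = [
    AttrChange("2017-07-26T10:00:00Z", "CORP\\admin", "CORP\\alice", "description", "Sales team, building 4"),
    AttrChange("2017-07-26T10:01:00Z", "CORP\\bob", "CORP\\bob", "info", _BLOB),
    AttrChange("2017-07-26T10:02:00Z", "CORP\\bob", "CORP\\bob", "info", _BLOB),
    AttrChange("2017-07-26T10:03:00Z", "CORP\\bob", "CORP\\bob", "info", "ack"),
    AttrChange("2017-07-26T10:04:00Z", "CORP\\carol", "CORP\\carol", "title", "Engineer"),
]


if __name__ == "__main__":
    for ev, reasons in flag_suspicious(SAMPLE_EVENTS):
        print(f"{ev.ts} {ev.actor} -> {ev.target}.{ev.attribute}: {'; '.join(reasons)}")
```

On the sample above, the admin's description edit and carol's single title change pass, while bob's three consecutive self-writes are all reported: the first two for carrying a base64 payload, the third for exceeding the self-write threshold. In practice the thresholds and attribute list would be tuned against a baseline of normal directory change volume for the domain.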
The second briefing was entitled “Exploit Kit Cornucopia”, and walked through the many ways to detect compromised websites and gateways. Brad Antoniewicz and Matt Foley of Cisco Umbrella explained how they were able to detect the exploits on those compromised websites that may be infecting browsers with drive-by downloads of malware or other malicious code. They dissected the code, and found some flaws they were able to use to detect other compromised sites and hosts. Among the most interesting tidbits was the number of compromised sites they discovered in what we think of as the “reputable” Alexa Top Million. The techniques they used to build their own botnet of scrapers to uncover these sites were also shared, and the elegant methods they developed to fuel their research were fascinating.
Lastly, a briefing on security usability testing was presented by Lorrie Cranor of Carnegie Mellon’s CyLab. The team at CyLab leveraged various rollouts of security policies at the university to gather empirical data on the usability of various common controls. Unsurprisingly, the more complex the password policy, the less people liked it. Multi-factor authentication rollouts also scored poorly in usability. Among the more interesting testing methods and results shared were those around how easily users dismiss browser warnings when phishing is detected. As noted in this column in the past, user experience (UX) is a key component to consider when deploying new security controls, and the data here was insightful validation of how usability really impacts security efficacy.
There was much, much more at Black Hat USA that I couldn’t get to or couldn’t cover in this column. While bigger isn’t always better, the 20th Black Hat did not disappoint in either quality or quantity. Infosec professionals and hobbyists alike should try to make it to Infosec Summer Camp in Vegas at least once. The community and the opportunities to learn haven’t slipped a bit; just be prepared to plan which sessions to attend, as there’s a lot to explore and discover.