14 Top Cybersecurity Trends To Expect At Black Hat Conference
As Black Hat Conference 2021 kicks off amid vendor cancellations and a surge in COVID-19 cases in Las Vegas, CRN speaks with 14 prominent executives to see what cybersecurity trends they expect to be the talk of this year’s event.
Security In An Unsafe World
Black Hat has grown over the past quarter-century into the premier stage for cybersecurity professionals to share cutting-edge research and insight through demos, technical trainings and hands-on labs, with 20,200 attendees and more than 300 cybersecurity vendors gathering in Las Vegas in 2019 to hear from more than 500 speakers and visit a bustling Business Hall.
But the recent Delta variant-fueled surge of COVID-19 cases in Las Vegas will keep in-person attendance at Black Hat 2021 to just 5,000 and prompted three high-level sponsors—Palo Alto Networks, Qualys and Trend Micro—to pull out of the in-person event entirely in the week leading up to the show. Black Hat keynotes and briefings will be available digitally for 30 days, and there will also be a virtual Business Hall.
“In light of CDC guidance on the COVID-19 Delta variant and out of concern for the safety of Qualys employees, Black Hat attendees and residents of Las Vegas, Qualys has made the tough decision to forgo our in-person presence at Black Hat USA 2021,” Qualys wrote on LinkedIn Saturday. “We were very much looking forward to being at the event in person and will continue to support it through our virtual presence.”
As Black Hat Conference 2021 kicks off, CRN spoke with executives from 14 prominent cybersecurity vendors to see what they expect to be the major areas of focus at this year’s event. From ransomware, supply chain and critical infrastructure attacks to third-party risk management, zero trust architectures and AI-enabled threat intelligence, here are the cybersecurity trends experts are watching for at the show.
Federal Testing For Supply Chain Vulnerabilities
The U.S. government is expected to take action to defend the software supply chain in the wake of the SolarWinds attack, and insiders are wondering if the new regulations will be primarily symbolic or have teeth attached to them, according to Splunk Security Strategist Ryan Kovar. He’d like to see technology vendors go through a process to facilitate better detection of supply chain vulnerabilities.
Specifically, Kovar said technology companies selling to the government should be required to have their products tested beforehand and certified by NIST or another third-party entity. Having a centralized mechanism to examine the safety and quality of software consumed by the federal government akin to what the FDA does with medicine would also aid the security of software used in the commercial space.
Forcing technology vendors to go through security testing to sell to the federal government would create systemic change akin to how Walmart’s mandate that suppliers use barcodes made barcodes pervasive throughout the retail sector, Kovar said. Such a move would also centralize the financial and technical burden around securing the U.S. government, which would help agencies that get less funding.
Living-Off-The-Land Attacks
Adversaries are increasingly using legitimate tools also employed by the victim organization to stay better hidden by blending into the victim’s traffic, according to Jon Clay, Trend Micro’s vice president of threat intelligence. Legitimate tools can be harnessed to carry out every piece of the attack chain from initial access, asset discovery and lateral movement to data exfiltration and credential theft, Clay said.
Living-off-the-land attacks are a counter-forensic activity since they force businesses to have a mechanism for examining the use of tools like Cobalt Strike, Mimikatz and PsExec to determine whether a particular instance is legitimate or illegitimate, according to Clay. As with stolen admin credentials, Clay said adversaries pursuing living-off-the-land attacks can engage in lots of activities that fly under the radar.
Threat actors engage in asset discovery and app discovery when scoping out potential victims to ensure they’re able to blend in by using the same apps and OS as the intended target, Clay said. Trend Micro has documented between 20 and 30 legitimate tools that can also be used by ransomware actors for nefarious purposes, according to Clay.
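The mechanism Clay describes, examining each use of a dual-use tool and deciding whether that particular instance is expected, can be expressed as a small triage rule set. The block below is an added illustration, not Trend Micro's or CRN's code: it runs over constructed process-creation events (JSON lines loosely modelled on Sysmon Event ID 1 fields) and classifies PsExec and Mimikatz executions against a hypothetical policy of approved admin accounts, approved jump hosts and a change window. All account names, host names, paths and the window hours are assumptions.

```python
"""Triage of dual-use ("living-off-the-land") tool executions.

Added example. Each process-creation event is matched against a short catalogue
of tools that appear both in legitimate administration and in intrusions; a
match is then judged against the organisation's own context (who ran it, from
where, and when). Policy values and log lines below are constructed.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Policy:
    approved_admins: frozenset   # accounts allowed to run remote-execution tools
    jump_hosts: frozenset        # hosts from which those tools may be launched
    change_window: tuple         # (start_hour, end_hour), 24h clock, may cross midnight


@dataclass
class Finding:
    tool: str
    user: str
    host: str
    verdict: str     # "expected" or "review"
    reasons: list


# Matched against image path plus command line. Only tool names, no operator syntax.
TOOL_PATTERNS = {
    "psexec": re.compile(r"(?:^|[\\/])(psexec|psexec64)\.exe\b", re.I),
    "mimikatz": re.compile(r"mimikatz", re.I),
}


def identify_tool(event: dict):
    haystack = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    for name, pattern in TOOL_PATTERNS.items():
        if pattern.search(haystack):
            return name
    return None


def in_change_window(ts: datetime, window: tuple) -> bool:
    start, end = window
    if start <= end:
        return start <= ts.hour < end
    return ts.hour >= start or ts.hour < end   # window that crosses midnight


def triage_event(event: dict, policy: Policy):
    """Return a Finding for dual-use tool executions, None for everything else."""
    tool = identify_tool(event)
    if tool is None:
        return None
    user, host = event["User"], event["Computer"]
    ts = datetime.fromisoformat(event["UtcTime"])
    reasons = []
    if tool == "mimikatz":
        # A credential-dumping tool has no approved routine use in production.
        reasons.append("credential-dumping tool has no approved production use")
    else:
        if user not in policy.approved_admins:
            reasons.append(f"user {user} not in approved admin set")
        if host not in policy.jump_hosts:
            reasons.append(f"host {host} is not an approved jump host")
        if not in_change_window(ts, policy.change_window):
            reasons.append("execution outside change window")
    return Finding(tool, user, host, "review" if reasons else "expected", reasons)


def triage(log_lines, policy: Policy):
    findings = []
    for line in log_lines:
        finding = triage_event(json.loads(line), policy)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed policy (hypothetical account, host and window).
POLICY = Policy(
    approved_admins=frozenset({r"CORP\svc-patching"}),
    jump_hosts=frozenset({"JUMP01"}),
    change_window=(1, 5),
)

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = [
    r'{"UtcTime": "2021-08-04T02:15:10", "Computer": "JUMP01", "User": "CORP\\svc-patching", "Image": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\FS01 -s msiexec /i patch.msi"}',
    r'{"UtcTime": "2021-08-04T14:40:03", "Computer": "WKS-117", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\PsExec64.exe", "CommandLine": "PsExec64.exe \\\\FS01 cmd"}',
    r'{"UtcTime": "2021-08-04T14:41:55", "Computer": "WKS-117", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\mimikatz.exe", "CommandLine": "mimikatz.exe"}',
    r'{"UtcTime": "2021-08-04T14:42:30", "Computer": "WKS-117", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}',
    r'{"UtcTime": "2021-08-04T14:50:00", "Computer": "JUMP01", "User": "CORP\\svc-patching", "Image": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\FS02 -s msiexec /i patch.msi"}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, POLICY):
        print(f"{f.verdict:8} {f.tool:9} {f.user} on {f.host}  {'; '.join(f.reasons)}")
```

The point of the context checks is that the same binary yields different verdicts: the patching account launching PsExec from the jump host during the window is expected, while the identical command from a workstation in the afternoon, or from the right host at the wrong hour, is queued for review. Real deployments would draw the approved sets from a CMDB or change-management system rather than a literal.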
Attacks On Critical Infrastructure
Critical infrastructure vendors are not used to having to defend their assets against sophisticated cyber adversaries, and typically have small IT teams with limited security specialists, according to Anthony James, Infoblox’s vice president of product marketing. These companies don’t have large offices or data centers, and proceeds tend to be invested in ramping up electricity or oil production, James said.
However, critical infrastructure equipment is typically IP-enabled for manageability and centralized control, which James said makes it vulnerable to cyberattacks just like hospitals or medical equipment. Critical infrastructure environments are highly distributed with limited compute power, meaning that oil rigs don’t have an IT team tasked with ensuring the network connection isn’t attacked or compromised.
IP-enabled equipment should be separated from the core network whenever possible, James said, air-gapping devices that are critical to business operations but don’t require internet access. Critical infrastructure vendors should assess which devices actually need to connect to the management console and put policies in place to otherwise restrict what’s allowed to communicate with the console.
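The assessment James recommends, deciding which devices genuinely need the management console and which must stay off external networks, can be turned into a checkable policy. The block below is an added illustration, not Infoblox's code: a constructed device inventory records each device's console and internet needs, and sample flow records (the kind a firewall or flow collector would emit) are evaluated against rules derived from that inventory, with everything not explicitly permitted denied. The console address, ports, plant ranges, device names and addresses are all hypothetical; 203.0.113.9 is from a documentation address range and stands in for an arbitrary external host.

```python
"""Flow-policy check for IP-enabled plant equipment (added example).

An inventory says which devices may reach the management console and which
must never talk to external networks; flows are then judged against it.
All addresses, names and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass

CONSOLE_IP = ipaddress.ip_address("10.50.0.10")          # hypothetical console
CONSOLE_PORTS = {443}                                     # assumed console listener
PLANT_NETS = [ipaddress.ip_network("10.50.0.0/16")]       # anything outside is external


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    needs_console: bool      # outcome of the "does it really need the console?" review
    internet_allowed: bool   # False = keep the device isolated from external networks


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed inventory.
INVENTORY = [
    Device("plc-pump-01", "10.50.1.11", needs_console=True, internet_allowed=False),
    Device("hmi-line-a", "10.50.1.20", needs_console=True, internet_allowed=False),
    Device("sensor-gw-07", "10.50.2.7", needs_console=False, internet_allowed=False),
    Device("eng-laptop-03", "10.50.9.3", needs_console=True, internet_allowed=True),
]


def is_external(ip: str) -> bool:
    """True when the address lies outside every plant range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PLANT_NETS)


def evaluate(flow: Flow, inventory) -> tuple:
    """Return (verdict, reason); verdict is "allow" or "deny". Default is deny."""
    by_ip = {d.ip: d for d in inventory}
    src = by_ip.get(flow.src)
    if src is None:
        return "deny", f"unknown source {flow.src}"             # uninventoried device
    if ipaddress.ip_address(flow.dst) == CONSOLE_IP:
        if src.needs_console and flow.dport in CONSOLE_PORTS:
            return "allow", f"{src.name} approved for console"
        return "deny", f"{src.name} not approved for console on port {flow.dport}"
    if is_external(flow.dst):
        if src.internet_allowed:
            return "allow", f"{src.name} permitted external access"
        return "deny", f"{src.name} must stay isolated from external networks"
    if flow.dst in by_ip:
        return "allow", "plant-internal traffic between inventoried devices"
    return "deny", "no rule permits this flow"


def violations(flows, inventory):
    """Flows the policy would block, with the reason, for review or enforcement."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow, inventory)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.50.1.11", "10.50.0.10", 443),    # PLC -> console: approved device and port
    Flow("10.50.2.7", "10.50.0.10", 443),     # sensor gateway -> console: not approved
    Flow("10.50.1.20", "10.50.0.10", 22),     # HMI -> console on an unapproved port
    Flow("10.50.1.11", "203.0.113.9", 443),   # PLC -> external host: must stay isolated
    Flow("10.50.9.3", "203.0.113.9", 443),    # engineering laptop -> external: permitted
    Flow("10.50.1.11", "10.50.1.20", 502),    # PLC -> HMI inside the plant
    Flow("10.50.7.77", "10.50.0.10", 443),    # uninventoried host -> console
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS, INVENTORY):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

Running the check over historical flow logs before enforcing the policy shows which devices are talking to the console without a documented need, which is exactly the list the assessment is meant to produce; the same rules can then be rendered as firewall or ACL entries.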
Third-Party Risk Management
Organizations are increasingly realizing that they need to invest more resources in ensuring that third-party vendors aren’t a source of endangerment, according to Colin Henderson, OneTrust’s vice president of security. Large multinational firms have been assessing third-party risk in a programmatic, mature way for some time, but smaller players that outsource their IT management need to take a closer look.
Organizations should start by reviewing vendor contracts to ensure their suppliers have the right people, controls and governance structure in place to address cyber-risk in a serious manner, Henderson said. Businesses should be able to audit their most significant third-party vendors, and Henderson said visibility is key when assessing whether or not the appropriate security policies are in place.
Companies should apply the most scrutiny to third parties that pose the highest risk, such as those with direct access to the organization’s data, ensuring that they’re evaluated with the appropriate frequency and depth, Henderson said. And if a vendor doesn’t have a good risk management program, Henderson said the business should consider alternate options.
Zero Trust Architectures
Zero trust architecture ties into so many things the federal government has been trying to wrestle with and solve and can minimize the risk associated with supply chain issues and ransomware threats, according to Bill Rucker, president at Trustwave Government Solutions. Zero trust is both an area of focus and frustration for government leaders since it means very different things to different people.
At its core, Rucker said zero trust is about knowing where data lives as well as which users have access to what data since organizations can’t defend what they don’t know exists. As government agencies increasingly push to share more data with one another, Rucker said a zero trust approach is vital to ensuring the data in question doesn’t become vulnerable.
There are a variety of tools that can scan networks and determine where data resides, but Rucker said the quality of those tools varies greatly since some are purpose-built to solve the job while others clearly aren’t. Organizations are starting to make sure they have the right tools in place to assess data location and sovereignty, according to Rucker.
Weaponization Of Previously Stolen Data
A lot of user and organization data had already been stolen in previous breaches and is now being weaponized against them in subsequent attacks, said Barracuda Chief Technology Officer Fleming Shi. Adversaries leverage the personally identifiable information they’ve already taken to obtain a user’s credentials and password, and then target the SaaS applications where these people are logging in.
Adversaries are particularly focused on identifying ways to get into the infrastructure behind whatever is running a company’s web applications, according to Shi. Hackers are particularly well-positioned to inflict damage if they’re able to get into a company’s VPN since that provides access to a lot of the business’ internal systems, Shi said.
Hackers can gain access to reputable brands and hijack their networks and systems to carry out attacks by getting into their supply chain or build process and manipulating software updates that are applied automatically, Shi said. Specifically, Shi said adversaries that get into a victim’s infrastructure and change payloads during the update process can inflict damage without needing the end user to take action.
Use Of AI In Ransomware Reconnaissance
Cyberdefenders are increasingly using artificial intelligence to conduct reconnaissance and get visibility into how adversaries are weaponizing ransomware, according to John Maddison, Fortinet’s chief marketing officer and executive vice president of products. A single malicious DNS call can be the start of a ransomware attack, so Maddison said it’s critical that companies leverage AI to connect the dots.
Artificial intelligence can look across billions of pieces of data to connect honeypot or receptor activity in a particular geography or industry to a vulnerability the company is already familiar with, Maddison said. Artificial intelligence has made significant progress at a functional level, which he said has allowed organizations to make inferences or tie up loose ends within the endpoint, network or application itself.
But complex threats typically sit across the network, the endpoint and the application layers, meaning that artificial intelligence needs to be brought across multiple technologies to bear fruit for businesses, Maddison said. Artificial intelligence has the potential to look across people, processes and data and deliver insight at a scale that simply wouldn’t be possible manually.
Supply Chain Attacks
Adversaries have increasingly realized they can infiltrate hundreds or even thousands of customers at once by compromising a supplier they all have in common, said Gee Rittenhouse, senior vice president and general manager of Cisco Secure. Businesses must ensure they have visibility into their supply chain, the risk associated with each supplier, and a way to quickly remediate should an event occur, he said.
Supply chain attacks provide hackers with a good return on their investment since they need only break into a single strategic enterprise to distribute their malware across thousands of organizations, he said. Supply chain attacks have moved from being a weaponized attack carried out by a sophisticated adversary against a particular industry to being a more generic part of the malware commercial cycle.
Businesses where all employees are either working from the office or working remotely are the easiest to defend against a supply chain attack, Rittenhouse said. But safeguarding hybrid environments adds a degree of complexity, which employers are just beginning to realize as they think about mandating that some or all their workers return to the office, according to Rittenhouse.
Lack Of Control Over Sensitive Data
Adversaries are laser-focused on trying to find out where a business’ sensitive data is and steal it, and they’ve enjoyed a lot of success since attackers too often know where a company’s data is better than the company itself, according to Netskope Founder and CEO Sanjay Beri. Once companies find out where their sensitive data is, Beri said they need to put guardrails around it to control how it’s used.
Data is the intellectual property of most companies, meaning that it can be an existential threat to the company if that data gets out, Beri said. Regulators are cognizant of just how important it is for businesses to have visibility into their sensitive data, and aren’t afraid to issue fines if a company is holding customer data and doesn’t have adequate controls in place to safeguard it, according to Beri.
Companies on average use close to 1,000 cloud applications, 90 percent of which aren’t owned by IT, according to Beri. With more than half of all sensitive data living in the cloud, Beri said cloud-based data loss prevention (DLP) is vital for helping companies figure out which of their data goes where.
Use Of Zero Days In Ransomware Attacks
There has been an explosion in both the sophistication and volume of ransomware attacks, with cybercriminals exploiting a zero-day vulnerability to break into Kaseya’s remote monitoring and management (RMM) tool, said Sophos CEO Kris Hagerman. The increased use of zero days in ransomware attacks is a sign that the hackers are both more sophisticated and targeting certain organizations specifically.
On the flip side, Hagerman said the proliferation of Ransomware as a Service (RaaS) operations means that the affiliate groups actually carrying out attacks don’t have any technical expertise and sometimes don’t even know how to write code.
For instance, Hagerman said the Raccoon Stealer technology can be rented out for as little as $75 per week, providing criminals with an effective on-ramp to begin harvesting victim information, payments and ransoms. From there, Hagerman said adversaries can move up the value chain to higher volume and more sophisticated attacks.
Hitting Up Both Vendors And Customers For Ransom
Ransomware has evolved from locking down a single device or server to debilitating an entire organization by inflicting widespread damage, said Tim Choi, Proofpoint’s vice president of product marketing. This can result in a disruption of service for employees, customers and members of the impacted organization’s supply chain, according to Choi.
Adversaries are no longer content simply encrypting victims and denying them access to their systems and have over the past few years pushed to exfiltrate the data of victims and threaten to publicly release it, Choi said. More recently, hackers have capitalized on the supply chain to tell customers that a vendor of theirs was compromised and threaten to leak that customer’s data if a ransom isn’t paid.
Hackers have increased their telemetry across the channel so that if a campaign is successful, they have visibility into the victim’s web traffic and command and control servers, Choi said. Businesses should examine their legal and regulatory landscape and conduct tabletop exercises to ensure they don’t end up making an incorrect decision during an actual security incident because they ran out of time, Choi said.
Client-Side Attacks
DevOps teams typically own API security and are trying to figure out how to do security as efficiently as possible while still meeting modern, post-agile development expectations, according to Mark Weiner, F5’s vice president of product marketing. Developers face a lot of pressure to get applications and updates out faster while still maintaining security, Weiner said.
But the increased use of microservice apps and libraries has fueled a dramatic expansion of the attack surface, Weiner said. In client-side attacks, Weiner said customers end up downloading bad code from a company’s e-commerce website, which can cause significant damage to a company’s brand and credibility.
Like account takeover, client-side attacks pose a huge liability to both a company’s brand and valuation, opening the business up to lawsuits from customers and potentially shutting down a huge portion of the business if the impact of the attack is known, according to Weiner. Account takeover, meanwhile, has gone from being primarily bot-based to often involving humans in the process, Weiner said.
Increased Sophistication Of Commercial Cyber Crime
The knowledge that state actors have around cybercrime is spilling into the commercial world as nation-state groups increasingly target private commercial and civilian organizations for attack, according to Varonis co-founder, President and CEO Yaki Faitelson. As a result, Faitelson said there’s been a drastic uptick in the level of sophistication of adversaries as they target victim data.
Cybercriminals are finding it easier to get paid for carrying out ransomware attacks due to the pervasiveness of cyberinsurance policies, Faitelson said. The threat groups in turn invest the proceeds from ransom payments in acquiring more sophisticated hacking tools.
Bad actors are elevating their game and becoming more sophisticated by unleashing ransomware through supply chain attacks and seamlessly camouflaging themselves into the victim’s environment, Faitelson said. The productivity gains associated with digital transformation and being able to access data from anywhere are accompanied by much higher risk since the attack surface is now much bigger.
Broader Adoption Of Security Best Practices
Adversaries typically pursue the path of least resistance and would therefore much rather compromise someone in the supply chain and gain access to thousands of their customers rather than having to compromise each organization separately one by one, according to Secureworks Chief Product Officer Steve Fulton. Supply chain attacks provide the adversary with a target-rich environment, which spurs more activity.
Supply chain attacks have demonstrated that low-profile businesses can also attract the attention of hackers if they possess extensive customer access and data, Fulton said. But since these suppliers have historically been out of the spotlight, Fulton said they sometimes haven’t adopted basic security best practices like two-factor authentication and storing passwords in a vault.
Critical infrastructure organizations have in particular been outpaced and outmaneuvered by adversaries since they’re not living and breathing security around the clock and didn’t realize how big and expansive their risk was, Fulton said. These companies need more focus, visibility and accountability when it comes to security, according to Fulton.