Black Hat 2018: Election Hacking, Active Defense, and More…
Written by: Carolyn Crandall, CMO and Chief Deception Officer
With another busy Black Hat now behind us, we’re catching our breath and reflecting on some of the key themes at this year’s event. Prior to the show, I put together a list of activities and events for attendees to look out for. I expected to see a lot of buzz on privacy, mobile, and device security around critical infrastructure, IoT, and payment systems. I also expected to see a slew of new innovations introduced to address the expanding attack surfaces and evolving exploits that organizations must deal with in the modern threatscape.
Some thoughts and key takeaways from Black Hat 2018:
High-ranking U.S. intelligence officials across multiple agencies have issued consistent, dire warnings that the upcoming midterm elections are under active threat from a broad range of nation states and cyber adversaries. A group of kids proved the importance of these election security initiatives at DEF CON 26 last week, as they seemed to hack into voting systems with relative ease. According to PBS, “An 11-year-old changed election results on a replica Florida state website in under 10 minutes.” So, it was no surprise that the topic of election security made a lot of noise at this year’s show.
CNET reporter Dan Patterson joined CBS News live to share insights from several discussions with experts around election cybersecurity issues. He explained how AI is being used in new and creative ways to hack local campaigns by hiding malware in common applications. The malware can fend off typical virus scans and won’t activate to wipe a machine until the target is identified via facial recognition technology, potentially crippling an organization.
Attackers are also taking to social media to penetrate candidates’ inner circles by obtaining the credentials of someone the candidate trusts. Once they have stolen credentials, adversaries can send the candidate a malicious email that appears to be coming from someone familiar, giving the attacker relatively easy access to valuable campaign information. In response to these threats, security companies are beginning to offer free election security products and services nationwide. McAfee joined Synack, Cloudflare and Centrify in announcing last week that they will be offering free cloud services to election officials in all 50 states for one year.
Connected and software-dependent voting machines are also increasingly targeted. A presentation by Carsten Schuermann from the IT University of Copenhagen examined the WinVote voting machine. WinVote’s machines, which were used during the 2004 and 2015 elections in Virginia, can be easily hacked to influence the results of an election. The session prompted calls for a more formal protocol for communicating election-related information to be put into place – so that any cyberthreat, or even the question of one, can be brought to the FBI and election officials immediately. Regulating these systems federally would also go a long way towards ensuring that devices are secured safely. Today’s state and local regulations leave these systems stored in everything from libraries to basements, clearly not the most secure form of protection.
Since many voting machines are running older, unpatched versions of Windows or Linux, any networked machines are susceptible to attack. One of the most efficient ways to derail attacks on these machines is to implement a deception solution that detects threats early, accelerates remediation, and collects valuable intelligence on the adversary that can be turned over to law enforcement. Securing these systems across all of the U.S.A. feels like a daunting task; however, if we looked at focusing these extra security and early detection efforts on the swing states, we could curb the risk in the areas that would be most targeted.
I also found the autonomous car hacking presentation amongst the most discussed topics. In this session, two researchers, Charlie Miller & Chris Valasek, who have led security teams managing self-driving cars for many organizations, explained how self-driving cars work, how adversaries might hack them, and how they can ultimately be secured. In the near future, we will quite possibly live in a world where human beings are no longer driving our cars. In this scenario, we will have to come to terms with the threat of increasingly sophisticated cyber-attacks on vehicles. With the wave of the future upon us, it will be imperative that, as an industry, we find ways to secure these cars from foul play.
Optimistic Dissatisfaction with the Status Quo
As noted in my Black Hat preview blog, the keynote session from Google’s Director of Engineering, Parisa Tabriz, generated a lot of buzz.
In the session, “Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes,” Tabriz deemed the industry’s approach to cybersecurity as “insufficient” and suggested that companies stop treating each hack as a game of “whack-a-mole” and learn how to:
1) Identify and tackle the root cause of attacks
2) Become more intentional in pursuing long-term defense projects
3) Invest in full, proactive defense projects
Although this session lacked some of the technical depth that attendees may seek for this conference, Tabriz brought up good points around vendors taking more accountability for their software and how we can work together to invoke change. I was pleased to see the number of issues that vendors have now responded to. That said, software will never be perfect and human errors will still occur. With this in mind, organizations should also still adopt and embrace Active Defense strategies that let them quickly identify, slow down, derail, and build proactive defenses against the enemy so they cannot advance or fulfill their attack. The aim of Active Defense is to increase the probability of an attacker making a mistake and revealing their presence within the network. Organizations that choose to solely rely on software vendors or implement prevention-only security solutions must embrace a more comprehensive active defense approach. If companies take Tabriz’s advice to heart, cybersecurity hygiene across the industry will greatly improve overall, but, from my viewpoint, it must not be solely relied upon.
Cybersecurity Experts are Burned Out
This year’s conference had an increased focus on the wellbeing of those in the cybersecurity workforce as a result of the growing skills gap that continues to impact this industry. Many cybersecurity professionals have voiced concerns of being overworked, and our community has seen a number of tragic suicides and overdoses throughout its ranks as a result. Black Hat brought this dilemma to the forefront of conversation, dedicating an entire track to mental health-focused topics like burnout, addiction, and suicide.
According to Jay Radcliffe of Boston Scientific, who presented on “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community,” the major global staffing shortage across the information security industry is a large contributor. He noted that departments that should have 10 people are routinely staffed with 5, and employees are being asked to take on too much responsibility, which is leading to a lot of stress (and even post-traumatic stress disorder in some cases).
Cybersecurity vendors can take some of the strain off overworked employees by reducing alert fatigue and automating more tasks for their users. I am pleased to say that Attivo has been thoughtful about ease of use and operations in its design, and the ThreatDefend™ platform provides engagement-based high-fidelity alerts, inherently reducing alert fatigue and accelerating incident response time. Additionally, with machine learning capabilities, deployment, operation, and management of the deception environment are quick and easy.
We’re glad to see the industry finally acknowledging this as a challenge that needs solutions. Bottom line: there is no better time than the present, and the industry at large must find a way to help its workers strike a better balance for their own well-being and productivity. The volume and velocity of threats will continue to increase. If companies are having trouble filling open roles, they must realize the limits of their workforce and strive to find smarter tools and solutions that can better help security analysts see the forest for the trees. Beyond that, it’s time to talk with employees about mental health – and let them know that it’s OK to ask for help.
It is also an interesting observation that it appeared that many CISOs did not attend this year – a noticeable drop from prior years. I am wondering if this is a symptom of being overworked and the daily drains being too much, even to escape for the benefits of this conference.
Through the lens of Attivo Networks
I was pleased by the increased interest in threat deception this year, and although the formal event curriculum was light, the sessions they had were filled with interested attendees. Attivo Networks had a large booth, a joint party with McAfee at Top Golf, and 2 meeting suites to accommodate executive meetings. The booth didn’t disappoint as it offered people a deception hall of mirrors maze experience. I still laugh at how disorienting a mirrored maze can be. The perfect experience for creating an attacker “altered reality”. We also ran a survey with attendees at Black Hat on the topic of security and detection concerns. Stay tuned for upcoming news on the results. At a high level, the vibe on deception was very different than prior years and even the last RSA. There were lots of conversations on deception, talks of budgeted projects, and upcoming vendor evaluations. It was great to see that the tides are turning with respect to deception becoming mainstream. There was so much talk that in one recap of the event that reviewed overhyped technology, they included deception. So, the question is, is this overhyped or just generating a huge buzz as people start to realize the impact this technology is making?
Black Hat has grown by leaps and bounds in recent years, and it truly was a great experience to see the cybersecurity community come together to talk about the challenges we face – both as an industry and on behalf of our customers – and discuss how we can solve them. Organizations face a set of unique challenges around newly emerging attack surfaces and an ever-evolving threat landscape, and it’s great to see the strides our industry is making to provide and implement solutions and strategies for threat prevention, detection, and response.
What were some of the big trends and themes you noticed at Black Hat this year? What do you expect to see at Black Hat USA 2019?