Reflections on “Hacker Summer Camp”
By: Carolyn Crandall, Chief Deception Officer and CMO
At this time of year, Las Vegas turns into what many refer to as “hacker summer camp,” and the moniker is certainly a fitting one. The Black Hat 2019 conference, held August 3-8, is now in its 22nd year and drew over 20,000 security professionals from all across the country for technical training, presentations, briefings, networking, and more. BSides Las Vegas also held its annual conference from August 6-7, drawing a similar (and often overlapping) audience to help disseminate security knowledge throughout the industry. And of course, DEF CON 2019 took place from August 8-11, with security workshops, training sessions, and demo labs. For security professionals, it doesn’t get much better than this.
Unsurprisingly, this is one of my favorite times of the year—and I was pleased to attend these events with Attivo CEO Tushar Kothari, CTO Tony Cole, and Chief Security Strategist Chris Roberts, and other members of the Attivo team. Over the week, we attended briefings, checked out demos, walked the floor, and caught up with other industry experts, plus we had the opportunity to host a few events.
To kick off the week, Tony Cole presented at the ISSA CISO Forum and shared more about cyber deception, how it impacts an enterprise, how its deployed, and why NIST and Gartner are both recommending deception as an integral component of a detection strategy to quickly identify and mitigate the impact of breaches. Meanwhile, Chris Roberts talked about how to balance the “cool hacking stuff” with where you want to go in your career at B-Sides Las Vegas.
Throughout the week, I met with a variety of industry experts and journalists. One of my favorite interviews was with Paul Asadoorian over at Security Weekly. During the interview, we discussed the company’s latest innovations, including the addition of the ability to secure Active Directory and make every endpoint a decoy. Now, regardless of the method used to advance attacks on compromised endpoints, attackers will not be able to move without being detected.
The keynote address, given by Dino Dai Zovi, head of security, Cash App, at Square, also deserves praise. His point that communication, collaboration, understanding, feedback, and automation are the keystones for cybersecurity was well made, particularly the idea the “automation in software can be a force multiplier.” As AI and machine learning become more widely available to attackers and defenders alike, the ability to automate security processes will only grow in importance.
Discussions on GDPR were no surprise, however, this year’s sessions shed new light on GDPR and other compliance challenges. Not only must you be able to provide systems around the right to be forgotten, but you also need to think through the processes and how to validate integrity. For example, if a person requests information to be removed, how many companies have the ability to verify the identity of the individuals requesting the information and how often are companies removing or, in some cases sending information that they shouldn’t?
I also ended up in a deep discussion about the new California Consumer Privacy Act, (CCPA) that is taking effect on January 1, 2020. This adds several new rights for Californians, including the right to know what personal information is being collected about them, whether their personal information is sold or disclosed and to whom, to say no to the sale of personal information, to access their personal information, to equal service and price, and even to exercise their privacy rights. Not only is the idea of compliance daunting to these laws, but actually supporting them has so many levels of complexity. At the ISSA CISO summit, I spoke with the CISO of a new company that was already at 80 employees that shared a primary charter of supporting the information access to this type of information. The most notable was access to medical imaging files, many of these need special readers to view them. Part of this organization’s service was to do the translation into readable files for consumers. I found this fascinating to see the new businesses popping up in preparation of these and many more expected legislative changes. The fines that can be levied for CCPA are staggering and could have been in the billions of dollars for many data breaches- potentially even more damaging than GDPR fines.
Deception Gains Added Prominence
It was great to see the escalating interest and momentum of deception technology, and this year’s IDG report on Security Priorities captured how much the demand for deception technology has evolved. When it comes to technology organizations are actively researching, deception technology now ranks as the second-highest priority, slightly behind zero-trust, and ranking ahead of other hot technologies such as blockchain and behavioral analysis. I often find the “brotherhood of secrecy” stifles awareness of the actual momentum of deception. The survey captured the often hidden reality with 43% of respondents using deception in production, 19% upgrading/refining, and another 32% either in pilot or actively researching. These findings left only a meager 6% that was not interested in the technology. What I also found noteworthy is that 62% of organizations indicated that they expect their deception technology budget to increase or remain the same over the next 12 months, demonstrating continued momentum.
With this report, IDG joins other well-known analysts in recognizing and reporting on the value of deception. Just before the Hacker Summer Camp began, Gartner published its first comprehensive review of cyber deception vendors, in which Attivo received 13 out of 14 high ratings, which is the highest score given to any solution. Our CEO, Tushar Kothari, offered his thoughts on the report here. Additionally, NIST officially began recommending deception for High-Value Assets holding sensitive information. The inclusion in the draft NIST report is quite timely as organizations are increasingly turning to security frameworks to help understand and assess their security models. Interested parties may download the Attivo mapping of deception technology to the NIST Framework
Encouraging Diversity While Ramping Up our Next Generation of Security Professionals
One of the most rewarding elements of hacker summer camp is getting to interact with the next generation of cybersecurity professionals. It’s great to see the excellent work that so many organizations are doing to encourage both young and older people to pursue careers in cybersecurity, particularly those working to promote diversity within the field.
Serving that goal was the first annual Wicked6 Cyber Games event, where Tony Cole served as emcee. The event was held to support the Women’s Society of Cyberjutsu, a nonprofit organization promoting the education and training for women and girls in the cybersecurity field. It was an impressive production and included Nevada Governor Stephen F. Sisolak stopping by to say a few words to the attendees. He struck a great tone, mentioning how exciting it was to see young people going into cybersecurity, and talking about the importance of setting an example for those to come.
The Cyber Games was far from the only event for young people. Formerly known as DEF CON Kids, r00tz serves an annual event where kids can learn white-hat hacking designed to better the world. The event features hands-on workshops and games and teaches kids skills like reverse engineering, soldering, cryptography, and more. Events like these genuinely drive home how important it is to teach the next generation of cybersecurity professionals how to approach problem-solving and why they should do so for the good guys.
I was also thrilled to see that Black Hat awarded more than 300 Academic Briefings Scholarships to deserving students from around the world. Black Hat and EWF also supported the Female Leaders Scholarship Program, which focusses on minimizing the gender gap among the InfoSec community and provides students the opportunity to learn, network, and collaborate with the world’s brightest minds.
Demonstrating the Good the Industry Can Do
Helping the next generation isn’t the only example of the positive impact the security summer camp events have on the community. We have watched open-source intelligence technologies find new applications, such as searching for—and identifying—missing persons. These technologies, which once made most people wary of the creeping approach of Big Brother, have demonstrated their utility as a means to do good in the world, improving and even saving lives. I particularly liked Bruce Schneider’s “Hacking for Social Good” session where he talked about the same methods attackers use to do evil can be used to do good and make the world a better place. DEF CON and BSides were also aligned with this effort.
The panel that spoke to feeling like an imposter resonated deeply. For me, and as it turns out many others, we can sometimes feel like we are imposters amongst so many very brilliant security minds. I am so glad this session encouraged people to confidently help others regardless of their current depth of experience. Every day I learn more and become stronger in the cybersecurity field, these words of wisdom were an encouraging shot in the arm, especially during some of the more challenging days.
Training events like CTF challenges have also created exciting and engaging ways for security professionals to solve problems. Events like these highlight the fact that the perception of hackers (or groups of hackers) can vary greatly. From the inside, it’s easy to assert that security professionals are working toward a more secure world, but it doesn’t always look that way from the outside. Public-facing training like this perfectly underscores the real-world good that hackers can do.
Additionally, organizations like Microsoft and Apple issued hacking challenges of their own during the event, inviting hackers to identify vulnerabilities in specific systems or products in exchange for cash prizes. Hack Microsoft’s Azure Public-Cloud Infrastructure and the company will reward you with $300,000 for the information. Find a specific bug in Apple’s iPhone, and you could win yourself a cool million. These challenges also serve as an important reminder that the purpose of hacking isn’t just to exploit vulnerabilities—often, it is to identify those vulnerabilities so they can be closed to protect others. That said, it was a bit disappointing to also hear about a $1,000 bounty for the first person to hack into and take over the monitors of the local hotels.
With 300 fellow boothmates, Attivo was a Bit Sheepish on the Show Floor
The Business Hall was abuzz with activity, though I did have to laugh a bit at how many booths preached about their solutions for APTs and advanced threats, which is interesting when you consider the majority of attacks are not that sophisticated. Nonetheless, I enjoyed some of the technical talks that took place on the floor in addition to the technical tracks.
With a theme of “Wolf in Sheep’s Clothing,” Attivo made a lasting impression with how deception can hide in plain sight to detect and stop cybercriminals. The team demonstrated the ThreatDefend portfolio and provided information on how Attivo can now effectively lock down the endpoint so that attackers cannot advance their attacks. The ability to detect live attacks on AD and turn every computer system on the network into a decoy effectively sets the ThreatDefend platform apart, and we were delighted by the amount of foot traffic that the booth received. We were also thrilled to see the interest in both the “wolf in sheep’s clothing” stuffed animals and in our newly released Deception-based Threat Detection – Shifting Power to the Defender Book. That we were giving them both away was undoubtedly a bonus. I also enjoyed the social media buzz related to naming the wolf and for the awesome pictures of him/her all over the event and world.
Looking Forward to Next Year
With so many significant events and presentations amid the multiple conferences taking place in Las Vegas, it would be impossible to touch on all of them in just one blog. It was great to see several training events include hacking for good and to see such a prominent focus on deception technology, and look forward to seeing this same momentum carry into Black Hat Europe 2019, the four-day event taking place December 2-5, 2019 at the ExCeL in London, England.