Live From London: Next-Gen Cybersecurity Takes Stage at Black Hat Europe
Check out our slideshow detailing the emerging cybersecurity trends in cloud, creating a defensible Internet, malware evolution, and more that lit up audiences in London.
![time-elapsed photo of big ben and houses of parliament in london time-elapsed photo of big ben and houses of parliament in london](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2ef3e09c76f99b5c/64f15686e0df3a3f48778d40/BHEU-London-Simon_Belcher-Alamy-Slide1.png?width=700&auto=webp&quality=80&disable=upscale)
Source: Simon Belcher via Alamy Stock Photo
We stand on the brink of a new year, and true to form, contributors to Black Hat Europe 2022 took the opportunity to peer out on the horizon to see what might be emerging to keep security practitioners up at night — and what sorts of defensive innovations we might be in for.
At an event in London last week that saw record in-person attendance for the post-pandemic era, a slate of industry veterans and up-and-coming security researchers took to the stage to deliver briefings that covered the future-think waterfront.
Topics ranged from how to break some really cool stuff (like a Volkswagen EV), to manipulating billion-dollar NFTs and performing "social-engineering pen testing" — and much, much in-between.
In case you missed the show, Dark Reading has compiled this slideshow of some of the top talks at this year's Black Hat Europe conference. And don't forget, all of the sessions are now available on-demand, too.
Are we actually capable of building an open, transparent, yet secure Internet for all to enjoy?
That's a question near and dear to the heart of cybersecurity expert Daniel Cuthbert, who took to the stage for a keynote on the topic at Black Hat Europe 2022. And the answer is, well … "maybe."
As Cuthbert, head of cyber research at Banco Santander, told attendees in his talk, "Our Kryptonite: A Defendable Internet," the last half-decade has seen an evolution toward "data sovereignty." Since the open Internet is just not a safe space for anyone's information (he likened it as having "data smeared across the toilet walls of the Web"), the world has seen a rapid move to data localization on the Internet, where those with cash can build extremely safe browsing and working and living environments, while everyone else gets to deal with marauding gangs of nefarious jerks.
"There's a lot of centralization and data silos happening, and that goes against the nature of how the Web was meant to be open, transparent, usable," he said. "We've got environments that might be secure, but we're also moving away from the fact that today's Internet is not what Sir Tim [Berners-Lee] wanted."
He added that this becomes even more problematic when one considers the realities of global economics.
"The moment you venture outside the Western world, people cannot afford a $1,400 iPhone 14," he said. "They have to go and buy a cheap Android device that's maybe running Android 8, which has been end of life for a very long time. But it's $150. So inherently, they're now using an insecure device that's not supported."
Cuthbert noted that he spent time talking to a raft of noted security experts, from Google's Maddie Stone to Bruce Schneier, about how to fix the problem. The answers were wide-ranging: embracing the cloud, creating incentives for Internet of things (IoT), using content delivery networks (CDNs) to deliver security, embracing regulation, and using memory-safe coding languages.
But it's time to put money where the proverbial mouth is, he noted: "Fundamentally, are we in security in the business of solving security? Are we just here for the ride?"
For some time now, the cybersecurity industry has talked around — and over the heads of — consumers and small businesses. When consumers or end users fall for a phish or ignore advice to adopt multifactor authentication, they're often ridiculed or scorned by security experts, Jen Ellis told attendees in her keynote, "Cybersecurity: The Next Generation."
"We judge them constantly for it," said Ellis, a renowned cybersecurity advocate and community convener. "There are small things that can be done differently, to address consumer apathy" about security, she said. That includes things like taking out of users’ hands the security decision-making process for adding MFA and instead making it default for user accounts, as well as avoiding technical jargon and insider terminology when communicating with them.
“We don't talk to SMBs well; we talk to each other” instead, Ellis noted. “We have to stop confusing the hell out of people.”
The security industry can't just battle cyberattacks alone anymore, according to Ellis. That insular approach has failed, and security experts must become security advocates who share their security knowledge and encourage secure practices to all users. “What we’re doing is not working. We’re not winning,” Ellis said. “We have the potential to do things differently and do more.”
Let's face it: When it comes to categories of modern security tools, endpoint detection and response (EDR) has a bit of a halo around it in this age of remote work. What better approach for getting security arms around legions of employees that are off the corporate grid than tracking their behavior on their devices?
Unfortunately (cue The Exorcist theme music here), those angelic EDR systems could be harboring a demon inside that's ready to send your IT team to hell. A common vulnerability gives attackers a way to manipulate the products into erasing virtually any data on the endpoints they monitor.
Or Yair, a security researcher at SafeBreach, found a zero-day that allowed him to manipulate a vulnerable EDR into wiping almost any file on the system, including system files — with just the permissions of an unprivileged user.
"We were able to exploit these vulnerabilities in more than 50% of the EDR and antivirus products we tested, including the default endpoint protection product on Windows," he explained at a Black Hat Europe 2022 session, "Aikido: Turning EDRs to Malicious Wipers Using Zero-Day Exploits."
He described his "Aikido" proof-of-concept wiper as likely being effective against hundreds of millions of endpoints running EDR versions vulnerable to the exploit. Out of the ones he tested, vulnerable products included Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne — among others.
Here's something you don't often see at Black Hat or any other security conference: researchers presenting their biggest mishaps and embarrassing oversights that initially derailed their hacking projects. But that's just what Trellix researchers Douglas McKee and Philippe Laulheret did in their talk at Black Hat Europe last week, "Fail Harder: Finding Critical Zero-Days in Spite of Ourselves."
McKee and Laulheret’s goal in sharing their real-world failures was to show other researchers how common mistakes such as failing to read documentation, or making assumptions about how a device is configured or secured, can set back efforts to root out zero-days and other security issues.
Among their retrospectively laughable mistakes: McKee realized months after he had unsuccessfully pointed a GPU password cracker at a medical patient monitor device that the passwords were actually included in the documentation text. The lesson there likely hit home for many researchers since skipping documentation is a common practice.
In another project, McKee ended up destroying the flash chip inside an infusion pump he was deconstructing after getting a bit aggressive in his hardware hacking. His advice: "Try to do the least invasive process first," he said, admitting that sometimes breaking "things is part of the hardware hacking process."
We all know the shadowy world of the Dark Web is a den of iniquity filled with parasitic, financially motivated cybercriminals of every stripe. What's less well known is the subeconomy of fraudsters and scam artists that feed on a very special kind of meal: other cybercriminals.
In a unique set of research into these "metaparasites" that fill Dark Web marketplaces, Sophos senior threat researchers Matt Wixey and Angela Gunn found that this cadre of uber-bottom-feeders successfully extract millions of dollars per year from their fellow cybercriminals.
Tactics are myriad and creative — like the "rip and run" (a Dark Web version of the dine-and-dash), hawking convincing-looking knock-off goods that don't deliver as promised, and even long cons where marks are directed to fake forums, where they're relieved of a hefty "joining fee" before being ghosted.
"It's pretty rich pickings," Wixey said during his Black Hat Europe session, "Scammers Who Scam Scammers, Hackers Who Hack Hackers." "Scammers scammed users of [just three] forums out of about $2.5 million US dollars over the course of 12 months. The amounts per scam can be as little as $2 on up to the low six figures."
To fight back, many forums have arbitration processes and other anti-fraud controls in place — which ironically offer threat researchers a rich trove of intelligence data, Wixey explained.
The three most pervasive cloud malware campaigns in the wild right now seem relatively benign. They mainly wage cryptomining attacks and exploit misconfigured cloud account settings and other cloud setup mistakes (not vulns). But a closer examination by researchers has uncovered unsettling signs of potential cloud security perils to come.
Matt Muir, threat intelligence engineer at Cado Security, warned in his talk last week at Black Hat Europe, "Real-World Detection Evasion Techniques in the Cloud," that while the CoinStomp, Watchdog, and Denonia cloud attack campaigns operate opportunistically in their cryptomining attacks, some of their techniques for avoiding detection could easily be redirected and repurposed for more serious attacks than mining cryptocurrency. And in a particularly concerning twist, he found that they are now targeting serverless computing and containers in the cloud, including AWS Lambda.
The attackers behind the cloud malware demonstrated a surprisingly astute knowledge of cloud technology that should serve as a red flag. "Recent cloud-focused malware campaigns have demonstrated that adversary groups have intimate knowledge of cloud technologies and their security mechanisms. And not only that, they are using that to their advantage," Muir said.
Among the more creative detection-evasion methods by the cloud attackers: running DNS over HTTPS (DoH) for command-and-control, time-stamp manipulation, and steganography to mask their malware.
Conventional wisdom says that training up a machine learning (ML) or AI algorithm for cyber-threat detection from scratch takes more nurturing than most security teams can handle: plucking relevant data sets from a lake of security alerts and information, and then confirming the model is focused on the right anomalies, can be time-consuming and, at times, fruitless.
But one French bank decided to do just that, eschewing ready-made ML models and instead creating an internally developed tool trained in a novel way on log data. The results exceeded expectations: The model ripened to the point of detecting three types of exfiltration attacks that the company would not otherwise have detected with existing security appliances.
As Carole Boijaud, a cybersecurity engineer with Credit Agricole Group Infrastructure Platform (CA-GIP), explained at Black Hat Europe 2022 in a session entitled "Thresholds Are for Old Threats: Demystifying AI and Machine Learning to Enhance SOC Detection," the team used a data-analysis approach known as clustering to identify the most important features to track in their analysis, and then employed a technique known as "isolation forest" to find the outliers in the data.
"We implemented our own simulation of threats, of what we wanted to see, so we were able to see what could identify in our own traffic," she said. "When we didn't detect [a specific threat], we tried to figure out what is different, and we tried to understand what was going on."
Even better for alert fatigue, about half the exfiltration attacks could be detected with a low false-positive rate, Boijaud says.
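To make the "isolation forest" step concrete, here is an added example (not CA-GIP's tool, whose code was not shown): a compact pure-Python isolation forest, following Liu et al.'s algorithm, run over constructed per-host features such as a SOC might derive from proxy or flow logs. The feature names, the sample rows and the two exfiltration-like rows are all assumptions; the clustering-based feature selection the talk described is not shown.

```python
import math
import random

# Constructed per-host features (hypothetical): (bytes_out_MB, distinct_external_dests,
# sessions_per_hour). Rows 0-37 imitate routine traffic; rows 38-39 imitate exfiltration:
# a very large upload to one or two destinations over few sessions.
random.seed(7)
NORMAL = [(random.uniform(5, 60), random.randint(3, 25), random.uniform(10, 80))
          for _ in range(38)]
EXFIL = [(4800.0, 2, 3.0), (2200.0, 1, 1.5)]
RECORDS = NORMAL + EXFIL

def _c(n):
    """Average path length of an unsuccessful BST search on n points (normaliser)."""
    if n <= 1:
        return 0.0
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def _build(rows, depth, limit, rng):
    """Grow one isolation tree: random feature, random split, stop when isolated."""
    if depth >= limit or len(rows) <= 1:
        return ("leaf", len(rows))
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return ("leaf", len(rows))
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[f] < split]
    right = [r for r in rows if r[f] >= split]
    return ("node", f, split, _build(left, depth + 1, limit, rng),
            _build(right, depth + 1, limit, rng))

def _path(tree, row, depth=0):
    """Path length to isolate row; leaves with several rows get an estimated remainder."""
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, f, split, left, right = tree
    return _path(left if row[f] < split else right, row, depth + 1)

def isolation_forest_scores(rows, n_trees=100, sample=64, seed=1):
    """Anomaly score in (0, 1) per row; short average paths (near 1) mark outliers."""
    rng = random.Random(seed)
    psi = min(sample, len(rows))
    limit = math.ceil(math.log2(psi))
    trees = [_build(rng.sample(rows, psi), 0, limit, rng) for _ in range(n_trees)]
    return [2 ** (-(sum(_path(t, r) for t in trees) / n_trees) / _c(psi)) for r in rows]

def rank_outliers(rows, top_k):
    """Indices of the top_k most anomalous rows, for analyst triage."""
    scores = isolation_forest_scores(rows)
    return sorted(range(len(rows)), key=lambda i: -scores[i])[:top_k]
```

Because the forest needs no labelled attacks, the simulated threats Boijaud described serve to check which injected behaviours surface at the top of the ranking and which do not.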