I attended the Black Hat conference last week and had a chance to listen to many of the security research briefings and walk the show floor. What did I come away with from this year’s conference? Here are my 5 key takeaways…
I know there have been demonstrations of hacks against IoT devices at prior shows, but this year there were more discussions than ever before. There were separate talks about—
Microsoft’s presentation expanded upon a blog posted a few days prior by the Microsoft Security Response Center titled “Corporate IoT – a path to intrusion”. Microsoft caught a nation-state actor known as “Strontium” attacking IoT devices in enterprise networks. The attackers used VoIP phones, printers, and video decoders as their initial foothold in corporate networks. From there, they scanned the network for other insecure devices and moved laterally in search of higher-privileged accounts that would grant access to higher-value data. The diagram below shows the kill chain.
The Microsoft presenter, Eric Doerr, posited that these unmanaged devices were attacked simply because they were the easiest way into the network. The devices had vulnerabilities and/or were misconfigured, and they ran no security agent that could raise an alert once they had been compromised.
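Because the compromised phones and printers carried no agent, the scanning phase of that kill chain can only be spotted from the network side. The snippet below is an added example of one such check, written for this post rather than taken from Microsoft’s talk or blog: it reads flow records, keeps only sources that the asset inventory marks as unmanaged IoT devices, and alerts when one of them fans out to far more internal hosts or ports than a printer or phone has any reason to touch. The inventory, the flow records, the 10.0.0.0/8 boundary and the thresholds are all constructed for the example.

```python
"""Added example (not from the original post or from Microsoft): flag
unmanaged IoT devices whose internal fan-out looks like a network scan.
Everything below (asset inventory, flows, thresholds) is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical asset inventory mapping internal addresses to unmanaged device
# classes. In practice this comes from DHCP fingerprints, switch port data or a
# discovery tool; here it is hard-coded for the example.
IOT_ASSETS = {
    "10.20.1.15": "voip-phone",
    "10.20.1.40": "printer",
    "10.20.1.77": "video-decoder",
}

# Address space that counts as "the corporate network" for lateral movement.
INTERNAL = ip_network("10.0.0.0/8")

# Assumed thresholds for one aggregation window (say, five minutes of flows).
# Tune them against a baseline of what each device class normally talks to.
MAX_DISTINCT_DST_HOSTS = 10   # fan-out across many hosts: host sweep
MAX_DISTINCT_DST_PORTS = 5    # fan-out across ports on one host: port sweep


def detect_iot_scanners(flows, assets=IOT_ASSETS,
                        max_hosts=MAX_DISTINCT_DST_HOSTS,
                        max_ports=MAX_DISTINCT_DST_PORTS):
    """Return alerts for inventoried IoT devices that scan the internal network.

    `flows` is an iterable of (src, dst, dst_port, proto, bytes) tuples, i.e.
    NetFlow/IPFIX-style records already reduced to one row per flow.
    """
    hosts_by_src = defaultdict(set)                            # src -> {dst}
    ports_by_src_dst = defaultdict(lambda: defaultdict(set))   # src -> dst -> {port}

    for src, dst, dport, _proto, _nbytes in flows:
        if src not in assets:
            continue                        # only unmanaged devices matter here
        if ip_address(dst) not in INTERNAL:
            continue                        # internal scanning only
        hosts_by_src[src].add(dst)
        ports_by_src_dst[src][dst].add(dport)

    alerts = []
    for src in sorted(hosts_by_src):
        n_hosts = len(hosts_by_src[src])
        if n_hosts > max_hosts:
            alerts.append({"src": src, "device": assets[src],
                           "reason": "host sweep", "distinct_hosts": n_hosts})
            continue                        # one alert per device per window
        for dst, ports in ports_by_src_dst[src].items():
            if len(ports) > max_ports:
                alerts.append({"src": src, "device": assets[src],
                               "reason": "port sweep", "target": dst,
                               "distinct_ports": len(ports)})
                break
    return alerts


# Constructed sample flows, not captured traffic. Normal traffic first: the
# phone registers with the PBX, the printer talks to the print server.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.5.5", 5060, "udp", 420),
    ("10.20.1.15", "10.20.5.5", 5060, "udp", 380),
    ("10.20.1.40", "10.20.5.9", 445, "tcp", 1200),
    ("10.20.1.40", "203.0.113.7", 443, "tcp", 900),   # external: ignored here
    ("10.20.9.3", "10.20.1.100", 445, "tcp", 60),     # managed host, not in inventory
]
# Then the compromised printer probes SMB on a dozen neighbouring addresses...
SAMPLE_FLOWS += [("10.20.1.40", f"10.20.1.{n}", 445, "tcp", 60)
                 for n in range(100, 112)]
# ...and the video decoder sweeps several ports on a single server.
SAMPLE_FLOWS += [("10.20.1.77", "10.20.5.9", p, "tcp", 60)
                 for p in (21, 22, 23, 80, 443, 8080)]

if __name__ == "__main__":
    for alert in detect_iot_scanners(SAMPLE_FLOWS):
        print(alert)
```

Run against the sample flows, the printer is reported for a host sweep (13 distinct internal destinations) and the video decoder for a port sweep (six ports on one server), while the phone, which only talks to its PBX, stays quiet. The check deliberately keys on the inventory rather than on device fingerprints so that a newly plugged-in, unlisted device shows up as an inventory gap instead of silently escaping the rule.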
Later that day, Armis’ presentation on URGENT/11 was attended by hundreds of people. In the session, Armis researchers Ben Seri and Dor Zusman demonstrated how a patient monitor running VxWorks could be easily compromised. While Ben was wearing the pulse monitor clipped to his finger, Dor was able to make the patient monitor show that Ben’s heart had stopped.
Besides the fact that it rained one day during the show (an extremely rare event in Las Vegas in August), there were clouds everywhere on the show floor. This broke down into two forms of cloudiness:
From the keynote speaker on Wednesday morning (Dino Dai Zovi) to the trade show floor, I saw and heard more emphasis this year on integration and automation. I honestly believe that security vendors have finally learned that standalone products that operate as silos are not what enterprises want to buy. Vendors are beginning to think more holistically. There is more information sharing between vendors and more integration of different data types and sources. We might have DevOps to thank for some of this change. Indeed, DevSecOps seems to now be firmly entrenched as a thing. It was mentioned by the keynote speaker, and there were two excellent presentations about helping security to “shift left” into the DevOps workflow.
The understanding of the value brought forth by the research community still appears to vary wildly among technology companies. Some companies place great value on the role that researchers play and the impact they have on preventing the exploitation of unknown vulnerabilities. For example:
But on the other side, some companies don’t seem to care much. For example:
My belief is that security researchers are one of the most powerful tools that we have in the fight against nation-state attacks in particular.
The growth of the show seems to be commensurate with the growth of everything else in the world of security. The exact number of attendees has not been announced, but the crowds definitely seemed bigger than last year. Queues for elevators and escalators were sometimes 5 minutes long—the first time I’ve seen such a thing.
Getting from one place to another was aided by a large number of “shouters”—people who are paid to shout instructions at the moving crowd, such as “Turn left for South Seas! Turn right for registration!” I really appreciated the hard work those people did.
I did not see any evidence of grasshoppers. Before the show, there were reports that Las Vegas had been overrun by grasshoppers. I didn’t see even one.
Were you at Black Hat? I’d love to hear your thoughts about the conference. Drop a note to [email protected].