Black Hat and DEF CON 2017: A Week to Reflect
Forty-two-degree heat (that’s 107 F), 11 hours on a plane, and 24,000 steps a day: It can only be the week of Black Hat and DEF CON. As the jetlag kicks in and the dust settles on another action-packed Vegas visit, I wanted to take a moment and reflect on some of the highlights of the week. I'll keep things general – this post isn't intended to critique the talks per se, but to comment on the themes that caught my eye. In no particular order:
Cyber is Big Business
A lot is written about the “cyber skills shortage.” Businesses across the United States last week surely experienced this: It felt like anyone and everyone was in Vegas!
In 2017, cyber is in the spotlight. When I used to tell people that I worked in infosec, the confusion and disinterest was palpable. Now, I’m the cool guy. Everyone wants to know what’s happening in our space. The increased numbers at the conferences support this. Black Hat and DEF CON were commemorating landmark anniversaries (20 years and 25 years respectively), and there was certainly sense of occasion around the conference halls. This was the year to be there!
Why the increase in attendance? As cyber security becomes an integral business function, people with a broader range of job roles attend the events. DEFCON wouldn’t be the spectacle it is without the mohawks and piercings, but year after year, more of the white-collar security folk are getting involved.
More people and increased diversity facilitates more fluid interaction and knowledge sharing. During his DEF CON keynote, @thedarktangent spoke about the importance of “corridorcon” and “watercoolercon,” suggesting that just being there and exchanging ideas provides intrinsic value. I’d suggest it’s slightly harder to get your Vegas trip approved with a business justification of “chatting,” but those water-cooler moments can be invaluable.
The week started with confusion on my side. I thought I knew the Black Hat ropes; I expected Alex Stamos' keynote to be given from one of the large seminar rooms. As we were ushered to the Mandalay Bay Theatre (this must hold 10,000 people), I could tell that one of two things were happening: 1) I had my timing wrong and I was off to Cirque du Soleil; 2) the conference had outgrown its previous home, something I didn't think was possible given the size of 2016's audience for Dan Kaminsky's keynote.
The latter was true. Infosec and cyber had arrived. The arena looked more like a rock concert than a security conference.
Further evidence that more people care about our industry came at DEF CON. After battling through the Gallic surroundings of last year's event*, I was pleased to hear that Defcon had shifted across the road to Caesars Palace. Parkinson's Law states that work expands to fill the time available for its completion. The Vegas conference scene adopts Hodson’s law: No matter how big you build a conference center in Vegas, DEF CON will fill it.
*I’ve nothing against the faux Parisian streets of DEF CON’s former home although they’re not conducive to expedient traffic flow. Trying to get 20,000 cyber geeks from one seminar to another through winding, cobbled walkways was a challenge.
The Internet of Things
I've heard the “20BN/50BN IoT devices will be connected to the Internet in 2020” more times than I've avoided a badge scanning in the expo halls, so I expected a fair amount of IoT focus at both events. I wasn't disappointed.
Talks focused on the weird and the wonderful, the funny and the frightening. Presenters outlined the vulnerabilities in everything from car washes to election machines, from insulin pumps to travel routers.
While the impact associated with “owning” an IOT device varies, the vectors for compromise remain the same:
Legacy firmware and applications
Standard OWASP Top Ten stuff
One of my favorite talks walked the audience through the compromising of a car wash, which allowed our attacker to slam shut a carwash door on an unsuspecting customer. Cool, yes. Materially different (in vector) to a web application being poorly coded and allowing for remote code execution or cross-site scripting? Not so much.
Yes, I buy that it’s tougher to apply regular patch management to a car wash or a toaster, but these connected devices are computers (in the case of the car wash, running Windows CE) and good security hygiene applies. One clear difference in the IoT space is safety: Since a myriad of devices continues to be connected to the Internet, how does our traditional confidentiality, integrity, and availability triad get affected? The authors of the car wash talk suggest an “S” for safety needs to be added. In a lot of use cases, I agree.
The Erosion of a Trusted Environment
I frequently write about the futility of knowing good from bad on the Internet. In a world of phishing and drive-by downloads, who can say with any authority that a website is benign or malicious? Malvertising has raised the importance of zero trust. Several talks at Black Hat/DEF CON got me thinking about trust erosion in a broader context.
As enterprise adoption of public cloud continues to grow and sophisticated cyber attacks continue to achieve success, the traditional “network boundary” or perimeter becomes opaque and of limited efficacy. Forrester is going as far as to say that defining trusted interfaces is now impossible. If trust is impossible to achieve and industry analysts are recommending a “Zero Trust” model, then I assert that we are better off applying a consistent set of security controls based on information sensitivity, irrespective of location.
How does this relate to Black Hat? I’m getting to that! I watched a couple of talks that discussed the abuse of common (read: trusted) services across the enterprise; more specifically, the use of Active Directory and GitHub for the transmission of covert channel/C2 traffic. What better way to fly under the radar than to use common protocols and storage repositories leveraged for BAU services. Blacklists are failing us; yes, it’s important to prevent a compromised host from accessing a known C2 location, but what about behavioral analysis and heuristics? At Zscaler, we see on average 4% of all the threats blocked in our cloud being through our inline AV layer. Behavioral-based controls are necessary if we’re to catch these more contemporary attack vectors.
A View from the Vendor Hall
Ostensibly, vendors deliver solutions to business problems. I therefore make sure that I use some of my conference time to check out the vendor halls. There were plenty of vendors I’d heard of, but many new kids on the block offering some innovative-looking solutions.
The demand for cloud-based solutions was at an all-time high. As I work for a pure play cloud vendor, it’s interesting to hear others in the industry use techno-nomenclature that confuses me. For example, I see the benefit of a hybrid car (performance with economy) or a hybrid golf club (distance with utility), but a hybrid cloud security architecture still confuses me. Why would I want to retain a portion of my security capability on premise (assuming my workloads are shifting to the cloud)? Invariably, providers are telling customers that they have a “cloud solution” that is really a set of appliances: the high-volume, signature-based bits in the cloud (low overhead), with deep packet inspection and encryption in the customer location. Good for the vendor, less so for the customer.
I couldn’t mention the vendor hall without complimenting the Zscaler staff manning our booth and providing thought leadership through a series of talks. A special shout-out to Deepen Desai and Kevin Peterson who provided knowledge, intelligence and enthusiasm in every session they hosted.
I also received plenty of killer feedback for the Zscaler 2017 Mid-Year Threat Report, in which the Zscaler research team highlights patterns, trends and outliers that emerge from the 35 billion transactions the Zscaler cloud processes each day. The most interesting part in my opinion was the SSL/TLS research – you can see that here.