August 2021. This year, the time-honored Black Hat conference is giving the InfoSec community a choice in how they participate, unveiling a new hybrid event model. From July 31st to August 3rd,  Black Hat USA 2021 is extending its Las Vegas event experience to a virtual audience.

Black Hat is an international cybersecurity conference that provides the security community with the latest cutting-edge research, developments and trends. This multi-day event series features briefings and trainings by some of the world's foremost security experts in a friendly and vendor-neutral environment. This year's key topics include supply chain attacks, Microsoft Exchange vulnerabilities and the iPhone/Pegasus spyware incident.

The virtual component of this hybrid model promises to capture the zeitgeist of the live event, in true Black Hat fashion, by featuring the same kinds of vulnerability disclosures, attack research and exploit tools that regular attendees have come to expect year over year.

As WWT's very own Matt Berry attends the event in person, he'll provide ongoing expert and personal feedback on his Black Hat USA 2021 experience.

Take it away, Matt!

Wed, Aug. 4th @ 1:30pm (PST)

There's a subdued tone to this gathering of security practitioners. Jeff Moss (@thedarktangent) kicked off the event with a moment of silence for the brilliant minds who passed away in the last eighteen-months. The number of attendees is much smaller than in previous years. Yes, there are still long lines for registration, but no more seas of people funneling into the business hall. In fact, the business hall is only about half-occupied. There's a noticeable emptiness--but everyone I've spoken with is so thankful to visit one another in-person. For many, this is their first trip since the lockdowns occurred in early 2020.

The opening keynote focused on supply chain compromise. Matt Tait, COO of Correlium, presented a pre-recorded presentation (he's in the UK and lockdown prevented his in-person attendance) about how safely managing the integrity of the software supply chain has become harder than ever. Overnight, virtually everyone in office environments, including everyone in software development, suddenly become a remote worker. Keeping personal and corporate devices separate--a hard enough problem under normal circumstances--is, at least for now, essentially a lost cause for most businesses. It's a must-listen to talk.

On the floor of the business hall, very little swag is being handed out. Most companies opted to offer branded bottles of hand sanitizer and face masks. A few handed out t-shirts. There are no battery-powered swords. No foam Hulk hands. CrowdStrike definitely takes the prize for coolest swag, with action figured named after famous APTs.

Some of the largest booths are for vendors in the EDR, SIEM, and API security space. CrowdStrike and SentinelOne are going head-to-head with beautiful displays and engaging teams. API Security is definitely playing a larger role this year, with Salt Security and No Name going head-to-head. Elastic is making a splash. Siemplify has a great demo walk-through.



Thu. Aug. 5th @ 8:00am (PST)

If there were one word to sum up the Black Hat conference so far, it'd be, "validating." The sessions I attended yesterday focused on the same topics I've been discussing with my customer base in the financial community since last fall: supply chain, cyber resiliency, adoption of zero trust, and making cyber teams more diverse and inclusive. I have a large team of thought leaders at WWT who have contributed to this talk tract. I think of experts like @Neil Anderson (SASE), @Brent Collins (Cyber Resiliency), and @Gen. Bob Ferrell (D&I). However, you never quite know if you're in a self-made "echo chamber" until you get out amongst the community and hear similar talk tracks within the broader community. Validating, indeed.

Most entertaining

David Evenden, founder of StandardUser, gave a phenomenal presentation called, Whoops, I Accidentally Helped Start the Offensive Intel Branch of a Foreign Intel Service. He talks about how he was offered a job that seemed too good to be true, in which he ended up working on the UAE's Project Raven--completely unbeknownst to him. If you want to hear more, the story is discussed in episode 47 on Darknet Diaries, has been reported about extensively by Chris Bing at Reuters and Nicole Perloth in her book, This Is How They Tell Me the World Ends.

Most transformational

Cloud migration is a multi-year journey fraught with complexities that only get worse as organizations get larger--years of technical debt, mergers and acquisitions, and fragmentation between security, cloud, and application development teams. But the team over at Wiz.io is involved in some real groundbreaking cloud stuff! Shir Tamari (Head of Research) and Ami Luttwak (Co-founder and CTO) gave a great talk called, Breaking the Isolation: Cross-Account AWS Vulnerabilities. It was a virtual briefing, so it'll likely pop up online sometime soon.

In short, the team at Wiz discovered multiple AWS services that were vulnerable to a new cross-account vulnerability class. While reporting and working with the AWS security team on resolving these issues, Wiz concluded that the process of updating IAM-related vulnerabilities is sub-optimal. Although AWS acted very quickly to fix the issues, the cloud provider relies on customers to perform the IAM policy updates, which often does not happen. IAM vulnerabilities are not tracked by NIST, do not have a CVE, and do not have scanning tools that provide IAM vulnerability scanning results. Their call-to-action? It's time to create a community-built repository of IAM vulnerabilities.

As for now…

I picked up my DEFCON badge this morning at Black Hat. It was mostly painless. The staff were phenomenal despite some minor setbacks. Excited to see what's going on at Paris Hotel and Balley's later today. 

More to come, my friends!

Thu. Aug. 5th @ 1:00pm (PST)

The second day of Black Hat kicked off with Jen Easterly, the new Director for the Cybersecurity and Infrastructure Security Agency (CISA). She announced the new Joint Cyber Defense Collaborative (JCDC), a new agency effort to lead the development of cyber defense operations plans, and to execute those plans in coordination with partners from the federal interagency, private sector, and state, local, tribal, territorial (SLTT) government stakeholders to drive down risk before an incident and to unify defensive actions should an incident occur.

The initial industry participants of the JCDC include Amazon Web Services, AT&T, Crowdstrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks and Verizon; government partners include the Department of Defense, U.S. Cyber Command, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation and the Office of the Director of National Intelligence, with sector risk management agencies joining the effort as we move forward.

Cybersecurity skills shortage

Yes, it's pretty much the same (or worse). Not much progress has been made in bridging this gap in skills and ability to grow skills. Technology is moving at such a fast pace, further exacerbated by pandemic-infused changes and the ever-increasing threat of ransomware outbreaks, that we simply can't keep up. And this doesn't just impact new hires. The areas of greatest need are (a) cloud computing, (b) security analysis and investigation and (c) application security. Cybersecurity professionals are so overworked right now (no surprise there) that there's little time to attend trainings and self-educate. With humans being the greatest weakness in an organization, cybersecurity leaders would do well to invest in continuing education for their staff.

Zero Trust guidance for CISOs

With the Biden administration mandating Zero Trust within the US, now (more than ever) is a best time to develop a game plan for bringing your organization into this new era. CrowdStrike's VP of Identity Protection and Zero Trust, Kapil Raina, shared on Frictionless Zero Trust: Top 5 CISO Best Practices. Here they are in summary:

  1. Use industry definitions from sources like NIST 800-207, Forrester, DISA and NSA/CISA.
  2. Make adoption frictionless for IT, Security, and User principles.
  3. Remember this is a journey, not a sprint. Work with trusted advisors to map out a multi-year journey into a zero-trust future and take calculated steps to reach that goal.
  4. Embrace the cloud trend: reduce cost and complexity. Look for cloud-first, cloud-based solutions that can stitch together on-prem and cloud-based environments.
  5. Chose platforms, not vendors. Look for well-integrated platforms (which can include an alliance of multiple vendors) rather than a collection of disparate point solutions or a single vendor.

Time for lunch! More to come!

Thu. Aug. 5th @ 2:15pm (PST)

Well, Black Hat 2021 is winding down. It's been fun to be in-person, but also a little weird and sentimentally vacant--it's estimated that attendance has only been about 5% of what it's been in the past. No wonder the business hall felt so small! Here are a few last updates before I head over to DEFCON for a bit before my flight leaves tomorrow morning.

Best talk of the day

James Coote and Alfie Champion are both senior consultants at F-Secure. They gave a talk entitled, I'm a Hacker Get Me Out of Here! Breaking Network Segregation Using Esoteric Command & Control Channels. This explored the weaponization of esoteric internal command and control (C2) channels and their use for lateral movement. Channels such as:

  • C2 into VMs through vCenter and Guest Additions
  • C2 using arbitrary network printers and print jobs
  • C2 over Remote Desktop mapped drives and file shares
  • C2 using LDAP attributes

For the red teamers, the duo shared how to identify and exploit these channels, and the OpSec considerations behind each. For the blue teamers, James challenged defenders' assumptions about how sophisticated actors may operate within segregated environments, and how commonly accepted boundary systems and technologies may offer a means for actors to progress unimpeded into organizations' most sensitive network zones.

More to come a bit later, although it will likely get posted tomorrow morning.

Off to DEFCON I go!

Fri. Aug. 6th @ 9:00am (PST)

Last update for the week:

Sitting here in the airport, waiting for my flight. I got here four hours early--not because I'm an early riser (I am), but because I'm presenting on WWT's Cyber Range for our global sales call. Impeccable timing. Coffee is in hand, a venti americano, so, yes, I'm in a good spot.

As I reflect on the events of this week, the following takeaways come to mind:

These last two years have been a seedbed for innovation. A number of very intriguing tools were developed over the past two years, the Arsenal talks were proof of this. Startups have responded to the market with new advancements in cloud security, zero trust strategy, and observability. The leaders are yet to be determined, but it's going to be a great race to the finish line.

The pandemic continues to take its toll, but we're still here and we're still providing value. Without talented security practitioners and thought leaders, organizations everywhere would be in really bad shape. You put in the extra hours. You were flexible and cool (sometimes) under pressure. You responded to an unprecedented challenge, and you did well. It was so good to see some of you face-to-face, shake your hand, and share war stories. See you all next year.

Thank you for reading.  I hope you all enjoyed this article series as much as I did.

Matt Berry, signing off!

Learn more about WWT's security transformation expertise.