BlogCybersecurity Risk & StrategySecurity Transformation
Blog13 minute read

WWT Security Expert, John Aplin, Weighs in During Black Hat USA 2022

Black Hat USA 2022 was attended by over 25,000 people this year, including, WWT's Executive Security Advisor for Cybersecurity in Global Financials, John Aplin. To see what you missed, check out John's live feedback captured during this two-day event.

In this blog

 Wednesday, Aug. 10th @ 9:00am (PST)

The kick-off

If there is one word to describe the 25th year (quarter of a century) of Black Hat it is "electrifying!" 

Jeff Moss kicked off the event to talk about all the people that have come, 111 countries to be exact, and was very surprised how many people were in attendance.

The opening keynote from Jeff Moss focused on Russia and Ukraine, and how government sanctions are taking place. The power of the government to tackle Russian IT projects were staggering. Vast amount of organizations and individuals were not able to pay for domains and projects due to sanctions on credit cards and more. Because of this, Jeff mentioned communities and individuals have a lot of influence and can help shift the cybersecurity space during this tumultuous time. 

At the end of Jeff Moss's presentation, he made a prediction that things will be more chaotic and consequential due to misinformation campaigns, filter contents and more. 

The next presenter was Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA). Chris Krebs' presentation focused solely on government politics vs. cybersecurity, and why this is an uphill battle. 

At first, the presentation seemed ominous, where Chris discussed the 3 areas attributing to hard times: technology, bad actors, and people. However, the vibe shifted when Chris gave us hope that something can be done about it. One thing that resonated with me was that threat actors understand the shift of business and trust in software and updates, therefore, the inevitable need for cloud technology and the security that goes with it. He and I agree, cloud security is something that organizations must take extra considerations in while we undergo this shift. 

Some other areas of focus were software vulnerabilities, attack surface and ransomware. The three main industry concerns are supply chain shortcomings, leaders not leading and workforce challenges. The general outlook within 3-5 years seems to be bearish with a future outlook being bullish (thankfully!). 

With the prediction of China's possibly invading Taiwan, the government and major business enterprises are worried about supply chain and the threat of economic collapse. However, the upside is that a new generation of the cyber workforce is getting smarter and more savvy and innovative. Chris Krebs ended the note saying that, "security is a national security issue," so we should therefore take it seriously and plan ahead (2-3Q ahead).

The floor of the business hall was chaotic. Every vendor was prepared to lure people to their booth. Swag was being handed out like candy on Halloween. Companies were giving away t-shirts, water bottles, wireless chargers, light sabers and much more. But the prize goes to CardinalOps for offering the coolest swag: a book signing of the New York Times best seller, This is How They Tell Me the World Ends, by Nicole Perlroth. Runner up was CrowdStrike, with their action figurines of known threat actors.

It seemed some of the largest booths showcased top vendors in EDR, NDR, TVM and API security space. Once inside, the EDR vendors, such as CrowdStrike, SentinelOne and Cybereason, were going head-to-head with beautiful displays and engaging booth discussions. API security also had some major real estate, with Salt Security and No Name competing for largest booth. ExtraHop also had quite a display, and Halcyon and CardinalOps provided great demo walk-throughs.

 Wed. Aug. 10th @ 5:00pm (PST)

If there was word to describe the briefings and breakout sessions, it's "familiarity."  

Vendors that reached top attendance capacity were the ones focused on EDR/XDR, Zero Trust, work place shortage, API security and cloud security. This all felt very familiar, as these are the major talking points my team has with our global financial customers during WWT's Hour of Cyber. The validation I received from these talk tracts gives me a sense of purpose on our mission within Global Accounts. When I think back on this year's meetings with our customers, the amount of talent and leadership in these areas are staggering; calling-out individuals like Richard Thomas (Cyber Resiliency) and Zac Turpin (ATC EDR Testing).

Most entertaining

The award for most entertaining would be a toss up between Robert Lipovsky, Principal Threat Intelligence researcher at ESET, and Steve Povolny, Head of Advanced Threat Research at Trellix. Steve gave an exciting presentation called, Perimeter Breached! Hacking an Access Control System, While Robert gave a breathtaking session on Industroyer2: Sandworm's Cyberwarefare Targets Ukraine's Power Grid Again. 

Steve's presentation gave insight on how to attack the most commonly used door system in the world. Throughout my career, working in multiple "secure" buildings and offices, I always found it alarming (pun intended) that the door systems that housed such critical assets and employees could be so easily penetrated. Most organizations around the world use this system called HID, and most claim that proper security measures are in place. Robert's presentation, on the other hand, gave lots of juicy details on the power grid attack, which has been labeled the greatest cyber-attack to ICS systems since Stuxnet.

Most transformational

As an anonymous source once said, "if I were to advise a rogue nation state on how to take down the United States, I'd tell them to start with the APIs first." As such, there were many briefings on protecting APIs, API security test tools and exploiting APIs.

Neosec had a fantastic session on API security innovation, and everything you should know about challenges in securing APIs, API priorities and a practical guide on where to start. To sum it up, 83% of all web traffic is based on APIs, and Gartner predicts that by 2024, API abuses and related data breaches will nearly double! This is particularly important for our global-fi and payment customers because they all rely on API technology for customer applications and digital experiences. Rudimentary API security is a necessity, but it is not sufficient enough. Further, faving a WAF, Bot Mitigation, API Gateway, CWPP, CSPM and CDN does not cover the requirements for API security. Abuse cases are not always vulnerabilities, and while vulnerabilities are important, the focus needs to be on abuse cases.

Day 1, down…

I picked up my DEFCON badge in the morning at Black Hat and it was a very straightforward and painless experience. After the long day I saw Frodo Baggins from the Lord of the Rings perform at the new Las Vegas Raiders stadium, and it was fantastic! 

All in all, it was wonderful 1st day of Black Hat.

 Thur. Aug. 11th @ 1:00pm (PST)

The biggest topics at Black Hat

As mentioned before, Chris Krebs' talk on organizations moving to the cloud really resonated with me on day 1.  Something resonated with me even more on day 2! That is, the explosion of talk on how to incorporate a Zero Trust architecture into cyber resilience processes. It has been a major point of focus for all of us at WWT security, as well. 

Below, I cover some of the other major topics and questions mentioned at black hat by cybersecurity community. 

Cloud security is more important than ever

One of the biggest topics this year at Black Hat was cloud security. In the business halls and arsenal booths in Mandalay Bay, there were multiple sessions on how to protect your assets within the cloud. There was also focus on the different aspects of cloud security, such as compliance, misconfiguration, and vulnerabilities (CSPM, CWPP), but newer technologies on cloud DATA security stole the show. Up and coming companies, like Laminar Security and Big ID, are moving up in this space to fill the gap. 

Another key focus was the exploitation of cloud vendors (GCP) with untraditional PostgreSQL vulnerabilities presented by WIZ researchers. In the arsenal space, developers and engineers have created multiple cloud pen testing tools, such as "HazProne," to emulating hacking scenarios within the cloud. As more and more organizations shift to a hybrid multi-cloud infrastructure, or a complete cloud migration, the transparency and threat vectors in this space will increase because threat actors are figuring out where the tides are shifting.

Endpoint security: are we reaching at the end of the tunnel?

The endpoint, or should I say the end-user computer, remains the most common attack vector for all organizations around the world (over 70% of breaches start at the endpoint). That is why there was a fully packed session to see a panel of experts from multiple industries (mostly finance) discuss EPP/EDR solutions, the most common operatorial challenges, and where things are falling short. Below were some questions and answers I captured from the session:

  1. Where are the most common mistakes on implementing endpoint security?
    1. Security practitioners tend to think what security controls to load onto the endpoint; therefore, you will have 20 agents (exaggeration) utilizing 80% of the CPU and overlapping technologies of your end-goal.
  2. Are those security controls needed if you have an employee that never connects to the corporate network?.
    1. AV is not enough, need to stay on top on latest solutions (EDR).
    2. Communication with security and business needs.
    3. Single biggest mistake is rushing to adopt a new architecture or marketecture from one architecture to another.
  3. Do you see the operational challenges in endpoint security increasing, or tools helping to mitigate for example alerts?
    1. Reality is, agent sprawl is really important. Favorite security tools are getting acquired by security companies that do not make investments into the solution.
    2. Too many app configurations to reduce alert storms. Wasting your money if you are making too many configuration changes.
    3. Got to balance IT operations of EDR with the balance of security controls that are provided.
  4. Is the state of industry is getting better or worse in showing leadership in these architectural frameworks and managing risk (like utilizing NIST Frameworks or MITRE frameworks)?
    1. A lot of organizations are still dealing with the basics, locking, patching, etc.; therefore, new capabilities and new attack paths can be difficult to evolve in the endpoint space. Organizations don't have the cycle to constantly evolve with thought leadership.
    2. Confusion often gets associated with many organizations; technical group associate vulnerabilities, business on risk, and lawyers on liability. There needs to be alignment with all these groups.
    3. In regards to risk management, companies need to know that a $10M EDR solution might not be in their best interest if there is only a $100K risk.
  5. What are new approaches to endpoint security showing promise, and what are suites vs best of breed?
    1. The biggest problem in the endpoint security at the end of the day is the end-user; therefore, we need to isolate the environment and create a VM environment. This will neutralize common threat vectors.
    2. Isolation technologies (browser isolation) will change the game. Containment is another form of technology that will help.
    3. Dedication workstations for administrators are still needed.
    4. Security fails because of the users (19 % of users will click on a phishing link even after anti-phishing training!).
    5. We have NOT reached the end of the tunnel of endpoint security; the challenge is how to make it useful and ensure business functions are met.
  6. Does Windows need to have 90% of the focus over other operating systems?
    1. Emerging platforms generate more problems as security controls are not as tight knitted than on Windows platforms.
    2. Vast majority of Malware are from criminal organizations, and these organizations focus on Windows; Malware on a Mac will be more from Nation State.

Thu. Aug. 11th @ 4:20pm (PST)

My thoughts so far were that it was immensely fun and exciting to see so many people from so many different countries come together to talk cyber. I had the chance to meet people from Greece, and a Turkish individual who worked in Tokyo. To say the event was fun would be an understatement.

Best talk of the day!

John Dwyer and Neil Wyler are both global leads at IBM Security X-Force. They gave a talk entitled, The Open Threat Hunting Framework: Enabling Organizations to Build, Operationalize, and Scale Threat Hunting. This informative session highlighted the need for security professionals on the defensive side to work together to tackle threats that we see each and every day. 

They discussed open frameworks helping organizations take control of building a threat-hunting program by providing a clear path to operationalizing threat hunting, as well as a well-defined threat hunting process, to ensure threat hunters are set up for success. As such, the open threat framework highlights that threat hunting needs to be open instead of argumentative. Identifying what works well, and not focusing entirely on the technology but more on the mission at hand, will increase success for organizations. 

Here are some points taken from their talk:

  • It's not the tools, it's the long-term strategy and mission.
  • You need clear and efficient processes that hunters actually use.
  • Don't focus too heavily on the technical components of a hunt (should focus on only 3 things at a time).
  • Seek community driven results.
  • Foster continuous evolution of hunting and detection.
  • Be vendor agnostic, all technologies should be welcomed.

A key takeaway is that organizations that are looking to enhance their Security Operation Center should be reaching out to like-minded security folks and having a leader with a specific mission and vision to help each and every organization with their security posture. 

 Fri. Aug. 6th @ 10:00am (PST)

Reflection…

As I sit in my hotel and gather my thoughts and notes on everything that went on at Black Hat, I must say there was so much knowledge with so little time. This was my first time at Black Hat, and Vegas, and it was an exhilarating experience. As much as I hoped to explore Las Vegas as a first timer, no regrets were lost as I got to meet amazing people from both the OEM and customer sides at the convention.

Wrapping up, here are some important takeaways I'd like to share:

Application security is the future. 

During the last panel on the last day of Black Hat, Jeff Moss, Black Hat's founder, and other Security experts, went on stage to talk about key takeaways from Black Hat 2022.  After being asked which topic mattered most, the consensus from the panel was application/API security. Jeff went on to say that API security is the future. As more and more banks and other verticals use APIs so does the inherent risks that follow. In the 2023 Black Hat event, we can expect to see a lot on Web3 bugs and blockchain for the same reasons. 

More and more people are coming together despite the pandemic. 

It was reinvigorating to see some of the smartest minds come together to tackle today's most complicated and complex security challenges despite the current circumstances. Regardless of what occurred over the past couple of years it seemed everybody was back in full swing! There were smiles and laughter wherever you go. It was an honor to meet each and every person I met during this monumental event. I can't wait to see them all again next year as well! 😊

Thank you taking your time to read this. I hope you enjoyed it. I certainly enjoyed putting it together.

John Aplin, signing off to Austin, Texas!