Lessons from Black Hat USA 2017: Defense in Depth
Last month I attended the Black Hat USA 2017 conference. It did not disappoint. Overall the event and its packed agenda were well worth it. I enjoyed the vibe, the networking, the briefings, the business hall, and the wonderful keynote by Alex Stamos (I recommend Eran’s post, which shared some of Alex’s deep insights). Overall the event covered a broad array of bleeding-edge infosec topics, with sessions on research, zero-day exploits, open-source tools, and other security risks and trends.
With many broad topics, I found several themes emerge that I thought I would share with you.
Here are the takeaways:
Big Data and Machine Learning
Big data and machine learning are still hot topics for IT security. As computing becomes more widespread, a typical network becomes bigger (more servers, more devices, more protocols) and security teams have a hard time simply keeping track of patch management, alert prioritization, threat intelligence, and effective privilege assessment.
As static signature-based security is not enough, the need for tracking user behavior and continuously evaluating risk is crucial. There were a few interesting talks on how to achieve better security using smart data processing and advanced machine learning algorithms. Ironically enough, a few lectures focused on the interesting subject of how attackers are leveraging machine learning to bypass security mechanisms and manage the vast amount of data collected from an infected network.
Based on visiting the exhibits and seeing the problems security firms are trying to solve, as well as attending briefings led by security researchers who were uncovering vulnerabilities, it seems we still have much to do to prevent lateral movement. Even after a decade of IT security advancement we still see simple phishing attacks, exploits of web server vulnerabilities, and the use of compromised credentials as the main attack vectors for infiltrating an enterprise network. With initial network infiltration “solved”, lateral movement was a key focus of the conversation. In the briefings alone I heard presenters discussing Mimikatz and BloodHound 10 times each. If you read between the lines, you find a rather bleak outlook: once an attacker has an initial foothold, the first makes it easy to harvest credentials from memory and the second maps the Active Directory relationships that turn those credentials into a path across the network.
Defense in Depth
There is wide agreement that simple solutions cannot stop modern advanced security threats:
- You cannot just guard the perimeter as the attacker will probably find a way in.
- You cannot solely rely on endpoint protection as these could be bypassed.
- You cannot rely solely on VLANs and network segmentation, as an attacker will find a way for malware to communicate across them.
- You cannot rely on network threat analytics alone, as a skilled attacker will bypass these solutions.
- And the list goes on.
In their great talk on the Industrial Revolution of Lateral Movement, Tal Be’ery and Tal Maor suggested a philosophy which I strongly agree with: we should be making the attacker’s life harder with a multi-layered defense. Go all the way: add behavioral analytics, protect privileged accounts with MFA, and incorporate deception techniques, so that an attacker who slips past one layer still has to beat the next one.
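As an added illustration of two of those layers, behavioral analytics and deception, the following Python is my own example and not code from the post or from the talk. It runs over a handful of constructed log lines loosely modelled on Windows Security event 4624 (successful logon) with logon type 3 (network); the line format, field names, the 10-minute window, the fan-out threshold and the decoy account name `honey_admin` are all assumptions made for the demo. The fan-out check flags an account that reaches many distinct hosts in a short window, which is what credential reuse during lateral movement tends to look like, and the decoy check treats any logon to an account that exists only to be attacked as a high-severity alert regardless of volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)    # sliding window for the fan-out check (assumed)
FANOUT_THRESHOLD = 5              # distinct destination hosts that trigger an alert (assumed)
DECOY_ACCOUNTS = {"honey_admin"}  # deception layer: accounts nobody should ever use (assumed)

# Constructed sample events for this example; not real logs. Format is assumed:
# <ISO timestamp> <event id> type=<logon type> user=<account> src=<ip> dst=<host>
SAMPLE_EVENTS = [
    "2017-08-01T09:00:00 4624 type=3 user=alice src=10.0.1.15 dst=FILE01",
    "2017-08-01T09:05:00 4624 type=3 user=alice src=10.0.1.15 dst=PRINT01",
    "2017-08-01T09:10:00 4624 type=3 user=bob src=10.0.1.22 dst=FILE01",
    "2017-08-01T13:00:00 4624 type=3 user=svc_backup src=10.0.2.5 dst=WS-101",
    "2017-08-01T13:00:30 4624 type=3 user=svc_backup src=10.0.2.5 dst=WS-102",
    "2017-08-01T13:01:00 4624 type=3 user=svc_backup src=10.0.2.5 dst=WS-103",
    "2017-08-01T13:01:30 4624 type=3 user=svc_backup src=10.0.2.5 dst=WS-104",
    "2017-08-01T13:02:00 4624 type=3 user=svc_backup src=10.0.2.5 dst=WS-105",
    "2017-08-01T13:02:30 4624 type=3 user=svc_backup src=10.0.2.5 dst=WS-106",
    "2017-08-01T13:03:00 4624 type=3 user=svc_backup src=10.0.2.5 dst=DC01",
    "2017-08-01T14:00:00 4624 type=3 user=honey_admin src=10.0.2.5 dst=FILE01",
    "2017-08-01T15:00:00 4624 type=2 user=alice src=10.0.1.15 dst=WS-001",
    "2017-08-01T15:01:00 4625 type=3 user=alice src=10.0.1.15 dst=WS-001",
]


def parse_event(line):
    """Parse one constructed log line into a dict; returns None for anything that is not a 4624."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "4624":
        return None
    event = {"ts": datetime.fromisoformat(parts[0]), "event_id": parts[1]}
    for token in parts[2:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def detect_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Behavioral check: one account performing network logons to many distinct hosts in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("type") == "3":          # only network logons count as movement between hosts
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1               # slide the window forward
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts             # keep the widest fan-out seen for this account
        if len(best) >= threshold:
            alerts.append({"severity": "medium", "reason": "fan-out",
                           "user": user, "hosts": sorted(best)})
    return alerts


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """Deception check: any logon as a decoy account is an alert, one event is enough."""
    return [{"severity": "high", "reason": "decoy-account-logon",
             "user": e["user"], "src": e["src"], "dst": e["dst"]}
            for e in events if e["user"] in decoys]


def analyze(lines):
    """Run both layers over raw log lines and return the combined alert list."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    return detect_fanout(events) + detect_decoy_use(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Neither layer is sufficient on its own: the fan-out rule can be evaded by moving slowly, and a decoy account only fires if the attacker happens to touch it, which is exactly why the post argues for stacking them rather than picking one.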
See you next year at Black Hat 2018!
Posted by Yaron Zinar on August 18, 2017 4:19 AM