Preempt Blog


Lessons from Black Hat USA 2017: Defense in Depth

Last month I attended the Black Hat USA 2017 conference. It did not disappoint. Overall the event and packed agenda were well worth it. I enjoyed the vibe, the networking, the briefings, the business hall, and the wonderful keynote by Alex Stamos (I recommend Eran’s post, which shares some of Alex’s deep insights). The event covered a broad array of bleeding-edge infosec topics, with sessions on research, zero-day exploits, open-source tools, and other security risks and trends.

Across the many topics, several themes emerged that I thought I would share with you.

Here are the takeaways:

Big Data and Machine Learning

Big data and machine learning are still hot topics in IT security. As computing becomes more widespread, a typical network grows (more servers, more devices, more protocols), and security teams struggle simply to keep track of patch management, alert prioritization, threat intelligence, and effective privilege assessment.

Because static, signature-based security is not enough, tracking user behavior and continuously evaluating risk is crucial. There were a few interesting talks on achieving better security with smart data processing and advanced machine learning algorithms. Ironically, a few lectures focused on how attackers are leveraging machine learning to bypass security mechanisms and to manage the vast amount of data collected from an infected network.

Lateral Movement

Based on the exhibits, the problems security firms are trying to solve, and briefings by researchers uncovering new vulnerabilities, it seems we still have much to do to prevent lateral movement. Even after a decade of IT security advancement, simple phishing attacks, exploits of web server vulnerabilities, and the use of compromised credentials remain the main attack vectors for infiltrating an enterprise network. With initial network infiltration “solved”, lateral movement was a key focus of the conversation. In the briefings alone I heard presenters discussing Mimikatz and BloodHound 10 times each. Reading between the lines, the outlook is rather bleak: both make it easy to get an initial foothold in the victim’s network and move laterally inside it.

Defense in Depth

There is wide agreement that simple solutions cannot stop modern advanced security threats:

  • You cannot just guard the perimeter as the attacker will probably find a way in.
  • You cannot solely rely on endpoint protection as these could be bypassed.
  • You cannot rely on VLANs and network segmentation as an attacker will find a way for malware to communicate.
  • You cannot rely on network threat analytics, as a skilled attacker will bypass these solutions.
  • And the list goes on.

In their great talk on the Industrial Revolution of Lateral Movement, Tal Be’ery and Tal Maor suggested a philosophy I strongly agree with: we should make attackers’ lives harder with a multi-layered defense. Go all the way: add behavioral analytics, protect privileged accounts with MFA, and incorporate deception techniques.
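To make the layering concrete, here is a small added illustration (example code written for this page, not from the talk or from Preempt) of how the three layers mentioned above can feed one risk score for each logon event: a behavioral layer (is this host normal for this user, and is the user fanning out to many hosts in a short window), an MFA layer (did a privileged account authenticate without MFA), and a deception layer (did anyone touch a decoy host). No single signal has to be conclusive; the alert fires when the combined score crosses a threshold. The event format, the baselines, the decoy list, the weights and the sample events are all constructed assumptions for this example, and events are assumed to arrive in timestamp order.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real data):
# (timestamp, user, source host, target host, whether MFA was presented)
SAMPLE_EVENTS = [
    ("2017-08-18 09:00:00", "alice",     "WS-01", "FS-01",    True),
    ("2017-08-18 09:01:00", "bob",       "WS-02", "FS-01",    True),
    ("2017-08-18 09:02:00", "alice",     "WS-01", "SRV-07",   True),
    ("2017-08-18 09:03:00", "alice",     "WS-01", "SRV-08",   True),
    ("2017-08-18 09:04:00", "adm-alice", "WS-01", "DC-01",    False),
    ("2017-08-18 09:05:00", "adm-alice", "WS-01", "HONEY-01", False),
]

# Assumed per-user baseline of hosts normally accessed (in practice learned from history).
BASELINE = {
    "alice": {"WS-01", "FS-01"},
    "bob": {"WS-02", "FS-01"},
    "adm-alice": {"DC-01"},
}
PRIVILEGED = {"adm-alice"}   # assumed privileged accounts that should always present MFA
DECOYS = {"HONEY-01"}        # assumed decoy hosts that no legitimate workflow touches

FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_HOSTS = 3             # distinct targets inside the window that look like lateral movement
ALERT_THRESHOLD = 5


def score_event(user, target, mfa, recent_targets):
    """Return (score, reasons) for one logon.

    recent_targets is the list of (timestamp, target) this user touched inside
    FANOUT_WINDOW, including the current event. Each layer adds its own weight.
    """
    score, reasons = 0, []
    # Behavioral layer 1: a host this user has never been seen on.
    if target not in BASELINE.get(user, set()):
        score += 2
        reasons.append("new host for user")
    # Behavioral layer 2: fan-out to many distinct hosts in a short window.
    if len({t for _, t in recent_targets}) >= FANOUT_HOSTS:
        score += 3
        reasons.append("fan-out to many hosts")
    # MFA layer: privileged accounts must always present a second factor.
    if user in PRIVILEGED and not mfa:
        score += 3
        reasons.append("privileged logon without MFA")
    # Deception layer: decoys have no legitimate users, so any touch is strong evidence.
    if target in DECOYS:
        score += 5
        reasons.append("decoy host touched")
    return score, reasons


def analyze(events=SAMPLE_EVENTS):
    """Walk the events in order and return the logons whose combined score alerts."""
    history = defaultdict(list)  # user -> [(timestamp, target)]
    alerts = []
    for raw_ts, user, _source, target, mfa in events:
        ts = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S")
        history[user].append((ts, target))
        recent = [(t, h) for t, h in history[user] if ts - t <= FANOUT_WINDOW]
        score, reasons = score_event(user, target, mfa, recent)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": user, "target": target, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze():
        print(f"{alert['user']} -> {alert['target']}: score {alert['score']} ({', '.join(alert['reasons'])})")
```

On the constructed sample, alice's third distinct server inside ten minutes trips the behavioral layers together, and adm-alice's decoy touch without MFA scores highest; adm-alice's earlier logon to the domain controller without MFA stays below the threshold on its own, which is the point of layering: each weak signal is tolerable alone, and the decision is made on the combination.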

See you next year at Black Hat 2018!


Topics: big data, Black Hat, Lateral Movement

Posted by Yaron Zinar on August 18, 2017 4:19 AM
