Lessons from Black Hat USA 2017: Defense in Depth
Last month I attended the Black Hat USA 2017 conference. It did not disappoint. The event and its packed agenda were well worth it. I enjoyed the vibe, the networking, the briefings, the business hall and the wonderful keynote by Alex Stamos (I recommend Eran’s post, which shares some of Alex’s deep insights). Overall the event covered a broad array of bleeding-edge infosec topics, with sessions on research, zero-day exploits, open source tools, and other security risks and trends.
Across these broad topics I saw several themes emerge that I thought I would share with you.
Here are the takeaways:
Big Data and Machine Learning
Big data and machine learning are still hot topics for IT security. As computing becomes more widespread, a typical network becomes bigger (more servers, more devices, more protocols) and security teams have a hard time simply keeping track of patch management, alert prioritization, threat intelligence and effective privilege assessment.
Because static, signature-based security is not enough, tracking user behavior and continuously evaluating risk is crucial. There were a few interesting talks on how to achieve better security using smart data processing and advanced machine learning algorithms. Ironically enough, a few lectures focused on the interesting subject of how attackers are leveraging machine learning to bypass security mechanisms (e.g., this) and to manage the vast amount of data collected from infected networks (e.g., this).
Lateral Movement
Based on visiting the exhibits and seeing the problems security firms are trying to solve, as well as attending briefings led by security researchers who were uncovering vulnerabilities, it seems we still have much to do to prevent lateral movement. Even after a decade of IT security advancement we still see simple phishing attacks, exploits of web server vulnerabilities and use of compromised credentials as the main attack vectors for infiltrating an enterprise network. With initial network infiltration “solved”, lateral movement was a key focus of conversation. In the briefings alone I heard presenters discussing mimikatz and BloodHound about 10 times each. If you read between the lines, you find a rather bleak outlook: once an attacker has an initial foothold, the two tools together make it easy to move laterally, mimikatz by harvesting credentials from compromised hosts and BloodHound by mapping the Active Directory relationships that turn those credentials into a path to domain admin.
Defense in Depth
There is wide agreement that no single control can stop modern advanced security threats:
- You cannot just guard the perimeter, as an attacker will probably find a way in.
- You cannot rely solely on endpoint protection, as it can be bypassed.
- You cannot rely on VLANs and network segmentation alone, as an attacker will find a way for malware to communicate (typically over a protocol the segmentation has to allow anyway, such as DNS or HTTPS).
- You cannot rely on network threat analytics alone, as a skilled attacker will bypass these solutions.
- And the list goes on…
In their great talk on the Industrial Revolution of Lateral Movement, Tal Be’ery and Tal Maor suggested a philosophy I strongly agree with: we should make the attacker’s life harder with a multi-layered defense. Go all the way: add behavioral analytics, protect privileged accounts with MFA, and incorporate deception techniques, so that an attacker who gets past one layer still trips over the next.
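To make two of those layers concrete, here is a small added example (my own code, not from the talk or from any product shown at the conference) that runs a behavioral check and a deception check over a handful of constructed Windows logon records. The log layout, the `svc_backup_legacy` decoy account name and the fan-out threshold are all assumptions made for the example; in a real deployment the threshold would come from a per-account baseline and the events from a SIEM or the Security event log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 (successful logon) records.
# Layout (an assumption for this example): time|event_id|logon_type|account|source_host|dest_host
# Logon type 3 is a network logon, the type that SMB/WMI/WinRM lateral movement produces.
SAMPLE_LOG = """\
2017-08-17T09:02:11|4624|2|alice|WS-ALICE|WS-ALICE
2017-08-17T09:05:40|4624|3|alice|WS-ALICE|FS01
2017-08-17T13:20:02|4624|3|alice|WS-ALICE|MAIL01
2017-08-17T22:41:03|4624|3|bob|WS-BOB|FS01
2017-08-17T22:41:19|4624|3|bob|WS-BOB|FS02
2017-08-17T22:41:35|4624|3|bob|WS-BOB|SQL01
2017-08-17T22:41:52|4624|3|bob|WS-BOB|DC01
2017-08-17T22:42:10|4624|3|bob|WS-BOB|APP01
2017-08-17T22:42:27|4624|3|bob|WS-BOB|APP02
2017-08-17T22:44:00|4624|3|svc_backup_legacy|WS-BOB|DC01
"""

# Deception layer: a decoy account (hypothetical name) that exists in the directory
# only as bait. Nothing legitimate ever uses it, so any logon with it is an alert.
HONEY_ACCOUNTS = {"svc_backup_legacy"}


def parse_log(text):
    """Parse the pipe-delimited records above into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src, dst = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
            "dst": dst,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_fanout(events, window=timedelta(minutes=10), max_hosts=4):
    """Behavioral layer: flag an account that makes network logons to more than
    max_hosts distinct destinations inside any sliding window. A user normally
    touches a few servers a day; an attacker hopping between boxes touches many
    within minutes. Returns (account, window start, sorted hosts) per account."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append((account, evs[start]["time"], sorted(hosts)))
                break  # one alert per account is enough
    return alerts


def detect_honey_logons(events, honey_accounts=HONEY_ACCOUNTS):
    """Deception layer: every logon that uses a decoy account is an alert."""
    return [e for e in events if e["account"] in honey_accounts]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, when, hosts in detect_fanout(evs):
        print(f"FAN-OUT {account} from {when}: {hosts}")
    for e in detect_honey_logons(evs):
        print(f"HONEY   {e['account']} used from {e['src']} to {e['dst']} at {e['time']}")
```

On the sample, `alice` stays quiet, `bob` trips the fan-out rule after the fifth distinct server in about a minute, and the decoy account fires the moment it is used from `bob`'s workstation. The point of layering them is that neither rule needs a signature for mimikatz or BloodHound: the first catches the movement pattern those tools enable, the second catches an attacker who harvested a credential that should never be touched.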
See you next year at Black Hat 2018!
Posted by Yaron Zinar on August 18, 2017 4:19 AM