Black Hat looked different this year as the security community gathered on the virtual stage, due to COVID-19 concerns. “Different” doesn’t necessarily carry a negative connotation: the shift not only addressed public safety concerns, but also enabled the security community to critically think about the way we do work in our digital-centric world, particularly at a time where we are increasingly reliant on technology to stay connected.

When scrolling through the countless briefings available, it was clear that politics and COVID-19 remain top-of-mind. So, let’s start with the biggest topic of the week: election security.

Takeaway #1: Securing the Vote Relies on Collaboration… and Testing

Matt Blaze, a Georgetown University security researcher, kicked off the conference with a keynote titled, Stress-Testing Democracy: Election Integrity During a Global Pandemic. In the past, the industry has had conversations about securing voting machines themselves, but this year, the discussions were centered on online and mail-in voting mechanisms and the hacking of the process. Matt shared, “our confidence in the [election] outcome increasingly depends on the mechanisms that we use to vote.” And this year, we are tasked with scaling up mail-in voting mechanisms.

Blaze looked at software as the core of the election security framework, noting that “software is generally hard to secure, even under the best circumstances.” Though we expect a majority of votes to be made via paper ballot, software will still be used in every facet of the election system, from pre-election (ballot definition, machine provisioning) to post-election (tallying results, reporting, audits, and recounts). So, what is the industry to do?

He suggested that election committees prepare for a wide range of scenarios and threats and work towards software independence, though most don’t have the appropriate budgets to do so – a problem all too familiar to the security industry. Because of this, he encouraged the IT community to volunteer their time and become more involved with their local election efforts, specifically, testing the software and machines for vulnerabilities. In a way, he opened the door for ethical hackers, like our team at NetSPI, to get involved. An encouraging call to action that proved realistic during Black Hat occurred when voting machine maker ES&S and cybersecurity firm Synack announced a program to vet ES&S’ electronic poll book and new technologies – a call for “election technology vendors to work with researchers in a more open fashion and recognize that security researchers at large can add a lot of value to the process of finding vulnerabilities that could be exploited by our adversaries,” according to WIRED.

Continuing the narrative of election security, the day two keynote from Renee DiResta, research manager at the Stanford Internet Observatory informed Black Hat attendees of how to use information security to prevent disinformation in mass media (social media, broadcast, online publications). She explained how influence campaigns can skew not only voting results, but also perceptions of companies and, larger-scale, entire countries and governments. She reiterated that disinformation is indeed a cybersecurity problem that CISOs can’t ignore. In another humbling call to action for the security testing community, DiResta suggested, “we need to do more red teaming around social [media] and think of it as a system and [understand] how attacks can impact operations.” Read more about the keynote on ThreatPost.

Takeaway #2: The Importance of Application Security Has Heightened in 2020

Let’s start with healthcare. Amid the current public health pandemic, healthcare systems continue to be a top target for adversaries due to the sensitive and confidential patient records they hold. During Black Hat, the security industry shined a light on some of the various areas of weakness that can be exploited by an attacker. A big one? Healthcare application security.

One conversation that stuck out to me was from the Dark Reading news desk: HealthScare: Prioritizing Medical AppSec Research. In the interview, Seth Fogie, information security director at Penn Medicine, explains why healthcare application vulnerabilities matter in the day-to-day business of providing patient care. He recommends that the security and healthcare communities should have a better line of communication around AppSec research and testing efforts. He would like to see more security professionals asking healthcare administrators which other applications, including third-party vendors, they can assess for vulnerabilities. I agree with his recommendation to raise awareness for application testing in healthcare security as it would add value to the assessments already in effect and ultimately the overall security posture for the organization.

Then, there are web applications, such as virtual meeting and event platforms, that have seen a surge in popularity. Released at Black Hat, researchers found critical flaws in Meetup.com that showcased common gaps in AppSec. Researchers explained how common AppSec flaws cross site scripting and request forgery (both tied to the platform’s API) could have resulted in threat actors redirecting payments and other malicious actions. This is just one example showcased at Black Hat that showed the heightened AppSec risks amid COVID-19, as we continue to shift in-person activities to online platforms.

With NetSPI a Black Hat sponsor, myself and my colleague Jake Reynolds hosted a 20-minute session on revamping application security (AppSec) programs: Extreme Makeover: AppSec Edition. During the session, we explored the various options for testing [SAST, IAST, SCA, manual] and the challenges that exist in current AppSec testing programs and how to “renovate” an AppSec program to ultimately increase time to remediation. Watch the session to learn, through one centralized platform, how to remodel your AppSec program to achieve faster remediation, add context to each vulnerability, enable trends data and reporting functions to track and predict vulnerabilities over time, and reduce false positives.

Takeaway #3: Our Connected Infrastructure Is Vulnerable

As in years past, the Internet of Things (IoT) again took over Black Hat conversations. This year, the research around IoT vulnerabilities proved fascinating. Showcasing the potential impact of IoT infiltration was at the core of the research. Here are some examples:

• Security researchers at the Sky-Go Team, found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine.
• Researchers with the Georgia Institute of Technology described how certain high-wattage Internet-connected devices such as smart air-conditioners and electric-vehicle (EV) chargers could be used to manipulate energy markets.
• And perhaps the most interesting, and alarming: James Pavur, an academic researcher and doctoral candidate at Oxford University, used $300 worth of off-the-shelf equipment to hack satellite internet communications to eavesdrop and intercept signals across the globe.

All these examples highlight how much complexity goes into building systems today. As we continue to increase complexity and inter-connectivity, it becomes more challenging to properly protect these systems from being compromised. At NetSPI, we are constantly working with our clients to help them build well-rounded cyber security initiatives. It’s well understood today that just performing penetration testing near the end of a product’s lifecycle before going to production isn’t adequate from the perspective of security. It’s important to understand various business objectives and implement proper security touchpoints throughout a product’s lifecycle. Vulnerability detection tools have come a long way in the past decade or so. With significant advances in products like SAST, DAST, RASP, IAST, SCA, etc., integrating these tools into the SDLC in earlier phases have been a common approach for many organizations. The true challenge however is determining how to make security as frictionless as possible with the overall product development lifecycle. NetSPI works continually with clients to help them build and implement strategy around their security program based on their business objectives and risk thresholds.

Takeaway #4: We’re Learning More About Securing the Remote Workforce

Lastly, many cloud, container, and remote connection-related sessions were held during the conference. Many of them highlighted the need to reinforce security practices pertaining to remote work, or telecommuting – not surprising, given the state of today’s workforce amid the pandemic.

Black Hat research from Orange Cyber Defense demonstrated that VPN technologies ordinarily used by businesses to facilitate remote access to their networks are “poorly understood, improperly configured and don’t provide the full level of protection typically expected of them.” The researchers attribute the vulnerabilities to a common scenario where the remote worker is connected to Wi-Fi that is untrusted, insecure or compromised. Watch this video interview with the researchers via Security Weekly.

It’s an ever-evolving issue that has warranted additional focus this year and the industry is continuing to learn best practices to achieve a secure remote connection. I would consider this topic a silver lining to the pandemic. It has forced the security industry to learn, better understand, and serve as counsel to organizational leaders on the security considerations that come with scaling up remote workers. A great starting place for remote connection security? Read my recent blog post: Keeping Your Organization Secure While Sending Your Employees to Work from Home.

While we certainly missed the face-to-face connections and networking opportunities, the virtual conference was an invaluable opportunity to hold urgent security conversations around election mechanisms, healthcare systems during the pandemic, application security, the growing remote workforce, and connected devices and infrastructures.

While these were my key takeaways, there were many more discussions that took place – and DefCon continues today with prerecorded presentations and live streamed Q&As and panels on Twitch. Want to explore more Black Hat 2020 news? Check out this Black Hat webpage. We hope to see you next year, hopefully in-person!

Nabil Hannan

Distributed Denial of Service (DDoS) attacks have gained celebrity status during COVID-19. In the first quarter of 2020, DDoS attacks in the U.S. rose more than 278% compared to Q1 2019 and more than 542% compared to Q4 2019, according to Nexusguard’s 2020 Threat Report. This increase in attacks is correlated with the increased dependency on remote internet access and online services as many organizations’ workforces continue to work from home amid COVID-19 concerns. With the dependency on remote internet access comes an increased need for Internet Service Providers (ISPs) to monitor and mitigate irregular activity on their networks before it results in server outages or loss of critical resources, data, or money. But ISPs aren’t the only ones that need to be proactive as DDoS attacks continue to rise – their customers will face the same problems if proactive security measures are not in place.

Learning from others: Amazon Web Services (AWS) successfully thwarted the largest DDoS attack ever recorded on its infrastructure, internet infrastructure firms Akamai and Cloudflare fended off record-breaking DDoS attacks in June, and online gaming platforms are being targeted as attackers figure out how to further monetize DDoS attacks (see: GGPoker). These recent attacks underscore how similar vulnerabilities and weaknesses can easily propagate across many organizations since there’s a tendency of reusing similar technologies to support business functions, such as widespread use of open source code or network hardware. Additionally, it’s also common that simple misconfigurations issues can result in breaches that have significant business impact.

It’s important to understand that there are two common forms of DDoS attacks:

1. Application layer attacks where attackers try to overload a server by sending an overwhelming number of requests that end up overtaking much of the processing power.
2. Network layer attacks where attackers try to overwhelm network bandwidth and deny service to legitimate network traffic.

The ultimate goal of both techniques is to overwhelm a particular business, service, web app, mobile app, etc. and keep them from being accessible to legitimate access requests from the intended users/customers. This is extremely challenging to manage since the attacks come from compromised machines or ‘bots’ in a very distributed fashion, which makes blocking those requests using simple filtering techniques unrealistic.

Many web application firewall vendors have DDoS mitigation solutions available for customers to buy, but that shouldn’t be the only step that organizations should rely on. Defense in depth, or an approach to cyber security in which defensive tactics are layered to ensure back up measures in the case that another security control fails, is key for all security concepts. Here are five techniques organizations can layer on to stop DDoS attacks:

1. Penetration Testing – Although it’s difficult to properly simulate full-scale DDoS attacks during a penetration test, it’s important to do regular third-party testing that simulates real-world attacks against your infrastructure and applications. A proactive penetration testing approach will allow organizations to be prepared for when the time comes that they’re actually under attack. Tip: Implement Penetration Testing as a Service (PTaaS) to enable continuous, always-on vulnerability testing.
2. Vulnerability Management and Patching – Ensure that all your systems have been properly updated to the latest version and any relevant security and/or performance patches have been applied. A proper patching and vulnerability management process will ensure this is happening within a reasonable timeframe and within acceptable risk thresholds for the business.
3. Incident Response Planning – Build a team whose focus is on responding in an expedited fashion with the appropriate response. This team’s focus needs to be on ensuring they can minimize the impact of the attack and ensure they can trigger the appropriate processes to ensure that communications with customers and internal teams are happening effectively. More on incident response planning here.
4. Traffic Anomaly Monitoring – Make sure there’s proper monitoring taking place across all network traffic to set off alerts if any abnormal behavior is detected from suspicious sources, especially if they are from geographies that don’t make normal business sense.
5. Threat Intelligence and Social Media – Keep an eye on threat intel feeds and social media for any relevant information that may help predict attacks before they happen, allowing organizations to plan accordingly.

DDoS is just one of many cyberattack methods that have increased due to COVID-19 remote working dependency. As networks continue to expand, we are opening new entry points to attackers to secure footholds and cause critical damage – pointing to the need for continuous evaluation of security strategies.

My overarching advice? Go beyond the baseline security measures, such as a firewall, and implement a proactive security strategy to identify and remediate vulnerabilities, monitor network activity, plan for a breach as they become more inevitable, and connect with the security community to stay on top of the latest threat intel.

Nabil Hannan