At the beginning of the month, the NetSPI team ventured out to Las Vegas for the highly anticipated Black Hat USA and DEF CON 29 cybersecurity conferences. Given the hybrid nature of the events this year, the crowd was much thinner and the halls of Mandalay Bay much quieter – reports mention that Black Hat attendance was one-fourth of a typical year’s attendance pre-pandemic.
While quieter than usual, there were still many opportunities to connect with one another face-to-face, or rather, mask-to-mask. I sat down with my colleagues who attended the conferences – both in-person and virtually – to get their take on what went down at the events this year. After all, “What happens in Vegas… gets posted on the NetSPI blog.” Right? From keynotes to topics and themes to hacks, read on for five of the greatest moments from Team NetSPI’s time in Las Vegas.
1. Call for collaboration: The Joint Cyber Defense Collaborative
Jen Easterly, the newly appointed head of the Cybersecurity and Infrastructure Security Agency (CISA), used her platform at Black Hat to build trust and personal relationships with the private sector. During her talk she noted her plans to continue the work that former CISA head Chris Krebs started, specifically around building relationships between CISA, the private sector, and government.
Secretary of Homeland Security Alejandro Mayorkas delivered the final keynote at Black Hat, which echoed much of Easterly’s call for collaboration. He took to the virtual stage to recruit security professionals to work for DHS and to talk about the need to diversify the workforce. He cited two specific ways hiring private sector professionals at DHS could increase collaboration: acting as a bridge between the hacker community and DHS, and providing mentorship.
Both keynotes highlighted the Joint Cyber Defense Collaborative, a new CISA initiative that plans to “bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of these plans.”
Read more about the keynote speeches online at SC Media:
- CISA head Easterly emphasizes the personal to foster community’s trust
- DHS secretary asks for more participation and cooperation with cybersecurity pros
2. Caution around supply chain attacks
Supply chain attacks are just getting started, warned Corellium COO Matt Tait during his keynote speech. He cited the exploitation of zero-day vulnerabilities as the driver for the increase in software supply chain attacks. Since 2014, the number of zero-day vulnerabilities detected “in the wild” has increased 236 percent.
The road to securing the supply chain is not going to be easy, Tait cautioned. But he did share his thoughts on two critical steps we can take to get started: improvements to bug bounty programs and Certificate Transparency. Contrary to the keynotes from Easterly and Mayorkas, Tait suggested that platform vendors hold most of the responsibility for securing the supply chain, and that government intervention or regulation will not do much to address the problem.
3. Ransomware policy panel
The panel on ransomware policy solutions at DEF CON was a highlight for the NetSPI team. It featured co-chair of the Ransomware Task Force Chris Painter, security researcher Robert Graham, and lawyer Elizabeth Wharton.
They discussed the varying aspects and challenges of handling a ransomware attack. (Hint: it’s not as cut-and-dried as banning ransom payments.) The panel debated the role of cybersecurity insurance, whether to pay a ransom, the need to understand the granular details of an attack, and more.
Robert Graham pointed out that the true problem with ransomware is that organizations aren’t looking at how the ransomware is getting into their systems; they’re focusing more on whether their recovery efforts are hardened. He brings up a great point and highlights a problem that NetSPI is helping to solve with its new Ransomware Attack Simulation service.
Info Security Magazine wrote a detailed recap of the panel – check it out.
4. Team NetSPI at DEF CON
We may be biased, but learning from colleagues at DEF CON was certainly a “greatest moment” from the conference. This year, Portland-based practice director Karl Fosaaen and our newest NetSPI practice director Chad Rikansrud presented at the conference.
Karl is one of the foremost experts on Azure penetration testing. His presentation at the DEF CON Cloud Village focused on Azure password extraction. In the talk he showcased how to use the password extraction functionality in MicroBurst, a toolkit he created that contains tools for attacking different layers of an Azure tenant. He also walked through a real example of how it was used to find a critical issue in the Azure permissions model that resulted in a fix from Microsoft. For those who missed Karl’s talk, register for his upcoming webinar: Azure Pentesting: Extracting All the Azure Passwords.
During Chad’s talk, he and container security expert Ian Coldwater told the story of the first mainframe container breakout. They became the first people on the planet to escape a container on a mainframe, and they explained how they did it. Watch on YouTube: Crossover Episode: The Real-Life Story of the First Mainframe Container Breakout.
5. More DEF CON talks worth watching
Our services team looks forward to meeting up at DEF CON each year. And while the annual NetSPI happy hour on the Las Vegas Strip is likely everyone’s top moment of the weekend, there were plenty of interesting talks held during the conference. Here are five talks worth watching on-demand if you didn’t catch them at the show:
- New Phishing Attacks Exploiting OAuth Authentication Flows – Jenko Hwong, Researcher at Netskope
Overview: This talk details how OAuth authentication flows can be used for phishing, and how refresh tokens can be abused to pivot and avoid audit log entries.
- Offensive Golang Bonanza: Writing Golang Malware – Ben Kurtz, Host of the Hack the Planet Podcast
Overview: This talk breaks down why Golang is so useful for malware with a detailed tour through the available components used for exploitation, EDR and NIDS evasion, and post-exploitation, by one of the main authors of the core components.
- Hacking G Suite: The Power of Dark Apps Script Magic – Matthew Bryant, Red Team at Snapchat
Overview: This talk delves into the dark art of utilizing Apps Script to exploit G Suite (AKA Google Workspace).
- Bundles of Joy: Breaking MacOS via Subverted Applications Bundles – Patrick Wardle, Creator of Objective-See
Overview: This session describes an easy way to bypass all of Mac’s native malware protections. For a summary of the bypass, view the slide at 24:50.
- Hacking Humans with AI as a Service – Eugene Lim, Glenice Tan, Tan Kee Hock
Overview: They present the “nuts and bolts” of an AIaaS phishing pipeline that was successfully deployed in multiple authorized phishing campaigns.
The conversations around collaboration, securing the supply chain, ransomware, and more were invaluable, as were the opportunities for those who were able to meet safely in person. Whether you were there in person, attended virtually, or simply kept an eye on the announcements and news coming out of the event, it feels great to have a sense of community in the security space yet again.