Black Hat USA: Worst Supply Chain Attacks Are Yet to Come
Due to COVID-19, the hybrid event is both virtual and in person.
![technology supply chain](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt7beb5d0aff6b97e1/65244b30ddd9b8afebc7df49/4-Supply-Chain-Attack.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Corellium‘s Matt Tait said malicious hackers are exploiting an enormous number of zero-day vulnerabilities in the wild. It is also deeply disturbing, he said, that zero-day vulnerabilities in mobile devices are being exploited with no detection.
“One of the big problems at the moment is that supply chain attacks are really just starting,” he said. “What’s [happened] so far is pretty small vendors people hadn’t heard of. A couple of weeks ago, Electronic Arts (EA) was attacked and their customer base is enormous. What would the Kaseya attack be like with customers at that scale? That’s why we really need to change how we look at this.”
Jeff Moss is founder of Black Hat and Def Con. He said 140 different countries are represented at Black Hat, including 27 with a single representative.
He then gave an analogy comparing working together to stop cyberattacks to working together to end the COVID-19 pandemic.
“First, there’s the mode where no one is immunized,” Moss said. “There’s a disease rampant in the community, but nobody’s immunized. The contagious disease spreads through the population and nothing’s there to prevent it. And in the network world, it would be sort of like no systems are maintained. Nothing’s patched, nothing’s updated, there’s nobody watching the logs. So the malware spreads unchecked through the network.”
In the second mode of immunity, some of the population is immunized, he said. The contagious disease spreads through some of the population. And some systems and some networks aren’t maintained. So malware is sometimes noticed and sometimes removed, and it spreads through some of the population.
“This is basically where we are now, sort of in that second mode,” Moss said. “And the third mode is a lot more optimistic. This is when most of the population is immunized and spread of contagious disease is contained. That’s what we’re working toward. And in the digital world, that might be that most networks and systems are maintained, malware is noticed most of the time and is removed most of the time. And actions are taken to protect other systems besides your own system. In this third step, you are concerned about the networks around you, not just your own stuff. That’s the difference. You’re thinking about others around you.”
The do-nothing stage is the cheapest, he said. In the middle option, you’re protecting your systems and applications, but not those of others.
“So you secure your system by patching and updating, you select good software, you filter spoofed inbound traffic, but you’re not filtering outbound traffic,” Moss said. “So you’re getting the benefits, but you’re not providing any benefits to anybody else. You’re not helping them make decisions about the quality of traffic or services on your network. And this is lower cost than fully immunized. You get almost the full benefit for yourself, but you’re only really helping yourself. That’s pretty selfish.”
Finally in the fully immunized state, “that is where you’re actually conferring immunity to those around you,” he said.
“And it’s most beneficial to all the users of the internet and it’s the best security stance you can take,” Moss said. “So you probably have the least liability, too, because you can show you’re taking these proactive steps. It’s the most expensive to maintain and you need better trained staff. So I want you to think about what you are doing to try to confer immunity to those around you. Are you part of the problem? Are you a user, you’re just getting the benefit of those around you? Or are you contributing … doing things to help those around us?”
From a software supply chain standpoint, “we all rely on the software supply chain,” he said.
“We’re building tools and systems based on this,” Moss said. “We’re trusting it. We’re hoping the people in the supply chain are in that third state. They’re doing things to help everybody else in the supply chain because if they don’t, everything we do is potentially vulnerable. We all depend on the supply chain being fully immunized and it’s not there yet.”
At Black Hat, Acronis released its midyear report that shows SMBs are becoming a bigger target of cyberattacks. This is of particular concern since many of these companies do not have the financial resources to handle such attacks.
Noteworthy data points from the report include:
The average cost of a data breach was around $3.56 million. The average ransomware payment rose 33% to more than $100,000.
Four out of five organizations experienced a cybersecurity breach originating from a vulnerability in their third-party vendor ecosystem.
The most attacked countries in the first half of 2021 were the United States, Germany and the United Kingdom.
Ninety-four percent of malware is delivered by email.
Phishing emails increased by 62% from the first quarter to the second quarter.
Candid Wüest is Acronis’ vice president of cyber protection research.
“Many factors are influencing the cybercrime ecosystem,” he said. “The fact that it is very profitable for the attackers is definitely a reason why it keeps growing. The risk for them of getting arrested is small compared to their potential gains. As we see ransomware groups going after larger targets with high digital dependencies and putting more pressure on the organizations by threatening to publish stolen data, it is understandable that the ransom demands are increasing as well. On the other hand, cybercriminals know that many corporations have cyber insurance, which will pay the demands, so they started to ask for more.”
Unfortunately, too many companies still don’t follow best practices, such as using strong authentication or patching vulnerabilities in time, Wüest said.
“Even the visibility over their own infrastructure is missing,” he said. “Very often, organizations are overwhelmed with the growing complexity of their own infrastructure and missing the resources to handle this. MSSPs can help the many small and midsize companies that don’t have the resources or knowledge to protect their own infrastructure. An ideal cyber protection service from a service provider should offer an integrated holistic protection approach and offer automated security with strong resilience to keep the business running without getting flooded by alerts.”
During Black Hat, Ivanti announced it has acquired an industrial internet of things (IIoT) platform owned by the WIIO Group, one of Ivanti Wavelink’s technology and channel partners based in Paris. This platform acquisition will enable customers to get a 360-degree view of their IIoT equipment, identify and remediate issues, and build scalable applications that drive operational efficiency.
Nayaki Nayyar is Ivanti’s president and chief product officer.
“Ivanti plays in three different fields,” she said. “One is being able to manage every endpoint … and now we’re extending into IoT devices, especially in the IIoT space with this acquisition, but also various rugged devices and various Android devices you see in frontline worker use cases. So being able to offer a single pane of glass for any customer who wants to manage all these devices, all the way from the devices within the network or in the operational technology layer. That’s why this acquisition makes perfect sense for us. We are super stoked on being that single vendor who can provide that … single inventory management on all devices for our customers.”
While Ivanti provides the capabilities to discover, manage and secure devices, the partners can extend the platform, Nayyar said.
“It’s a beautiful low-code/no-code platform that partners can build onto and build any specific use cases, or even leverage the platform for net new industries,” she said. “Customers who want to extend into other verticals can use the platform to build around.”
Sri Mukkamala is Ivanti’s senior vice president of security products. He said partners are looking for a technology they can build upon, service and keep continuously trusted.
“Your partner is always there with your customer and is deriving value, not just a transaction,” he said. “We focus on innovation and the platform, and they focus on the delivery and really helping with the solution.”
Ivanti is becoming an interim platform player for companies to manage all the various devices they have, Nayyar said.
“We are definitely releasing more innovations, we have been bringing in more acquisitions through various M&A that we have done, and for partners to build on it,” she said.
And stay tuned for more acquisitions in the months ahead, Nayyar said.
Also during Black Hat, NTT Application Security, which rebranded from NTT Security last month, announced the appointment of Vlad Nisic as vice president of sales for EMEA. The hiring of Nisic, a cybersecurity veteran with more than 25 years of industry experience, aims to jump-start the company’s expansion throughout the region and help further its international growth.
Based in London, Nisic joins NTT from Sonatype. There, he served as regional vice president of sales for the EMEA region. Prior to Sonatype, Nisic was the vice president of sales in EMEA for Bugcrowd. He also held leadership roles at Dell EMC, Symantec, Orchestria and Guidance Software.
NTT Security acquired WhiteHat in 2019.
David Gerry is NTT Application Security’s chief revenue officer.
“The NTT brand carries a tremendous reputation and a tremendous amount of weight in Europe, and the U.K. and Ireland,” he said. “And as we look at our next phase of expansion, EMEA is incredibly important to us. It’s an incredibly strategic part of our business and having somebody of Vlad’s caliber on board is going to be critical for that. So as we start to identify new channel partners, we’re going to do that here in North America as well as we already have, but really our greenfield opportunity is really the EMEA market and leveraging the channel partners. EMEA as we all know is almost 100% channel-focused. So that’s where we’re going to double down to make sure we have the right programs for them, that they have a predictable path to revenue, that they have the right level of field support and that we help guide them in the sale, and most importantly, that we jointly are a united front going in front of a customer.”
Mimecast has updated its channel program around its SMB business, Fully Loaded Champions and Enterprise First. It has built its sales strategy to support its latest strategic initiatives and built its channel strategy to support its sales strategy.
Kurt Mills is Mimecast’s vice president of channel sales.
“We’ve taken our business partners, and because our distribution was doing such a great job with them, we’ve moved our business partners to distribution because they are seeing higher levels of growth and support than what we could possibly give them,” he said. “The second piece is we’ve made more systems advancements with partner relationship management (PRM) tools so that it’s a more self-servicing experience. They can look at the analytics of how they’re doing with us on their own if need be. And then the third one is we’ve simplified our MSP program so our hundreds of MSPs now also will have the benefit of that new PRM, and also a simplified program to understand their pricing and things like that.”
Fully Loaded Champions provides upsell registration for partners, Mills said.
“So for our partners who are selling Mimecast email security, now we have this new solution, CyberGraph, and they can go in and deal-register that, and it’s being able to make good profitability and helping us build the long-term relationship with the end user,” he said.
And with Enterprise First, Mimecast has built some additional components and features that allow the company to differentiate itself in the market.
In the meantime, phishing, like COVID-19, is something that seems to keep reinventing itself in some ways, Mills said.
“But the other thing is it’s become much more aggressive,” he said. “So that continues to be a challenge for our customers. But also email is still the No. 1 vector for attacks. So our customers want to make sure we’re staying current on our technologies and we’ll protect them.”
Exabeam has unveiled the XDR Alliance, a partnership of cybersecurity and IT innovators committed to an inclusive and collaborative extended detection and response (XDR) framework and architecture.
The goal of the XDR Alliance is to foster an open approach to XDR to allow organizations to protect themselves against the growing number of cyberattacks, breaches and intrusions. Alongside Exabeam, founding members of the alliance include Armis, Expel, ExtraHop, Google Cloud Security, Mimecast, Netskope and SentinelOne.
Gorka Sadowski is Exabeam’s chief strategy officer.
“It started by the realization that SOCs are failing today … and there is an interesting, new type of approach to helping the SOC, and that is XDR,” he said. “The problem is that there is big confusion in the marketplace around what XDR means. You have several definitions and these facts don’t agree with each other. And every vendor is having its own definition that is self-serving based on the portfolio they have. So one of the first goals of the alliance is to get together the village … and it’s about collaboration between the members of this village to provide a definition for the type of XDR that everybody can agree on. And this definition should be open, inclusive and collaborative.”
Justin Bajko is Expel‘s co-founder, and vice president of strategy and business development.
“From our perspective, it’s all about interoperability, and we see this time and time again with our customers,” he said. “Some organizations have chosen to buy their security stack from a single vendor and that’s totally fine. Some customers have chosen to go with what they believe is best of breed, which might mean technologies from different vendors. A lot of their technology purchases are accretive over time, so they’ve sort of grown up naturally, and that means they have technology from many different vendors. But regardless … everyone has the same need of being able to get the data in one place and be able to do something with it in an efficient way. And that’s where we feel very strongly about the alliance because it’s all about promoting integration and interoperability to make sure that regardless of how you’ve chosen to build your security technology platform and how you’ve chosen to build your security program, you’re going to be able to get the outcome that you want because technology really should all work together.”
BLACK HAT USA — It’s early days in terms of supply chain cyberattacks, according to the opening keynote speaker at Black Hat USA 2021. Furthermore, the size and scope of what’s to come will make what’s happened so far look like “peanuts.”
Matt Tait, chief operating officer at Corellium, was the opening keynote at Black Hat USA 2021. Due to the pandemic, the event is hybrid with attendees participating both in person and virtually. The in-person event also is much smaller, drawing fewer than 5,000 attendees as opposed to nearly 20,000 in past years.
Tait talked about the state of supply chain risks, what happens when they go wrong, and what steps the industry can take to mitigate some of them.
In a supply chain attack, bad actors compromise a system upstream of their real target, he said, because what they actually want is that vendor’s customers. That’s why malicious hackers target general-purpose software providers like Kaseya.
“Supply chain intrusions are unusually enormous,” Tait said. “SolarWinds was enormous, but was it as enormous as could have been? SolarWinds has 300,000 customers [and] 18,000 infected.”
SolarWinds has clarified that actually fewer than 100 of its customers were hacked.
Kaseya was a “huge attack, but weirdly small” when you think about how big Kaseya is, he said. Just 0.1% of Kaseya’s customers ended up getting this ransomware.
Supply chain intrusions are not like other intrusions, Tait said. They’re different and work in different ways. And they’re “huge” by default and the scale “dwarfs” other attacks.
“So how do we fix it?” he asked. “It’s not going to be fixed by the U.S. government, federal agencies, or a consortium of governments. The only way to tackle this at scale is to fix the underlying technology. Platform vendors need to step in.”
Channel Futures is in attendance at Black Hat this week. Scroll through our slideshow above for more from Tait and other highlights from the event. (Black Hat USA is presented by Informa, the parent company of Channel Futures.)
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.