The Gately Report: Black Hat USA Edition — Former Child Hacker Warns of 'Catastrophic' Cyber Event
The cybersecurity community's overall feelings about security posture get worse and worse each year.
Illumio’s Paul Dant said hacking as a child gave him an edge in cybersecurity.
“And the reason I say that is in looking at the things that I was exploring and curious about, I would start to see what we would eventually today call vulnerabilities,” he said. “But I would just think, that looks funny, as a kid. Most of those mechanisms that I was using to carry these attacks out, nothing’s really changed in the underlying sort of fundamental aspects. Networks still work the same way. When you put computers onto a network, they can talk to each other. And if you’re not thinking about [if] they’re talking to each other in just the ways they need to or [if] are there extraneous network paths, then we start to really understand that the same problems that I was exploiting as a kid are the same ones that ransomware attackers are using to bring hospitals down today. The fundamentals are all the same.”
One thing that’s changing with the new generation of hackers is the devotion to exploration and curiosity, Dant said. They’re now more driven by monetary gain.
“I think when we look at hackers today, obviously children are exposed to technology at a much younger age than generations previously,” he said. “That’s why I was able to gain an advantage. And the same thing applies as you see teenagers starting to understand the inner depths of how our mobile devices work and how they communicate with internet hosts. They start to explore and start to exploit, and particularly in jurisdictions outside of the United States, some Eastern European nations, Russia for sure, you have state-sponsored activities, but you also have the potential for massive earnings by being a hacker in some of those jurisdictions. And so I think one of the fundamental differences is today’s generation of hackers are driven monetarily, much more so than previous generations.”
Along with it becoming more of a business, anybody can now become a cybercriminal because everything they need is available online, Dant said.
“We have SaaS offerings, ransomware as a service (RaaS) that allows ransomware authors, crafters to just focus on the effectiveness of their ransomware and not, ‘How do I break in?’” he said. “That’s an initial access broker that can sell me that access into my victim. So it’s become quite a streamlined, multilevel marketing type approach where you can enter without necessarily having any specific skills. Now, the likelihood of you scoring a big ransom payout as a lone wolf, a not very skilled hacker, is pretty low. But there’s also a lot of motivation to join up with some of these ransomware groups and these hacker collectives, whether it’s a group like Anonymous, which is not at all fundamentally motivated by finance. But a lot of ransomware attackers today, their sole focus is being able to move into a target organization’s network very quickly, impact operations, threaten to leak sensitive information, whatever the case might be. Whatever those pressure points are for that target, get the ransom payment and then move on, it’s become a very streamlined, almost factory-line operation at this point.”
One of the biggest misconceptions about hackers is that they seem to operate in a “hive-mind” fashion, and they all have the same psychological profile and characteristics, Dant said.
“A lot of identity is what feeds into the way a hacker chooses to hack,” he said. “Some are very interested in mobile applications. Some are really interested in network-based attacks. And I don’t think you can really draw lines to any psychological aspects of a person.”
Another misconception is that bad hackers are practicing black magic and are “these geniuses that are finding sometimes a little needle in a haystack,” Dant said.
“Sometimes it is just luck to come across some of these vulnerabilities that they’ve identified,” he said. “But at the end of the day, it’s really just a devotion to understanding the technology to a point where the flaws just kind of stand out. And that’s what I was referencing earlier. When I got started, modems, all that stuff that was … CD-ROMs, it was mainstream. You could go to your computer store and buy it, but if you didn’t really understand the fundamentals, the instruction manual wasn’t going to get you through it. You had to really get an understanding of tweaking and making things work. That I think is an invaluable tool set when you get to 20, 30 years later. And while the world is completely different, the internet has grown, it’s diversified. We have cars and refrigerators on the internet now. But all of those fundamental elements of how it all works are still the same as they were in the ’80s and ’90s.”
The combination of AI and cybersecurity was a major topic at Black Hat USA. Dant said where it really comes to the rescue for defenders is providing a way to automate or at least minimize efforts involved in “a lot of the hard work of discovery, understanding what is in your environment, how it’s talking to each other, all of those things that most of us don’t really have a strong understanding of.”
“I think I can be invaluable in some of that fundamental foundational work,” he said. “Where I think it goes off the rails a bit is in a lot of the detection and prevention … because in my opinion, AI is not anywhere to a point where it can actually see something and truly determine without any sort of human intervention that this is bad or this is good. In some cases, it’s pretty black and white, but in most cases there’s always going to be a need for judgment and reasoning outside of what I think AI is really able to do and really meant to do. AI is not meant to be a judgment engine.”
Eric Skinner, Trend Micro’s vice president of market strategy, told us at Black Hat he’s certainly optimistic about the use cases around applying AI to help defenders.
“In a variety of ways we’ve been using AI for a very long time now, I think since 2009,” he said. “Generative AI is kind of the next wave and we’ve seen a lot of value in leveraging AI over the years, and I believe we will continue to see that. AI in the hands of attackers is going to make life challenging. But we’ve seen there’s just constant iteration in this business. The attackers get better, the defenders get better, the attackers get better again and the defenders get better again. So I really see that while we’re certainly going to be facing some new challenges, that’s not a new dynamic. AI is certainly making it possible for attackers to do things well, in particular to be more convincing with social engineering. So I think what we’re going to see is that it’s going to become much harder for individual employees to recognize that kind of social engineering, which puts the onus on vendors to do a better job of detecting these social engineering emails and other ways.”
During her Black Hat keynote talk with Jason Healey, senior research scholar at Columbia University, Acting National Cyber Director Kemba Walden called on the cybersecurity community to help draft policies to prevent and fight cybercrime.
Michael Cocanower, president of itSynergy, a Phoenix-based MSP, tells us Walden’s keynote “clearly illustrated what the cybersecurity community has known for some time, that business leaders refuse to accept.” He’s also CEO of a new company launching soon called AdviserCyber, which will provide cybersecurity services to registered investment advisers (RIAs).
“There must be a transition beyond simple compliance towards the investment in the right cybersecurity tools and skilled human resources,” he said. “In wealth management sectors, and frankly across the business world, these decisions are currently being made by leaders that do not have a deep cybersecurity understanding. I am hopeful we will see an increased turn to the cybersecurity industry and the professionals therein to help make informed decisions rooted in risk mitigation.”
AI will be the push toward this transition so desperately needed, Cocanower said.
“Just like the introduction of ATMs forcing bank tellers to develop higher skill sets, cybersecurity professionals will need to harness the power of AI to diminish cyber risk,” he said.
Huntress is making a splash in the highly competitive security awareness training market with its July 2022 acquisition of Curricula, a story-based security awareness training platform.
John Hammond, principal security researcher at Huntress, said his company is bringing managed security awareness training to the market.
“Curricula creates this whole story and narrative that’s a little bit more engaging than a dry PowerPoint, rinse-and-repeat sort of formulaic cookie-cutter security awareness training,” he said. “So we really hope we can build more of a world and narrative, and storytelling on that front that’s more engaging. And the coolest thing is when we can tie that into some of the Microsoft 365 stuff, when we get to do things like phishing simulations, or awareness or education, we can … have those ecosystems work together.”
Huntress has added capabilities to Curricula’s security awareness training, Hammond said.
“It’s kind of been a slow transition to ‘Huntressify’ some things that were curriculum-based, but it’s really cool because we can augment and add to that phishing scenario library, to create new stories and narratives, and episodes to get folks engaged, and that is eventually going to be pulled into its own Huntress portal. So right now we’re still letting folks work in their own lanes. But one day soon we’re going to have that managed security platform for the identity, for the education and for the endpoint all together.”
Managed security awareness training is now available to MSPs, Hammond said.
“We’re excited they have some of their own content-creation tools on their own,” he said. “If they want something fully custom that they want to put together for their own team, they can. But if the whole point is to have this sort of set-and-forget managed Huntress, ‘I want you to solve this problem for me, we’ve got on the cadence and calendar here’s when we’ll get these things filled out to you,’ here’s when they’ll do their own testing. And that’s the Huntress way. How can we streamline and make it easy so you can sleep?”
Also at Black Hat, we caught up with Patrick Sullivan, Akamai’s CTO of security strategy. He said when people hear the name Akamai, they think of content distribution, “streaming your movies to your set-top device or shopping, those other type of things.”
“But I think what’s exciting is that’s now a minority of our business,” he said. “Security is the largest revenue contributor and our compute business is growing quite strong as well. So … we may be the largest security company that nobody’s ever heard of because they think of us as a content delivery network (CDN). So we have very strong growth in security.”
In its latest quarterly earnings, security and compute revenue represented 59% of Akamai’s total revenue and grew 14% year over year.
Akamai is seeing a lot of distributed denial-of-service (DDoS) attacks, and “we’re in a great spot to pick that off,” Sullivan said.
“And now we’re adding this more comprehensive API protection,” he said. “I think that’s extremely timely. Just last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as well as NSA and ACSC within Australia, issued an alert with some pretty strong calls to action for folks that fall underneath them around insecure direct object reference (IDOR), which is the most basic vulnerability of all, perhaps. And that is in response to dozens of very high-profile breaches via API. So a breach could be somebody just finding an API that is not properly authenticated and forcing authorization, and you scrape it and you can amass quite a bit of information about a big chunk of the citizens of a country or their health care data. So I think that’s good to see government drawing attention there and that directly aligns to the problems that we’re solving.”
This month, Gartner identified CardinalOps as a Sample Vendor for automated security controls assessment (ASCA). According to Gartner, ASCA technologies reduce an organization’s attack surface caused by security configuration drift, poor defaults, excessive tuning to reduce false positive rates, and high administration staff turnover. ASCA improves the security posture by verifying the proper, consistent configuration of security controls, rather than simply verifying the existence of controls.
At Black Hat, Phil Neray, CardinalOps’ CMO and vice president of cyber defense strategy, told us this recognition presents a revenue opportunity for partners in many different ways.
“There are a lot of services that go along with our solution,” he said. “So what our solution will do is assess where you have gaps and how to fill those gaps. But usually you need consulting services to figure out how to actually implement various tools that you might be missing or to reconfigure parts of your infrastructure to provide better security. And then there are MSSPs and MDRs that also use the security information and event management (SIEMs) that we use like Splunk, that we focus on and we can help them as well deliver a higher value offering that differentiates them from their competitors, and deliver it in a more efficient way that preserves their margins because we’re using automation instead of people to deliver it.”
What’s fueling CardinalOps’ growth is the growing complexity of managing a security operations center (SOC), and the growing complexity of tools like Splunk and other SIEMs that have a lot of functionality, but require specialized expertise to run, Neray said.
“It’s difficult to find those people and it’s difficult to retain those people,” he said. “So organizations are looking for automation and machine learning (ML) to help with that process.”
BLACK HAT USA 2023 — A former child hacker says Black Hat USA 2023 should have served as a “wake-up call” that “we’re on the precipice of something truly disastrous.”
Paul Dant, Illumio’s senior director of cybersecurity strategy and research, is one of many cybersecurity experts we spoke to at last week’s massive Black Hat conference. He started hacking at the age of 9.
“I called it call to action maybe five years ago and now I truly think it’s a wake-up call that’s needed,” he said. “I think conferences like this can certainly provide the forum for that wake-up call. It’s really when people come to a conference like this, are they listening for it? Everybody has different reasons for coming to Black Hat, but I do think it’s becoming more and more of a collective wake-up call.”
While Black Hat grows bigger and bigger, “our overall feelings about security posture in general get worse and worse each year,” Dant said.
“These ransomware actors started out … with the proclamation that they would not go after health care, they’re not going to go after hospitals,” he said. “That’s been tossed to the side now because they’re financially motivated. We’ve seen so many close calls. We see regional microcosmic aspects of potential impacts to society. When a hospital is turning patients away and sending them to other emergency rooms because they can’t get their computers to work, that tells me we’re really close to something that we don’t want to see, something really catastrophic. I see these security conferences explode every year, more and more, and I hope that we’re reaching that wake-up call where we acknowledge that we are on the precipice of something like that.”
Black Hat USA 2023: Hacking in the 1980s
During our conversation at Black Hat USA 2023, Dant recounted his history with hacking, beginning with his interest in PC games in the mid-’80s.
“I decided that I wanted to start publishing my own,” he said. “I was around 8 [years old] and I taught myself how to code and created a couple of silly games, and started selling them. And my game got cracked by someone that I sold it to and it was my first real introduction into the idea of security. And this is 1987, 1988. Not many people were thinking about it at the time, but it really set my mind onto that path… We talk about hacker culture and exploration, and curiosity. It really was that I didn’t start out with any malicious intent, just kind of exploring and understanding how things worked. But I started to realize the more exploration I did, the deeper into things I could get that I probably shouldn’t have been able to get into. It was probably [when I was] 13 or 14 years old.”
The movie “Sneakers” came out in the early ’90s, and that was “kind of a really cool wake-up call that I could do this as a living,” Dant said.
“I could have people pay me to break into their things and then show them how to prevent people from doing the same,” he said. “And so that was kind of the child hacker. I definitely got involved in my teens in some things that would be considered illegal activity today. But that’s … your cliche story of getting in trouble in school and then getting hired by the school. That’s what happened. So I was hired by the board of education, I think it was my junior year, to help them start securing some of the challenges with security that I had found. And that kind of is what led me to start doing it professionally. And here we are.”
See our slideshow above for more from Dant and more from Black Hat USA 2023. (Black Hat is part of Informa Tech, Channel Futures’ parent company.)