The Gately Report: Black Hat USA Edition with Cisco, IBM, CISA, More
Black Hat USA has come roaring back since the COVID-19 pandemic.
[Image: Black Hat expo hall 2022]
Cisco was a prominent presence at Black Hat. During the conference, it disclosed that on May 24 it became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
According to a Cisco Talos blog, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
“The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multifactor authentication (MFA) push notifications initiated by the attacker,” it said. “The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.”
The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack, Cisco said. However, these attempts were unsuccessful.
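As an added illustration (not from the article or from Cisco Talos) of a check a defender could run for the push-acceptance pattern described above, here is a small Python detector over constructed MFA push log lines; the log format, field names and thresholds are assumptions.

```python
# Added example, not code from the article or Cisco Talos: flag the MFA
# "push fatigue" pattern, a burst of push prompts for one user that ends in
# an acceptance. The log lines and their format below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's MFA push log (assumed format):
# "<ISO timestamp> user=<name> push=<sent|denied|accepted|timeout> ip=<source>"
SAMPLE_LOG = """\
2022-05-24T08:01:10 user=alice push=sent ip=203.0.113.7
2022-05-24T08:01:40 user=alice push=timeout ip=203.0.113.7
2022-05-24T08:02:05 user=alice push=sent ip=203.0.113.7
2022-05-24T08:02:35 user=alice push=denied ip=203.0.113.7
2022-05-24T08:03:00 user=alice push=sent ip=203.0.113.7
2022-05-24T08:03:20 user=alice push=accepted ip=203.0.113.7
2022-05-24T09:00:00 user=bob push=sent ip=198.51.100.4
2022-05-24T09:00:15 user=bob push=accepted ip=198.51.100.4
"""

def parse_line(line):
    """Split one log line into (timestamp, user, result, source ip)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["push"], kv["ip"]

def find_push_fatigue(log_text, window=timedelta(minutes=10), min_prompts=3):
    """Return {user: [ips]} for users who accepted a push after at least
    `min_prompts` prompts were sent within `window` before that acceptance.
    A single prompt followed by an accept (a normal login) is not flagged."""
    sent_times = defaultdict(list)   # user -> timestamps of pushes sent
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, result, ip = parse_line(line)
        if result == "sent":
            sent_times[user].append(ts)
        elif result == "accepted":
            recent = [t for t in sent_times[user] if ts - t <= window]
            if len(recent) >= min_prompts:
                alerts[user].append(ip)
            sent_times[user].clear()   # an acceptance ends the sequence
    return dict(alerts)

if __name__ == "__main__":
    for user, ips in find_push_fatigue(SAMPLE_LOG).items():
        print(f"possible MFA push fatigue: user={user} accepted from {ips}")
```

Tune `window` and `min_prompts` to the provider's normal retry behaviour; the check is a trigger for investigation, not proof of compromise.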
Sharon Nachshony is a security researcher at Silverfort.
“The activity seen in the Cisco attack is a prime example of how an attacker can use lateral movement to progress from an initial toehold towards more high-risk internal targets,” she said. “Starting with a single set of stolen credentials, the attacker was able to gain access into the Cisco VPN, pivot into the Cisco environment and eventually move to the domain controllers. Their use of PsExec in the attack was notable. Command-line tools such as this are typically used by admins to remotely configure and troubleshoot. But in the hands of an attacker, and often unprotected, they have become a target of choice. This can be prevented by applying MFA to remote command tools to manage access and close down lateral movement.”
More broadly, this is a sign of how lateral movement is being commoditized by initial access brokers, Nachshony said. Focusing specifically on initial breach and accessing of target systems, they will then sell this compromised position on to other threat actors specializing in payloads and ransom activity.
At Black Hat, IBM announced it has launched a source code management attack toolkit (SCMKit). It allows users to launch simulated attacks against SCM platforms. The toolkit supports attack modules for reconnaissance, privilege escalation and persistence. The SCMKit can currently launch simulated attacks against GitHub Enterprise, GitLab Enterprise and Bitbucket Server.
HackerOne was on hand in the Black Hat Business Hall sharing insights on the latest hot security and hacking trends. HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.
Darktrace and HackerOne at Black Hat announced they have partnered to combine Darktrace Prevent/Attack Surface Management (ASM) technology with the continuous security assessment capabilities of the HackerOne platform. The partnership expands HackerOne’s OpenASM initiative to help organizations secure their digital estate through technology and a community of ethical hackers.
Amanda Berger is HackerOne’s chief customer officer.
“I love that this event has both hackers and customers, and also a lot of customers that are hackers,” she said. “So being able to have those conversations about identifying the gaps in their security posture and mitigating them with humans is amazing.”
During a panel discussion, two HackerOne hackers, Dominic Couture and Leandro Barragan, talked about their experiences as hackers and some of the most interesting vulnerabilities they’ve uncovered.
For those interested in becoming a hacker, Couture suggested “just go ahead and get started.”
“There hasn’t been a better time to get free resources online and just learn about it,” he said. “There are blogs, YouTube videos and learning resources by HackerOne. So just get started. Learn one thing and then try to work with it, and then learn a second one, etc., etc. Get a year off the ground with that.”
HackerOne has seen a rapid increase in customers in the enterprise space as well as the government space, particularly in some other countries, Berger said.
“We’ve certainly found that the idea of using ethical, friendly, nice hackers has become more mainstream,” she said.
Goldman Sachs, General Motors and Starbucks are among HackerOne’s customers.
Also during Black Hat, we caught up with Salt Security, an API security platform provider. This month, it released a report showing malicious API traffic now accounts for more than 2% of all API traffic seen by its customers. On average, those organizations were hit by 26.6 million malicious API calls in June 2022, a more than 100% increase compared to last year’s per-month average.
Michelle McLean is Salt Security’s vice president of marketing.
“The big thing is that there’s still a bit of an awareness gap about the risk that APIs themselves pose,” she said. “And so it’s just an opportunity for organizations to try to get an assessment of where they are, how well they understand the landscape of APIs that they have and how well they understand the security posture of those APIs. And then you can use this research to look for certain areas of vulnerability where you might have problems and learn from others’ mistakes before anything can get exploited. That’s always the hope.”
API security is an interesting area for channel partners, McLean said.
“If you think about how companies are distinguishing themselves today and innovating today, it’s all in application development,” she said. “So I think the channel partners have an amazing opportunity with digitalization projects, cloud migration projects and application modernization projects. They can really distinguish themselves as guides and experts because these are really big projects and they’re very intimately related to this business success. So I think they can become much more strategic partners. The relationship is that APIs are super foundational. We used to say you’re not writing code anymore, you’re assembling code. And now it’s sort of like it’s all just APIs.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had a booth in the Black Hat Business Hall recruiting cybersecurity professionals, and providing information about internships and scholarships. A recruiter at the booth said a fair number of attendees had shown interest in joining the agency.
During his Black Hat keynote, former CISA director Chris Krebs said a standalone CISA could help streamline how the private sector and other stakeholders work with the government to combat cyber threats.
ExtraHop hosted a Red vs. Blue, Hackers vs. Defenders game at its Black Hat booth. The game provided a chance for attendees to get their hands on ExtraHop products from the point of view of either hackers or defenders.
Two private equity firms, Bain Capital Private Equity and Crosspoint Capital Partners, are shelling out $900 million in their acquisition of ExtraHop. ExtraHop plans to add channel sales leaders after the acquisition is completed.
iBoss, a zero trust edge cloud security provider, was on hand at Black Hat to discuss its newly obtained Federal Risk and Authorization Management Program (FedRAMP) authorization. FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Paul Martini is iBoss’ CEO.
“FedRAMP authorization allows us to sell to the federal government,” he said. “Basically there’s a lot of talk about zero trust or secure services edge (SSE) or secure access service edge (SASE), but really what’s going on across the government as well as in the commercial space is the ‘SaaSification’ of security and connectivity. Users are remote. People are working from everywhere. They need to connect to applications that they need, but they also want security. Now we’re defense DLP CASB so that you prevent infections but also grant only authorized users to access data. And so this idea of providing direct access and direct connectivity with security baked in, in a cloud service is being mandated across the federal government.”
In January, an executive order began pushing the entire federal government to follow what it calls NIST SP 800-207, which is zero trust architecture, Martini said.
“We implement NIST SP 800-207,” he said. “So the federal agencies will start to get rid of these physical perimeters, gear and equipment inside these perimeters and move to basically a world where there are no walls, there are no perimeters, and users can work and connect from anywhere. And security is baked into the cloud itself.”
This enables partners to sell to the federal government, and particularly sell a cloud security service that is mandated by the federal government, Martini said.
“By 2025, the government needs to move to this model and so now they’ll be able to sell this service,” he said.
Blumira was also at Black Hat to draw attention to its cloud-based security information and event management (SIEM) solution. It’s targeting the SMB market.
Brian Penney is Blumira’s vice president of sales.
“Black Hat is the perfect place for us because we’re still relatively new to the market,” he said. “We were founded in 2018 … and we’ve been selling for three years now.”
Blumira partners include MSPs and resellers.
Earlier this year, Blumira announced the availability of a free, self-service cloud SIEM for Microsoft 365. It also launched three new paid versions: Microsoft 365, cloud and advanced.
“If they’re just in an Office 365 environment, which many small businesses are … our free tier will give them a full SIEM solution with detection and response built in, and they never have to pay for it,” Penney said. “There are some limitations. For instance, all of our paid tiers, including our cloud tier and our advanced tier, have a full-year retention on all of the logging and documentation. Our free solution does seven days. You have seven days to download that information and store it yourself in a secure environment. For those small businesses that are just focused on being in the cloud and are trying to build, rather than scale, it’s a solution that allows them to have the checkbox for cyber insurance.”
The free service is the entry point for most of Blumira’s partners, he said.
“They come on board, they utilize the service and say ‘Hey, this makes sense, we like this, we’d like to move into the advanced tier,’” Penney said. “We have a not-for-resale (NFR) program for the MSPs as well that allows them to use our product at no charge, and then they begin rolling out that free edition to their customers. It’s a very quick, very efficient tool for small businesses to see a lot of value out of.”
That’s a wrap for this week’s Black Hat USA 2022 event, which came roaring back after going virtual during the pandemic and returning to a much smaller conference last August.
The event, the 25th Black Hat USA, brought tens of thousands of attendees to Las Vegas from 111 countries. That compares to approximately 5,000 at last year’s mini-event.
Jeff Moss is Black Hat’s founder and CEO. He didn’t expect so many people at this year’s Black Hat event. He also pointed out that attendance still fell short of pre-pandemic levels because the conference usually brings cybersecurity professionals from China and other Asian countries, and they’re still unable to travel abroad.
Increasing complexity and how that’s giving cybercriminals an advantage was a big topic at Black Hat. The topic was discussed during a closing keynote with Moss and event content organizers.
Chris Eng, chief research officer at Veracode, said a lot of the same problems are occurring in cybersecurity, “so we need to be faster at adopting.”
“We know what needs to be done, but we’re not getting it done,” he said. “It’s a little discouraging. We are seeing things get better in pockets … but way too slowly.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.