• August 17, 2023
  • Ryan Cribelar

Black Hat 2023 Retrospective: AI, Keeping Focus, Hackers, and More AI

Black Hat USA 2023 came and went, and if you didn’t notice one subject shoving its way into every conversation at some point or another, you’re probably one of the lucky few. There was, of course, still plenty to absorb that had little to do with AI for the thousands of cybersecurity professionals who walked the convention center halls in Las Vegas to hear leading industry experts discuss and workshop everything they learned from their work.

For our Nucleus team, those of us at the booth were invigorated by the excitement shared by visitors and customers, and by seeing that excitement matched for the beach towels. We took in as much as we could from the agenda and share some personal perspective below.

AI technology is not new in and of itself. It has been used in everyday technologies for quite some time, like auto-correct on our phones, but use cases within the security industry stagnated during this period. This all changed when the generative-AI Nation attacked. Since OpenAI released their user-focused, intuitive generative AI chatbot ChatGPT, this technology has taken the security industry by storm in the hope that it is the ‘next solution’ that ‘does the thing’ better than anything before it. Maria Markstedter’s opening keynote as well as Jeff Moss’s introductory statements both spoke to AI with cautious optimism, leaning on the fact that our implementation strategies for these technologies will be key to enhancing our capabilities as defenders.

Keeping our Focus

What is ‘the thing’ that always needs to be done better? Securing systems and software. That is exactly what generative AI cannot do alone. As security professionals, we must remember what a good solution to doing this better than before looks like, and not how it could look under the next fad. This is not to deflate the valid use cases of generative AI in assisting security professionals; it has already been shown how important it can be for assistance during live incidents. Triaging everyday work with a generative assistant can vastly improve the daily throughput of a single human doing hands-on-keyboard work.

However, generative AI technology shows incredible promise to make industry-wide changes far beyond security. It is a technology that will certainly change the way we do a lot of things. The Black Hat talks we attended did not disappoint in taking this opportunity seriously to understand how we can best utilize it to help people secure systems. If you were interested in attending every discussion you could about generative AI and its use in the security industry, you’d probably have to catch up on a few talks in video form after the conference.

One example was the talk by IBM’s John Dwyer, Breaking the Cycle: Getting in Front of the Next Massive Exploitation Event. In the talk, John discussed how a generative-AI ‘assistant’ can get researchers and responders to minuscule technical details about a system in a flash, compared to a human researching the system themselves. This can be useful in the event of another massively exploited technology, such as a Managed File Transfer service. Objectively, a human looking up in the documentation the default file path for the MOVEit web process that transfers data on any given system will be slower than instantly receiving an answer from a chat box that knows all the documentation. The key to this use case being effective in the long term and at scale is validation testing. “A computer can’t be held accountable…” Something or other, you know the rest.

There are large hurdles related to how this subset of AI technology will assist everyday security professionals: attacker advantages and complexity in compliance. Generative AI is only as effective as the dataset you train it on. In the panel discussion Forward Focus: Perspectives on AI, Hype, and Security there were two major subjects of discussion: how attackers as well as red teamers may utilize this same technology, and what compliance might look like when large generative AI models give advice to security professionals doing their work. We must all work from a place of openness and extreme care if implementing a generative AI subproduct gets thrown onto the roadmap by executives and project managers alike. No one wants to be responsible for implementing a product that suggests a vulnerability in Windows is a vulnerability in Apache software.

What wasn’t AI at Black Hat?

While there were lots of places to be to escape the AI noise, we could only be in one place at a time. One talk we were personally excited for, and not disappointed by, was Kelly Shortridge’s Fast, Ever-Evolving Defenders: The Resilience Revolution, both in theme and in its use of AI-generated art throughout all 156 slides of the talk. The talk focused on how we as defenders can take the well-known historical advantages that attackers always have and flip them on their head, working from the perspective of a defender that is always prepared. It centered on several ideas all tied to resilience. As far as technical concepts go, it covered a ton of information on Infrastructure as Code (IaC), CI/CD, Chaos Security Engineering, and more.

The talk was refreshing, and the concepts covered were important in understanding what is next for DevSecOps. We truly are in the state of a revolution in software development, where we see secure-as-code taking front-and-center stage for developers, operations, and infrastructure alike. These technological concepts revolutionize how an organization lives security-first, and if you haven’t gotten the chance to dive into these subjects, we highly recommend that you take off the AI-rose-colored glasses to understand how some of these concepts are modernizing how people develop and push software.

The cloud can be a place of wondrous consistency and authorization, but what happens when a 0-day gives an attacker all-seeing access to your entire AWS stack? Margaret Zimmerman of Palo Alto’s Unit 42 gave a fascinating talk, When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM 0-Day Vulnerability, breaking down the response to SugarCRM exploitation using the MITRE ATT&CK Matrix. There is also a post on Unit 42’s blog about the ordeal, also by Margaret, for those interested. The talk covered various AWS attack paths taken by the malicious actors thanks to the almost unlimited access gained to cloud environments. The attackers used conventional and some not-so-conventional methods and techniques when attempting lateral movement and exfiltration, from using keys found stored on a system through SugarCRM exploitation all the way to calling `GetCostAndUsage` to understand resource allocation.

Cloud resources are efficient and convenient when they can all talk to each other, but when we write IAM policies with `s3:*` and `ec2:*` we’re just asking for trouble. One of the other important takeaways for defenders from this talk was the critical step of logging. Some incidents worked by Unit 42 were difficult to fully piece together due to missing VPC flow logs or no CloudTrail implementation. Logging is a critical component of the security of your systems, cloud or otherwise, because the logs are always what tell the facts.
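As an added example (not from the talk or from Unit 42), here is a small Python check that flags Allow statements using wildcards, with a constructed policy of the `s3:*`/`ec2:*` kind beside a scoped-down version of the same access; the bucket name is a placeholder.

```python
from typing import List, Tuple

# Constructed sample: the kind of policy the talk warns about. Every S3 and
# EC2 action on every resource, so one leaked access key reaches everything.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppAccess", "Effect": "Allow",
         "Action": ["s3:*", "ec2:*"], "Resource": "*"}
    ],
}

# Constructed sample: the same workload limited to the actions and ARNs it
# actually needs (bucket name "example-uploads" is a placeholder).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadUploads", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-uploads",
                      "arn:aws:s3:::example-uploads/*"]}
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy: dict) -> List[Tuple[str, str, str]]:
    """Return (Sid, field, value) for every Allow statement whose Action or
    Resource contains a wildcard. Deny statements are skipped: a wildcard in
    a Deny narrows access rather than widening it."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:          # catches "*", "s3:*" and "s3:Get*"
                findings.append((sid, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "Resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, wildcard_findings(policy))
```

Some read-only EC2 actions only support `"Resource": "*"`, so a finding on the Resource field is a prompt to review the statement, not proof it is wrong.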

Wait, the Government likes Hackers now?

That’s right, the government likes (non-criminal) hackers now! Well, at least it appeared so from the enthusiastic keynotes with Jen Easterly from the Cybersecurity & Infrastructure Security Agency (CISA) as well as Kemba Walden from the Office of the National Cyber Director (ONCD). We highly suggest watching the keynotes for yourself, as the change in tone from what security communities might historically be used to is such a breath of fresh air.

Established in 2021 with the assistance of the Defense Authorization Act, the ONCD reports directly to the White House on issues related to cyber policy and strategy. In her keynote, Kemba Walden sat down with Jason Healey to discuss many things, from the ONCD ‘superpowers’, as Walden refers to them, that assist with things like budgeting, to how the ONCD wields them to generate real progress in high-up places, all the way to how the White House should engage with hacker and security practitioner communities. The keynote covered many other topics like open-source security, raising the security poverty line, engaging youth in internet-safety basics, and more. The ONCD recently released a Request for Information (RFI) related to open-source software security, if you are interested in providing feedback or comments.

Government coming from a place of feeling the need to be educated by professionals who love this work is a great place to start, even if they missed the starting shot by a while. We welcome this change deep within our government and hope to see this encouraging collaboration continue for years to come.

In Easterly’s keynote, she sat down with Victor Zhora, the Deputy Chairman and Chief Digital Transformation Officer of the State Service for Special Communications and Information Protection (SSSCIP) of Ukraine, to discuss collaboration efforts and the resilience of the Ukrainian people in the face of the ongoing war with Russia. Zhora’s position is one of great difficulty and complexity. The keynote shed a fascinating light on how efforts within both the public and private sectors across nations can offer protections, strategies and takeaways for Ukraine. There was a huge emphasis on the outward partnerships that Ukraine has developed, leading to the success of their programs and missions.

If you want to hear more from Jen Easterly, check out the interview with security researcher Patrick Garrity from Nucleus over at the CISA booth!

Conclusion

Black Hat 2023 was as electric as it always is. We were excited and thankful to speak to so many people at the booth about their experiences in vulnerability management and with Nucleus. As we all return with another backpack in the books and dozens of stickers richer, we leave with a plethora of information. Seeing old connections and making new ones is a critical component of the success of security as an industry. What we go and do with all this newly found information and these connections to continue the mission of securing all the things depends on giving yourself time to unwind and digest.

For future first-time Black Hat attendees, here are a few key things to keep in mind:

  1. Get to know the venue map. Mandalay Bay as well as the convention center itself are a bit of a maze. You wouldn’t be the first to feel lost.
  2. Download the Black Hat Events app or take good notes on what you want to attend, where and when it is. Talks come and go at the snap of a finger at Black Hat, so knowing where to go when one finishes will be handy.
  3. If the agenda says the talk is on a certain level, it is outside the Business Hall. If it doesn’t specify a level, it’s in the Business Hall. The Business Hall is a large open space in the front of the convention center for all the vendor booths to set up. There are lots of things that go on in the Business Hall that aren’t vendor booths, such as Start-Up City, Arsenal labs & stations, and sponsored sessions.
  4. Don’t drop your self-care habits at the convention. It’s easy to go 4 days on 16 hours of interaction when attending Black Hat or other conferences. It’s important to remember what helps you feel engaged and prepared to absorb everything going on.