Lessons from Black Hat USA 2017: Defense in Depth

Posted by Yaron Zinar on Aug 18, 2017 4:19:49 PM

Last month I attended the Black Hat USA 2017 conference. It did not disappoint. Overall the event and its packed agenda were well worth it. I enjoyed the vibe, the networking, the briefings, the business hall and the wonderful keynote by Alex Stamos (I recommend you follow Eran’s post, which shared some of Alex’s deep insights). Overall the event covered a broad array of bleeding-edge infosec topics, with sessions on research, zero-day exploits, open source tools, and other security risks and trends.

With many broad topics, I found several themes emerge that I thought I would share with you.

Here are the takeaways:

Big Data and Machine Learning

Big data and machine learning are still hot topics for IT security. As computing becomes more widespread, a typical network becomes bigger (more servers, more devices, more protocols) and security teams have a hard time simply keeping track of patch management, alert prioritization, threat intelligence and effective privilege assessment.

Since static, signature-based security is not enough, tracking user behavior and continuously evaluating risk is crucial. There were a few interesting talks on how to achieve better security using smart data processing and advanced machine learning algorithms. Ironically enough, a few lectures focused on the interesting subject of how attackers are leveraging machine learning to bypass security mechanisms (e.g., this) and to manage the vast amount of data collected from infected networks (e.g., this).

Lateral Movement

Based on visiting the exhibits and seeing the problems security firms are trying to solve, as well as attending briefings led by security researchers who were uncovering vulnerabilities, it seems we still have much to do to prevent lateral movement. Even after a decade of IT security advancement, we still see simple phishing attacks, exploits of web server vulnerabilities and use of compromised credentials as the main attack vectors for infiltrating an enterprise network. With initial network infiltration “solved” from the attacker's point of view, lateral movement was a key focus of conversation. In the briefings alone I heard presenters mention mimikatz and BloodHound about ten times each. If you read between the lines, you find a rather bleak outlook: once an attacker has an initial foothold, the two tools make it easy to harvest credentials and map an attack path through the victim's network, so moving laterally meets little resistance.

Defense in Depth

There is wide agreement that no single simple solution can stop modern advanced security threats:

In their great talk on the Industrial Revolution of Lateral Movement, Tal Be’ery and Tal Maor suggested a philosophy I strongly agree with: we should be making attackers' lives harder with a multi-layered defense. Go all the way: add behavioral analytics to catch credentials being used in ways their owners never use them, protect privileged accounts with MFA so a stolen password alone is not enough, and incorporate deception techniques so that an attacker probing the network trips an alarm. Each layer can be evaded on its own; together they raise the cost of every step after the initial foothold.
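As an added illustration of what two of those layers look like in detection logic (example code written for this page, not from the post or from Be’ery and Maor's talk), the block below runs a deception check and a behavioral check over a handful of constructed logon events and then correlates them by source host. The event format is a simplified flattening of Windows 4624/4625 logons, the decoy account name `adm_legacy`, the hosts and addresses, and the baseline of three distinct destinations per five-minute window are all assumptions made for the example.

```python
"""Added example: two defense-in-depth layers over constructed logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (assumption: a simplified flattening of Windows
# 4624/4625 logon events; field names, hosts and addresses are invented).
SAMPLE_EVENTS = """\
2017-08-10T09:01:00 4624 user=alice src=10.0.1.15 dst=FS01 type=3
2017-08-10T09:02:10 4624 user=alice src=10.0.1.15 dst=FS01 type=3
2017-08-10T09:03:00 4624 user=bob src=10.0.2.7 dst=FS01 type=3
2017-08-10T09:04:00 4624 user=svc_backup src=10.0.1.15 dst=FS01 type=3
2017-08-10T09:04:20 4624 user=svc_backup src=10.0.1.15 dst=FS02 type=3
2017-08-10T09:04:40 4624 user=svc_backup src=10.0.1.15 dst=DC01 type=3
2017-08-10T09:05:00 4624 user=svc_backup src=10.0.1.15 dst=SQL01 type=3
2017-08-10T09:05:30 4624 user=svc_backup src=10.0.1.15 dst=HR01 type=3
2017-08-10T09:06:00 4625 user=adm_legacy src=10.0.1.15 dst=DC01 type=3
"""

# Hypothetical decoy account: it exists in the directory, looks privileged, and
# is never used by anyone legitimate, so any attempt to use it is a signal.
HONEY_ACCOUNTS = {"adm_legacy"}


def parse_events(text):
    """Turn the constructed 'timestamp event_id key=value ...' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["time"] = datetime.fromisoformat(ts)
        fields["event_id"] = int(event_id)
        events.append(fields)
    return events


def honeytoken_alerts(events, honey_accounts=HONEY_ACCOUNTS):
    """Deception layer: success (4624) or failure (4625) on a decoy account both count."""
    return [
        {"layer": "deception", "user": e["user"], "src": e["src"], "dst": e["dst"]}
        for e in events
        if e["user"] in honey_accounts
    ]


def lateral_movement_alerts(events, window=timedelta(minutes=5), max_hosts=3):
    """Behavioral layer: one account from one source reaching more distinct hosts
    inside the window than the baseline allows (baseline of 3 is an assumption)."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["type"] == "3":  # successful network logon
            by_key[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        worst = set()
        for i, cur in enumerate(evs):
            # Distinct destinations within the window ending at this event.
            hosts = {e["dst"] for e in evs[: i + 1] if cur["time"] - e["time"] <= window}
            if len(hosts) > len(worst):
                worst = hosts
        if len(worst) > max_hosts:
            alerts.append({"layer": "behavioral", "user": user, "src": src, "hosts": sorted(worst)})
    return alerts


def correlate_by_source(events):
    """Independent layers firing on the same source host reinforce each other."""
    layers_by_src = defaultdict(set)
    for alert in honeytoken_alerts(events) + lateral_movement_alerts(events):
        layers_by_src[alert["src"]].add(alert["layer"])
    return {src: ("critical" if len(layers) > 1 else "high")
            for src, layers in layers_by_src.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in honeytoken_alerts(evs) + lateral_movement_alerts(evs):
        print(alert)
    print(correlate_by_source(evs))
```

On the sample data the behavioral layer flags `svc_backup` fanning out from one workstation to five servers in ninety seconds, the deception layer flags the same workstation touching the decoy account, and the correlation step escalates that source host to critical because two unrelated layers agree. Either alert alone would be worth a look; the point of layering is that an attacker who tunes their pace to stay under the behavioral baseline still has to avoid every decoy, and vice versa.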

See you next year at Black Hat 2018!


Topics: big data, Lateral Movement, Black Hat