Three Areas of Change at Black Hat
Black Hat is changing. It is pretty evident when you walk the vendor floor and see some of the event and session attendees.
A lot of folks are talking about the changes, but are they good or bad for Black Hat and the industry? That’s a pretty subjective question, but I see most of the changes as positive. Talking more about how to defend against the hack is a good thing. Making hacking practical (in the way I define it) is valuable to building a security program, and bringing people together progresses the industry as a whole. These changes are an adjustment to the maturing of the industry, and we can all benefit from it.
Defending Your Environment Can Be Sexy
I love a good hack just as much as the next person. However, after I see a shell on the big screen and finish doling out the deserved applause, the security manager in me needs to know how to fix the problem. I think that sentiment is exactly what drives the opinion of the security managers I’ve talked to over the years who say they won’t attend Black Hat. The primary reason is because the event historically focused on just the existence of attacks and not enough about what to do about them. Fortunately, this year’s Black Hat delivered a healthy dose of straight-up defensive security.
One such talk came from Mario Vuksan and Tomislav Pericin, both of whom discussed file disinfection techniques. This represented a change in what some people consider Black Hat to be all about, since they weren’t discussing how to infect files. Mario and Tomislav even announced the future release of the open source File Disinfection Framework (FDF) that can be used to fix infected files instead of simply reinstalling the operating system, which is often the default action. The Defense Advanced Research Projects Agency (DARPA) Cyber Fast-Track (CFT) program funded the creation of the File Disinfection Framework. More on that later…
Two other talks followed this trend by directly discussing defensive security. One was from John Flynn, a Facebook security engineer. He imparted some intrusion detection wisdom gained from his experience in high-traffic and highly-adverse environments. Another was given by my friend David Mortman, who talked about how to “centralize management, automate and test” in order to improve security ops and development.
Accuvant LABS’ Shawn Moyer was the Defensive Track chair for this year’s Black Hat review board. He gave an executive briefing about the defensive talks and made a good argument for why defense needs as much or more focus than offensive security. To be fair, there have been defensive talks at Black Hat in the past. But Shawn pushed for talks that were less strictly operational and dry. He wanted more creative approaches for defense, and I think he achieved that goal.
Hacking for Fun Can Also Be Practical
Another change at this year’s Black Hat was the practicality of many of the hacks – though I see this as largely a perception problem and not an actual issue. First, let me explain what I mean by “practical.” I am not talking about how easily that latest cool hack can be reproduced by another hacker. Obviously, the ease at which the hack is reproduced is a factor for the risk-level it represents. However, a hack that is easily reproduced but has no applicability to an organization can probably be safely ignored, assuming all scenarios have been hashed out. Will the security manager or director of an organization make a shift in priorities because of this hack, even if that shift is long term in nature? Does knowing about this attack help the industry by addressing a concern of which most were not aware? This is a practical hack.
Accuvant LABS’ Dr. Charlie Miller’s talk on near field communication (NFC) – also funded by the DARPA CFT program – was a great example of research based on a real-world issue. An increasing number of smart phones are using NFC technology, which is adding another layer to the highly relevant mobile device explosion that has many security managers scratching their collective heads. While solutions for bring your own device (BYOD) and mobile data distribution are becoming more effective, security vendors aren’t yet working on the NFC problem – it’s really just now becoming known as an attack vector. However, just knowing that there is a potential for abuse via NFC gives organizational security teams and security vendors the heads up about this long-term problem.
Ivan Ristic’s talk was another great example of real-world practical applicability. I have been going through some of his work with the IronBee open-source WAF project and reading through his blog on the topic. In that post, Mr. Ristic says that WAFs are “now an accepted security best practice and have a significant role in compliance.” When someone starts pushing ways to get around a security measure that has become that important, the practicality of the attack becomes apparent quickly.
Crossing the Streams Can Be Beneficial
“Crossing the Streams” is a reference to the movie Ghostbusters. The main movie characters determined that it would be extremely dangerous to cross the particle streams of their proton packs, which they used to capture ghosts (if you needed this explanation, turn in your 80’s card). In this context, you might assume that I am referring to bringing the world of the hacker together with the world of upper security management (Bill Brenner talks about it here and here, and Mike Rothman offers his own take as well). You would be half correct. However, I saw another type of stream-crossing from Black Hat that is also beneficial to the security industry.
In terms of hackers and management, it is good to see that this is becoming a more common occurrence. Some people might view it negatively, thinking that is diluting the hacker conference. That might be partially true. Yet, it also means that security is getting the focus and attention that it sorely needs in other large organizations. Security teams are receiving more funding, more staff, and so on. We need to have executive buy-in if we hope to succeed in moving the security needle forward.
Government and security was another stream-crossing. I mentioned the DARPA CFT program a couple of times above. The CFT program is meant to fund short-term security research projects while allowing researchers to keep the intellectual property of whatever they create. It is a great initiative that made possible quite a few of the research projects presented at Black Hat and DEF CON. The cooperation between these two worlds is a great step forward for the industry.
Heraclitus said, “Nothing endures but change.” These three areas of change represent this fact fairly well. Yes, Black Hat is evolving a bit, but it is simply representing an industry that is also evolving. Security must be accepted on a wider basis in order to move the needle forward. Investment must increase in order to better understand the hack, as well as the defense from the hack. Black Hat is turning into the amalgamation of these concepts, with researchers and management coming together to fight the good fight. Trey Ford, general manager of Black Hat, said in a CSO Magazine interview that he “wants his events to bridge the gap between these camps.” That is a great idea, and it will only strengthen the Black Hat brand.