Observations From Black Hat - More Defense Please

Last week I had the opportunity to attend the 15th annual Black Hat security conference in Las Vegas. I have attended DEFCON in the past, but never Black Hat. The conference has grown significantly each year, and judging by the size of the expo floor, the vendors understand its significance. I enjoyed the conference and had great conversations with practitioners and vendors alike. Here are some observations from two of the sessions that I attended:

  • Former FBI Executive Assistant Director Shawn Henry gave the first keynote presentation, “From HRT to APT.” He commanded the renowned FBI Hostage Rescue Team and focused much of his talk on what we as InfoSec warriors could learn from the HRT specifically, and on the lessons the Bureau learned in refocusing on the terrorism threat. The content was very much aligned with Mr. Henry’s Wall Street Journal interview titled “U.S. Outgunned in Hacker War.” Although he didn’t mention Zero Trust architecture by name, he described the principles of Zero Trust design. He also made the comment that the NSA secures the .mil domain, the DHS secures the .gov domain, and it is up to us to secure the .com space. He spoke about the need to share threat intelligence, which I found extremely ironic given how little actionable threat information the Feds share with private industry. Those of us in the .com space are essentially on our own, but if we are “outgunned in the hacker war,” shouldn’t we get some assistance from the government? What assistance, in what form, and how it is executed is an entirely separate conversation. The tricky thing about intelligence is that you don’t want it to end up in the enemy’s hands. That is why so much effort is spent on compartmentalization.
  • I attended the Mandiant session from Jim Aldridge titled “Targeted Intrusion Remediation: Lessons From The Front Lines.” This was a great presentation covering tactical and strategic recommendations for dealing with targeted attacks. I recommend that you download the slides. I want to dig deeper into a few of Jim’s comments.
    • He made the suggestion to patch 3rd party applications, which is a great suggestion, but the reality is that enterprise-wide patch and configuration management are very challenging for companies. I hear this almost every week during my client inquiries. What can you do? To start with, limit 3rd party applications on servers: if there isn’t a business requirement for an application, don’t run it on the server, because software you don’t run is software you never have to patch. Focus your limited resources and make sure that the servers that house the most critical data have the highest priority for patching. When it comes to user endpoints, hopefully you don’t permit local administrator access to employees; if you do, then you will face obvious cultural challenges reversing that decision. If your environment is homogeneous, then 3rd party patching of end user workstations is easier, but the more complex and dynamic your endpoints are, the more challenging patching becomes. An enterprise patch management solution and the staff dedicated to running it are critical to success.
    • One of Jim’s strategic recommendations was to “get management’s buy-in.” If I had a dollar for every time I heard someone say that, I could retire. It is one thing to say this; it is an entirely different story to successfully communicate it to management and business stakeholders. I recommend taking a look at Ed Ferrara’s research “Don't Bore Your Executives — Speak To Them In A Language That They Understand” for strategies to make the elusive “management buy-in” a reality.
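To make the server-side patching advice above concrete, here is an added example (not from the original post or from Mandiant’s presentation) that applies the two rules in order: first flag installed software that has no business requirement for a server’s role, so it is removed rather than patched, and then build a patch queue that puts the servers holding the most critical data first. The host inventory, the approved-software baseline per role, and the “minimum safe version” feed are all constructed for illustration; a real deployment would pull these from the CMDB, the configuration baseline, and a vulnerability feed.

```python
"""Prune unapproved third-party software and prioritise patching by data criticality.

Added example, not code from the original post. Every host, version number and
"fixed in" version below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    role: str              # e.g. "db", "web"; drives the approved-software baseline
    data_criticality: int  # 1 (low) .. 5 (crown jewels), from data classification
    installed: dict        # third-party software name -> installed version string


# Hypothetical approved-software baseline per server role. Anything installed
# that is not listed has no business requirement and should be removed, not patched.
APPROVED_BY_ROLE = {
    "db": {"postgresql", "openssl"},
    "web": {"nginx", "openssl", "php"},
}

# Constructed "minimum safe version" feed: installs below these need a patch.
MIN_SAFE_VERSION = {
    "openssl": (1, 0, 1),
    "php": (5, 4, 5),
    "nginx": (1, 2, 2),
    "java": (7, 0, 6),
    "postgresql": (9, 1, 5),
}


def parse_version(version: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings.

    Assumes purely numeric dotted versions (real feeds also carry suffixes such as
    '1.0.1e', which a production parser would have to normalise).
    """
    return tuple(int(part) for part in version.split("."))


def unapproved_software(host: Host) -> set:
    """Installed software with no business requirement for this server role."""
    approved = APPROVED_BY_ROLE.get(host.role)
    if approved is None:
        return set()  # no baseline defined for this role; nothing to prune here
    return set(host.installed) - approved


def missing_patches(host: Host) -> list:
    """Approved packages on the host that sit below the minimum safe version.

    Unapproved packages are deliberately excluded: the fix for those is removal.
    """
    approved = APPROVED_BY_ROLE.get(host.role, set(host.installed))
    outdated = []
    for name, version in host.installed.items():
        if name in approved and name in MIN_SAFE_VERSION:
            if parse_version(version) < MIN_SAFE_VERSION[name]:
                outdated.append(name)
    return sorted(outdated)


def patch_queue(hosts) -> list:
    """Ordered (host, package) work items: highest data criticality first, then the
    host with the most outstanding patches, then name for a stable order."""
    items = []
    for host in hosts:
        gaps = missing_patches(host)
        for package in gaps:
            items.append((host.name, package, host.data_criticality, len(gaps)))
    items.sort(key=lambda item: (-item[2], -item[3], item[0], item[1]))
    return [(name, package) for name, package, _, _ in items]


# Constructed inventory: a database server with an unneeded JRE, two web servers.
INVENTORY = [
    Host("db01", "db", 5, {"postgresql": "9.1.4", "openssl": "1.0.0", "java": "7.0.5"}),
    Host("web01", "web", 3, {"nginx": "1.2.1", "openssl": "1.0.1", "php": "5.4.4"}),
    Host("web02", "web", 3, {"nginx": "1.2.2", "openssl": "1.0.0", "php": "5.4.5"}),
]


if __name__ == "__main__":
    for host in INVENTORY:
        for package in sorted(unapproved_software(host)):
            print(f"REMOVE  {host.name}: {package} (no business requirement for role {host.role})")
    for host_name, package in patch_queue(INVENTORY):
        print(f"PATCH   {host_name}: {package}")
```

Note that `java` on `db01` never reaches the patch queue even though it is below the safe version: the baseline says the database role has no need for it, so the work item is removal, which shrinks the patch surface permanently instead of adding one more package to keep current.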

Black Hat is in transition, doing some soul searching on the future direction of the conference. The primary focus of Black Hat has traditionally been on offense. Attacks are sexy; defense... not so much. As someone said to me during the event, “Go to OWASP if you want to hear about defense.” There was a Defense track this year, and although Jim Aldridge's presentation wasn’t in it, I thought it was the most actionable defensive session I attended. Innovative defense strategies lead to faster detection and minimize the damage to organizations; this is what CISOs should be most concerned with. Given the nature of the threat landscape, sharing is our best option, and I hope we see more defense talks in Black Hat’s future.

Comments

Defense is usually developed in academia

Dear Rick,
Next to my "regular" job I keep an academic position. I've been submitting to BH (and presenting, from time to time) only "defense" talks. In recent years, none got through. Most of the time, they labeled the presentation "too academic for BH".

I believe that, unfortunately for wannabe BH presenters, most advances in defense come from academia. Look at "The Blue Hat" prize sponsored by Microsoft. The guy who won the 1st prize for the best defensive technology is a PhD student at Columbia University in NYC...

My 2 cents.