Visual Journal: Black Hat Europe 2019Cybersecurity Conference Features False Flags, Tool Talks, Deep Dives and More
Black Hat Europe returned to London last week, drawing nearly 3,200 attendees. Once again held at the ExCeL conference center in the city's Docklands quarter, the annual cybersecurity conference featured in-depth training as well as two days of briefings, vendor exhibitions in a packed business hall, sessions run by vendors, in-depth technical demonstrations and more.
See Also: From Passwords to Passwordless
Topically, this year's conference touched on everything from application security and fuzzing to Active Directory auditing and false-flag attacks launched by nation-states.
Here are visual highlights from the event.
Conference at a Glance
This year's conference, running from Dec. 2 to Dec. 5, started with in-depth technical training, followed by two days of briefings. More than 100 speakers and researchers delivered 15 in-depth technical training sessions and more than 40 briefings. Tracks this year covered such topics as cryptography; data forensics and incident response; exploit development hardware and embedded systems; human factors; internet of things; malware; network defense; reverse engineering; the security development lifecycle; industrial security; and web application security.
Tips for Cybersecurity Defenders
Setting the tone for this year's Black Hat Europe, Jeff Moss (@thedarktangent), the founder of Black Hat, kicked off the conference by urging attendees to account for how attackers operate in the real world.
"The most dangerous thing is defenders who never get real information from actual attackers ... the real people doing the real attacks," he said in his introduction to the conference's keynote presentation.
Blend Blue and Red Thinking
Amanda Rousseau (@malwareunicorn), an offensive security engineer at Facebook, in her opening keynote speech, urged organizations to make better use of red teams as well as an adversarial mindset for testing and refining defenses (see: Cybersecurity Defenders: Channel Your Adversary's Mindset).
Rousseau is a member of Facebook's "red team," which is military parlance for insiders who run mock attacks against the organization and its "blue team" defenders, so that vulnerabilities can be identified, prioritized and remediated (see: Cybersecurity Defenders: Channel Your Adversary's Mindset).
Don't Trust Your Tools
Take it from an offensive hacking expert: One of the most dangerous results of failing to have an adversarial mindset is having an over-reliance on one's tools.
"We have this assumption that our tools work as intended," Rousseau said, pointing for example to tools for whitelisting applications, which add a security layer predicated on specifying which applications can run, and blocking everything else.
Whereas defenders might trust in the tool to do just that, she said attackers will test ways it can be exploited. "The offensive mindset will think, maybe I should test this framework to see how many things are whitelisted, and work within those bounds," she said.
One benefit that red teams can provide, she said, is to help identify these blind spots and practice realistic attacks against such tools to help unearth not only vulnerabilities in defenses but also defensive thinking.
Don't Trust PDF Encryption Either
Should you trust your PDF readers and PDF-generating software to encrypt PDFs? This year's briefings included a session from two security researchers who explored the answer to that question. "We tested 27 PDF viewers and found all of them vulnerable to at least one of our attacks," researcher Jens Müller of Ruhr University Bochum said during the "How to Break PDF Encryption" briefing he co-presented with Fabian Ising of Münster University of Applied Sciences.
"So we differentiated between attacks with no user interaction and those with user interaction," he said. "That might mean clicking something in a document, so the whole page was a link, for example."
False Flag Operations Can Offer High Returns
Another briefing featured returning Black Hat Europe presenter Jake Williams, who formerly worked for the U.S. National Security Agency's offensive hacking team and now heads Georgia-based consultancy Rendition Infosec. He talked about the ease of running a false flag operation, compared with the difficulty of correctly attributing attacks.
False-flag operations, Williams said, typically have one of the following goals: distracting investigators, sowing doubt, delaying investigations or convincing investigators that a false flag is really a real flag, which Williams said is "really, really hard" - although not impossible - to do against experienced investigators. Although when attackers do manage to trick investigators, it's bonus-round time, because those same investigators will tend to not rethink their conclusion for a long time, he said.
Sowing doubt is a tactic that continues to be wielded or used in multiple ways - not just for false flag operations. "Just look at Russia and Ukraine - because obviously it's not Ukraine interfering in the elections, it's Russia, and yet, a huge part of the population in the U.S. believes that it may have been Ukraine running a Russian false-flag operation," he said (see: Why Did Trump Mention CrowdStrike to Ukraine's President?).
Physical Security Concerns
Attendees at the conference again this year had to clear a security and bag-check cordon. While Black Hat Europe is primarily focused on cybersecurity, physical security is always a concern in London. This year's conference ran just days after a horrible London Bridge attack left two victims dead and others injured.
Once inside the ExCeL conference center, front and center was the Black Hat Europe conference business hall. The hall featured 60 vendors - from Allied Telesis, ARCON and Attivo Networks to Veracode, XM Cyber and Yubico, offering insights into their products and services as well as tchotchkes galore. The hall also hosted deep-dive Arsenal demonstrations, vendor briefing theaters as well as the all-important lunch break area.
Beyond the approximately 40 briefings that were selected by the Black Hat Review Board, another 25 vendor-sponsored sessions took place in the business hall, alongside vendors' booths, in two business hall presentation theaters. Topics ran the gamut from rounding up recent big cyberattacks and the state of internet of things security to using artificial intelligence for data leak detection and how to deploy deception technology.
Hardware Hacking Is Fun
Among the many vendors, IBM's X-Force Red returned to the business hall with two hardware-hacking demonstrations. One attack simulated the ease with which an attacker could read an employee's workplace access card and use the readings to create a card designed to spoof access-control systems. Extra points go to the attendee who was attempting to make the RFID chip he'd surgically implanted in his hand double as the fake access card. Alas, the testing array would have needed an extra antenna coil - of the type used in contactless payment card systems - to be able to read the implanted chip.
Deep Technical Dives via Arsenal
The business hall also featured Arsenal, which is designed to allow researchers and the open-source community to deliver live demonstrations of tools they develop and use. This year's Arsenal featured nearly 50 tools covering topics ranging from Amazon Web Services post-exploitation tools and digital forensic toolkits to tools for drone hacking and foiling machine-learning models.
Active Directory Security
One of the most popular Arsenal presentations this year was delivered by IT security researcher and trainer Michael Grafnetter, following his Dec. 4 briefing, "Exploiting Windows Hello for Business." As noted in his briefing, Microsoft in Windows 10 and Server 2016 introduced Windows Hello for Business, which allows for password-less authentication in Active Directory-based environments. But unfortunately, the new feature also included "a new type of persistent Active Directory backdoor," leaving many organizations vulnerable (see: Why Hackers Abuse Active Directory).
The solution, he said, is to ensure that everyone who uses on-premises Active Directory employs auditing to ensure they're not using weak keys from outdated Trusted Platform Modules.
I don't want to discourage you from using Windows Hello for Business - it is a really good technology, an interesting technology, a hundred times better than passwords," he said in his briefing. "Just take ... precautions."
In his Arsenal slot, Grafnetter demonstrated DSInternal, a PowerShell module he built to provide AD administrators with better auditing and other capabilities.
What's Helping Defenders?
Black Hat Europe is also a great place to spend time with cybersecurity experts outside of briefings and demonstrations. For example, Moss, in an interview at the conference, amplified keynoter Rosseau's takeaways, saying the state of cybersecurity has continued to improve as organizations have used information about real-world attacks to make their defense better. But he says that's been a long time coming (see: How the Adversarial Mindset Is Making Cybersecurity Better).
"This idea of the adversarial mindset stems from: People who started in attack and moved to defense were stunned to find how crazy the defense people were," Moss told me. "They were really smart; they just weren't doing things that really mattered ... [because they were] disconnected from reality," he says, too often because they didn't have good information about how criminals or government attackers were hacking them.
What's changed in recent years has been large incident response firms - the likes of Mandiant and CrowdStrike, among others - investigating cybercrime and nation-state attacks, and then publicly releasing the results of those investigations. As a result, organizations have been able to learn from real-world hack attacks to refine their defenses.
Black Hat Europe includes an annual closing "locknote" panel bookending the opening keynote by discussing key takeaways from the conference and upcoming cybersecurity challenges at the end of the briefings. The locknote is led by Moss, who invites several Black Hat review board members to serve as panelists.
"So is it all AI and ML and unicorns?" Moss asked panelists Leigh-Anne Galloway, Daniel Cuthbert and Marina Krotofil.
"We saw plenty of submissions on fuzzing and AI," Galloway (@L_AGalloway), a security researcher at Positive Technologies, replied.
Organizers said they received a record number of submissions for proposed briefings this year; of course not all could make the final cut. While two of this year's briefings focused on fuzzing, none of the accepted briefings were focused on artificial intelligence or machine learning. But the unicorn checkbox could said to have been ticked by keynoter Amanda Rousseau's @malwareunicorn Twitter handle.
Phew what a day. I'm just happy I didn't end up puking on stage. I'm proud to say that I'm actually 3 months pregnant. I guess baby's first blackhat.— Malware Unicorn (@malwareunicorn) December 4, 2019
Security: Prioritize the Basics
Another notable trend that the review board saw was too much of a tendency to focus on over-engineered approaches, and too often, products that Cuthbert (@dcuthbert) - global head of security research for Banco Santander - said turned out to be snake oil.
His solution: Prioritize the security basics. "Basic isn't sexy. Go to RSA. You're going to see something that fixes cancer," he said. "And the problem is, that sells."
Black Hat Europe 2020
What will be hot - or not - next year? For the answer to that question, hit Black Hat Europe 2020, which has been scheduled to run again at the ExCeL, from Nov. 9-12, 2020.
Photographs by Mathew Schwartz.