Is defense the 'new Black (Hat)'? Notes from 2017's 'security summer camp'

Every year, security pros of every stripe converge on Las Vegas to immerse themselves in three of the industry's most distinctive conferences: Black Hat, the largest and most commercial; DEF CON, which primarily serves the hacker community; and BSides, which provides a venue that lets the security community speak for itself. Together, these conferences represent the range and variety of interests that characterize the flourishing world of security – and in this variety, a lot can be learned about the nature of security and its practitioners during security's annual 'summer camp' in the desert.

The 451 Take

While Black Hat and DEF CON in particular have historically catered primarily to breakers, this year, Black Hat went out of its way to shine a spotlight on defense, while BSides has consistently engaged defenders among the representatives of the community as a whole that it primarily serves. This blending across all three conferences of the findings of breakers with serving the needs of builders and defenders exemplifies the growing maturity of the industry, further exemplified by Black Hat's celebration of its twentieth year. Admirable as that emphasis may be, however, security summer camp still shines a spotlight on technology's vulnerabilities – and Black Hat itself has a way to go to deliver on its new commitment to defense. We'll expand on these observations and more from this year's security summer camp in this spotlight and others to follow.

Defense sets the keynote
One of the most prominent themes of Black Hat was the tone set by the keynote from Alex Stamos, chief security officer of Facebook since 2015. At this twentieth Black Hat conference, Stamos described how the field of information security has matured – and how enabling more effective defense must become a priority. This is a departure from the focus around which Black Hat, DEF CON and similar events grew up, namely giving a platform to innovation in exploiting technology's security weaknesses. Because of this emphasis, presenters and participants have faced varying degrees of opposition over the years, which has sometimes contributed to the perception of security researchers as technology's 'wild bunch' (a reputation not exactly rejected by many).

But as security has evolved, that perception has evolved as well, toward an understanding of the vital service that security researchers render to the wider technology industry. Researchers are only illustrating what adversaries can (and often will) do to threaten vital technology, and what they can share with defenders about how technology can be exploited is essential to understanding how security can be improved.

Stamos highlighted how a maturing security industry has also brought those who may have begun as hackers into roles where they are now responsible for improving defense and strengthening technology for their organizations – and that this should now be a primary focus of industry events and efforts that reflect this evolution. The credibility of Stamos' message is underscored by his own reputation as one who has stuck his own neck out for an ideal – something that those who have grown along with the industry can identify with, especially those who have faced pressure to mute their own findings.

The emphasis on better enabling defenders has become increasingly prominent among security conferences, including more recent venues such as the O'Reilly Security Conference in New York, for which defense is the primary focus, so Black Hat isn't the first to embrace the idea. But Black Hat's emphasis is significant, since the event first emerged as one of the more visible venues for attack research, and that reputation lingers despite Black Hat's growth and increasing commercialization, and despite the emergence of other, sometimes 'edgier,' events for the hacker community.

Do actions speak louder than words?
With defense now such a priority, one would think, therefore, that there would be much airtime given at Black Hat to building and reinforcing more secure IT. And there were indeed sessions that focused on significant areas of attention and interest for greater cooperation between technology developers, administrators and security teams, such as better integration of security into DevOps organizations.

But despite Black Hat's new emphasis on the defender, the message seems to have yet to find its way to the rank and file of conference organizers. While the largest rooms for talks were still given over to topics such as hacking 'smart' door locks, a session on how development, operations and security teams can cooperate more effectively in DevOps environments was presented in a room perhaps a third the size of the largest venues – and this particular session was not just standing room only, but filled with people who lined every wall shoulder to shoulder to hear how they could contribute to building not just better, but faster. If Black Hat truly believes what it invited Alex Stamos to say, there will need to be more evidence of it in future years.

In the desert, IoT remains hot
Notwithstanding the heightened visibility of defense, security summer camp week remains largely the world of the hacker, with an emphasis on IoT currently in vogue. There were a number of talks on IoT themes at Black Hat, in addition to several training courses designed to bring technical security pros up to speed on understanding issues and finding exposures in IoT environments. Among briefings of note, WhiteScope founder Billy Rios and Jonathan Butts, committee chair for the IFIP Working Group on Critical Infrastructure Protection, gave a presentation on hacking an automated car wash – an industrial control system in microcosm – to demonstrate the harm systems such as robotics could inflict when compromised (including video of a car being attacked by a car wash system under the presenters' control).

IOActive's Lucas Lundgren, meanwhile, continues to speak about the exposures of MQTT, a widely adopted 'lightweight' publish/subscribe protocol designed to enable messaging on systems that are often resource-constrained – which makes it ideal for a wide range of IoT deployments. According to the description of his Black Hat session, Lundgren almost stumbled upon MQTT in his vulnerability testing, but has since found a lot of it, with 87,000 internet-exposed instances discovered most recently (up from 59,000 a year ago). He presented examples of the ability to read data from a gas and electrical utility system, a train station's departure information, a particle accelerator and even a Tesla car (which does not formally support MQTT). And in keeping with the defense theme of the conference, Lundgren emphasized that the exposure is not so much a flaw in the protocol itself as a consequence of weak controls on access to brokers: MQTT 3.1.1 supports a username and password in the CONNECT packet, but many deployments accept anonymous connections, and credentials sent without TLS travel in cleartext. This, in turn, led to highlighting the value of associating devices with strong authentication such as client certificates, together with topic-level access controls on the broker. The implementation of cryptography to secure IoT is itself a significant area of focus, and one we expect to have a primary impact on the evolution of IoT security.
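The point Lundgren makes is that the broker, not the protocol, decides whether an unauthenticated client gets in. A defender can test that decision directly: an MQTT 3.1.1 CONNECT with no username or password, followed by reading the CONNACK return code, tells you whether anonymous access is allowed. The script below is an added example written for this spotlight, not code from Lundgren's research or from any MQTT project; it builds the CONNECT packet by hand from the MQTT 3.1.1 wire format, parses the CONNACK, and the `probe()` function (which assumes a broker reachable on the hypothetical host you pass it) reports the result. Return code 0 from an unauthenticated CONNECT means the broker accepts anonymous clients; 4 or 5 mean authentication is enforced.

```python
"""Check whether an MQTT 3.1.1 broker accepts an unauthenticated CONNECT.

Added example for this article; not taken from any MQTT library or from
the research described above. Only the standard library is used.
"""
import socket
import struct

# CONNACK return codes defined by MQTT 3.1.1, section 3.2.2.3.
CONNACK_CODES = {
    0: "accepted (anonymous access allowed)",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad username or password",
    5: "not authorized",
}


def encode_remaining_length(n):
    """Encode an MQTT variable-length integer (1 to 4 bytes, 7 bits each)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80  # continuation bit: more bytes follow
        out.append(byte)
        if n == 0:
            return bytes(out)


def encode_string(s):
    """MQTT UTF-8 string: 2-byte big-endian length prefix plus the bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_connect(client_id, username=None, password=None, keepalive=10):
    """Build a CONNECT packet; omit username/password for an anonymous probe."""
    flags = 0x02  # Clean Session
    payload = encode_string(client_id)
    if username is not None:
        flags |= 0x80  # User Name Flag
        payload += encode_string(username)
    if password is not None:
        flags |= 0x40  # Password Flag
        payload += encode_string(password)
    variable_header = (
        encode_string("MQTT")           # protocol name
        + bytes([0x04, flags])          # protocol level 4 (3.1.1), connect flags
        + struct.pack("!H", keepalive)  # keep-alive in seconds
    )
    body = variable_header + payload
    # Fixed header: packet type 1 (CONNECT) in the high nibble, then remaining length.
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connack(data):
    """Return (session_present, return_code) from a CONNACK packet."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    session_present = bool(data[2] & 0x01)
    return_code = data[3]
    return session_present, return_code


def probe(host, port=1883, timeout=5.0):
    """Send an anonymous CONNECT to host:port and report the broker's answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("anon-access-check"))
        _, code = parse_connack(sock.recv(4))
    return code, CONNACK_CODES.get(code, "unknown return code")


if __name__ == "__main__":
    import sys
    # Hypothetical target; point this at a broker you are authorized to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "broker.example.internal"
    code, meaning = probe(target)
    print(f"{target}: CONNACK return code {code}: {meaning}")
```

Run it only against brokers you own or are authorized to test. A return code of 0 on the plaintext port is the finding Lundgren describes; the fix is on the broker side (for example, disabling anonymous access, moving clients to a TLS listener that requires client certificates, and restricting topics with an ACL), after which the same probe should return 5 or be refused at the TLS handshake.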

Something for everyone (and more to follow)
The endpoint arena continues to be a highly active (and often frothy) space in infosec, and with Black Hat as one of the industry's largest conferences, it was in full evidence as it was earlier in the year at RSA. The endpoint is just one of the areas where the topic of machine learning and analytics often takes center stage, as it increasingly does in other areas of security – and of course, 'the cloud' is inescapable. Surrounding it all are the usual antics to be found at a typical tech con - but do these antics reflect the maturity of which Black Hat is so (rightly) proud?

The 451 Research security team will have more to say about these areas and further takeaways from security summer camp 2017 in additional spotlights.

Scott Crawford

Research Director

Eric Ogren

Senior Analyst

Garrett Bekker

Senior Security Analyst
