Many cybersecurity challenges are enduring, yet practitioners must also keep up with the evolving scale of threats, including the rapidly growing global impact of AI-related issues.
“A lot has changed in cybersecurity, but a lot has also stayed the same,” Jeff Moss, founder of the Black Hat and DEFCON conferences, said during his opening talk at Black Hat USA 2023.
With this maxim, he reminded the cybersecurity community that the usual suspects, especially Russia and China, are still making the cyber headlines, and so are ransomware, distributed denial of service (DDoS) attacks and cyber espionage campaigns.
What has changed is the scale of these threats.
“Digital problems are now global problems, and now AI problems are quickly becoming global problems,” he added.
While AI has once again been front and center of conversations at Black Hat, the event has also reflected on other trends that dominate the cybersecurity threat landscape in 2023.
Infosecurity has selected five highlights of this year’s edition.
1. Adversaries Shifting to Identity-Based Attacks
CrowdStrike’s Threat Hunting Report showed that identity theft has established itself as the primary initial access method for threat actors in 2023, with 80% of breaches now involving the use of compromised identities.
According to Adam Meyers, CrowdStrike’s senior VP of intelligence, this is due to advances in enterprise security, especially endpoint detection and response (EDR) solutions, which “made it more difficult for threat actors, ransomware groups as well as nation-state groups, to accomplish their goals, bring their own tools and stay in one particular network without getting detected.”
Speaking to Infosecurity during Black Hat, Josh Lemos, appointed as GitLab’s CISO in June, agreed with Meyers, adding that the big cloud – sometimes multi-cloud – migration was also a factor for this new trend.
“As an industry, we’ve eventually gotten good at mitigating some of the threats, like ransomware – which still happens frequently but does not have the success it used to have. However, we’ve been lacking in identity and data security. These are where we should now focus our efforts,” he said.
2. US Government Pushing for AI Self-Regulation
One of this year’s Black Hat high points was the surprise announcement of the AI Cyber Challenge, a two-year competition led by the US Defense Advanced Research Projects Agency (DARPA) to create a new generation of AI-powered cybersecurity tools for securing US critical infrastructure and government services.
While the initiative is entirely funded by DARPA, the White House has also brought several generative AI firms on board (Anthropic, Google, Microsoft and OpenAI), which will make their technologies available and bring their expertise to help the competitors.
By committing to this, these companies are showing their willingness to use their expertise for the greater good, which was one of the voluntary commitments they promised the US government in July.
Earlier this year, the Biden administration announced a commitment from several AI companies to participate in an independent, public evaluation of large language models at DEFCON 2023 – which will be attended by the White House’s director of the Office of Science and Technology Policy, Arati Prabhakar.
3. Generative AI: Brace Yourselves for the Future
In a well-sourced and articulate keynote speech, security researcher Maria Markstedter (aka Azeria) explained that the current concerns around the use – and misuse – of generative AI models could be just the tip of a forming iceberg.
She argued that, with businesses' growing interest in integrating generative AI in their workflows, we will quickly shift from using external AI-powered chatbots to developing multi-modal, autonomous agents.
“To achieve this vision of using multi-modal, autonomous agents for business use cases, however, organizations will have to grant them access to a multitude of data and first-party applications, which means that the notion of identity access management has to be re-evaluated, as well as how we assess data security,” Azeria said.
She concluded that organizations’ threat models “will eventually be turned upside down.”
Black Hat did not lack briefings exploring how LLMs are used for malicious purposes.
Interestingly, however, in almost all the AI talks the Infosecurity team attended, the speakers chose to end their presentations with the opportunities AI offers cybersecurity practitioners. Presenters clearly did not want to leave the audience with the feeling that doomsday is near.
4. Know Thy Enemy: MITRE’s Effort on Understanding Adversaries
Black Hat USA 2023 was an opportunity for MITRE, the non-profit that created the widely used ATT&CK framework for mapping threat actors’ tactics, techniques and procedures (TTPs), among other things, to showcase what it has been working on.
Much focus within MITRE seems to be dedicated to better understanding adversaries.
In a session titled ‘Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations,’ Cat Self, the non-profit’s principal adversary emulation engineer, and Kate Esprit, senior cyber threat intelligence analyst at MITRE, outlined in extensive detail how they emulated the attack processes and TTPs of BlindEagle (aka APT-C-36), a Latin American APT targeting organizations in Colombia, Ecuador, Chile and Spain.
Speaking to Infosecurity before their talk, Esprit said the duo wanted to “better socialize our process and methodology and get the word out there to empower other users and bring together CTI practitioners and red teamers to understand how their adversaries think.”
In another talk, MITRE’s Mirage team presented the results of a research project showing how autonomous, AI-enabled adversaries could operate.
5. White Hats Are Creative Too
The cybersecurity industry tends to emphasize how creative and adaptable threat actors are.
Black Hat was an excellent opportunity to show that security researchers and other cybersecurity professionals also have a creative streak.
In a much-awaited presentation, Carlo Meijer, Wouter Bokslag and Jos Wetzels, from Dutch consultancy Midnight Blue, shared how they discovered multiple critical zero-day vulnerabilities in Terrestrial Trunked Radio (TETRA), a set of European standards for trunked radio globally used by government agencies, police, prisons, emergency services and military operators.
The issues, dubbed TETRA:BURST, are relatively easy to exploit and could reportedly allow Mexican cartel members to eavesdrop on police officers, for instance. Some of the vulnerabilities have no patches available.
During their talk, the Midnight Blue researchers heavily criticized the European Telecommunications Standards Institute’s (ETSI) response to the findings, as the organization had downplayed the criticality of these vulnerabilities.
In another talk, Or Yair, a security researcher at SafeBreach, showed how he turned OneDrive into a ransomware delivery mechanism that encrypts sensitive files without his own code ever encrypting a file on the endpoint.
For this, he developed DoubleDrive, a cloud-based ransomware that SafeBreach describes as fully undetectable and that uses OneDrive to encrypt local files located outside OneDrive’s own directory.
DoubleDrive runs without elevated privileges and bypasses decoy-file detection, Microsoft’s Controlled Folder Access and OneDrive’s ransomware detection before wiping the 500 previous versions OneDrive keeps of each file and emptying OneDrive’s recycle bin, making file recovery impossible.