Black Hat basics: Ruminations on 19 years of Black Hat Briefings

Las Vegas in August. Common sense might suggest those things go together about as well as wearing mohair in the Mojave. From a security perspective, however, it means making the annual pilgrimage to the land where what happens there stays there, to participate in the week-long activities surrounding one of the oldest standing (and best) security conferences: the Black Hat Briefings.

It is said that a smart person learns from past mistakes, while a wise one learns from the mistakes of others. In an era in which the world seems to be burning in front of our eyes, and one in which the threat of cyberattacks has become as common as the myriad of emails from wealthy African princes waiting to share their bounty with each of us if we just send money, it's sometimes a good thing to look at how we got to where we are, what we can learn from our experience, and what we can pass on to the next generation (so that maybe they can improve on what our peers began!).

I remember sitting at what was then the Conrad Hilton ("Chicago Hilton Towers") at the CSI annual conference in 1998, dining on bow-tie pasta with my long-time friends, Black Hat Founder Jeff Moss, and Adam Shostack. We were discussing how to advance the two-day event prior to Jeff's Def Con security forum into a bona fide gathering of deeply-rooted security scientists who would convene to share their break-throughs and break-ins in two days of break-out sessions.

That was the 1990s and everybody, it seemed, wanted a piece of the action in the fledgling and already over-vendored world of Information Security, so money wasn't the issue, especially for vendors who were trying to garner the graces of Gartner, Giga, Meta and the other groups who quickly competed to define the parameters of a "Comprehensive IT Security Solution." Jeff's young event, the same age as my youngest daughter, who was born shortly after DefCon 5 in 1997, took place around a couple of folding tables in a small conference room in the Aladdin Hotel. The topics included secure coding, Windows NT, ActiveX, firewalls not being enough, and cryptography. Wow, 19 years later and we're still seeing some of the same problems.

Since those humble beginnings, billions of dollars ($75 billion, according to Gartner), have been routed through CFOs' budgets, developing, buying and selling tech, tools, teams and whole companies, all in an effort to combat these things called polymorphic viruses, malware, DDoS attacks and APTs. And faster than we could see Marcus Ranum in the parking lot hawking T-shirts, Mudge in a suit, another "Free Kevin" bumper sticker, or watch while DilDog and Sir Dystic reveal their latest achievements in the latest CDC iteration of Back Orifice, we now find ourselves in a full-fledged conflict that was born out of the very tools we developed to make our lives easier.

The once dominating demises brought on by Stacheldraht, NIMDA, SynFlood, Code Red, Red Button, and  the ever-present Blue Screen of Death, have either grown into something new or have gone by way of XP, NetWare and the dodo, to be replaced by the likes of Black Energy, Conficker, Duqu and Stuxnet. Where there were once just pockets of “interest groups” looking at how to manipulate (and exploit) code, whole nations now invest sanctioned funding to find ways to challenge the confidentiality, integrity and availability of this and other countries' crown jewels.

And Jeff? His gathering in the desert--whose origins were loosely connected to a bunch of really smart, innovative guys who shared a common affinity in carrying on where Robert Redford's character in Sneakers left off (and possibly getting together before Burning Man), it has become a commercial success that is now convening for the 19^th year. Back then, I’d have said somebody check my brain if they told me I was going to be invited to a “sponsored concert” at the House of Blues with Alice in Chains.

What to look for at Black Hat 2016

Way back when, Jeff, Adam and 15 of his friends--some of the smartest men in the fledgling computer security industry--provided the two-day fare. This year attendees will find career tracks, business networking events, a book store, a CISO summit--even a forum that discusses the "Black Hat Student Scholarship Program."

While the likes of Priest and his incredibly hospitable "Goons" are gearing up for another DefCon that follows Black Hat, and Mark Hardy prepares his fourth iteration as the heir-apparent to security legend Winn Schwartau's beloved-but-dubious Hacker Jeopardy (aka, two days of drinking shots on a stage while answering really hard questions about the taxonomy of IT security), CSOs and high-level executives attending this week's Black Hat Briefings would do well to look at a couple of key activities that will more than justify the expense of the entry fee--and the hangovers most will have after Thursday (and before DefCon, as BHB parties are legendary):

1. Meet the vendors
   Despite the fact that there are scores of vendors pining for the attention of attendees (present company guilty, since I supported the very first "Gold Sponsor"  funding for Jeff's little soir?e in 2000, with our RAZR Team at BindView), the fact that the vendors share a common interest in solving problems, attendees would do well to take advantage of learning what's new from among the ranks of the polo-clad Booth Babes and Demo Dudes. It's a great way to learn who's taking the bleeding edge to new levels, and who's just showing up because some young CFO wants to play the tables during a summer boondoggle.

2. Network, network, network.
   Not because you might be looking for a new gig, but because the Black Hat Briefings attract the sharpest minds in the business--beyond the bus-dev barons and product pitchmen that abound at RSA. While Jeff may be a bit harder to track down, and Winn may be willing to swap stories of his original treatise on a "Electronic Pearl Harbor" over a cold drink, BHB is a venue where the exchange of how things work--and even better--how to make things stronger by uncovering their weaknesses--provides a forum where veteran CISSPs, security architects looking for a better mousetrap, and "Black Hat Virgins" may mingle without fear of violating some artificial corporate food chain, in an effort to exchange ideas, tech breakthroughs and fresh ideas at how we migrate from TIOT to The Internet of Community.
   

3. Catch Jeff's opening presentation.
   As the founder and host, Jeff provides a sense of perspective on the lay of the land. And if you're at all connected with protecting Internet access/assets/archives/artifacts, then Dan Kaminsky's presentation on how we could lose our ability to rely on the backbone of the Internet is worthy of prophetic study. And don't be surprised if you see other IT security legends popping in and out, like Bruce Schneier, Peter Shipley, or even American Cryptography's pioneer, Whitfield Diffie.

4. Guardians of the Group Policy?
   If you have anything to do with Active Directory, catching Sean Metcalf's presentation will shed some insight on how to better defend against the Microsoft Group Policy glitch (“Group Policy Attack”). Sean is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at numerous hacker events, including Black Hat and DEF CON.

5. It’s all about the “People.”
   So often we will hear organizations talk about "People, Process and Technology" as the trifecta for balancing a good security posture, but then we focus so much time and effort on the "Tech" and often overlook the one common denominator that causes the greatest problems: "People." Chances are most Americans have never heard of University of Erlangen-Nuremberg's Dr. Zinaida Benenson. Her work on behavioral characteristics of more than 1,600 social network users, and how they respond to content could shed some light on how to better evaluate the origins of insider threats and the general characteristics of user behaviors within an organization. (Here’s her synopsis)

6. Meet Mudge.
   Since 1997, Mudge (aka DARPA's Peiter Zatko), has been a staple in the Black Hat/Def Con line-up, and his work on matters of Homeland Security, with DARPA, and of course--L0pht Heavy Industries--have provided benchmarks the industry still turns to. Be sure to catch his presentation on his "CITL" non-profit, government-backed initiative. While involved with the L0pht, Mudge contributed significantly to disclosure and education on information and security vulnerabilities. In addition to pioneering buffer overflow work, he was the original author of the password cracking software L0phtCrack.

7. Beyond “Flo” and little green geckos.
   Another legend in the Black Hat family, and an executive in his own right--Jeremiah Grossman, formerly of White Hat and BugTraq fame--will be speaking on cyber insurance and the growing paradox organizations face when trying to address the insurable factor associated with cyber attacks. "While some security companies provide good value, the reality is the number of incidents are still getting worse and more frequent," writes Jer. As CSOs and other C-suite leaders are moving away from ROSI and more into a posture of investing funds in defending their infrastructures, Jeremiah's presentation will shed some light on a growing concern about how to evaluate the insurability of cyber assets.

8. What’s in your grids?
   In light of such heavy regulation as defined by NIST, FERC and NERC-CIP, Industrial Control Systems and the risk of compromise is becoming a point of continued concern. The conflicts between Russia and Ukraine have transcended from the battlefield to the grids. In December Ukraine experienced a comprehensive three-pronged attack on their power grids by a yet-to-be-disclosed entity. Homeland Security, in cooperation with utility and energy companies across the U.S., held by-invitation-only presentations to discuss the attack, and what could be learned for better defense of our grid system. Dr. Ken Greers from the NATO Cyber Center will present further analysis on the Russia-Ukraine cyber-conflict as part of a NATO-funded study. For CSOs who have to keep an eye on the soft underbelly of the grids, the presentation on ICS security on Thursday may offer some insight as to why the "Cyber Kill Chain" and "Intelligence-driven Defense" are becoming the new watch-phrases for protecting ICS-centric operations and addressing Advance Persistent Threats. (Here's a great video on more about both issues and how threats relate to defending ICS-dependent systems).

9. Got incident response?I would be remiss were I not to include something about the necessity of understanding the advantages and risks associated with migrating some or all of an organization's operations or assets into a cloud-based infrastructure. Thursday's briefing by McCormack and Krug on how "Incident Response procedures differ in the cloud versus when performed in traditional, on-prem environments," highlights the need to "properly configure an AWS environment and provide tools to aid the configuration process."

10. And finally. . .
    

    Just for kicks and giggles, lose the logo shirts and head up the Strip to DefCon 24, which follow the BhB. This year, DC24 takes place at the Paris and Bally's on Friday and Saturday. Although the annual DefCon hacker conference is not the granddaddy of hacker events, most would say it is the Godfather of gatherings for multiple generations of geeks, phreaks, sages and script kiddies. The breakout sessions are just as numerous as the BHBs, but with a tinge of a post-Metallica back stage party, and where "black" is--well, the new black. And grab four of your pals and try out for Hacker Jeopardy!

While there are a total of 118 sessions over two days (in comparison to the original 16 that were offered in 1997), Jeff's techno-party in the Nevada Oasis has become the staple in deep-diving into the realm of the fastest-growing sector of IT, and a contributor to new industry career paths (including the role called "Chief Security Officer"). Although our industry has come a long way from those "early days" in the late 1990s, when Becky Base was first funding IDS companies out of the NSA, and Deb Radcliff's award-winning "Barbarians at the Firewall" appeared in Byte (and drew the attention of a brand new "Cyber Unit" out of San Francisco's FBI field office), the core problems surrounding our increasing dependency on The Internet of Things means thinking in often abstract ways to address problems and defend our critical infrastructures.

And that is why Jeff Moss' Black Hat Briefings, and the annual pilgrimage to Las Vegas at the height of the heat is worth the price of admission!