Chains and Puzzles: the 2021 Black Hat keynotes
The Black Hat USA security conference took place this week, kicking off with a pair of keynote talks about some of the biggest issues in cybersecurity. The 2021 Black Hat keynotes focused on the growing menace of supply chain attacks — and on the kind of collaboration required to deal with today’s worsening threat landscape.
Why Black Hat matters
Black Hat USA is one of the biggest events in cybersecurity. It brings together vendors, security researchers, and experts from all around the world for a week of briefings, talks, and training.
As such, it’s a good way to put your finger on the pulse of the infosec world. The conference lets you see what people in the industry are talking about and working on. It’s also relevant to people who don’t work in cybersecurity — because it’s a great way to get a sense of what the future of security looks like!
Matt Tait’s Black Hat keynote
Matt Tait, COO of Corellium, gave the first Black Hat 2021 keynote. Tait’s talk, “Supply Chain Infections and the Future of Contactless Deliveries”, focused on the growing threat of supply chain attacks.
A supply chain attack occurs when a bad actor compromises software or a software component used by many different organizations. Because the compromised component is already trusted, the malicious code flows downstream to every organization that uses it. Importantly, the attacker can do this without having to directly compromise those organizations. The effects of a supply chain attack can be far-reaching and severe. Last year’s massive SolarWinds hack was a supply chain attack, as was the recent Kaseya ransomware attack.
But as bad as those incidents were, Tait believes that attackers are just getting started with supply chain attacks. Security news outlet Dark Reading quotes Tait as saying:
It’s likely to start to escalate in the coming months and years. And when something really big happens … everything else will look like complete peanuts.
Fixing the problem
Tait says that it’s up to platform vendors to help improve security and prevent supply chain attacks. One specific way to do this would be for Windows to restrict app permissions. That wouldn’t necessarily stop malware infections, but it could help to contain the effect of malicious code.
Tait also says that vendors need to do more to help mobile security researchers. This should probably be read as a call-out of Apple even more than Google. SecurityWeek quotes Tait as saying:
There’s an enormous amount of exploited zero-days being detected in the wild and no device observability. This should be a wake-up call to all of the platform vendors. It’s deeply disturbing that we know that there’s massive amounts of zero-day being exploited against mobile platforms and we have no forensics on devices in order to collect this data.
Apple has long been resistant to attempts to let security researchers see “under the hood” of the iPhone. In fact, in 2019 the company sued Corellium for copyright infringement over its iOS virtualization technology. Tait says that security researchers should be able to scan mobile apps for malicious code. He also wants them to be able to install security and forensic software on mobile devices.
It’s unclear whether Apple and other vendors will be receptive to Tait’s proposals. One thing is certain, however. The worsening threat landscape will necessitate greater collaboration between cybersecurity agencies, vendors, and third-party researchers. That kind of teamwork was the subject of the second of the 2021 Black Hat keynotes.
Jen Easterly’s Black Hat keynote
Jen Easterly is Director of the Cybersecurity and Infrastructure Security Agency (CISA). CISA is a U.S. federal agency tasked with improving the nation’s cybersecurity.
Easterly gave a talk entitled “Hacking the Cybersecurity Puzzle”. It focused on how the government, private sector, and individuals can work together to fight back against bad actors.
In her remarks, she announced a new CISA initiative known as the Joint Cyber Defense Collaborative (JCDC). The JCDC aims to build up the United States’ cyber defense capabilities and planning through a strategic partnership between the government and the private sector.
According to a CNN report, the joint effort “will initially focus on combating ransomware and cloud provider incidents” and includes security and cloud services firms like “Crowdstrike, Palo Alto, FireEye, Amazon Web Services, Google, Microsoft, AT&T, Verizon, and Lumen”.
Education and encryption
Easterly also talked about the need to develop the nation’s cybersecurity talent pool, addressing the longstanding issue of the cybersecurity skills gap. Easterly indicated that under her leadership, cybersecurity education will be key:
I believe we need to be much, much more ambitious about this and innovative about figuring out how to inform and educate and really inspire the next generation of cybersecurity professionals from the youngest of ages.
Easterly also signalled her support for strong encryption, something close to the heart of the infosec community. This is significant, as strong encryption has come under attack from U.S. politicians and law enforcement in recent years. There have been a number of high-profile clashes between Apple and the FBI, demands for encryption backdoors, and even legislative threats to encryption like the EARN IT Act.
While she acknowledges that not everyone in Washington agrees with her, Easterly says:
We have to have strong encryption to be able to ensure the defense of our networks. It’s foundational, as everybody in this audience knows … I recognize there are other points of view across the government, but I think as the CISA director and me, personally, I think strong encryption is absolutely fundamental for us to do what we need to do.
The future of cybersecurity
The 2021 Black Hat keynotes offer an insider’s view of the current cybersecurity threat landscape.
There are clearly some very serious dangers out there — and in one sense, it’s fair to say that things are getting worse. But along with that, there’s also the recognition that things need to change, and that we have to be more deliberate about working together to defend ourselves against the bad guys. And interestingly, the calls for collaboration aren’t just coming from security researchers anymore, but from the highest levels of government as well.
Only time will tell if Tait and Easterly’s vision of a safer future will come to pass, but we find ourselves wholeheartedly in agreement with the idea that community and collaboration are the only way forward.