One of the biggest security events of the year, Black Hat, has finished. As always it was full of interesting talks, trends, products and news. This year the core theme that surrounded the conference was, undoubtedly, the huge increase in supply chain and ransomware attacks we have seen over the past 6 to 12 months.
If you missed the event, or were too busy ‘networking’ to get to all the presentations, here is a review of some of the most interesting insights from Black Hat 2021.
Economics of supply chain attacks change the game
From the opening moment at Black Hat, founder Jeff Moss set the tone of the conference by immediately talking about how supply chain attacks are one of the biggest threats the cyber community is facing.
Drawing a parallel with the Covid-19 pandemic, Moss used the concept of immunization, and the stages of immunization we need to reach as a community to be safe, and related it back to the software supply chain.
“We all rely on the supply chain being fully immunized but the reality is it's not there” - Jeff Moss
This continued when Moss introduced Matt Tait (@pawnallthethings), who gave an incredibly insightful presentation titled Supply Chain Infections and the Future of Contactless Deliveries, in which he identified what he considered the two largest threats we are currently seeing: ransomware and supply chain attacks. Tait first used real-world statistics to show the incredible increase in attacks over the past year, citing the steady rise in intrusion activity from the CrowdStrike report as well as the massive increase in zero-day vulnerabilities being found in the wild.
"Offense is taking the gloves off in both the government espionage sector and private ransomware sector" Matt Tait
So why is this? What was incredibly refreshing about Tait’s talk was how he focused on the economics of these attacks, for both ransomware groups and nation-state espionage. The goals haven’t changed for the attackers; what has changed is the method and cost of gaining access to the target.
“Governments want to gain access to secret data and turn it into actionable intelligence. Ransomware groups want to be able to access your data to monetize it, turn it into local currency” -Matt Tait
Malicious attackers aren’t rogue computer experts conducting attacks from a basement; they are real organizations, and as such have real costs. Tait gave examples of how these economics play a huge part in deciding when attacks are carried out, including the costs that remain even once initial access has been gained, from moving laterally to converting the outcome into currency after the attack. One example that stuck was his observation that attackers holding working exploits for zero-day vulnerabilities sometimes choose not to use them, because the cost is too high for the potential risk/reward: using the exploit burns it.
“Once you're in, you are probably not close to the data you need so you need to use privilege escalation tools and techniques and lateral movement to get to the data” -Matt Tait
The reality of this is that the cost of attacking smaller targets has been prohibitive, which limited the pool of potential targets. But, as Tait explained, supply chain attacks have now completely changed the economics for attackers. These groups can penetrate a huge number of organizations by attacking the supply chain. This gives them a far larger potential reward, which in turn means more resources can be committed to the attack. This has changed the game.
When talking about the commonalities of the massive breaches we have seen this year, Tait continued:
“A lot of these are driven by supply chain compromises and these ones that are driven by supply chain compromises do have very high volume and indiscriminate targeting”
“These are happening at a much bigger scale when the supply chain is enabled” -Matt Tait
This wasn’t just the opinion of Moss and Tait; throughout the entire conference we continued to hear this theme of the changing attack environment.
Small and medium businesses becoming a more appealing target
In what felt like a continuation of Tait’s opening keynote, Candid Wuest from Acronis presented his thoughts on the changing ransomware targets in his presentation titled Ransomware Attacks Against MSPs – a Nightmare for SMBs. Wuest spoke in depth about the growing risks for SMBs (small and medium businesses) when it comes to ransomware attacks, and while he did not directly attribute this to an increase in supply chain attacks, it fits right into the overall narrative of how the targets of attacks are changing. Now that SMBs are a viable target, attackers find organizations with limited resources to defend against these attacks.
"There is a huge demand for these smaller businesses to transition online and move remote. This makes them particularly vulnerable" -Candid Wuest
Wuest also gave great insights into how these attackers create (or steal) currency from these organizations. In one simple but effective example, he described how attackers changed the banking details on an SMB’s invoice template to the attackers’ own details.
In previous years, many of these SMBs would have been too high a cost and risk to attack directly (with the risk associated predominantly with receiving the currency). But if attackers can reach SMBs through a supply chain attack, the economics begin to look very appealing.
This was backed up during the Cybereason presentation RansomOps: Uncovering the Anatomy of a Ransomware Attack. Lior Div, CEO and co-founder of Cybereason, spoke about the ongoing impact of ransomware attacks originating from supply chain attacks.
"Eventually we realized that we're not talking about ransomware, we're talking about a supply chain attack. In some cases you think that just paying the ransom will make the problem go away, but this is covering up the real operation" -Lior Div
Treating the incident as a simple ransomware case reduces the chance that the underlying compromise is uncovered, which lowers the risk for attackers and lets them leave their initial access point open for future attacks.
Breaking down the mechanics of a Supply Chain attack
The software supply chain can be multiple layers deep and very complicated to understand. Tim Mackey broke this down expertly in his presentation Software Supply Chain 101 - What Is It? Why Is It Hard to Track? What Are Some of the Common Challenges and Risks?.
This was a two-part presentation, the first part explaining the multiple layers. "There is no single entity that is executable in modern development" - Tim Mackey. Modern applications, as many of you will know, are made up of hundreds of different building blocks. Some of these building blocks are open-source dependencies, but those dependencies also have dependencies. There can be many layers of dependencies, and a vulnerable dependency anywhere in this chain can have a domino effect, providing backdoor access to the applications or organizations relying on it.
Take an application that needs to interact with the Slack API. Mackey used the example of Bolt, a simple open-source component created by Slack to make it easy to communicate with that API. This component would be a dependency of your application, but it has 15 dependencies of its own, and exploring one of those reveals a further 30 dependencies. This continued for 8 layers, with literally hundreds of components connected to this single Bolt dependency. It was an incredibly practical way to show the supply chain to anyone not yet familiar with what a software supply chain looks like in the real world.
In addition to some practical advice in part two of the talk on how to actually secure the supply chain, Mackey presented some truly shocking statistics from the Synopsys’ 2021 Open Source Security and Risk Analysis report. These included vulnerabilities being up a staggering 93% on last year, and unpatched high-severity vulnerabilities increasing 22%.
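To make the layering Mackey describes concrete, here is an added example (not code from the talk or from Slack's Bolt project) that walks a dependency graph the way a lockfile would describe it, reports how many layers deep each transitive package sits, and lists every chain by which a known-vulnerable package is pulled in. The package names and edges are constructed for illustration and do not reproduce Bolt's real dependency list.

```python
from collections import deque

# Constructed sample (hypothetical names/edges, not Bolt's real list): package -> direct deps.
SAMPLE_GRAPH = {
    "my-app": ["bolt", "express"],
    "bolt": ["web-api", "socket-mode", "logger"],
    "web-api": ["axios", "form-data"],
    "socket-mode": ["ws", "web-api"],
    "express": ["body-parser", "debug"],
    "body-parser": ["debug", "qs"],
    "axios": ["follow-redirects"],
    "follow-redirects": ["debug"],
    "debug": ["ms"],
}


def transitive_deps(graph, root):
    """Map each package reachable from root to its layer (shortest chain via BFS); shared packages count once."""
    depths = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):  # packages absent from the graph are leaves
            if dep not in depths:
                depths[dep] = depths[pkg] + 1
                queue.append(dep)
    del depths[root]
    return depths


def exposure_paths(graph, root, vulnerable):
    """List every dependency chain from root to the vulnerable package (cycle-safe DFS)."""
    paths = []

    def walk(pkg, path):
        if pkg == vulnerable:
            paths.append(path)
            return
        for dep in graph.get(pkg, []):
            if dep not in path:  # guard against cycles, which real lockfiles can contain
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def exposed_top_level(paths):
    """Direct dependencies of the root through which the vulnerable package arrives."""
    return sorted({path[1] for path in paths if len(path) > 1})
```

Running `exposure_paths(SAMPLE_GRAPH, "my-app", "debug")` on the sample shows the same package arriving by four different chains, two of them four and five layers deep under bolt, which is the domino effect the talk describes.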
Solving these issues in security
With these themes and revelations continuing through the conference, attendees, or at least this attendee, were left pondering what the solution could be. And while there is no super vendor to sweep in (despite some impressive demos from CyberArk, the core event sponsor), day two of the conference did provide insight into how we might address such attacks.
In the first keynote of the second day, Jeff Moss gave his thoughts on perhaps not so much what, but who will provide the solution: a collaboration between the private sector and government organizations. He suggested we have entered a new realm of security where we need more intervention from the government.
“There are certain problems that are beyond the individual or company to solve.” -Jeff Moss
“If there is a nation state F**** with us, and there is no governmental response, the problem is not going to get resolved.” -Jeff Moss
“So the government needs to step up and acknowledge they are the only ones in certain categories that can solve these collective problems, and they have to work with us to come up with an optimum solution.” -Jeff Moss
What this looks like quickly came from Jen Easterly, the new director of CISA, in a presentation that was partly her introducing herself to the industry in general, partly a reminder that CISA exists, and partly an introduction to what could be a solution to this complex problem: the Joint Cyber Defense Collaborative (JC/DC).
A unifying call for collaboration
The newly introduced JC/DC showed that neither the private nor the public sector has an answer of its own for dealing with this growing and complex issue, but it encouragingly showed that it may be time for the two to come together in a meaningful way. The initial partners in the program are CrowdStrike, Palo Alto, FireEye, Amazon Web Services, Google, Microsoft, AT&T, Verizon, and Lumen, according to Easterly.
“Our mission is simple on the surface–we lead the national effort to understand and manage cyber and physical risk to our critical national infrastructure, but challenging to execute with significant consequences if we fail.” Easterly said.
And it wasn’t just Jen Easterly who was calling for this collaboration from the government side. In the closing keynote of Black Hat, Secretary Alejandro Mayorkas welcomed input from the private sector in a rallying call, even welcoming fierce debate and asking questions such as how far the government should go.
Since similar calls for collaboration in the past have not yielded results, one could be left wondering whether this was just a way for the government to look like it is taking the problem seriously, or a genuine call to action. But the honesty of all the government representatives at Black Hat in openly admitting that this problem is not at all under control was a clear indication that this is, in fact, a genuine call to create genuine action.
A close to Black Hat 2021
This year's conference truly brought out some shocking statistics and trends and provided a lot of context around the incredible increase in cyber attacks we are seeing. We saw that, undoubtedly, ransomware attacks alongside supply chain attacks are going to continue to be the focus of criminal cyber activity in the immediate future. But we also saw a genuine call to bring the private sector into the conversation with the government, with the announcement of the JC/DC and an all-round call for action from the government's cyber leadership. What was abundantly clear throughout is that we have entered a new stage of cyber criminal activity, and if we are going to move forward to create a free and secure internet we need change and collaboration. Exactly what that looks like is yet to be determined.