Last updated at Mon, 23 May 2022 20:36:49 GMT
I attended Black Hat USA 2021 and DEF CON 29 from August 4 to August 8. This year was the fifth time that I made this annual pilgrimage to Las Vegas for cybersecurity professionals.
This pair of conferences was quite different this year, primarily due to the hybrid live-virtual nature of these events and other pandemic-related factors, such as the mask requirements and DEF CON 29’s COVID-19 vaccination requirement. Equally important, if not more so, was the difference in content this year, reflecting the massive changes in the cyber threat landscape and the attack surface over the past year and a half.
Hybrid live-virtual events
As an in-person attendee, the most obvious and significant difference to me was the lower turnout of both vendors and individual attendees. There was a great deal of unused space in the Black Hat Business Hall, as many vendors evidently chose not to represent themselves in person this year. Rapid7 was a virtual sponsor of the event.
Rapid7 did have a booth in DEF CON’s IoT Village, where security researchers conducted exercises in techniques for gaining root access to embedded IoT devices. These devices are often a weak point in an organization’s attack surface because they frequently receive less security attention than conventional endpoints, or go without security updates entirely.
The lower in-person turnout was nonetheless advantageous for individual attendees if only because it reduced the size of the crowds. Smaller crowds made it easier to gain access to popular presentations, booths, and other events, and also to engage presenters and other attendees privately.
The smaller crowds were particularly advantageous at DEF CON. Those who have attended DEF CON in the past know how overwhelming its historically massive crowds can be, and the degree to which they can often impede access to popular presentations and other offerings. This year might have been the first DEF CON that I was actually able to attend every presentation I wanted.
The US government’s role in cybersecurity
The massive changes in the threat landscape and the attack surface over the past year and a half, and the implications thereof, were recurring themes in the presentations and other offerings. One of these themes was the role of the US government in cybersecurity, which has become a more salient issue in the wake of last year’s SolarWinds supply chain compromise campaign and this year’s ransomware attack on Colonial Pipeline.
At Black Hat, Keynote Speaker Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA) in the US Department of Homeland Security, announced the formation of the Joint Cyber Defense Collaborative (JCDC), a partnership between the public sector and several security vendors and other technology companies that aims to improve national cyber defense.
Other presenters at both conferences covered more specific aspects of the US government’s role in cybersecurity. For example, another Black Hat presentation covered the President’s Cup Cyber Competition, another CISA initiative that aims to identify the best cybersecurity talent in the US federal workforce. A policy panel at DEF CON discussed the political and diplomatic implications of cyberattacks, particularly state-sponsored attacks such as the SolarWinds campaign. Panelists discussed the possibility of establishing international cyber “norms,” such as those in warfare and diplomacy.
Critical infrastructure was another recurring theme at both conferences, and its defense was one key facet of the above-mentioned discussion of the US government’s role in cybersecurity. As I suggested in my pre-event blog, the COVID-19 pandemic has underscored the importance of healthcare critical infrastructure in particular and highlighted how frequently it is vulnerable. The broadest and most extensive discussion of this issue was at a DEF CON policy panel on the unique cybersecurity challenges to the healthcare sector. I attended previous versions of this dedicated healthcare panel at earlier DEF CONs and found this year’s version particularly enlightening.
Other presentations covered more specific examples of the cybersecurity challenges to the healthcare sector. A Black Hat presentation highlighted vulnerabilities in the pneumatic tube systems (PTS) that many hospitals use to transport clinical items around their facilities. Attackers could exploit these vulnerabilities to deliver ransomware or otherwise disrupt clinical workflows.
Ransomware was probably the single most frequently discussed threat at both conferences. A recurring theme was the severity of ransomware attacks in the past year and a half, including both the skyrocketing dollar value of ransom demands and the increasingly disruptive impact of ransomware attacks, as in the Colonial Pipeline incident. Ransomware has escalated from a garden-variety criminal problem to a strategic-level threat, hence the title of a very edifying DEF CON policy panel discussion on the subject: “Ransomware’s Big Year - From Nuisance to ‘Scourge’.”
The increasing costs of ransomware attacks are readily measurable. Several vendor presentations on ransomware in the Black Hat Business Hall featured statistics and visualizations that underscored this point and highlighted the importance of investing in security measures aimed at preventing ransomware attacks.
Supply chain attacks
Ransomware operators, along with state-sponsored cyber espionage groups, have increasingly adopted supply chain compromises as an attack vector. Recent examples of this phenomenon include the large-scale REvil ransomware attack via Kaseya managed service provider (MSP) software and the state-sponsored SolarWinds campaign. Accordingly, supply chain threats were the topic of one of Black Hat’s keynote presentations: “Supply Chain Infections and the Future of Contactless Deliveries.” The presenter predicted that large-scale supply chain attacks will increasingly become part of “the new normal.” He further claimed that the attacks we have seen recently represent only a fraction of the potential damage that could result from supply chain compromises.
I was glad to have the opportunity to attend these conferences in person again. Losing that opportunity last year left me with a greater appreciation of the value of face-to-face interaction with other security professionals beyond my own team. I think that the cybersecurity community needed and benefited from the opportunity to discuss in person the massive changes that most of us have been tackling remotely for the past year and a half. If nothing else, it was good for morale. More importantly, this large-scale “huddle” can help the cybersecurity community regroup and respond more effectively to the unprecedented challenges of the past year and a half and the threats that we face in “the new normal.”