Thought Leadership
August 7, 2025

Dispatches From the Desert: Black Hat Day One


It's that time of year again when the worlds of hackers and security vendors collide. Colloquially known as Hacker Summer Camp, early August sees the desert city of Las Vegas host two of the world's largest security events: Black Hat and DEF CON. 

This year, as in previous years, the Immersive Container 7 team arrived to attend briefings, talk to vendors, and get a glimpse into the state of security – or at least, how the vendors and researchers are showcasing it. 

Over the next five days, we’ll share our daily highlights, whether it’s our favorite talk, vendor session, or afterparty. Stay tuned!

Kev Breen: Senior Director, Cyber Threat Research

The first morning started off as you’d expect, with an introduction from Jeff Moss (aka Dark Tangent), the founder of both Black Hat and DEF CON, followed by the keynote from Mikko Hypponen. 

Jeff referenced a quote in his introduction, which stood out for me more than others: “You go to war with the army you have, not the army you might want or wish to have at a later time.”

We all wish we had the perfect “A Team”, but in reality, we have staff with a range of skills and talents. There are seasoned experts with decades of experience, high-flyers keen to apply their trade and thirsty for knowledge, and the dependable and reliable nine-to-fivers who turn up every day.

Then you also have your fresh recruits. They don’t know what they don't know, and they need time to learn and build up their experience – time you have to sacrifice from your experts.

Faced with an ever-evolving threat landscape, zero days, and threat groups able to weaponize vulnerabilities within 24 hours, how do we make sure we can stay up to date with the latest threats? And how can we prove our resilience in the face of emerging threats? 

The evolution of malware

In his keynote, Mikko reflected on the history of the computer virus and the evolution of malware, where a computer virus could have a disruptive impact. These viruses weren’t created to destroy or generate revenue, but were mostly used as a prank or a way to make a statement. 

Those days are behind us. Traditional viruses have paved the way for threats like ransomware and data breaches, which have almost become a daily staple in cyber news. 

The ransomware.live site tracks victims of ransomware attacks. As of today, August 7, there have been 104 victims of ransomware this month alone, with 4,692 so far this year. 

Rob Reeves: Principal Cyber Security Engineer

I’ve been to the US a number of times before, both in private sector and public sector roles, but this is my first time in Vegas and my first visits to Black Hat USA and DEF CON. 

The first day of Black Hat opened well, with a poignant and heartfelt talk from Jeff Moss, who pushed a narrative that’s close to my heart. It was a reminder that while the world currently seems uncertain and technology is both disrupting and highly politicized, the real strength behind successful companies is the abilities of people, culture, and a shared sense of purpose. 

Technology alone, without well-trained and motivated people, won’t achieve security. 

This message was reinforced by Mikko, who followed Jeff with sobering statistics about the state of cyber attacks today and a warning that companies are in the fight, whether they think they are or not.

Smart automation and new attack surfaces

AI was prominent in several talks and vendor demonstrations around Black Hat, but the most interesting use cases focused on the speed increases that smart automation can bring to technical teams and toolsets. 

There were also plenty of talks and briefings that showed how new technologies create attack surfaces, and the perils of quick implementation when security is an afterthought.

My favourite presentation today came from Olaf Hartong, who talked in detail about Event Tracing for Windows (ETW). The talk covered its use in security tooling, like endpoint detection and response (EDR), and how attackers can abuse weaknesses in its implementation. This includes taking advantage of or creating blind spots in detections, or creating deceptive alerts to exhaust blue team resources, even from a user-mode process. 

The security tooling available for the Windows OS is the strongest and most capable it's ever been, but talks like this show that interesting things can still be discovered, with a bit of curiosity and tenacity. 

Gaz Lockwood: Principal Cyber Security Engineer

I’ve spent over a year of my life in America, mainly through deployments while in the British Army. However, this is my first time at Hacker Summer Camp. 

I’ve heard a lot about Black Hat and DEF CON during my cyber career, but people haven’t done it justice. After the first day at the conference, I’ve been massively impressed, and the technical talks have been really engaging. 

Unsurprisingly, the main theme of the conference has been AI. The utilization of this tech has raised some internal questions for me, and some claims seem to be inflated. That said, the movement towards this has the potential to further flip the sector on its head. 

The inner workings of ETW

Like Rob, my favorite tech talk of the day was Olaf Hartong’s. He’s been investigating the inner workings of ETW, which was designed to be used as a debugging tool for Windows. However, a number of security tools utilize it for security functions. 

Olaf primarily focused on Microsoft Defender for Endpoint. The main question in the investigation was: “What can you do to this service to potentially cause issues for security tools?” 

Remember, this is a debugging tool that wasn’t initially designed for a security use case. Olaf focused on two main methods to stop ETW from functioning as expected. 

The first took advantage of the default limit of 1,000 unique events in a 24-hour period per subscription. As soon as you hit this limit, the events stop being sent from the service, effectively disabling telemetry that the security tools depend on. 

The second was to fill the subscription buffer, which also effectively disabled further events from being raised. The high-level summary was that a relatively unprivileged user could interact with ETW in a way to stop it. Olaf has released the tools to achieve this on his GitHub today.

Here at Immersive, our team loves ETW and the power that it can give security teams, so look out for a new collection coming out soon that solely focuses on ETW!

Today at Black Hat has been exceptional, and I’m looking forward to the talks tomorrow. 

Ben Hopkins: Cyber Threat Intelligence Researcher

The first day at Black Hat marked my second-ever day in the United States and my first day at a conference, so I thought I’d share my thoughts as a person who is completely foreign to the idea of conferences, conventions, and talks.

Black Hat formally opened with its founder reflecting on how chaotic the cyber industry has become. He noted that AI can be a disruptor, but it’s yet unknown what exactly AI will disrupt. 

While we might maintain that the technology industry is apolitical and a series of ones and zeroes being sold for other types of ones and zeroes, it’s also simply not the case. 

With the US banning Huawei technology and heavily regulating TikTok, I thought back to what the former Director of GCHQ, Sir Jeremy Fleming, said about the potential threat China poses in the economic and cyber sphere to Western powers. 

As quoted by Kev earlier, Jeremy talked about going to war with the army we have, not the army we want, and that security was getting better – all it takes is for us to step back and see the bigger picture.

No cohesive vision on AI

My experiences for the rest of the day were filled with AI, from larger talks to smaller demos being run by the various companies that occupied the business floor. 

Many of the talks left a lot of food for thought, like how we could train multiple large language models to analyze screenshots gained from InfoStealers to map out infection chains. That said, the theming wasn’t wholly consistent and clear. 

Some vendors attempted to sell the idea that AI and AI alone can work. Other vendors were more cognizant of the fact that AI is a tool – a very powerful tool, but still a tool – and if we rely too heavily on that tool, it will become a crutch. 

That wraps up day one! If you’re an Immersive customer and weren’t able to make it out to Black Hat or DEF CON, keep an eye out. When we return, we’ll take some of the more interesting and novel tools and techniques we’ve seen here and turn them into practical labs.
