5 key takeaways from Black Hat USA 2024
The infosecurity world came together in Las Vegas this week for Black Hat USA 2024, offering presentations and product announcements that will give CISOs plenty to think about.
Here are the top takeaways CISOs should keep in mind when adapting their cybersecurity strategies going forward.
[For more Black Hat USA coverage, see “Black Hat: Latest news and insights.”]
Cloud security under scrutiny
Security researchers from Aqua Security used a presentation at Black Hat to outline how they uncovered security flaws involving the automated provisioning of AWS S3 storage buckets.
The attack vector, dubbed Shadow Resource, created a potential mechanism for AWS account takeover, data breaches, and even remote code execution.
Because the affected services created these buckets with predictable names, an attacker could create a bucket with the expected name ahead of time and simply wait for a targeted user to enable the vulnerable service in that region, potentially resulting in sensitive files and configurations being written into the attacker-controlled bucket.
Six AWS cloud services were potentially vulnerable: CodeStar, CloudFormation, EMR, Glue, ServiceCatalog, and SageMaker.
The issues were responsibly disclosed to Amazon Web Services prior to Aqua Security's presentation, allowing AWS to resolve the vulnerabilities, which it has done.
CSO's Lucian Constantin dives into the details of the shadow bucket attack and potential remediation steps here.
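The check a cloud security engineer would want to run against their own accounts, as an added example that is not part of the original article or of Aqua Security's research: enumerate the predictable bucket names for every region, find out which are already yours, which are still free to claim, and which someone else has already created, and emit the IAM guard (a Deny conditioned on aws:ResourceAccount) that makes a role fail closed if it is ever steered into a bucket outside the account. The naming patterns listed in PATTERNS are assumptions reproduced from memory for three of the six services and should be checked against current AWS documentation; the account ID, regions, bucket list and HeadBucket statuses are constructed sample data standing in for live API calls.

```python
import json
from typing import Dict, Iterable, Optional

# Naming patterns of buckets that AWS services create on the user's behalf.
# ASSUMPTION: these three are reproduced from memory of the Shadow Resource
# write-up for illustration only; verify against current AWS documentation.
# CloudFormation's cf_hash is a per-account value visible in any cf-templates
# bucket the account already has, so it becomes predictable once one exists.
PATTERNS = {
    "Glue": "aws-glue-assets-{account_id}-{region}",
    "SageMaker": "sagemaker-{region}-{account_id}",
    "CloudFormation": "cf-templates-{cf_hash}-{region}",
}


def candidate_bucket_names(account_id: str, regions: Iterable[str],
                           cf_hash: Optional[str] = None) -> Dict[str, str]:
    """Map every predictable bucket name the account could end up using to its
    service, across all regions, not only the ones in use today."""
    names: Dict[str, str] = {}
    for region in regions:
        for service, pattern in PATTERNS.items():
            if "{cf_hash}" in pattern and cf_hash is None:
                continue  # not predictable until the account's hash is known
            names[pattern.format(account_id=account_id, region=region,
                                 cf_hash=cf_hash)] = service
    return names


def triage(candidates: Dict[str, str], owned_buckets: Iterable[str],
           head_status: Dict[str, int]) -> Dict[str, str]:
    """Classify each name from two inputs the operator already has:
    ListBuckets on the own account, and the HTTP status of HeadBucket
    (404: name is free; 403: the bucket exists in some other account)."""
    owned = set(owned_buckets)
    verdicts: Dict[str, str] = {}
    for name in candidates:
        if name in owned:
            verdicts[name] = "ok"        # already ours, nothing to do
        elif head_status.get(name) == 404:
            verdicts[name] = "claim"     # create it ourselves before the service does
        else:
            verdicts[name] = "squatted"  # another account owns the name: do not
                                         # enable the service in this region
    return verdicts


def resource_account_guard(account_id: str) -> dict:
    """IAM policy denying any S3 call whose target bucket lives outside this
    account, so a role tricked into a squatted bucket fails closed. Legitimate
    cross-account buckets must then be allowed explicitly by account ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyS3OutsideOwnAccount",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:ResourceAccount": account_id}},
        }],
    }


# Constructed sample inputs standing in for live ListBuckets / HeadBucket calls.
ACCOUNT = "123456789012"
REGIONS = ["us-east-1", "eu-west-1", "ap-south-1"]
OWNED = {"aws-glue-assets-123456789012-us-east-1",
         "cf-templates-abc123xyz456-us-east-1"}
HEAD = {"aws-glue-assets-123456789012-eu-west-1": 403}  # pre-created by someone else


def run_demo() -> Dict[str, str]:
    candidates = candidate_bucket_names(ACCOUNT, REGIONS, cf_hash="abc123xyz456")
    # Every name absent from HEAD is treated as a 404 (free) in this sample.
    status = {n: HEAD.get(n, 404) for n in candidates}
    return triage(candidates, OWNED, status)


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{verdict:8} {name}")
    print(json.dumps(resource_account_guard(ACCOUNT), indent=2))
```

The triage deliberately treats anything other than "ours" or "404" as squatted: HeadBucket on a bucket in another account returns 403 without telling you who owns it, and that is exactly the case in which enabling the service would hand your artifacts to a stranger. When writing to such buckets from code, the S3 API's ExpectedBucketOwner parameter gives the same fail-closed behaviour per request.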
Separately, Symantec warned that an increasing number of hacking groups are abusing cloud-based services from Microsoft and Google for command and control and data exfiltration. Abusing widely used services such as Google Drive and Microsoft OneDrive gives attackers greater stealth because it makes malicious communications harder to distinguish from legitimate traffic.
The tactic is not new, but it is evolving into a bigger threat. And when viewed alongside the AWS vulnerabilities, as well as presentations on the cloud as the seat of initial access and a route to privilege escalation, it is clear that cloud security remains a key concern for enterprises today.
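Blocking Drive or OneDrive is rarely an option, so detection has to come from behaviour rather than destination. The following is an added example, not code from the original article or from Symantec: it runs a beaconing check over constructed proxy log lines (the hostnames, users and timestamps are invented for the demo), grouping requests to a watched set of cloud services by host, user and destination and flagging groups whose inter-request intervals are too regular for a human. The domain list, thresholds and log format are assumptions to adapt to your own proxy.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log excerpt (not real traffic). ws17 contacts Google Drive
# on a near-fixed 300 s timer; ws04 is a person using OneDrive at irregular times.
SAMPLE_LOG = """\
2024-08-07T10:00:00Z host=ws17 user=svc-print dst=drive.google.com method=POST bytes_out=1203
2024-08-07T10:00:00Z host=ws04 user=alice dst=onedrive.live.com method=GET bytes_out=512
2024-08-07T10:00:40Z host=ws04 user=alice dst=onedrive.live.com method=GET bytes_out=4096
2024-08-07T10:05:01Z host=ws17 user=svc-print dst=drive.google.com method=POST bytes_out=1198
2024-08-07T10:07:15Z host=ws04 user=alice dst=onedrive.live.com method=PUT bytes_out=918422
2024-08-07T10:08:03Z host=ws04 user=alice dst=onedrive.live.com method=GET bytes_out=300
2024-08-07T10:09:59Z host=ws17 user=svc-print dst=drive.google.com method=POST bytes_out=1211
2024-08-07T10:15:02Z host=ws17 user=svc-print dst=drive.google.com method=POST bytes_out=1203
2024-08-07T10:19:58Z host=ws17 user=svc-print dst=drive.google.com method=POST bytes_out=1205
2024-08-07T10:25:00Z host=ws17 user=svc-print dst=drive.google.com method=POST bytes_out=1199
2024-08-07T10:30:01Z host=ws17 user=svc-print dst=drive.google.com method=POST bytes_out=1204
2024-08-07T10:31:50Z host=ws04 user=alice dst=onedrive.live.com method=GET bytes_out=640
2024-08-07T10:33:00Z host=ws04 user=alice dst=onedrive.live.com method=GET bytes_out=221
2024-08-07T10:34:59Z host=ws17 user=svc-print dst=drive.google.com method=POST bytes_out=1202
"""

# Services worth watching for C2 abuse; assumed list, extend to match your estate.
CLOUD_C2_DOMAINS = {"drive.google.com", "onedrive.live.com", "graph.microsoft.com"}
LINE_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+user=(\S+)\s+dst=(\S+)")


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse lines into (timestamp, host, user, dst); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_beacons(events, min_hits: int = 6, max_cv: float = 0.10) -> List[dict]:
    """Flag (host, user, dst) tuples whose inter-request intervals are too regular
    for a human: coefficient of variation (stdev/mean) at or below max_cv over at
    least min_hits requests to one of the watched cloud services."""
    by_key: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for ts, host, user, dst in events:
        if dst in CLOUD_C2_DOMAINS:
            by_key[(host, user, dst)].append(ts)
    findings = []
    for (host, user, dst), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"host": host, "user": user, "dst": dst,
                             "hits": len(stamps),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def run_demo() -> List[dict]:
    return find_beacons(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

On the sample, the service account on ws17 is flagged (eight POSTs roughly 300 s apart) while alice's bursty OneDrive use is not. Real implants add jitter, so in production the interval check is best combined with the request's user and process context (a print spooler account talking to Google Drive is suspicious regardless of timing) and with upload volume.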
CrowdStrike meltdown emphasizes cyber-resilience
The July CrowdStrike-Microsoft meltdown was fresh in the minds of delegates to Black Hat this week.
During the opening keynote roundtable, Hans de Vries, COO of the European Union Agency for Cybersecurity, warned delegates that the industry must be ready for more supply chain attacks, which, like the CrowdStrike validation failure, put CISOs' resiliency plans to the test.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, said the incident emphasizes the importance of security vendors developing a secure by design approach. Organizations must bolster their cyber resilience, Easterly said, according to Secure Computing, adding that adversarial nations such as China or North Korea would likely exploit any weaknesses.
During the conference, CSO Online caught up with CrowdStrike's counter adversary team to talk about the latest tactics of North Korean state-sponsored hackers and others.
Patching is no panacea
The comforting notion that simply keeping systems patched and up to date was enough to safeguard security took a serious knock with the release of a presentation from SafeBreach at Black Hat.
SafeBreach security researcher Alon Leviev explained how it might be possible to downgrade systems via Windows Update, exposing them to old, already-patched vulnerabilities, through a form of version rollback attack.
The so-called Windows Downdate attack relies on hijacking the Windows Update process to craft custom downgrades of critical OS components, elevate privileges, and bypass security features, while the system continues to report itself as fully updated.
In a statement, Microsoft said it is not aware of any attempts to exploit this vulnerability. The software giant has published two advisories (including CVE-2024-21302) offering recommended actions and detection guidance while it works on delivering more comprehensive mitigations.
CSO's Gyana Swain has more on the Windows Downdate attack here.
AI is a double-edged sword
AI, particularly generative AI and large language models (LLMs), was a major focus at Black Hat.
Many sessions explored the risks and vulnerabilities associated with AI technologies.
For example, security researchers from Wiz outlined their research into hacking AI infrastructure providers. The work uncovered novel attack methods to break into AI-as-a-service providers, including Hugging Face and Replicate.
"On each platform, we used malicious models to break security boundaries and move laterally within the underlying infrastructure of the service," according to the researchers. The research opened the door to accessing customers' private data, including private models, weights, datasets, and even user prompts.
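The article does not say what made the uploaded models malicious. The usual reason a model file can break a security boundary is that many checkpoint formats are Python pickles, and a pickle executes whatever callable its contents reference as it loads. The following is an added example, not code from the original article or from Wiz's research, and it assumes that pickle-based serialization route: it builds a constructed checkpoint whose "model" is a call to eval, shows that a naive loader runs it, and then shows a guarded unpickler that either audits the globals a file would import without executing them or refuses anything outside an allowlist. The allowlist contents and the BackdooredModel class are assumptions for the demo.

```python
import io
import os
import pickle
from collections import OrderedDict
from typing import List, Tuple


class BackdooredModel:
    """Constructed stand-in for a malicious model file. A pickle-serialised
    model is just a pickle, so whatever __reduce__ returns is executed by the
    loader. An eval of a cwd lookup is used here; os.system or a reverse shell
    would be pickled the same way."""
    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))


def benign_model_bytes() -> bytes:
    # The shape a legitimate checkpoint usually has: a state dict of tensors,
    # reduced here to plain lists (constructed sample, no ML framework needed).
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]),
                                     ("layer.bias", [0.0])]))


def malicious_model_bytes() -> bytes:
    return pickle.dumps(BackdooredModel())


def unsafe_load(data: bytes):
    """What a naive loader does: the payload runs before any 'model' exists."""
    return pickle.loads(data)


# (module, name) pairs a checkpoint may reference. ASSUMPTION for this example;
# a real loader lists its framework's tensor-rebuild helpers here.
ALLOWED = {("collections", "OrderedDict")}


class _Stub:
    """Inert placeholder for a disallowed global in audit mode: the pickle VM
    can call it, instantiate it and fill it without anything being executed."""
    def __init__(self, *args, **kwargs): pass
    def __setstate__(self, state): pass
    def __setitem__(self, key, value): pass
    def append(self, value): pass
    def extend(self, values): pass


class GuardedUnpickler(pickle.Unpickler):
    """strict=True refuses anything outside ALLOWED; strict=False records the
    globals the file would import, substituting stubs so nothing runs."""
    def __init__(self, f, strict: bool):
        super().__init__(f)
        self.strict = strict
        self.imports: List[Tuple[str, str]] = []

    def find_class(self, module, name):
        self.imports.append((module, name))
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        if self.strict:
            raise pickle.UnpicklingError(
                f"model references disallowed global {module}.{name}")
        # A fresh class per global satisfies both REDUCE (call) and NEWOBJ (__new__).
        return type(name, (_Stub,), {})


def audit_imports(data: bytes) -> List[Tuple[str, str]]:
    """Every global the pickle would import, discovered without executing any."""
    u = GuardedUnpickler(io.BytesIO(data), strict=False)
    u.load()
    return u.imports


def safe_load(data: bytes):
    return GuardedUnpickler(io.BytesIO(data), strict=True).load()


def run_demo() -> dict:
    mal, ben = malicious_model_bytes(), benign_model_bytes()
    try:
        safe_load(mal)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return {
        "unsafe_load_ran_payload": unsafe_load(mal) == os.getcwd(),
        "malicious_imports": audit_imports(mal),
        "benign_imports": audit_imports(ben),
        "safe_load_rejected_malicious": rejected,
        "safe_load_benign_keys": list(safe_load(ben)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The audit mode is what a hosting platform wants at upload time: it reports `builtins.eval` for the constructed file without running it, and the same trick surfaces `os.system`, `subprocess.Popen` or `socket.socket` in a real submission. The strict mode is what an inference service wants at load time; for untrusted models a format that cannot carry code at all (safetensors, for instance) removes the problem rather than filtering it.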
In another session, a security architect from chip giant Nvidia's Red Team offered practical findings around LLM security, including the most effective offensive and defensive security strategies and methodologies.
Black Hat also provided a space for cybersecurity vendors to launch new products and services. Many vendors have added AI-based capabilities to their technologies, as detailed in CSO's roundup of product releases.
CISOs face personal jeopardy from corporate breach handling
A session titled "Skirting the Tornado: Essential Strategies for CISOs to Sidestep Government Fallout in the Wake of Major Cyberattacks" highlighted strategies that CISOs should apply to stay on the right side of regulators in the event of security breaches.
Recent cases, such as that of SolarWinds' Tim Brown, have highlighted how senior security staff face individual regulatory and legal liability for alleged corporate reporting failures.
The session covered practical strategies to mitigate damage, ensure IT compliance, and maintain stakeholder trust in an environment of increasing regulatory pressure.