Cyber Threats Leading the Discussion at This Year’s Black Hat USA and DEF CON
July 26th, 2021
I look forward to the opportunity to attend Black Hat USA and DEF CON in person this year, as a harbinger of the resumption of in-person events for the cybersecurity industry. As always, this pair of conferences provides a valuable opportunity to hear the latest security research and to network with other security professionals. If you will be attending in person and would like to meet or talk with me, feel free to reach out to me via LinkedIn. I will also be available to speak with journalists, particularly about the recent acquisition of IntSights by Rapid7, as well as my forthcoming white paper, “Selling Breaches: The Transfer of Enterprise Network Access on Criminal Forums.”
The monumental changes of the past year-and-a-half will loom large at these events, beyond the use of face masks and DEF CON's vaccination requirement. The cyber threat landscape has changed significantly since the last in-person occurrence of these conferences two years ago, and that transformation and its details will undoubtedly be significant themes in the presentations, workshops, and informal discussions at both conferences. I have been reviewing the schedules for both conferences in search of presentations and other events to attend, and I noticed several recurring themes in the specific threats, attack vectors, targets, and other issues that presenters will be covering.
Cyber Threats Leading the Discussion
Ransomware has been a dominant feature of the criminal cyber threat landscape for years, but it has taken on new life due to the COVID-19 pandemic. Ransomware operators seized the opportunities that the rise of the remote workforce created to expand and enhance their attacks on enterprise networks, such as with pandemic-themed spam and phishing attacks or by exploiting the remote access services that employees have been using to work from home. Ransomware operators have also become more ambitious and aggressive in their targeting and ransom demands, as the high-impact Colonial Pipeline incident demonstrated. Even a cursory glance at the list of Black Hat USA session titles indicates that ransomware will probably be the single most important type of cyber threat up for discussion.
Supply chain attacks, particularly via managed service providers (MSPs) and other technology companies and their products and services, are not new either. State-sponsored Chinese cyber espionage groups were early adopters of this access vector, and ransomware operators later followed suit. It was the use of such an access vector in the high-impact SolarWinds campaign by state-sponsored Russian actors — who have not historically used this tactic on a significant scale — that finally underscored its importance.
As if to reinforce the value of the MSP attack vector, this month's large-scale REvil ransomware attack via Kaseya MSP software not only demonstrated that criminals can conduct large-scale supply chain attacks as well, but it also provided more evidence of the growing ambitions of ransomware operators. While it may be less clear what if any connection those incidents had to pandemic-specific risk factors, the exploitation of cyber supply chain vulnerabilities fits broader, pandemic-based concerns about supply chains in general, such as last year's shortages of face masks, hand sanitizer, ventilators, and toilet paper. More specifically, the pandemic highlighted risks stemming from the large-scale economic dependence of the US and other Western democracies on China's large manufacturing and technology sectors. It is not a coincidence that state-sponsored Chinese cyber espionage groups are the oldest and some of the most prolific practitioners of supply chain attacks.
Perhaps awareness of and sensitivity to supply chain vulnerabilities will be one of the enduring impacts of this pandemic era. Similarly, it was the 9/11 era and the threat of terrorism that highlighted the importance of protecting critical infrastructure, first in the physical realm and later in the cyber realm. The defense of critical cyber infrastructure remains a primary objective, but perhaps the pandemic has shifted, or will shift, our specific priorities within this field. For example, the pandemic made many healthcare providers even more vulnerable and desirable targets due to increased pressure on them from large numbers of COVID-19 patients and an increased volume of protected health information (PHI) on their networks. A healthcare provider that is already in crisis mode from a surge in patients may be more likely to pay a ransom. A healthcare provider with a surge in patients is also a richer source of patient data for identity thieves.
The quest for COVID-19 vaccines has also made the broader healthcare and pharmaceuticals industry a higher-priority target for state-sponsored cyber espionage groups seeking vaccine research, which has become one of the most coveted forms of intellectual property. The distinction between “essential” and “non-essential” businesses last year became another key pandemic theme. In light of that designation, perhaps it is not a coincidence that companies providing access to “essential” goods, such as food and gasoline, became targets of large-scale ransomware attacks earlier this year, as in the cases of Colonial Pipeline and JBS Foods.
President Biden's executive order to improve US cybersecurity in the wake of the Colonial Pipeline incident is on the agenda for some presenters and will probably be on the minds of many attendees as well. As a security professional who has spent the whole of his career in the discipline of intelligence in one form or another, the section of the executive order that interests me most is “Removing Barriers to Sharing Threat Information.” As the saying goes, “forewarned is forearmed.” Organizations cannot optimally defend themselves against cyber threats if they do not have enough relevant intelligence on those threats with which to improve their defenses.
An unwillingness to share cyber threat intelligence, for whatever reason, deprives other organizations of the opportunity to improve their defenses. Many companies are reluctant to share information about attacks on them because they fear that it will damage their reputations and be bad for business. I would argue, in response to that line of reasoning, that sharing intelligence about attacks on one's own organization creates opportunities to learn more about the attackers from other organizations that they may have also targeted. Developing a more complete picture of one's attackers enables one to defend against them more effectively in the future.
Interact With IntSights at Black Hat USA
The often voluminous collection of intelligence from a variety of sources can create the additional challenge of being overwhelmed with information, but that is “a good problem to have,” as the saying goes. Threat intelligence platforms (TIPs) such as ours here at IntSights can help organizations overcome this challenge and manage the volume and variety of data that they receive.
Visit our virtual Black Hat USA booth to learn more. As mentioned above, I will be at the physical events as well. Want to meet or talk with me in person? Feel free to reach out via LinkedIn.
Paul Prudhomme is Head of Threat Intelligence Advisory at IntSights. He previously served as a leader of the cyber threat intelligence subscription service at Deloitte and as an individual contributor to that of iDefense. Prior to that Paul covered cyber issues as a contractor in the US Intelligence Community. Paul specializes in the coverage of state-sponsored cyber threats, particularly those from Iran. He originally served as a linguist and cultural advisor and speaks multiple languages, including Arabic. Paul has a Master’s degree in History from Georgetown University. He is also a certified scuba diver and an award-winning amateur underwater photographer.