#BHUSA or bust: Hopes and expectations for Black Hat 2021

Since 1997, Black Hat has been a staple in the world of cybersecurity conferences. Having been in cybersecurity for nearly a decade, I’ve been aware of Black Hat, but haven’t had the opportunity to attend. Sure, I’ve attended DEF CON and some local cybersecurity conferences, but never one with a corporate focus.

That finally changes for me this year as I’ll be joining Black Hat 2021 starting this weekend. The prospect has me both excited and anxious. And while I wish my first Black Hat experience was in-person, with the global pandemic still raging, I am happy this year’s hybrid event enables me to attend at all.

I’ll be joining Acronis’ VP of Cyber Protection Research Candid Wuest and, as Acronis is a proud Diamond sponsor, we’re hoping you’ll stop by our virtual booth to chat. It may not have the same energy as a packed convention center, but I expect we’ll have more meaningful conversations without the chaos of the crowd.

Given the hybrid nature of the event, we may even be able to attend more talks than we normally would – and there’s plenty to look forward to. As we perused the list of talks, there were a few that we each gravitated toward.

Candid noted that one popular topic was no surprise to see: the supply chain risk. Matt Tait is expected to discuss it in his keynote. While the recent SolarWinds and Kaseya-REvil incidents have reminded people that software supply chain attacks do happen, many organizations are still underestimating their exposure to trusted services and software dependencies. Such third-party dependencies are often overlooked and do not appear on the visibility till it is too late.

This dovetails with the session Candid is presenting. Called Ransomware Attacks Against MSPs – A Nightmare for SMBs, he will give a short introduction on how the trusted relationships of MSPs are being abused by attackers to compromise end customers. It’s a deadly mixture of supply-chain and living-off-the-land attacks, and an important consideration for all of the SMBs that moved to MSPs during the pandemic.

As a huge advocate for information sharing and collaboration, I was extremely pleased to see a number of talks will focus on the community aspects of cybersecurity. One that caught my attention was Oryan De Paz and Omer Yair’s The Ripple Effect: Building a Diverse Security Research Team. While not a technical talk, it discusses the importance of building the best team by fostering inclusivity.

Other community-focused talks I am excited about are The Case for a National Cybersecurity Safety Board and Securing Open-Source Software – End-to-End, at Massive Scale, Together. We are at a crucial time in this industry, where we need to figure out the way forward ... and fast. There are important discussions to have on both the open-source and regulatory fronts, and it’s great to see them at this year’s event.

Apple has made a lot of changes to their systems lately, so both Candid and I are fascinated by the talks covering their new hardware and the malware trends that followed. Personally, I like ripping things apart to see how they work, so I was naturally drawn to Reverse Engineering the M1 and Wibbly Wobbly, Time Wimey – What’s Really Inside Apple’s U1 Chip – and the Doctor Who reference doesn’t hurt either.

Since Mac exploits and malware are on the rise, as a cybersecurity researcher who focuses on threats and malware, I also have to check out Come to the Dark Side, We Have Apples: Turning macOS Management Evil and Arm’d and Dangerous.

Candid has a habit of following the topic of cloud services, so there are a number of talks that appeal to him. As companies increasingly moving to cloud services, we’ve seen a jump in attacks against cloud environments – from the classic AWS S3 bucket data breaches to ransomware going after cloud databases.

Breaking the Isolation: Cross-Account AWS Vulnerabilities will address the new cross-account vulnerabilities on multiple AWS services. Another promising session is Cloudy with a Chance of APT: Novel Microsoft 365 Attacks in the Wild. Microsoft 365 environments have seen their share of attacks in the last 12 months, so it is best to double-check that we have the latest attack trends on our radar.

I’m also interested in Do You Speak My Language? Make Static Analysis Engines Understand Each Other, which examines the increased complexity of modern cloud applications. How can you do static analysis across different codebases?

Open-source intelligence (OSINT) has been both a blessing and a curse when it comes to protecting our personal and professional data, and humans can often fall victim to phishing and extortion schemes. This makes the briefing Use and Abuse of Personal Information especially appealing. Researchers at the Virginia Tech Hume Center planted 300 fake identity profiles on various online platforms and analyzed what got leaked where within a year.

Candid is also drawn to 20+ Ways to Bypass Your macOS Privacy Mechanisms, where researchers discovered multiple ways to bypass local privacy restrictions. This research led to 40 vulnerability reports for Apple and shows that privacy protection is not nearly where it should be. Meanwhile, I’m personally leaning toward attending Deepfake Social Engineering: Creating a Framework for Synthetic Media Social Engineering.

From a curiosity standpoint, I am also looking forward to The Kitten that Charmed Me: The 9 Lives of a Nation-State Attacker, and Whoops, I Accidentally Helped Start the Offensive Intel Branch of a Foreign Intel Service. The ideas of human error exposing a nation-state attacker and gullibility leading to working for a foreign intelligence service both sound like a wild ride. Who needs action movies when you work in cybersecurity?

In my perfect world, Linux rules the OS ecosystem – but that doesn’t mean it’s perfect. It has a blind spot that makes incident forensics more difficult, so I’m interested in joining Fixing a Memory Forensics Blind Spot: Linux Kernel Tracing to see the memory forensics techniques that can help close this gap.

With behavioral detection being such an important piece of the security puzzle these days, I would be remiss to not mention Rope: Bypassing Behavioral Detection of Malware with Distributed ROP-Driven Execution.

Candid notes that it wouldn’t be Black Hat without multiple exploitation talks, and this year’s event features the growing list of recent Microsoft Windows vulnerabilities that have widely been exploited. He’s flagged three of particular interest:

• Zerologon: From Zero to Domain Admin by Exploiting a Crypto Bug
• Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer
• ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!

Considering the ever-growing world of IoT devices, we were both surprised to see only two IoT talks are scheduled. Candid said Hacking a Capsule Hotel – Ghost in the Bedrooms could be a fascinating IoT talk: demonstrating how IoT devices were easily hijacked in a hotel.

We have also seen a steady rise in healthcare and OT/ICS attacks, so we had expected to see more on those topics at this year’s event. Unfortunately, both were lacking in the list of planned briefings. Perhaps they’ll be covered next year.

Despite these gaps, you can see that there are still quite a few talks that we are both looking forward to.

Whether you’re a Black Hat newbie like me or a veteran attendee like Candid, with so many great talks to attend, there is no way to walk away (or log out) from this event without having learned something new.

I am looking forward to meeting new people and reconnecting with people I may have only interacted with in threads on Twitter over the last year. Most of all, I am happy to have the opportunity to get back into cybersecurity conferences where I can really learn and expand my knowledge and skills.

If you’re attending, I hope you’ll stop by the Acronis booth to let me know what you’re looking forward to at Black Hat 2021.