Black Hat Recap 2016: The Good, the Bad and the Ugly


If you missed our presentations at BSides LV, Black Hat and/or DEF CON, tune into our research team Black Hat recap webinars.

The ZeroFox Research team presented at and attended the trifecta of security conferences last week: Black Hat, DEF CON and BSidesLV. It’s clear from the increasing number of attendees and vendors at security events that cyber security demand is growing with the ever-evolving threat landscape.

We saw several novel hacks at Black Hat and DEF CON, including cars, ATMs, drones, IoT and social media. One talk was especially relevant: “Exploiting Curiosity and Context: How to Make People Click on a Dangerous Link Despite their Security Awareness,” which studied the effort -- or lack thereof -- required to effectively phish Facebook users. The study found that including first names within phishing messages significantly increased the likelihood of a click-through on Facebook compared to email, while omitting them significantly decreased the likelihood of a click. It concluded with new recommendations and courses of action to avoid common phishing pitfalls on social media.

At both Black Hat and DEF CON, ZeroFox Research presented “Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter,” which demonstrated how data science can be leveraged offensively to automate spear phishing, both in finding high-value targets and in generating content geared to specific users on social media. Our talk discussed the need for users to think about social media as they do email: to stop and think before they click a link.

Machine Learning (ML) continues to have a measured impact on the InfoSec community. The presentation “Applied ML for Data Exfil and Other Fun Topics” demonstrated three separate use cases in which an ML approach could be used either offensively or defensively. The speakers discussed how large amounts of nmap data (containing open ports, port services and port versions) can be clustered together to glean personally identifiable information. They also demonstrated an obfuscation technique using Markov chains to evade detection by traditional defensive measures. Of course, there was also the DARPA Cyber Grand Challenge, which showcased expert systems trained to exploit and patch a live network in real time.

At BSidesLV, we investigated the Ground Truth track -- the main track of the conference -- which showcased ML research within InfoSec. Within the track, there were two major themes:

  • We need better ways to express how good our tools are, and
  • ML can be used, not only as a standalone solution, but in conjunction with human analysts to make them much more efficient.

The talk we presented at BSidesLV (“Labeling the VirusShare Corpus: Lessons Learned”) fit very neatly into the first theme, not only highlighting how ML is currently being used for detecting malware, but discussing the need for open datasets and benchmarks against which solutions can be measured. Another talk at BSidesLV caught our eye, “Deep Adversarial Architectures for Detecting (and Generating) Maliciousness,” which showed that ML can be used not only as an additional layer of defense, but also as a method for finding where the holes are and automatically patching them.

Our last presentation at DEF CON, “Attacks on Enterprise Social Media,” highlighted the anatomy of a social media enterprise attack, contrasted with traditional network attacks. The session outlined the steps leading up to an attack stemming from social media, and how adversaries footprint, monitor, profile, impersonate, hijack, and attack an enterprise organization. Social media exists outside of the network perimeter; as a result, it remains a blind spot for most organizations in terms of identifying data loss, social engineering on social media, targeted phishing and malware attacks, and much more. The talk detailed the tools, techniques, and procedures used by adversaries for social media attacks, providing the basis for prescribing countermeasures that could be deployed to enhance an organization’s security posture. One key takeaway is that footprinting (mapping and identifying) your social media landscape is fundamental to your organization's security posture.

In summary, we’ll be covering the sessions in more detail tomorrow, Thursday, August 18, in our Inside the Foxhole live webcast. Please join us for a DEF CON, BSidesLV & Black Hat recap. We will focus primarily on the Black Hat recap.
