by Michelle Hodges and Mike Hodges
This year, we attended Black Hat USA in Las Vegas to present our open source tool. While we were very excited to be presenting at one of the top information security conferences in the United States, we were mostly excited for the opportunity to catch up on new trends and the biggest issues the tech and security world is facing, and to connect with big players in the industry (i.e., WE HEARD ELON MUSK WAS THERE).
Here are some of our favorite highlights from Black Hat this year:
Jeff Moss, the founder of Black Hat and DEFCON, kicked off the largest-ever Black Hat (with 112 countries represented!) by diving right into the politics of information security. Whereas offensive politics pertains to which system to hit, defensive politics revolves around money, prioritization of assets, and departmental strategy. Tech currently being developed in the space favors offensive security, while the less sexy, defensive side is being neglected. Our big takeaway? People and organizations who are truly innovating and doing more in the defensive security space need to step up and provide leadership and guidance.
Next up was Parisa Tabriz, the infamous “Security Princess” and a Director of Engineering at Google. She recommends taking more of a macro look at your security program and not getting bogged down in the details. How? Tackle root causes. Pursue long-term projects with mindfulness and intention. And build out a coalition of champions outside of your security program. She also shared some details about Google Project Zero, which has discovered more than 1400 zero-day vulnerabilities since 2014. This work has been instrumental in increasing the cost of a zero-day, and in making the world more secure. In addition to making vulnerabilities more expensive, they pioneered the 90-day disclosure policy (under which the details of a vulnerability must be disclosed to the public within 90 days).
Zero Trust networks have been all the rage lately, promising this security panacea we’ve all been waiting for.
David Weston’s brief, “ZEROing Trust: Do Zero Trust Approaches Deliver Real Security?” provided an attacker’s view of the Zero Trust model. Ultimately, his conclusion is that theoretically, the Zero Trust model is sound. But current technical capabilities – specifically, device authentication – contain pitfalls that could be leveraged by attackers in order to bypass existing controls.
We highly recommend looking more into Zero Trust as a great launchpad for new ideas and technology. If you’re interested, you can start right here with Google’s BeyondCorp model.
Time for a shameless plug for our own Arsenal presentation!
hideNsneak is an attack obfuscation framework that helps penetration testers work more efficiently. Exhausted by the process of managing large amounts of ephemeral infrastructure, we built a tool that automates the deployment, destruction, and management of cloud infrastructure. hideNsneak can cut a process down from a couple of hours to a few minutes. At a high level, hideNsneak acts as a wrapper around Terraform and Ansible, and is written in Go.
Black Hat blew our minds with some truly amazing development and research content, but the real highlight for us was meeting the biggest players in the industry — in person.
It’s no secret that the InfoSec community is in dire need of more diverse representation. I (Michelle) was thrilled to meet with Cheryl Biswas, Co-Founder of the Diana Initiative, which is a conference that brings together women in cybersecurity. While the conference first kicked off in Las Vegas last year, it’s already creating a buzz in the InfoSec community. Backed by companies like Google and Uber, the Diana Initiative aims to encourage diversity and support women in cybersecurity. And that’s awesome.
Mike Hodges joined Red Ventures this month (!) as a Senior Security Engineer. He has an alphabet soup of certifications: OSCP, CISSP, and CEH. If that means nothing to you — he’s a white hat hacker. On the side, Mike loves to roll in Brazilian Jiu Jitsu.