A Call to Action: Reflections on the Black Hat USA 2024 Keynote and Sessions
by William Toll on Aug 12, 2024 2:54:08 PM
The Elisity team was active at Black Hat 2024 in Las Vegas. Team members met with customers and prospective customers, attended sessions, joined interviews with the media, hosted a dinner (Tuesday), and hosted an after-hours networking reception (Wednesday). Several of us also met with integration partners in the business hall.
Black Hat Keynotes and Session Highlights
The recent CrowdStrike update mishap, and the resulting crash of over 8M Microsoft Windows endpoints, sent shockwaves through the global cybersecurity community. The incident was a stark reminder of the vulnerabilities that can exist within even the most well-managed systems and processes, and it took center stage at the opening keynote of Black Hat USA 2024 in Las Vegas.
The Global Wake-Up Call
The CrowdStrike incident sparked critical discussions among cybersecurity leaders from both sides of the Atlantic. Questions were raised about how a single vendor’s error could cause such widespread disruption and what this might mean for the security of essential democratic systems, such as elections. The consensus was clear: the cybersecurity community must act decisively to prevent similar events in the future.
Hans de Vries, COO of the European Union Agency for Cybersecurity, highlighted the lesson learned by cybercriminals from this incident. “Sadly, it was an interesting lesson for the bad guys. [They learned] it was one mechanism that started the entire process,” de Vries stated, pointing out the importance of understanding the implications of such a failure.
De Vries emphasized the significant impact of the incident, stating, “The impact was enormous. We have to be prepared for more of these types of cases. From a threat analyzing perspective, to supply chain attacks, and the multifaceted cooperation needed to address these issues are really the biggest challenges we face in the coming years.”
A Call for Responsible Software Development
Joining de Vries on stage were Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Felicity Oswald, OBE, CEO of the UK’s National Cyber Security Centre (NCSC). Easterly cautioned against dismissing the CrowdStrike incident as mere noise, highlighting its seriousness. She presented three key lessons drawn from the outage.
“It just reinforced what [CISA] has been saying about the importance of technology vendors developing, designing, testing, and deploying software that is secure by design,” Easterly remarked, stressing the critical role that secure software development plays in preventing such failures.
Her second point underscored the reliance on software and the need for it to function correctly. The incident’s varied impact across organizations exposed the disparity in cyber readiness: while some companies recovered quickly, others struggled despite available resources. Easterly concluded, “The big lesson… is a need for cyber resiliency.”
Resiliency as a Core Principle
Felicity Oswald echoed Easterly’s sentiments, emphasizing the universal importance of cyber resilience. “Resiliency is always going to be a buzzword in cybersecurity, and that's my job. But it's also the job of every public sector organization, private sector organization, big and small organization in our civil society,” Oswald stated, likening cybersecurity readiness to fundamental business practices like financial management and employee safety.
Adversaries are Watching
The panel discussion also explored broader concerns, particularly regarding supply chain vulnerabilities. Easterly expressed her concerns, stating, “What went through my mind was ‘Oh, this [outage] is exactly what China wants to do.’” She elaborated on the threat posed by Chinese hackers, particularly the group known as Volt Typhoon, who are believed to be embedded within critical infrastructure, not for espionage but to prepare for potential disruptive or destructive attacks.
Securing Democratic Processes
The panel also touched on the implications of such incidents for the integrity of election systems. The possibility that a single vendor’s error could cause global disruptions raised concerns about the potential impact on critical democratic processes, such as early voting.
Securing OT Systems
In another session, "Navigating OT Cybersecurity," Quentin Kantaris, Senior Solutions Engineer at TXOne Networks, shared some great insights on the paradigm shift that has occurred with OT threats. From 2018's VPNFilter to 2020's WastedLocker to 2023's attacks on Sony and Siemens Energy (MOVEit), Johnson Controls (Dark Angel), and ABB (Black Basta), the number and diversity of tactics and techniques continue to grow in OT environments.
Quentin highlighted that in a September 2023 survey of 405 CIO respondents, Frost & Sullivan found that 97% of organizations reported IT security incidents that also affected OT environments. He also described the current state of OT networks: they are no longer "air-gapped" but are now integrated with IT networks and typically not segmented, they are very difficult to patch, and third-party vendors consistently require remote access. He also referenced the growing number of regulations targeting OT networks, from NERC Reliability Standard CIP-003-9 to TSA SD-Pipeline-2021-01C (Enhancing Pipeline Cybersecurity) and NIST SP 800-171 Rev 2.
Quentin emphasized that implementing and managing a stronger OT security program has many challenges, including operational disruption, cost concerns, the perception of "low risk," and resource constraints. His advice centered on preventive countermeasures that include security technology and tools with an OT zero trust methodology, selecting the right partner for implementation, choosing an experienced incident response partner with OT expertise, and perhaps most importantly – focusing on breaking the silos between IT and OT teams. He stressed that having shared goals, respect, and a commitment to collaboration are key to improving the program.
Omdia Analyst Summit
In a separate day-long session, the analysts from Omdia shared insights from their research and surveys. Andrew Braunberg, Principal Analyst for SecOps, shared that "Security Control Buying Drivers" center on three factors – digital transformation and the compliance requirements it brings, new tools for new threats and threat actors, and the numerous frameworks that guide organizations to more mature security postures.
Ketaki Borade, Senior Analyst for Infrastructure Security, shared details of an Omdia survey that found 57% of organizations have between 21 and 50 "standalone security products currently deployed" in their organization. She highlighted that although there is much written about consolidating stacks and the growth of platforms, it's not happening in the real world. The primary reason given was that some solutions, often from startups, are "best-of-breed" and accomplish the goals of an organization in a far more cost-effective way.
Interview with Paul Roberts, Editor-in-Chief of The Security Ledger
William Toll, VP of Product Marketing at Elisity, interviewed Paul Roberts by the iconic Black Hat sign. The brief conversation covered the reasons for the acceleration of "Zero Trust Maturity" and the role that regulatory and government agencies are playing, and the outcomes they are having, with their increasingly prescriptive frameworks and architectural recommendations. Listen to the discussion.
Elisity Industry Chats from Reversing Labs
Conclusion
The Black Hat USA 2024 keynotes and sessions served as a powerful reminder of the ever-evolving challenges facing the cybersecurity community. The lessons drawn from the CrowdStrike incident underscore the need for ongoing vigilance, robust software development practices, and a commitment to resilience at every level. As the global landscape continues to shift, these principles will be vital in safeguarding not just our IT and OT systems but the very fabric of our societies.