Research Reflections from Black Hat 2015
Members of SecurityScorecard’s R&D Team Attended Black Hat USA 2015
The following post includes reflections and impressions from Black Hat USA 2015 by two security researchers, John Mullins and Greg Lindor, who work on SecurityScorecard’s Research & Development team. This team is led by Head of Threat Intelligence, Marcello Duarte, who manages and advises a team of eight incredibly experienced researchers with deep security DNA.
BlackHat Impressions from John Mullins
This was my first time at Black Hat officially, but I had been to Def Con a few times with friends and attended Hack Miami this year. I can say easily that this is the biggest event with the coolest talks I’ve been to… While it is full of security experts, I still feel pretty safe switching off airplane mode on my iPhone to make the occasional call or check my email.
People are here because they want to learn. On a side note, I’ve met more Python users in five days then I have in my entire life. We need more polyglot developers in the security industry.
The three biggest trends I saw were threat intelligence, Android exploitation, and malware threats. Most vendors here seem to be providing products for detection and remediation of malware. I’m also an Apple guy, so I had zero interest in the Android talks.
Threat intelligence is a very big current trend. There was a briefing almost every hour to talk about it. Much of the focus was on the concepts and problems surrounding sharing threat feeds. Some feeds are good, some are bad. There are approaches to determine which is good and which is bad.
SecurityScorecard does not have the same problems as most organizations because we create our own high-quality threat intelligence feeds ourselves. I only came across one vendor that focused on how to make your own threat feeds, and I took a training course on this as well. I’m happy to report we are going above and beyond what the industry is apparently up to. We have unique datasets that I simply did not find from other vendors.
In terms of interesting, strange, or unique, it goes without saying that the talk on “Remote Exploitation of a Unaltered Passenger Vehicle” by Charlie Miller and Chris Valasek was a highlight for me. Not only was it an entertaining insight into one of the years largest hacker-based changes made to the world, but it was a sobering reminder to never say: “Oh, my product is unhackable.”
When there is a will, there is a way. Hackers will always find a way.
Another great talk I attended was “Writing Bad @$$ Malware for OS X” by Patrick Wardle which showed that Apple products are not hacker proof. Recent Apple malware has been amateur at best, but once malware development for Apple has been looked upon with the same eyes as sophisticated Windows malware developers, we are going to see how fragile things really are… The speaker showed that all modern OS X security software could be easily bypassed with a few tricks, and ended his talk showing a proof of concept exploit against the next version of OS X (el capitan) which happens to boast its security features.
John Mullins is a Senior Threat Intelligence Developer who has been in the security industry for over 11 years. Mullins has worked with encryption products for the U.S. military, commercial malware/anti-virus products for analysts and customers, and threat intelligence for SecurityScorecard.
Black Hat Validates Our Approach: Applying Data Science Techniques to Define Our Data, Using ML (Machine Learning) to Predict Future Trends
BlackHat Impressions from Greg Lindor:
So this is my first ever attendance to Black Hat, so I could have some ‘newcomer’ bias. The trend right now is most-certainly threat intelligence data; It is not just about being able to gather the data, but in how to use the data in a smarter way. The vision we are seeing here at SecurityScorecard definitely coincides with the industry’s direction, such as applying data science techniques to define our data and using ML (Machine Learning) to predict future trends based on current data. As John mentioned, it is great to see that we are in fact pioneers here in creating our own data sets. It seems that the industry is sufficiently filled with the threat feeds that are circulating today and do not feel the need to create their own, so everyone is using everyone else’s data regardless of whether the data is useful or not.
As for threat intelligence and malware, there were some interesting talks about consuming and analyzing malware data at mass and analysis of graphical images embedded in malware. These are problems we are attacking here at SecurityScorecard’s R&D with improving levels of success. Malware analysis at scale poses several different challenges, and the best way to approach it is to solve each small problem at a time, eventually leading to a smarter system capable of giving us the information we need.
SecurityScorecard is in a great position. We are building our own datasets, and are applying our own algorithms to this data to make it useful and predictable. We are becoming an entirely in-house dataset company.
I was also impressed with the talk on the vehicle hacking. It certainly shows us that security is not just a topic for networks and PCs, but to any device or appliance that has connectivity. Hacking vehicles is something you’d expect in the far future, but we are here today, and it’s time to impose the same security standards across all industries. We need to be thinking: “If you want to connect your device to the Internet, you better think security first”.
One thing I noticed, however is the lack of talks about containers. No doubt this is a fairly new playing field for most but as things like Docker continue to gain traction, we should see more and more interest in their security risks. According to CVE database, there are only nine total CVE’s for Docker to date. None of these seem to affect the current version. So while they are doing pretty well, it could just be a side effect of a lack of auditing (as is the case with OSX malware and antivirus).
Greg Lindor is a Lead Malware Analyst with SecurityScorecard for about 8 months now, prior to that Lindor worked at Prolexic/Akamai as a Malware Analyst/Security Researcher. Lindor loves everything security and has been reverse engineering code for almost 10 years as a hobby.
SecurityScorecard is hiring for threat intelligence research and many other positions!