Black Hat USA Day 2: Cybersecurity Community Can Help with National Security Policy

BLACK HAT USA — During day two of Black Hat USA, the acting national cybersecurity director called on the cybersecurity community to help with drafting policies to prevent and fight cyber crime.

During her keynote talk with Jason Healey, senior research scholar at Columbia University, Acting National Cyber Director Kemba Walden (pictured with Healey above) discussed the National Cybersecurity Strategy and workforce efforts. Last month, the Biden-Harris Administration released its National Cybersecurity Strategy Implementation Plan.

The plan calls for two shifts in how the United States allocates roles, responsibilities and resources in cyberspace:

Also last month, the administration released the National Cyber Workforce and Education Strategy (NCWES), with the goal of reducing cyber workforce gaps, encouraging individuals to enter the cyber workforce, and improving diversity across the country via federal collaboration and public-private partnerships.

What’s Different About Latest National Security Strategy

Walden said the national cybersecurity strategy illustrates “what we want the internet to be, what we want the digital economy to look like.”

“We want to purchase and procure great innovative technologies,” she said. “These are our affirmative actions. But we do have to be clear about the rules, what the rules are and what the protocols are. That’s what we’re aiming to do. We have cybersecurity technology protocols, rules and people. But we have to put the rules in place in order to make this go in the right direction.”

It’s now been 25 years since the White House launched its initial national cybersecurity strategy. Walden talked about why this latest version is different.

“We are very clear and we are affirmatively thinking through what we want our digital ecosystem to look like,” she said. “And we made a very clear, intentional statement that we want it to be more defensible, we want it to be more resilient, and we want it to be aligned with our values. And I’ve been focused on the values piece.”

There has been some great progress; however, “what we’ve noticed is that we’ve allowed cybersecurity to devolve to those that are least capable,” Walden said.

“I love my kids,” she said. “They like Minecraft, like most kids do. Pick your game. On my computer, they could click on something nefarious that could literally cause a national security problem. That’s scary to me as a mom, but that’s what’s wrong. It’s not effective. We need to try to figure out what our policy solutions are to rebalance that responsibility, to make sure that those that are more capable … have the opportunity to bring it down, to buy it down. I’m talking producers. I’m talking cloud service providers, large companies, even not-so-large companies, but that really are key to our technology. I’m talking about federal government. Those of us that are more capable should be able to buy down cybersecurity risk.”

Cyber Resilience Key

We’re never going to get down to zero risk, Walden said.

“You don’t get to zero. You can try, but you have to make sure that when there is a cybersecurity attack, when there is a cybersecurity event, that downtimes are minimal, that uptimes are swept up and that cyber space is resilient,” she said. “So we have to invest in resilience of cyber space, not just in the technology.”

There are 27 objectives all across five pillars in the national cybersecurity strategy, Walden said.

“It has to be wonky,” she said. “It is from Washington, so you have all the bits and pieces. But that’s really what we’re after. We’re after making sure that we have a …

… digital ecosystem that’s defensible and resilient, and that we are the ones setting the agenda, that we’re not just constantly reacting to the bad guy.”

Input Welcome

The implementation plan is available online for the cybersecurity community to read and provide feedback, Walden said.

“I welcome input into how to make it work better,” she said. “You’ll see this is an evolving process. We’ll do an implementation version two probably in the spring so that we can update, we can iterate, we can make sure that we are getting the right actions at the right time with the right metrics.”

In terms of the cybersecurity workforce plan, Walden said there’s an urgent need for more workers in cybersecurity.

“It’s the urgent need to fill cyber jobs now; we’ve got that,” she said. “We know that … hundreds of thousands of cyber jobs are unfilled, and as a national security lawyer, that’s a national security problem in my mind. But then we realized really there’s an economic opportunity here. There are people out there in the world, in our communities, that have the right talent, the right skills, the right thinking skills to be able to contribute to cybersecurity, cyberspace. How do we bring them in? How do we bring them into the fold? So there’s an economic opportunity, too. We need to fill these roles. But then what’s the pipeline look like? What are we teaching our kids? How do we get our kids [where] they can do cybersecurity? They become integral into how we think about cybersecurity.”

Sophos Previews Upcoming Incident Response Report

Also at Black Hat USA, John Shier, field CTO at Sophos, gave a preview of his upcoming report on the first six months of incident response cases.

Sophos’ John Shier

“In that report, I look at all assets, all aspects of the attack chain, all aspects of the attacks, the actual real-world attacks and the victims that were breached, and we’re seeing that dwell time is continuing to drop, he said. “Well, it is and it isn’t OK. So I think the reason it’s dropping is in part because of good reasons, because people are getting better at proactively monitoring their environments. They’re deploying the tools that give them visibility and telemetry that allow them to do that. And so that time to detect is coming down.”

However, the bad news is more capable gangs and the more well-resourced threat actors out there are able to tweak their operations and their playbooks to go faster, Shier said.

“So if I know you’re watching more intently, then I’m going to make sure that I can get in and get out before you have a chance to react,” he said. “The median dwell time was 10 days in the first half of 2022, and this year it’s gone down to eight days. But for ransomware specifically, it’s gone from nine days in 2022 to five days in the first half of this year. So that’s not to say that it’ll stay there because in the last half of the year, we might see a rise or it might level out.  But ransomware specifically, I think the operators behind the ransomware gang or ransomware payloads know this. I think they’re moving faster and I think that they are doing that expressly to get around some of the good that we’ve been doing.”

Among other trends in the upcoming Sophos report, many attacks are happening off hours, Shier said.

“If you’re a 24/5 security operations center, you’re going to miss it,” he said. “So 24/7/365 really is the way to go. It’s just it’s not an option anymore. You have to be constantly watching and monitoring, and you have to have the capabilities to monitor and watch, and be able to respond. Beyond that, we saw compromised credentials actually …

… flipped. So for the last three reports, exploiting vulnerabilities was the top and compromised credentials was second. This year for this reporting period, they flipped.”

Trend Micro Illustrates Real Attack, Incident Response

Eric Skinner, Trend Micro‘s vice president of market strategy, led a Black Hat 2023 session that showed a real incident from Trend Micro’s incident response team.

Trend Micro’s Eric Skinner

“We wanted to pick something recent and we wanted to pick something that was fresh in the sense of showing off new techniques, because at the end of the day, a lot of these ransomware incidents, they’re still using the same techniques over and over again,” he said. “But one of the shifts that the incident response team has seen is that increasingly attackers are avoiding using malware. Instead, what they’re doing is using built-in tools in Windows, not just PowerShell, but other networking tools or management tools like WMIC and things like this. And that evades suspicion because IT would use those same tools and they’re also abusing legitimate tools that they may download and install. So something that an IT organization might be using like a remote desktop client or a fast copying product or things like this. So from start to finish, this attack is not using any malware. And yet companies need to be able to detect and defend against that. And we showed how you can do that, too.”

Before the data was encrypted in the customer’s environment, the managed detection and response (MDR) team found the attacker and terminated their presence, Skinner said.

This whole attack took 31 minutes, so attackers are definitely moving faster, but aggressive monitoring does help, he said.

CrowdSec Launches Revamped Partner Program at Black Hat

Also during Black Hat USA, CrowdSec, an open source and collaborative cybersecurity company, announced the launch of its revamped partner program, which aims to accelerate collective security and partner growth worldwide, while also giving partners access to the world’s largest threat intelligence network.

CrowdSec is looking for MSPs, resellers and technical partners to join the program.

The CrowdSec Partner Program operates on three different tiers: silver, gold and platinum. Each partner receives free training and certification through the CrowdSec Academy, and will have the opportunity to grow through the tiers, which offer different business benefits, such as revenue sharing, dedicated training and exclusive access to product features. With a partner-first approach, CrowdSec’s primary goal is to elevate existing and future partners, and boost their revenue by providing them with comprehensive marketing resources, training and support.

“From the beginning of the company, CrowdSec has stood for collaboration,” said Andrea Hervier, CrowdSec’s head of global partner marketing. “We understand that in today’s rapidly evolving threat landscape, collaboration and strategic alliances are key to combating cyber risks effectively. Our global partners have the experience and knowledge to enhance the customer experience in their local market, as CrowdSec continues its rapid expansion.”