JCDC participants will come together to formulate mature cyber defense plans.

Edward Gately, Senior News Editor

August 6, 2021

CISA's Jen Easterly at Black Hat 2021

BLACK HAT USA — The new director of the Cybersecurity and Infrastructure Security Agency (CISA) invited Black Hat attendees to join in a public-private collaboration to fight cybercrime.

Jen Easterly began serving as the new CISA director just weeks ago. She said she plans to build on the work accomplished by Chris Krebs, who founded the agency.

During her keynote, the CISA director announced the launch of the Joint Cyber Defense Collaborative (JCDC). It brings together the public and private sectors to build cyber defense plans before attacks occur.

It will foster collaboration between federal agencies, private companies, and state and local governments before, rather than after, attacks have occurred, the CISA director said.

Private-Sector Participants

The initial set of private-sector participants includes CrowdStrike, Palo Alto Networks, FireEye, Google, Microsoft, Amazon Web Services (AWS), AT&T, Verizon and Lumen.

The goal is to come together to formulate mature cyber defense plans, Easterly said.

Specifically, the JCDC will:

  • Design and implement comprehensive, whole-of-nation cyber defense plans to address risks and facilitate coordinated action.

  • Share insight to shape joint understanding of challenges and opportunities for cyber defense.

  • Implement coordinated defensive cyber operations to prevent and reduce impacts of cyber intrusions.

  • Support joint exercises to improve cyber defense operations.

CISA Director Says Federal Agencies Have a Lot to Contribute

The CISA director said federal agencies like the Department of Energy, the Treasury Department and the Department of Transportation have a lot of expertise to offer JCDC in its planning efforts.

JCDC’s first areas of focus will be ransomware and cyberattacks on cloud providers.

“If you’re interested in joining us, we encourage you,” Easterly said. “My goal is to breathe new life into … public-private operational collaboration.”

Roger Grimes is KnowBe4’s data-driven defense evangelist. He said JCDC is “fantastic news,” and applauded the CISA director and the agency.

KnowBe4’s Roger Grimes

“Microsoft has fantastic, firsthand experience about the issues and attacks their users are facing,” he said. “They can use their data to put the right solutions in the right places in the right amounts against the right things. Anything these businesses can contribute to improve our defenses is wanted.”

Deep Instinct Discovers Malware in Microsoft Office

Deep Instinct has unveiled data exploring how the Excel 4.0 macro (XL4) legacy scripting language in Microsoft Office has been the vehicle for a recent rise in malware delivery.

Robert Boudreaux is field CTO at Deep Instinct.

Deep Instinct’s Robert Boudreaux

“It’s not a new attack, but it’s become a very popular attack,” he said. “The principle is very simple. You’ve got vulnerabilities in the code or you’ve got legitimate calls for business functions. The paradigm is determining what is malicious and what is not legitimate. There are two approaches you can take. One is a detection, and EDRs do it really well. They look at all the parent-child process relations. They look at the code within the scripts and determine mostly based on rules that it’s a legitimate or not a legitimate function. A lot of that is going to be recursive, meaning it’s already happened, you have patient zero and then you can stop it from there once you know about it.”

Microsoft is popular among cybercriminals because it has one of the largest install bases in the world, Boudreaux said. And Office, whether on-premises or Office 365, has controlled the market.

“Office is a very popular medium, a very adopted platform and is built into a lot of business operations today,” he said. “So that’s why it’s popular. If you’re an attacker, you’re going to try to get your word out as best you can, so you want to hit something that’s very common. The other piece is how it interacts with the operating system. You don’t have to go through compromising the machine and then elevating your permissions. You already have system access when you’re exploiting these.”

Double Exploitation Possible

By exploiting the machine, “you can then do whatever you want,” Boudreaux said.

“You have an interactive shell in most cases and you can then do whatever you want to the system,” he said. “If you look at the business of malware, compromising the machine is the first target, and then you want to do recon, lateral movement. You want to find out what’s on the machine, or sometimes you know what’s on the machine; you’re just trying to find a way to get to it. But when you have system-level access, you can do anything you want to that machine. And if you’re able to establish persistence, even if the machine reboots, you can still do whatever you want to that machine.”

In addition, one of the things attackers can do with that access is dump the credentials, Boudreaux said.

“And when you look at some of the more recent attacks, there’s the double extortion of, ‘First I’m going to exfiltrate your data and then you’re going to pay the ransom,’” he said. “‘And then I’m going to come back a couple months later and say I still have your data; if you don’t want me to leak that, pay me some more money.’”

Showcase for Cybersecurity Startups

Usually Black Hat is dominated by all the major cybersecurity vendors, with the smaller companies and startups off to the side. But thanks to COVID-19, many of the major vendors elected not to attend and didn’t erect massive booths in the expansive business hall.

Randy Watkins is CriticalStart’s CTO. He said a lot of the security staples weren’t represented in the business hall or personally because they pulled out at the last minute.

Critical Start’s Randy Watkins

“If we look at the technology buzz, down on the floor it’s pretty much CrowdStrike and SentinelOne, and the startups,” he said. “So even the startups have big booths now. So you have folks like Noname that have a massive booth in the middle of the floor, and I thought, that’s kind of cool. If you look at the problems that these startups are solving, you have API security that’s coming to the forefront; you have email security, which is perpetually being solved; you have a lot of identity solutions, and then you have a lot of attack surface management. So there are staples that don’t go away.”

Email Threat Protection Hot

The year before last, it was all about getting rid of passwords; now, we’re seeing better prevention around email, Watkins said.

“There are a couple of cool techs [on the business hall floor], and I think with the lack of super large players that are typically eating the entire floor, I think there’s a little bit more spotlight to go around to some of these earlier ones for the folks who actually attended,” he said. “CriticalStart has always prided itself on representing bleeding-edge technologies to our customers and I’m always happy to see startups get the attention that they deserve because there’s a lot of good ideas down on the floor that will get acquired, and nobody will ever hear about it. But when they have a premium booth at Black Hat, they get exposure to CISOs that otherwise wouldn’t be walking around the innovative floor.”

CriticalStart is seeing a lot of its partners struggle to keep up with their clients’ demands and making sure they’re operationalizing the technology they’re buying, Watkins said.

“We’re seeing that problem where industries are saying, ‘We need solutions for this, we need to stop ransomware, we need to stop [incidents like the] Kaseya [VSA attack], we need to stop [attacks such as those on] SolarWinds and Sunburst, and all of those things,” he said. “All of that requires some level of technology, but they’re buying the technology faster than they’re operationalizing it. So we know a lot of partners that are struggling to help the customers operationalize it, and they’re starting to look more toward service providers like CriticalStart to offer expertise, that headcount and offload the risk of just more shelfware.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
