• At Black Hat 2022, more than 300 cybersecurity vendors exhibited, and a majority of new product announcements were focused on API security.
• A separate session on SAP’s proprietary HTTP server revealed how attackers might exploit two memory corruption vulnerabilities utilizing high-level protocol exploitation techniques.

The blast radius of cyberattacks on businesses is anticipated to expand, penetrating many layers into software supply chains, DevOps, and tech stacks. Black Hat 2022’s presentations and announcements for enterprise security offer a grim look at how business tech stacks are at risk of more complex and destructive cyberattacks. Black Hat’s reputation for investigative study and reporting large-scale security vulnerabilities, holes, and breaches is unrivalled in cybersecurity. The event was held last week in Las Vegas and is in its 25th straight year.

The more complex the tech stack and the more it relies on implicit trust, the greater the chance of it getting hacked. This was one of the messages conveyed by Chris Krebs, the former and founding director of the US Cybersecurity and Infrastructure Security Agency (CISA), who spoke at the Black Hat 2022 conference last week. He added that overly complicated tech stacks create additional attack surfaces for attackers to probe and exploit.

Krebs also stressed the importance of software supply chain security, explaining that corporations and international governments are not doing enough to prevent another assault of SolarWinds’ magnitude.

Chris Krebs, former and founding director of the US Cybersecurity and Infrastructure Security Agency (CISA), said, “Cybercriminals understand the dependencies and the trust connections we have on our software services and technology providers, and they’re working up the ladder through the supply chain.”

In addition, eliminating implicit trust is a prerequisite for mitigating supply chain threats, an aspect emphasized by Krebs throughout his presentation.

Reducing enterprise security’s blast radius

Infrastructure, DevOps, and enterprise software vulnerabilities uncovered by researchers made it worthwhile to attend specific talks. Moreover, strengthening Identity and Access Management (IAM) and Privileged Access Management (PAM), preventing ransomware attacks, reducing Azure Active Directory (AD) and SAP HTTP server attacks, and securing software supply chains dominated the enterprise sessions.

Continuous integration and continuous delivery (CI/CD) pipelines are software supply chains’ most vulnerable attack surfaces. CI/CD software pipelines are still susceptible to hacking despite the best efforts of many firms to include cybersecurity in their DevOps procedures.

Several conference presentations examined how cybercriminals can compromise software supply chains utilizing Remote Code Execution (RCE) and corrupted code repositories. One session, in particular, explored how sophisticated hackers could use code-signing to impersonate DevOps team members.

As cybercriminals’ skills improve, tech stacks are also becoming a prime target. One presentation on how Azure AD user accounts might be backdoored and hijacked by exploiting external identity ties to evade Multi-factor Authentication (MFA) and conditional access controls illustrated how businesses can lose control of a core part of their tech stack in minutes.

A separate session on SAP’s proprietary HTTP server revealed how attackers might exploit two memory corruption vulnerabilities utilizing high-level protocol exploitation techniques.

Unauthenticated attackers might remotely exploit CVE-2022-22536 and CVE-2022-22532 to compromise any SAP installation.

Malware attacks continue to increase throughout businesses, with the ability to overcome technology stacks that rely on implicit trust and to disable infrastructure and networks. An interesting field of study is the use of Machine Learning (ML) with advanced classification algorithms to identify future malware threats and stop them before they cause damage.

Dmitrijs Trizna, a security software engineer at Microsoft, shared, “AI (artificial intelligence) is not magic; it’s not the silver bullet that will solve all your (malware) problems or replace you. It’s a tool that you need to understand how it works and the power underneath. So don’t discard it completely; see it as a tool.”

Trizna makes the ML code for the models he’s developing available on GitHub.

AI, API, and supply chain security are priorities for cybersecurity vendors

At Black Hat 2022, more than 300 cybersecurity vendors exhibited, and a majority of new product announcements were focused on API security and how to safeguard software supply chains. Moreover, CrowdStrike’s disclosure of the first-ever AI-based Indicators of Attack (IOAs) demonstrates how quickly cybersecurity companies are evolving platform tactics based on AI and ML advancements.

AI-powered IOAs are a first for CrowdStrike

CrowdStrike’s AI-based IOAs unveiled at Black Hat combine cloud-native ML with human knowledge, a process launched by CrowdStrike more than a decade ago. As a result, IOAs have successfully identified and stopped breaches based on actual adversary behavior, no matter the malware or exploit used in the attack.

AI-powered IOAs use cloud-native ML models trained using CrowdStrike Security Cloud telemetry data and the expertise from the firm’s threat-hunting teams. AI and ML are used to analyze IOAs at machine speed, offering accuracy, speed, and scale to combat intrusions.

Amol Kulkarni, chief product and engineering officer at CrowdStrike, said, “CrowdStrike leads the way in stopping the most sophisticated attacks with our industry-leading indicators of attack capability, which revolutionized how security teams prevent threats based on adversary behavior, not easily changed indicators. Now, we are changing the game again with the addition of AI-powered indicators of attack, which enable organizations to harness the power of the CrowdStrike Security Cloud to examine adversary behavior at machine speed and scale to stop breaches in the most effective way possible.”

Over 20 never-before-seen adversary patterns have been found by AI-powered IOAs, which specialists have validated and implemented on the Falcon platform for automated detection and prevention.

Lou Lwin, CIO at Cundall, a leading engineering consultancy, said, “Using CrowdStrike sets Cundall apart as one of the more progressive organizations in an industry that typically lags behind other sectors in IT and cybersecurity adoption. Today, attacks are becoming more sophisticated, and if they are machine-based attacks, there is no way an operator can keep up. The threat landscape is ever-changing. So, you need machine-based defences and a partner that understands security is not ‘one and done.’ It is evolving all the time.”

CrowdStrike presented AI-powered IOA use cases, including post-exploitation payload detections and PowerShell IOAs that identify malicious behaviors and scripts by utilizing AI.
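The distinction the section draws, behaviour-based indicators of attack versus "easily changed" indicators such as file hashes, is easier to see in code. The following is an added illustration, not CrowdStrike's code or model: it runs a hash denylist and a small set of weighted behavioural rules over three constructed process-creation events (the hashes, command lines and rule weights are all made up for the example). The first event is a document reader launching a hidden, encoded PowerShell process, which no hash list can flag because the PowerShell binary itself is unmodified; the third is an already catalogued sample whose behaviour looks ordinary. Each detector catches what the other misses, which is why the two approaches complement rather than replace each other.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record from endpoint telemetry (constructed sample format)."""
    pid: int
    parent_image: str
    image: str
    cmdline: str
    sha256: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry: none of these hashes or command lines is real.
SAMPLE_EVENTS = [
    # A document reader launching a hidden, encoded PowerShell. The PowerShell
    # binary is unmodified, so its hash is unknown to any denylist.
    ProcessEvent(1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + "QUFB" * 9,  # placeholder base64
                 "0" * 64),
    # An administrator listing a directory from Explorer: benign.
    ProcessEvent(2, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users",
                 "0" * 64),
    # A previously catalogued sample run directly: only its hash gives it away.
    ProcessEvent(3, r"C:\Windows\explorer.exe",
                 r"C:\Users\Public\updater.exe",
                 "updater.exe",
                 "f" * 64),
]

# Constructed hash denylist: the classic indicator of compromise, defeated by any rebuild.
KNOWN_BAD_HASHES = {"f" * 64}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ioc_matches(events, bad_hashes):
    """Hash-based IoC matching: exact and cheap, but blind to any rebuilt binary."""
    return [e.pid for e in events if e.sha256 in bad_hashes]


# Behavioural rules as (name, weight, predicate). Each describes what the process
# does rather than what it is, so a recompiled or renamed tool still matches.
RULES = [
    ("office_spawns_shell", 60,
     lambda e: _basename(e.parent_image) in OFFICE_APPS and _basename(e.image) in SHELLS),
    ("encoded_powershell", 40,
     lambda e: _basename(e.image) == "powershell.exe"
     and re.search(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", e.cmdline) is not None),
    ("hidden_window", 20,
     lambda e: re.search(r"(?i)\s-w(?:indowstyle)?\s+hidden\b", e.cmdline) is not None),
]


def ioa_score(event):
    """Sum the weights of every behavioural rule the event satisfies."""
    fired = [name for name, _, pred in RULES if pred(event)]
    score = sum(w for name, w, _ in RULES if name in fired)
    return score, fired


def detect(events, threshold=50):
    """Return (pid, score, fired_rules) for every event at or above the threshold."""
    hits = []
    for e in events:
        score, fired = ioa_score(e)
        if score >= threshold:
            hits.append((e.pid, score, fired))
    return hits


if __name__ == "__main__":
    print("IoC (hash) hits:", ioc_matches(SAMPLE_EVENTS, KNOWN_BAD_HASHES))
    print("IoA (behaviour) hits:", detect(SAMPLE_EVENTS))
```

The weights and threshold are the tunable part: a production system would learn them from telemetry, which is where the ML the section describes comes in, but the structure (rules over observed behaviour, summed into a score) is the same.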

Preventing supply-chain attacks

Of the more than 300 vendors at the event, most of those with CI/CD, DevOps, or zero-trust solutions advertised ways to stop supply chain threats. It was Black Hat’s most buzzed-about vendor theme. Software supply chain risks have become so grave that the National Institute of Standards and Technology (NIST) is upgrading existing standards, particularly NIST SP 1800-34, to focus on supply chain security systems and components.

Cycode, a supply-chain security specialist, announced the addition of static application security testing (SAST) and container scanning to its platform and introduced software composition analysis (SCA).

Veracode, recognized for its security testing solutions, added new features to its Continuous Software Security Platform, including a software bill of materials (SBOM) API and support for PHP Symfony, Rails 7.0, and Ruby 3.x.
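An SBOM only reduces supply chain risk if something in the pipeline actually checks it. The following is an added example, not Veracode's or Cycode's code and not the output of any vendor's SBOM API: it parses a constructed CycloneDX-shaped document (only the `components`, `purl` and `hashes` fields are read; the package names and digests are made up) and compares each component against an allowlist of reviewed purls with pinned SHA-256 digests. Anything unapproved, unhashed, or carrying a digest that differs from the pinned one blocks the release, which is the "no implicit trust" stance Krebs argued for applied to the build.

```python
import json

# Constructed CycloneDX-shaped SBOM containing only the fields this check reads.
# A real SBOM would come from the build tool or a vendor SBOM API.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "urllib3", "version": "1.26.11",
         "purl": "pkg:pypi/urllib3@1.26.11",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "idna", "version": "3.3",
         "purl": "pkg:pypi/idna@3.3"},                      # no hashes recorded
        {"type": "library", "name": "leftpad-helper", "version": "0.0.1",
         "purl": "pkg:pypi/leftpad-helper@0.0.1",           # never reviewed
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},
    ],
})

# Constructed allowlist: purl -> SHA-256 digest that was reviewed and pinned.
APPROVED = {
    "pkg:pypi/requests@2.28.1": "a" * 64,
    "pkg:pypi/urllib3@1.26.11": "d" * 64,   # pinned digest differs from the SBOM
    "pkg:pypi/idna@3.3": "e" * 64,
}


def _sha256_of(component):
    """Return the component's SHA-256 digest (lower-case hex) or None."""
    for h in component.get("hashes", []):
        if h.get("alg", "").upper() == "SHA-256":
            return h["content"].lower()
    return None


def verify_sbom(sbom_json, approved):
    """Classify every component as ok, hash_mismatch, missing_hash or unapproved."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    report = {"ok": [], "hash_mismatch": [], "missing_hash": [], "unapproved": []}
    for c in bom.get("components", []):
        purl = c.get("purl") or f"{c.get('name')}@{c.get('version')}"
        digest = _sha256_of(c)
        if purl not in approved:
            report["unapproved"].append(purl)
        elif digest is None:
            report["missing_hash"].append(purl)       # cannot verify, so do not trust
        elif digest != approved[purl].lower():
            report["hash_mismatch"].append(purl)      # same name, different bytes
        else:
            report["ok"].append(purl)
    return report


def release_allowed(report):
    """Fail closed: any finding other than 'ok' blocks the release."""
    return not (report["hash_mismatch"] or report["missing_hash"] or report["unapproved"])


if __name__ == "__main__":
    r = verify_sbom(SBOM_JSON, APPROVED)
    print(r)
    print("release allowed:", release_allowed(r))
```

The gate runs in CI after the SBOM is generated and before the artifact is published; the allowlist itself lives in version control so that changes to it are reviewed like code.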

OCSF meets an enterprise security need

The most common concern among Chief Information Security Officers (CISOs) regarding Endpoint Detection and Response (EDR), endpoint management, and security monitoring platforms is the lack of a common standard for raising alerts across platforms. The Open Cybersecurity Schema Framework (OCSF) initiative is the result of collaboration between 18 of the industry’s top security providers. The project comprises an open specification that standardises security telemetry across various security devices and services. There are also open-source technologies available to facilitate and expedite OCSF schema adoption.

AWS and Splunk are cofounders of the Open Cybersecurity Schema Framework (OCSF), with backing from CrowdStrike, Palo Alto Networks, IBM Security, and others. The objective is to continuously develop new products and services that support the OCSF specification, allowing for the standardization of alerts from cyber monitoring tools, network loggers, and other applications to simplify and accelerate the analysis of such data.
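What a shared schema buys an analyst is shown by the added example below. It is an illustration written for this page, not OCSF reference code: the two raw inputs are constructed (an EDR alert as JSON and a firewall event as a key=value line, neither from a real product), and the common record uses field names loosely modelled on OCSF conventions (`class_name`, `time`, `severity_id`, `metadata.product`) with an illustrative 1 to 5 severity scale rather than OCSF's registered enumerations. Once both sources are normalised, a single query answers "which hosts have a high-severity event" without per-vendor parsing.

```python
import json
from datetime import datetime

# Constructed raw events in two vendor-specific shapes (not real product output).
EDR_ALERT_JSON = json.dumps({
    "alertId": "A-1001",
    "detectTime": "2022-08-12T10:15:01+00:00",
    "severity": "High",
    "hostname": "ws-finance-07",
    "user": "jdoe",
    "processName": "powershell.exe",
    "description": "Suspicious encoded command line",
})
FIREWALL_KV_LINE = ("ts=1660299420 sev=7 host=fw-edge-1 src=10.1.20.55 "
                    "dst=203.0.113.9 dport=443 action=block rule=deny-c2-list")

# Common severity scale for this example: 1 low .. 5 critical. OCSF defines its own
# severity_id enumeration; these mappings are illustrative only.
_EDR_SEVERITY = {"Informational": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def _fw_severity(n: int) -> int:
    """Fold the firewall's 0..10 scale into the 1..5 common scale."""
    return max(1, min(5, (n + 1) // 2))


def normalize_edr(raw: str) -> dict:
    """Map the EDR vendor's JSON alert onto the common record."""
    a = json.loads(raw)
    t = datetime.fromisoformat(a["detectTime"])          # timezone-aware ISO 8601
    return {
        "class_name": "process_activity",
        "time": int(t.timestamp() * 1000),               # epoch milliseconds
        "severity_id": _EDR_SEVERITY[a["severity"]],
        "device": {"hostname": a["hostname"]},
        "actor": {"user": a["user"], "process": a["processName"]},
        "message": a["description"],
        "metadata": {"product": "edr-vendor-a", "original_id": a["alertId"]},
    }


def _parse_kv(line: str) -> dict:
    return dict(tok.split("=", 1) for tok in line.split())


def normalize_fw(line: str) -> dict:
    """Map the firewall vendor's key=value line onto the common record."""
    f = _parse_kv(line)
    return {
        "class_name": "network_activity",
        "time": int(f["ts"]) * 1000,
        "severity_id": _fw_severity(int(f["sev"])),
        "device": {"hostname": f["host"]},
        "src_endpoint": {"ip": f["src"]},
        "dst_endpoint": {"ip": f["dst"], "port": int(f["dport"])},
        "action": f["action"],
        "message": f"rule {f['rule']} {f['action']}ed traffic",
        "metadata": {"product": "fw-vendor-b", "original_id": None},
    }


def normalize_all(edr_alerts, fw_lines):
    """Normalise every source and merge into one timeline."""
    records = [normalize_edr(r) for r in edr_alerts] + [normalize_fw(l) for l in fw_lines]
    return sorted(records, key=lambda r: r["time"])


def hosts_with_severity_at_least(records, min_id):
    """One query across every tool, possible only because the fields line up."""
    return sorted({r["device"]["hostname"] for r in records if r["severity_id"] >= min_id})


if __name__ == "__main__":
    timeline = normalize_all([EDR_ALERT_JSON], [FIREWALL_KV_LINE])
    for rec in timeline:
        print(rec["time"], rec["class_name"], rec["severity_id"], rec["device"]["hostname"])
    print(hosts_with_severity_at_least(timeline, 4))
```

The per-vendor functions are the only place product-specific knowledge lives; everything downstream (correlation, dashboards, detection content) is written once against the common record, which is the cost saving the section attributes to OCSF.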

Michael Sentonas, chief technology officer, CrowdStrike, said, “At CrowdStrike, our mission is to stop breaches and power productivity for organizations. We believe strongly in the concept of a shared data schema, which enables organizations to understand and digest all data, streamline their security operations, and lower risk. As a member of the OCSF, CrowdStrike is committed to doing the hard work to deliver solutions that organizations need to stay ahead of adversaries.”