Observations from Black Hat Asia

Posted 18 May 2017 4:18 PM by Mark Bentkower



Your antivirus, anti-phishing and intrusion detection vendors all have their heads in the sand when it comes to data protection. And you need to protect yourself from their short sightedness!

That’s one of the big takeaways from last month’s Black Hat Asia conference in Singapore. And given last week’s unprecedented ransomware attack that affected more than 75,000 systems in 150-plus countries and counting, they were definitely on to something.

Black Hat is one of the two major 'hacker conventions' that happen in the professional IT world, and the only one of the two that offers shows in both North America and in Asia.

Like any IT convention, there are also corporate sponsors who help fund the event by setting up booths and hawking their wares; in this case, those wares are hardware and software solutions for intrusion detection and remediation, new generation antivirus solutions that offer machine learning and AI capabilities, and friendly front-ends for deep log analytics.

Which brings me back to your vendors having their heads in the sand on data protection. You see, unlike most convention attendees, professional hackers are willing to bite the hands that feed them. A lot of the breakout sessions talked about how the sponsoring vendors just outside of the ballroom were selling solutions that were only partially useful, if at all. And on the surface that’s kind of shocking behaviour.

But when you stop to think about it for a moment, maybe it isn’t so much – and maybe it’s time to think about what happens when all of our best efforts at border protection, antivirus, anti-phishing, behaviour analytics, etc. – fail. Because the vendors selling those technologies just don’t go there. They can’t. None of them want to raise that idea, and I didn’t see any of them talking about data protection or disaster recovery. They all live in a bubble where bad things won’t happen when you use their products.

Throughout the day, the hackers were showing these kinds of exploits:

  • Advanced email phishing with very clever social engineering - whereby emails could appear to be sent by a company officer from an internal corporate email server, with explicit instructions that a representative from an outside entity (such as a bank or accounting company) will be calling by telephone to receive sensitive financial or other similar information.
  • The ability to hollow out otherwise friendly system processes and fill them with malicious code, creating back doors that open up pathways for further malware. The idea here is that traditional antivirus software, which uses signatures to look for infected files, can be foiled because the infection now lives inside normal system processes whose on-disk files still have good checksums but which have become zombies.
  • IoT malware that exists in dynamic memory for mere moments, only for the purpose of opening a port, and then disappears. This is undetectable by traditional antivirus software, and the open port allows for scanning of files and possible planting of files that can be turned on at a later time for nefarious purposes.

These cat-and-mouse games have gone on in various forms for years and will continue to do so, but as they become more sophisticated and as the attacks happen with greater speed, the window in which we can react and protect ourselves becomes shorter and shorter.

The conversations we were hearing centered on both sandboxing data and nearline archiving data for the express purposes of creating smaller attack surfaces. Once you get past the idea that any one piece of technology is truly attack proof, then you can start to have conversations around real data classification and mapping specific pieces of data to business value.

In this era of big data, keeping all of the company assets exposed is extremely dangerous. We can’t responsibly expect to keep using the same antivirus, firewall and storage technologies from the last 20 years in a hyper-connected, cloud-enabled world and still maintain good data security against modern attack vectors. And we can’t expect to protect our data at the borders without fail; proper data classification, data protection and disaster recovery planning are more important today than ever.
