Black Hat 2022 reveals enterprise security trends

The blast radius of cyberattacks on an enterprise is projected to keep growing, extending several layers deep into software supply chains, devops and tech stacks. Black Hat 2022’s presentations and announcements for enterprise security provide a sobering look at how enterprises’ tech stacks are at risk of more complex, devastating cyberattacks. Held last week in Las Vegas and in its 25^th consecutive year, Black Hat‘s reputation for investigative analysis and reporting large-scale security flaws, gaps and breaches are unparalleled in cybersecurity.

The more complex the tech stack and reliant on implicit trust, the more likely it is to get hacked. That’s one of several messages Chris Krebs, the former and founding director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), delivered in a keynote to the audience at the Black Hat 2022 conference last week. Krebs mentioned that weaknesses often start from building overly complex tech stacks that create more attack surfaces for cybercriminals to then attempt to exploit.

Krebs also emphasized how critical software supply chain security is, explaining that enterprises and global governments aren’t doing enough to stop another attack at the scale of SolarWinds.

“Companies that are shipping software products are shipping targets,” he told the keynote audience.

Cybercriminals “understand the dependencies and the trust connections we have on our software services and technology providers, and they’re working up the ladder through the supply chain,” Krebs added.

Additionally, eliminating implicit trust is table stakes for reducing supply chain attacks, a point Krebs alluded to throughout his keynote. 

Enterprise security: Reducing the growing blast radius 

Infrastructure, devops, and enterprise software vulnerabilities discovered by researchers made the enterprise-specific sessions worth attending. In addition, improving identity access management (IAM) and privileged access management (PAM), stopping ransomware attacks, reducing Azure Active Directory (AD) and SAP HTTP server attacks, and making software supply chains more secure dominated the enterprise sessions. 

Continuous integration and continuous delivery (CI/CD) pipelines are software supply chains’ most dangerous attack surfaces. Despite many organizations’ best efforts to integrate cybersecurity as a core part of their devops processes, CI/CD software pipelines are still hackable.

Several presentations at the conference explored how cybercriminals can hack into software supply chains using remote code execution (RCE) and infected code repositories. One session in particular focused on how advanced hackers could use code-signing to be indistinguishable from a devops team member. 

Another illustrated how hackers quickly use source code management (SCM) systems to achieve lateral movement and privilege escalation across an enterprise, infecting repositories and gaining access to software supply chains at scale.

Tech stacks are also becoming a more accessible target as cybercriminals’ skills increase. One presentation on how Azure AD user accounts can be backdoored and hijacked by exploiting external identity links to bypass multifactor authentication (MFA) and conditional access policies showed just how an enterprise can lose control of a core part of their tech stack in only minutes. 

A separate session on SAP’s proprietary HTTP server explained how cybercriminals could leverage two memory corruption vulnerabilities found in SAP’s HTTP server using high-level protocol exploitation techniques. CVE-2022-22536 and CVE-2022-22532 are remotely exploitable and could be used by unauthenticated attackers to compromise any SAP installation globally.

Malware attacks continue to escalate across enterprises, capable of bypassing tech stacks that rely on implicit trust and disabling infrastructure and networks. Using machine learning (ML) to identify potential malware attacks and thwart them before they happen using advanced classification techniques is a fascinating area of research. Malware Classification with Machine Learning Enhanced by Windows Kernel Emulation presented by Dmitrijs Trizna, security software engineer at Microsoft, provided a hybrid ML architecture that simultaneously utilizes static and dynamic malware analysis methodologies. 

During an interview prior to his session, Trizna explained that  “AI [artificial intelligence] is not magic, it’s not the silver bullet that will solve all your (malware) problems or replace you. It’s a tool that you need to understand how it works and the power underneath. So don’t discard it completely; see it as a tool.” Trizna makes ML code for the models he’s working on available on GitHub at Hybrid Machine Learning Model for Malware Detection based on Windows Kernel Emulation.  

Cybersecurity vendors double down on AI, API and supply chain security 

Over 300 cybersecurity vendors exhibited at Black Hat 2022, with most new product announcements concentrating on API security and how to secure software supply chains. In addition, CrowdStrike’s announcement of the first-ever AI-based indicators of attack (IOA) reflects how fast cybersecurity providers are maturing their platform strategies based on AI and ML advances. 

CrowdStrike’s announcement of AI-powered IOAs is an industry first

Their AI-based IOAs announced at Black Hat combine cloud-native ML and human expertise, a process invented by CrowdStrike more than a decade ago. As a result, IOAs have proven effective in identifying and stopping breaches based on actual adversary behavior, irrespective of the malware or exploit used in an attack.

AI-powered IOAs rely on cloud-native ML models trained using telemetry data from CrowdStrike Security Cloud, as well as expertise from the company’s threat-hunting teams. IOAs are analyzed at machine speed using AI and ML, providing the accuracy, speed and scale enterprises need to thwart breaches. 

“CrowdStrike leads the way in stopping the most sophisticated attacks with our industry-leading indicators of attack capability, which revolutionized how security teams prevent threats based on adversary behavior, not easily changed indicators,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike. “Now, we are changing the game again with the addition of AI-powered indicators of attack, which enable organizations to harness the power of the CrowdStrike Security Cloud to examine adversary behavior at machine speed and scale to stop breaches in the most effective way possible.” 

AI-powered IOAs have identified over 20 never-before-seen adversary patterns, which experts have validated and enforced on the Falcon platform for automated detection and prevention. 

“Using CrowdStrike sets Cundall apart as one of the more advanced organizations in an industry that typically lags behind other sectors in I.T. and cybersecurity adoption,” said Lou Lwin, CIO at Cundall, a leading engineering consultancy. “Today, attacks are becoming more sophisticated, and if they are machine-based attacks, there is no way an operator can keep up. The threat landscape is ever-changing. So, you need machine-based defenses and a partner that understands security is not ‘one and done.’ It is evolving all the time.” 

CrowdStrike demonstrated AI-powered IOA use cases, including post-exploitation payload detections and PowerShell IOAs using AI to identify malicious behaviors and code.  

For many enterprises, API security is a strategic weakness 

Cybersecurity vendors see the opportunity to help enterprises solve this challenge, and several announced new solutions at Black Hat. Vendors introducing new API security solutions include Canonic Security, Checkmarx, Contrast Security, Cybersixgill, Traceable, and Veracode. Noteworthy among these new product announcements is Checkmarx’s API Security, which is a component of their well-known Checkmarx One platform. Checkmarx is known for its expertise in securing CI/CD process workflows

 API Security can identify zombie and unknown APIs, perform automatic API discovery and inventory and perform API-centric remediation. In addition, Traceable AI announced several improvements to their platform, including identifying and stopping malicious API bots, identifying and tracking API abuse, fraud and misuse, and anticipating potential API attacks throughout software supply chains.

Stopping supply chain attacks before they get started 

Of the more than 300 vendors at Black Hat, the majority with CI/CD, devops, or zero-trust solutions promoted potential solutions for stopping supply chain attacks. It was the most hyped vendor theme at Black Hat. Software supply chain risks have become so severe that the National Institute of Standards and Technology (NIST) is updating its standards, including NIST SP 1800-34, concentrating on systems and components integral to supply chain security. 

Cycode, a supply-chain security specialist, announced it has added application security testing (SAST) and container-scanning capabilities to its platform, as well as introducing software composition analysis (SCA). 

Veracode, known for its expertise in security testing solutions, introduced new enhancements to its Continuous Software Security Platform, including software bill of materials (SBOM) API, support for software composition analysis (SCA), and support for new frameworks including PHP Symfony, Rails 7.0, and Ruby 3.x. 

The Open Cybersecurity Schema Framework (OCSF) meets an enterprise security need  

CISOs’ most common complaint regarding endpoint detection and response (EDR), endpoint management, and security monitoring platforms is that there is no common standard for enabling alerts across platforms. Eighteen leading security vendors have collaborated to take on the challenge, creating the Open Cybersecurity Schema Framework (OCSF) project. The project includes an open specification that enables the normalization of security telemetry across a wide range of security products and services. Open-source tools are also available to support and accelerate OCSF schema adoption.

Leading security vendors AWS and Splunk are cofounders of the OCSF project, with support from CrowdStrike, Palo Alto Networks, IBM Security and others. The goal is to continually create new products and services that support the OCSF specifications, enabling standardization of alerts from cyber monitoring tools, network loggers, and other software, to simplify and speed up the interpretation of that data. 

“At CrowdStrike, our mission is to stop breaches and power productivity for organizations,” said Michael Sentonas, chief technology officer, CrowdStrike. “We believe strongly in the concept of a shared data schema, which enables organizations to understand and digest all data, streamline their security operations, and lower risk. As a member of the OCSF, CrowdStrike is committed to doing the hard work to deliver solutions that organizations need to stay ahead of adversaries.”