Members of the Terbium Labs team once again made the summer trek to Las Vegas for Black Hat USA in search of the latest developments in information security. The annual conference, which overlaps BSides Las Vegas, the infamous DEFCON, and a host of other security gatherings, sprawls across the Mandalay Bay Convention Center for a week of trainings, briefings, and events.
Black Hat provides a forum for security professionals to gather, trade notes, connect with friends, and assess the most recent industry developments heading into the second half of the year.
Tackle the Root Problem
The conference opened with a powerful keynote from Parisa Tabriz, Director of Engineering at Google and head of Google’s Project Zero team. Tabriz spoke passionately and pragmatically about the state of the security industry, stressing the need to move beyond “whack-a-mole” solutions and instead focus on strategic, ambitious, and collaborative work (or, as she phrased it: “F**ck the status quo”). To cheers from the crowd, Tabriz also said plainly: “Blockchain is not the answer.” She went on to charge teams with a three-pronged approach to developing sustainable project management in technology: tackle the root problem, choose milestones and celebrate them, and build yourself a coalition in the process.
Tabriz went on to defend the users—a refrain we’d like to hear from security professionals more regularly—by referencing challenges her Chrome security team faced in redesigning Chrome’s HTTPS security warnings. How, Tabriz asked the audience, can users gauge risk if all they are shown is the absence of a warning, or only a confirmation that a connection is secure? If we are going to ask users to make informed decisions about risk and security, she stressed, we need to clearly inform them about risk and security. Expecting users to measure risk, absent context, is unreasonable.
Hugh Thompson, SVP and CTO at Symantec, followed Tabriz’s argument for new approaches to help users understand, measure, and respond to risk. Thompson argued for drawing on research from anthropology and psychology to inform the way we present risk in information security. He pointed to the natural, inherent human responses to risk: instinctively, we recognize the dangers of a dark alley, and we develop heightened awareness in situations we understand as potentially threatening.
A Hard Look at Cyber Crime
Is the mafia taking over cyber crime? Well, no.
Jonathan Lusthaus, Director of the Human Cybercriminal Project at Oxford, presented early research on the role of the Russian mafia in cybercrime operations, intent on debunking the myths of mafia mayhem in mainstream media and pop culture. Drawing on work from a host of international sources, Lusthaus first set the audience straight on organized crime groups and mafias before turning to the origins and motivations of the Russian mafia we know today (note: we at Terbium Labs applaud specificity and historical context). Lusthaus stressed the strengths of the Russian mafia—or, as he characterizes it, the “post-Soviet mafia”—noting its emphasis on money and manpower. These groups are tactical, not technical. While they may not support cyber crime teams in-house, Lusthaus was quick to emphasize the role the post-Soviet mafia plays in supporting cyber crime activity through financing, partnerships, and protection. Suffice it to say, they know a guy.
If the mafia is not taking over cyber crime, who is? Lusthaus’ research suggests cyber criminals are instead a new breed of entrepreneurs, armed with technical skill and business acumen, ready to build a name for themselves. These cyber criminals might appreciate the investment and enforcement the mafia provides, but they recognize that mob bosses are poorly placed to provide a get-out-of-jail free card. Instead, they look for partnerships with crooked state officials or law enforcement, operating under the assumption that they need a legal shield more than a mob enforcer.
The Changing Face of Black Hat
This year, Black Hat introduced a “community” track to its briefings and featured sessions. Designed to promote a dialog amongst infosec professionals, this track hosted talks on addiction, assault, hiring and retention, culture, stress, and diversity. After a tumultuous year of the #MeToo movement, the shortcomings in diversity from other major security conferences (ahem), and painful losses in the infosec community, Black Hat made moves to bring practitioners together for some difficult conversations and, perhaps, some progress. Joe Slowik of Dragos, Inc., gave a moving presentation about his experiences working with PTSD in the cybersecurity industry, while Ashley Holtz of NBC Universal shot down the evergreen excuse that hiring and retaining female talent in the industry is exclusively a pipeline issue.
The team from Terbium Labs learned a lot this year—we made some new connections and ran into some old ones, we hung out with sharks and asked hard questions about the surveillance state, and our CTO, Dr. Clare Gollnick, presented original research with Cathal Smyth from the Royal Bank of Canada about the changing face of automation in payment card fraud.
Another year done and dusted in the deserts of Las Vegas.