Risk, Cyber Crime and Strategic Security: Highlights from Black Hat 2018

Writer Emily W.
August 30, 2018

Emily serves as the VP of Research at Terbium Labs. With a background in International Relations, Emily alternates between quiet rants about Russian politics and foreign policy, while crafting blog posts about the realities of the Dark Web (hint: red rooms aren't real).

Members of the Terbium Labs team once again made the summer trek to Las Vegas for Black Hat USA in search of the latest developments in information security. The annual conference, which overlaps BSides Las Vegas, the infamous DEFCON, and a host of other security gatherings, sprawls across the Mandalay Bay Convention Center for a week of trainings, briefings, and events.

Black Hat provides a forum for security professionals to gather, trade notes, connect with friends, and assess the most recent industry developments heading into the second half of the year.

Tackle the Root Problem

The conference opened with a powerful keynote from Parisa Tabriz, Director of Engineering at Google and head of Google’s Project Zero team. Tabriz spoke passionately and pragmatically about the state of the security industry, stressing the need to move beyond “whack-a-mole” solutions and instead focus on strategic, ambitious, and collaborative work (or, as she phrased it: “F**ck the status quo”). To cheers from the crowd, Tabriz also said plainly: “Blockchain is not the answer.” She went on to charge teams with a three-pronged approach to developing sustainable project management in technology: tackle the root problem, choose milestones and celebrate them, and build yourself a coalition in the process.

Tabriz went on to defend the users—a refrain we’d like to hear from security professionals more regularly—by referencing challenges her team at Project Zero faced in redesigning Chrome’s HTTPS security warnings. How, Tabriz asked the audience, can users determine risk if they are only presented with the absence of a warning? How can they determine risk if they’re only presented with confirmation of security? If we are going to ask users to make informed decisions about risk and security, she stressed, we need to clearly inform them about risk and security. Expecting users to measure risk, absent context, is unreasonable.

Hugh Thompson, SVP and CTO at Symantec, followed Tabriz’s argument for new approaches that help users understand, measure, and respond to risk. Thompson argued for drawing on research from anthropology and psychology to inform the way we present risk in information security. Thompson referenced the natural, inherent human responses to risk—instinctively, we recognize the dangers in a dark alley, or develop heightened awareness in response to situations we understand as potentially threatening.

A Hard Look at Cyber Crime

Is the mafia taking over cyber crime? Well, no.

Jonathan Lusthaus, Director of the Human Cybercriminal Project at Oxford, presented early research on the role of the Russian mafia in cybercrime operations, intent on debunking the myths of mafia mayhem in mainstream media and pop culture. Drawing on work from a host of international sources, Lusthaus first set the audience straight on organized crime groups and mafias before turning to the origins and motivations of the Russian mafia we know today (note: we at Terbium Labs applaud specificity and historical context). Lusthaus stressed the strengths of the Russian mafia—or, as he characterizes it, the “post-Soviet mafia”—noting the emphasis on money and manpower. These groups are tactical, not technical. While they may not support cyber crime teams in-house, Lusthaus was quick to emphasize the role the post-Soviet mafia plays in supporting cyber crime activity through financing, partnerships, and protection. Suffice it to say, they know a guy.

If the mafia is not taking over cyber crime, who is? Lusthaus’ research suggests cyber criminals are instead a new breed of entrepreneurs, armed with technical skill and business acumen, ready to build a name for themselves. These cyber criminals might appreciate the investment and enforcement the mafia provides, but they recognize that mob bosses are poorly placed to provide a get-out-of-jail free card. Instead, they look for partnerships with crooked state officials or law enforcement, operating under the assumption that they need a legal shield more than a mob enforcer.

The Changing Face of Black Hat

This year, Black Hat introduced a “community” track to its briefings and featured sessions. Designed to promote a dialog amongst infosec professionals, this track hosted talks on addiction, assault, hiring and retention, culture, stress, and diversity. After a tumultuous year of the #MeToo movement, the shortcomings in diversity from other major security conferences (ahem), and painful losses in the infosec community, Black Hat made moves to bring practitioners together for some difficult conversations and, perhaps, some progress. Joe Slowik of Dragos, Inc., gave a moving presentation about his experiences working with PTSD in the cybersecurity industry, while Ashley Holtz of NBC Universal shot down the evergreen excuse that hiring and retaining female talent in the industry is exclusively a pipeline issue.

The team from Terbium Labs learned a lot this year—we made some new connections and ran into some old ones, we hung out with sharks and asked hard questions about the surveillance state, and our CTO, Dr. Clare Gollnick, presented original research with Cathal Smyth from the Royal Bank of Canada about the changing face of automation in payment card fraud.

Another year done and dusted in the deserts of Las Vegas.
