By Edward E. Serafin III, C|EH, Security Architect
This blog is the first in a series of blogs discussing security concepts and tactics I observed and participated in at Black Hat 2019 / DEF CON 27.
I just returned from Black Hat USA 2019 / DEFCON 27 in Las Vegas and what an overwhelming experience it was! For those of you who don’t know, Black Hat USA is the world’s leading information security event, providing attendees with the very latest in research, development, and trends. DEFCON is the security/hacker community conference that takes place right after the Black Hat conference. Thousands of hackers and security professionals from around the world congregate to learn about new technology vulnerabilities, cyberattacks, and more.
At the conference, I had access to all sorts of goodies such as IoT devices, industrial control systems (ICS), ATMs, ICS-controlled nuclear reactor cooling systems, and cargo ship navigational systems (Fun!). I also gained new insights into Purple Teaming and the MITRE ATT&CK matrix threat model. To say the least, it offered an incredible amount of information, an abundance of hands-on exercises, and plenty of insightful talks and discussions. As a security professional, I highly recommend that anyone who is responsible for their organization’s security consider attending in 2020!
While at Black Hat, I spent time with the Booz Allen Hamilton team and was able to practice my ICS and GPS hacking skills. They set up two scenarios. The first was a cargo ship whose GPS could be hacked to alter its reported location. The other simulation was a smart building complete with ICS systems controlling maglocks, HVAC, and the fire alarm. The challenge was to exploit the system and open a magnetically locked door without tripping the fire alarm. Both of these exercises were informative, but more importantly, they demonstrated the need for proper security controls to reduce the risk of a breach.
Another unique exercise involved hacking an ATM and cloning RFID/NFC cards. It was scary to see just how easily these “secure” systems could be compromised. Again, the exercise highlighted how readily our defenses can be breached if we are not careful. It is clear that IoT and ICS systems present a unique risk surface. Even when secured properly, these devices can still pose a significant security risk to an environment. This reinforces the need to invest in ongoing training and research for all security professionals in this never-ending game.
Speaking of games, I attended a presentation regarding Purple Teaming. For some time now, organizations have leveraged red teams and blue teams to confirm that their security controls are up to the task of defending their environment.
For those who may not be aware, I will explain Red/Blue Teaming: On one side of the coin, red teams focus on long-term or continuous offensive operations such as penetration testing of systems/networks. The red team is there to discover and exploit system/network vulnerabilities by simulating real-world attacks using various state-of-the-art exploits and techniques. A blue team is the other side of the same coin; they engage in defensive operations and are similar to the red team in that they protect networks/systems by identifying possible security vulnerabilities and malicious patterns. However, what differentiates blue from red is that once the red team imitates an attacker and engages in an attack, the blue team confirms the red team’s actions in real time and attempts to defend against those attacks to improve the overall security posture of the organization. Both teams play out this game repeatedly in a safe, controlled manner for the greater good of the organization.
For the most part, people believe that there is an adversarial relationship between the two teams. However, that is not true, nor should it be. Both teams need to work closely together, and one cannot exist without the other.
This brings us to a concept known as Purple Teaming. This is not a new team, but rather a new concept for reconciling how these teams interact with one another. Purple Teaming is the fusion of the red and blue teams’ operations, where their collaboration yields benefits for the entire organization.
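The collaboration described above has a concrete artifact: a shared ledger in which each simulated red-team step is reconciled against what the blue team’s detections actually caught. The following is an added example, not code from the original post or from any team mentioned in it. It pairs red-team actions with blue-team alerts by host, technique, and a detection time window, then reports per-technique coverage, missed steps, and alerts no exercise step explains. The technique IDs are MITRE ATT&CK identifiers used only as labels; the hostnames, timestamps, rule names, and the ten-minute window are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RedAction:
    """One simulated attacker step logged by the red team."""
    when: datetime
    host: str
    technique: str  # ATT&CK technique ID the step emulates
    note: str


@dataclass(frozen=True)
class BlueAlert:
    """One detection produced by the blue team's tooling."""
    when: datetime
    host: str
    technique: str  # technique ID the detection rule is mapped to
    rule: str


def reconcile(actions, alerts, window=timedelta(minutes=10)):
    """Pair each red action with the first matching blue alert.

    A match is an alert for the same host and technique that fired within
    `window` after the action. Each alert explains at most one action.
    Returns (detected, missed, unexplained): detected holds (action, alert)
    pairs, missed holds actions nothing fired for, and unexplained holds
    alerts no action accounts for (late detections, noise, or activity
    unrelated to the exercise that the blue team should triage).
    """
    remaining = sorted(alerts, key=lambda a: a.when)
    detected, missed = [], []
    for act in sorted(actions, key=lambda a: a.when):
        match = next(
            (a for a in remaining
             if a.host == act.host and a.technique == act.technique
             and act.when <= a.when <= act.when + window),
            None,
        )
        if match is None:
            missed.append(act)
        else:
            remaining.remove(match)
            detected.append((act, match))
    return detected, missed, remaining


def coverage_by_technique(actions, detected):
    """Per technique: how many times it was run and how many times it was caught."""
    cov = {}
    for act in actions:
        entry = cov.setdefault(act.technique, {"run": 0, "detected": 0})
        entry["run"] += 1
    for act, _ in detected:
        cov[act.technique]["detected"] += 1
    return cov


# Constructed sample data for a one-hour exercise; hostnames, times and rule
# names are invented for this illustration (hypothetical, not from any real run).
T0 = datetime(2019, 8, 7, 10, 0)
SAMPLE_ACTIONS = [
    RedAction(T0, "ws01", "T1059", "encoded PowerShell command run"),
    RedAction(T0 + timedelta(minutes=15), "ws01", "T1003", "credential dump emulated"),
    RedAction(T0 + timedelta(minutes=30), "srv02", "T1021", "remote service session opened"),
    RedAction(T0 + timedelta(minutes=40), "ws03", "T1078", "valid account used from new host"),
]
SAMPLE_ALERTS = [
    BlueAlert(T0 + timedelta(minutes=3), "ws01", "T1059", "ps_encoded_command"),
    BlueAlert(T0 + timedelta(minutes=55), "srv02", "T1021", "smb_admin_share_login"),  # 25 min late
    BlueAlert(T0 + timedelta(minutes=41), "ws03", "T1078", "new_host_for_account"),
    BlueAlert(T0 + timedelta(minutes=60), "ws07", "T1059", "ps_encoded_command"),  # not an exercise host
]


def run_sample():
    """Reconcile the constructed exercise and return the purple-team report."""
    detected, missed, unexplained = reconcile(SAMPLE_ACTIONS, SAMPLE_ALERTS)
    return {
        "coverage": coverage_by_technique(SAMPLE_ACTIONS, detected),
        "missed": [a.technique for a in missed],
        "unexplained": [(a.host, a.rule) for a in unexplained],
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

With the sample data, two steps are detected, the credential dump is missed outright, and the lateral-movement step lands in the missed list because its alert arrived 25 minutes late; that late alert then shows up under unexplained alongside an alert on a host outside the exercise. Each of those three outcomes is a different conversation for the two teams: a missing rule, a detection latency to tune, and an alert to triage as possible real activity. That joint review, rather than the script, is the point of Purple Teaming.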
Black Hat and DEFCON were awesome and an excellent investment of time. This blog barely scratches the surface of my experience, so stay tuned for the next blog, where we will discuss insider threats, explore how the MITRE ATT&CK matrix is reshaping the security industry, and cover other topics.