What’s Hot in Cybersecurity? Recapping the Top 2023 Cybersecurity Trends from Black Hat, DEFCON, and BSides
If you couldn’t make it to Hacker Summer Camp this month, we’ve got you covered. Our team was out in force teaching, presenting, and listening to the exciting presentations at Black Hat USA, DEFCON, and BSides. Here’s our recap of some of the top 2023 cybersecurity trends and discussions, as well as Matt Durrin’s pick for his favorite cool tech tool from these events.
Black Hat Keynotes Highlight Virtual Warfare & Federal Cybersecurity Initiatives
Phoenix Soaring’s keynote presentation about today’s virtual warfare, and how the Russia/Ukraine war illustrates changing attack strategies, was a hot topic of conversation. Virtual warfare combines misinformation campaigns, restricted communications, cyberattacks on critical infrastructure such as water, electricity, and pipelines, and disruption of commercial operations that causes supply chain and financial damage; unfortunately, it is a 2023 cybersecurity trend with global implications for the public and private sectors. This is a wake-up call to ensure that every organization gets back to the basics of cybersecurity controls and has a multi-year cybersecurity plan that continuously assesses and reduces risk.
However, you can’t talk about virtual warfare without discussing the changing approach to Federal cybersecurity policy. Acting National Cyber Director Kemba Walden’s keynote about the new federal government approach to cybersecurity dovetailed nicely with the virtual warfare theme. Her session emphasized that technology sharing between government and private industry will be crucial for cybersecurity, and that we need to move towards more coordinated patching, exploit prevention, and integrated threat analysis. In the face of changing virtual warfare and nation-state attacks, it’s important that everyone in the public and private sector is prepared for cyberattacks by reducing risk wherever possible and creating a culture of cybersecurity in every organization. Let’s look at some of the top 2023 cybersecurity trends from this year’s events and how these issues may impact your security planning.
Four 2023 Cybersecurity Trends that Were Hotter than the Las Vegas Weather
Trend 1: AI is changing both cybersecurity attack and defense tactics.
Maria Markstedter’s keynote address focused on one of the hottest cybersecurity trends at the show—how AI and ChatGPT are impacting cybersecurity. Markstedter pointed out that AI is a double-edged sword that is simultaneously helping and hurting cybersecurity efforts. She also noted that many organizations are banning the act of entering company information into ChatGPT and similar AI tools. Any information you enter into these chatbots can be incorporated into their learning dataset, so the risk of exposing intellectual property is high. Employees can accidentally expose company data by using an AI chatbot for anything from code support to generating summaries from meeting notes.
But the conversation did not stop there; many conference sessions touched on both the positive and negative impacts of AI on cybersecurity. Unfortunately, one of the 2023 cybersecurity trends is that AI is helping attackers dramatically improve phishing and spear phishing attacks. Even with the safeguards today’s AI large language models have programmed into their systems, the reality is that these guard rails are not that difficult to bypass. To test this point, DEFCON set up a bank of laptops loaded with AI models that participants could use to try to “jailbreak” the AI safeguards (get the model to do something that violates its programming) and generate malicious code.
One user was able to thwart AI-assisted AV software by adding a single line to a malicious PowerShell script that said, “this is safe to use.” There are many ways to get AI to perform malicious analysis, create malware, design phishing emails, and more. In fact, the recently defunct project “WormGPT” is an example of a hacker chatbot that ran with the safeguards removed, allowing it to freely generate malware and malicious content. This tool demonstrated how easy it would be for a hacker to generate high-quality spear phishing campaigns that are difficult to detect, and more malicious AI engines are likely to appear as the technology advances.
There was also a lot of discussion on defensive AI cybersecurity trends, including new tools like CheckGPT which can be used to scan and predict if content is written by AI. This tool can be part of your detection defense against new AI generated phishing attacks. Other organizations are also developing AI-powered solutions including Microsoft’s Sentinel that incorporates new AI attack detection technologies and CrowdStrike’s Charlotte AI solution that reduces the complexity of writing queries to identify vulnerabilities in large databases. The ability to use AI to quickly detect attacks and use natural speech to identify and summarize vulnerabilities will be crucial for streamlining and strengthening cybersecurity defenses.
Trend 2: Hard-coded private keys without adequate security are an increasing threat.
Another hot topic was private key security. Our Pentest Manager Tom Pohl illustrated the dangers of this common but often-overlooked security threat by announcing his discovery of a new private key zero-day vulnerability during the DEFCON conference. This new Dell vulnerability enables attackers to extract a static Dell encryption key that gives them access to the setup credentials in a connected vCenter environment. Any adversary with access to an instance of Dell Compellent’s Integration Tools for VMware can use this key to decrypt the administrative credentials for a VMware vCenter and leverage this access into a complete takeover.
This vulnerability underscores the concept that attackers often “log in” rather than “break in,” and emphasizes the importance of robust identity and access management practices. Hard-coded keys are a big issue: thousands of secret keys have been leaked or stolen from other suppliers such as Samsung, Android, and NVIDIA.
Attackers employ diverse strategies to obtain the keys and source code they use to breach networks. Common tactics include buying and selling them on criminal forums, phishing developers for repository credentials, exploiting misconfigurations, and launching supply chain attacks. To mitigate these risks, organizations are using tools like Amazon’s CodeGuru, GitHub’s secret scanning capabilities, and applications like Cycode, which are designed to detect hard-coded secrets in files and code. The goal is to prevent inadvertent data leakage and curb the exposure of sensitive information, such as API keys, which could give attackers unauthorized access to critical infrastructure. For more information, check out the press release and Tom’s DEFCON presentation slides.
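To show what the secret-scanning tools mentioned above actually look for, here is a small added example (not code from the post or from any of the named products) that flags hard-coded AWS access key IDs, PEM private-key blocks, and high-entropy values assigned to secret-looking variable names. The sample source text and the key values in it are constructed placeholders; the entropy threshold and the generic assignment pattern are heuristics chosen for this example.

```python
import math
import re

# Patterns for secrets that commonly end up hard-coded in source and config files.
# The AWS access key ID format and PEM private-key header are well known;
# the generic assignment pattern is a heuristic tuned for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|token|password|api[_-]?key)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}

def shannon_entropy(s):
    """Bits of entropy per character; random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text, min_entropy=3.5):
    """Return (line_number, rule, matched_text) for each probable hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # The generic rule fires on many harmless strings, so require a
            # high-entropy value before reporting; fixed-format rules always report.
            if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            findings.append((lineno, rule, value))
    return findings

# Constructed sample source file; every key value here is a fabricated placeholder
# (the AKIA value is the documented AWS example key, not a live credential).
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
api_key = "Q8zF1xkL2mN9pR4sT7vW0yB3dG6hJ5k"
PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----"
print("token = 'placeholder'")
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {value}")
```

A real scanner would also walk the repository's git history, since a secret removed in a later commit is still recoverable from earlier ones.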
Trend 3: Every IoT device is vulnerable, including Tesla cars.
If it’s connected to the internet, it will likely be hacked. In 2023, attackers successfully jailbroke a Tesla—they basically “rooted” it, uncovering a concerning vulnerability. Why is this important? Jailbreaking a Tesla entails gaining unauthorized access to its software, enabling attackers to replace software, unlock hidden features within the vehicle, and alter elements like battery safeguards and vehicle tuning. Aside from the risks of hackers altering safety protocols, there are also data breach concerns, such as exposing personal driving habits and information that could be exploited by attackers for various malicious purposes.
To root the Tesla, researchers employed a voltage fault injection attack that manipulated the boot cycle of the car’s computer system during startup. This attack provided them with a root shell, allowing them to insert their own code and modify the operating system’s components before it underwent validation checks. Although this required physical access to the vehicle, it highlighted the potential vulnerability of engine control units (ECUs) in modern vehicles. The researchers’ success in jailbreaking the Tesla serves as a proof of concept, illustrating the potential for manipulation of data stored in any connected device, including an electric car. In today’s connected world, everything from your toaster to your medical devices can be an IoT device, and shining a spotlight on the need for stronger onboard security for connected devices is a cause we wholeheartedly support.
Trend 4: Evading logging in the cloud.
Another Black Hat 2023 cybersecurity trend was highlighted in Nick Frichette’s presentation on evading cloud logging. Since the cloud remains a high-priority attack target, Nick showed the possibilities and impacts of bypassing AWS CloudTrail logging mechanisms, a vital service in the Amazon AWS ecosystem. Data from CloudTrail feeds security incident management (SIM) platforms, automated detection, and Security Orchestration, Automation, and Response (SOAR) features. If CloudTrail is bypassed, the resulting lack of alerting gives attackers time to gather valuable data and access while hindering response efforts. Common strategies include:
- Tampering with Settings: Modifying or disabling CloudTrail logging directly, or deleting the S3 bucket that stores the CloudTrail logs, prevents security software from effectively monitoring the environment and tracking potential threats.
- Protocol Mutation: Protocol mutation uses Amazon’s command line APIs to perform actions that might not normally be permitted without triggering alerts. Attackers can use this tactic to gain insights into your environment’s security posture without leaving traces in the logs.
- Undocumented APIs: Some APIs provide attackers with unintended capabilities. By exploiting these APIs, attackers can bypass CloudTrail logging and gain undetected access to sensitive information.
Understanding these evasion techniques is crucial for enhancing AWS security configurations and maintaining the effectiveness of CloudTrail for detecting and responding to potential security incidents. We also strongly recommend including your cloud environment in your penetration testing.
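The first strategy above, tampering with trail settings or the log bucket, does leave a record in CloudTrail itself right up to the moment logging stops, which is why detection teams alert on those API calls. The following added example (not code from the presentation or from AWS) runs such a check over constructed CloudTrail records in the service’s JSON layout; the trail ARN, bucket name, account ID, IPs and IAM principals are made up, and the event names are the real CloudTrail and S3 management event names.

```python
import json

# CloudTrail management events that weaken or remove logging coverage.
# Trail-level calls are CloudTrail's own API; the S3 calls matter only
# when aimed at the bucket that receives the trail's log files.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
BUCKET_TAMPER = {"DeleteBucket", "PutBucketLifecycle"}

def find_tampering(records, log_bucket):
    """Return one finding dict per record that touches trail or log-bucket settings."""
    findings = []
    for rec in records:
        source = rec.get("eventSource", "")
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        reason = None
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
            reason = "trail configuration changed"
        elif (source == "s3.amazonaws.com" and name in BUCKET_TAMPER
              and params.get("bucketName") == log_bucket):
            reason = "CloudTrail log bucket modified"
        if reason:
            findings.append({"time": rec.get("eventTime"), "event": name,
                             "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
                             "source_ip": rec.get("sourceIPAddress"), "reason": reason})
    return findings

# Constructed sample log file body in CloudTrail's JSON layout (not real log data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-08-10T14:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2023-08-10T14:03:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"bucketName": "example-cloudtrail-logs"}},
    {"eventTime": "2023-08-10T14:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/cleanup"},
     "requestParameters": {"bucketName": "scratch-data"}},   # unrelated bucket: ignored
    {"eventTime": "2023-08-10T14:06:25Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/cleanup"},
     "requestParameters": None},
]})

def scan_log_text(log_text, log_bucket="example-cloudtrail-logs"):
    """Parse a CloudTrail log file body and run the tamper check over its records."""
    return find_tampering(json.loads(log_text).get("Records", []), log_bucket)

if __name__ == "__main__":
    for f in scan_log_text(SAMPLE_LOG):
        print(f"{f['time']} {f['event']:<12} {f['actor']} from {f['source_ip']}: {f['reason']}")
```

The same logic is what an EventBridge rule or SIEM correlation search encodes; the other two strategies in the list produce no CloudTrail record, so they need controls outside the log (least-privilege IAM, the S3 bucket protected by a separate account and MFA delete, and regular cloud penetration testing).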
Matt’s Cool Technology Pick
During cybersecurity conferences, security researchers often showcase new tools that benefit the cybersecurity community. Here is Matt Durrin’s favorite from the cool new tools:
- BloodHound 5.0. BloodHound is an offensive security tool that maps attack paths within a network and helps you visualize potential attack routes. By analyzing configurations, BloodHound provides insights into the possible hurdles, choke points, and pathways an attacker might encounter, offering a detailed perspective on network vulnerabilities. The latest version of the tool shown at Black Hat includes an enterprise version that is compatible with various identity and access management solutions and is designed to work from the defender’s side: scanning the network, presenting findings in a way that aids defenders, and even implementing configuration hardening based on identified vulnerabilities. For those interested in exploring the capabilities of BloodHound, there’s a Community Edition available for trial. This edition provides valuable insights into potential attack paths and can be a powerful asset in understanding the security posture of your network. BloodHound’s ability to illustrate how an attacker might infiltrate a network makes it a valuable tool for both offensive and defensive cybersecurity practices.
We hope you found this information helpful! For more detailed information on these topics, watch Matt’s Summer Hacking Update webinar. Please contact us if you need advice or assistance securing your organization from today’s cybersecurity threats.