
5 Key Takeaways from Black Hat USA 2024


The infosecurity world converged in Las Vegas this week for Black Hat USA 2024, featuring keynotes and product announcements that will give CISOs something to think about.

Here are the key takeaways CISOs should keep in mind as they adapt their cybersecurity strategies going forward.

(For more information on Black Hat USA, see “Black Hat: Latest News and Information.”)

Cloud security under scrutiny

Security researchers from Aqua Security used a presentation at Black Hat to explain how they discovered security vulnerabilities involving the automatic provisioning of AWS S3 storage buckets.

The attack vector, dubbed Shadow Resource, created a potential mechanism for AWS account takeover, data breach, or even remote code execution.

Because the bucket names followed predictable conventions, an attacker could claim those names in advance and wait for targeted users to enable the affected services; the services would then write sensitive files and configurations into the attacker-controlled buckets.

Six AWS cloud services were potentially vulnerable: CodeStar, CloudFormation, EMR, Glue, ServiceCatalog, and SageMaker.

The issues were responsibly disclosed to Amazon Web Services before Aqua Security’s presentation, allowing AWS to address the vulnerabilities, which it did.

CSO’s Lucian Constantin dives into the details of the shadow bucket attack and potential remediation measures here.
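The defence against the bucket-squatting pattern described above is to refuse to trust a bucket just because it has the expected name, and instead make S3 confirm that our own account owns it before reading from or writing to it. The following is an added example, not code from the article or from Aqua Security: it demonstrates that ownership check with the S3 `ExpectedBucketOwner` parameter (a real parameter of the HeadBucket and PutObject APIs). The S3 client is injected, so the example runs offline against the small stub client defined at the bottom; in real use you would pass `boto3.client("s3")`. The account IDs and bucket names are constructed sample values.

```python
"""Ownership check before trusting an S3 bucket whose name an application or
AWS service derives predictably. Added example, not code from the article or
from Aqua Security. ExpectedBucketOwner is a real parameter of the S3
HeadBucket/PutObject APIs; the client is injected so the check can run offline
against the stub below (pass boto3.client("s3") in real use). Account IDs and
bucket names are constructed sample values."""

try:
    from botocore.exceptions import ClientError  # real exception type when boto3 is installed
except ImportError:  # keep the example runnable without boto3
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response
            self.operation_name = operation_name


def classify_bucket(s3, bucket: str, account_id: str) -> str:
    """Return 'owned', 'foreign' or 'missing' for `bucket`.

    S3 answers HeadBucket with 403 when ExpectedBucketOwner does not match the
    real owner, which is exactly the squatting case: the bucket exists and has
    the name we expected, but belongs to someone else."""
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
        return "owned"
    except ClientError as err:
        code = err.response["Error"]["Code"]
        if code in ("404", "NoSuchBucket"):
            return "missing"
        if code in ("403", "AccessDenied"):
            return "foreign"
        raise


def safe_put_object(s3, bucket: str, key: str, body: bytes, account_id: str) -> bool:
    """Write only if the bucket is ours. The write itself also carries
    ExpectedBucketOwner, so a race between the check and the write is closed."""
    if classify_bucket(s3, bucket, account_id) != "owned":
        return False
    s3.put_object(Bucket=bucket, Key=key, Body=body, ExpectedBucketOwner=account_id)
    return True


class StubS3:
    """Offline stand-in for a boto3 S3 client: bucket name -> owning account."""

    def __init__(self, owners: dict):
        self.owners = owners
        self.written = []

    def _check(self, bucket, expected, op):
        if bucket not in self.owners:
            raise ClientError({"Error": {"Code": "404", "Message": "Not Found"}}, op)
        if expected is not None and self.owners[bucket] != expected:
            raise ClientError({"Error": {"Code": "403", "Message": "Forbidden"}}, op)

    def head_bucket(self, Bucket, ExpectedBucketOwner=None):
        self._check(Bucket, ExpectedBucketOwner, "HeadBucket")
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

    def put_object(self, Bucket, Key, Body, ExpectedBucketOwner=None):
        self._check(Bucket, ExpectedBucketOwner, "PutObject")
        self.written.append((Bucket, Key))
        return {"ETag": '"constructed"'}


OUR_ACCOUNT = "111111111111"  # constructed account ID
# Constructed scenario: our own bucket, a bucket another account created under
# a name our tooling would derive (squatted), and a name nobody has claimed.
SAMPLE_S3 = StubS3({
    "app-artifacts-111111111111-us-east-1": OUR_ACCOUNT,
    "app-artifacts-111111111111-eu-west-1": "999999999999",
})

if __name__ == "__main__":
    for name in ("app-artifacts-111111111111-us-east-1",
                 "app-artifacts-111111111111-eu-west-1",
                 "app-artifacts-111111111111-ap-south-1"):
        print(name, "->", classify_bucket(SAMPLE_S3, name, OUR_ACCOUNT))
```

The same ownership condition can be enforced centrally in IAM with the `aws:ResourceAccount` condition key on the principal's S3 permissions, so that code which forgets the parameter still cannot write into a bucket outside the account.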

Symantec also warned that a growing number of hacking groups are exploiting Microsoft and Google cloud services to execute commands and extract data. The misuse of widely used services such as Google Drive and Microsoft OneDrive allows attackers to remain more stealthy because malicious communications are harder to detect.

This tactic isn’t new, but it’s evolving and becoming a bigger threat. Taken together with the AWS vulnerabilities, and with cloud exposures serving as both a point of initial access and an opportunity for privilege escalation, it’s clear that cloud security remains a top concern for today’s businesses.
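Traffic to Google Drive or OneDrive cannot simply be blocked, so detection has to look at how a host uses those services rather than whether it does. The following is an added example, not from the article or from Symantec: it runs a periodicity check over constructed proxy log lines (the `key=value` log format and the short domain list are assumptions) and flags a host that contacts a cloud-storage domain at near-constant intervals, the shape a command channel tunnelled over a file-sharing service tends to have, while a user browsing OneDrive at irregular times is left alone.

```python
"""Periodicity check for traffic to cloud-storage domains, run over constructed
proxy log lines. Added example, not from the article or Symantec; the log
format and the domain list are assumptions and every log line is constructed."""

import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Domains to watch (assumed list; extend it from your own proxy categories).
CLOUD_STORAGE_DOMAINS = {"drive.google.com", "onedrive.live.com"}

LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) ua="(?P<ua>[^"]*)"')

# Constructed sample: WS01 polls Google Drive every 60 s from a scripting
# user agent; WS02 is a person using OneDrive at irregular times; WS03 and the
# malformed line exercise the filtering.
SAMPLE_LOG = """\
2024-08-08T10:00:00Z host=WS01 dst=drive.google.com ua="python-requests/2.31" bytes_out=512
2024-08-08T10:00:10Z host=WS02 dst=onedrive.live.com ua="Mozilla/5.0 (Windows NT 10.0)" bytes_out=20480
2024-08-08T10:00:20Z host=WS02 dst=onedrive.live.com ua="Mozilla/5.0 (Windows NT 10.0)" bytes_out=1024
2024-08-08T10:01:00Z host=WS01 dst=drive.google.com ua="python-requests/2.31" bytes_out=498
2024-08-08T10:02:00Z host=WS01 dst=drive.google.com ua="python-requests/2.31" bytes_out=530
2024-08-08T10:02:30Z host=WS03 dst=example.com ua="curl/8.0" bytes_out=77
this line is malformed and must be skipped
2024-08-08T10:03:00Z host=WS01 dst=drive.google.com ua="python-requests/2.31" bytes_out=501
2024-08-08T10:04:00Z host=WS01 dst=drive.google.com ua="python-requests/2.31" bytes_out=515
2024-08-08T10:05:00Z host=WS01 dst=drive.google.com ua="python-requests/2.31" bytes_out=509
2024-08-08T10:05:20Z host=WS02 dst=onedrive.live.com ua="Mozilla/5.0 (Windows NT 10.0)" bytes_out=3072
2024-08-08T10:06:05Z host=WS02 dst=onedrive.live.com ua="Mozilla/5.0 (Windows NT 10.0)" bytes_out=88
2024-08-08T10:30:00Z host=WS02 dst=onedrive.live.com ua="Mozilla/5.0 (Windows NT 10.0)" bytes_out=640
"""


def parse_line(line: str):
    """Return a dict with parsed timestamp, host, dst and ua, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_beacons(log_text: str, min_hits: int = 5, max_cv: float = 0.2):
    """Group requests by (host, destination) and report series whose
    inter-request gaps have a coefficient of variation <= max_cv.
    The user agents seen are attached as context, not used as a filter,
    since implants often borrow a browser user agent."""
    stamps = defaultdict(list)
    agents = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in CLOUD_STORAGE_DOMAINS:
            continue
        key = (rec["host"], rec["dst"])
        stamps[key].append(rec["ts"])
        agents[key].add(rec["ua"])

    findings = []
    for (host, dst), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "host": host, "dst": dst, "hits": len(times),
                "period_s": round(avg), "cv": round(cv, 3),
                "user_agents": sorted(agents[(host, dst)]),
            })
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Real implants add jitter, so in production the threshold and the minimum hit count need tuning against your own baseline, and the periodicity score is best combined with volume and time-of-day features rather than used alone.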

CrowdStrike collapse puts cyber resilience in focus

The CrowdStrike-Microsoft collapse in July was still fresh in the minds of Black Hat delegates this week.

During the opening panel discussion, Hans de Vries, Chief Operating Officer of the European Union Agency for Cybersecurity, warned delegates that the industry must prepare for more supply chain attacks, which, like CrowdStrike’s validation failure, are testing CISOs’ resilience plans.

Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said the incident underscores the importance of security vendors developing a security-by-design approach. Companies need to build cyber resilience, Easterly said, according to Secure Computing, adding that adversaries like China or North Korea would likely exploit any weaknesses.

During the conference, CSO Online sat down with CrowdStrike’s Counterattack Team to discuss the latest tactics from North Korean state-sponsored hackers and others.

Patching is not a panacea

The comforting notion that simply keeping systems up to date and patched is enough to ensure security was seriously shaken by a SafeBreach presentation at Black Hat.

Alon Leviev, a security researcher at SafeBreach, explained how it might be possible to downgrade systems via Windows Update, exposing them to old vulnerabilities, through a form of version rollback attack.

The so-called Windows Downdate attack relies on hijacking the Windows Update process to create custom downgrades on critical operating system components, escalate privileges, and bypass security features.

In a statement, Microsoft said it is not aware of any attempts to exploit the vulnerability. The software giant has published two advisories (including CVE-2024-21302) offering recommended actions and detections while it works to implement more comprehensive mitigations.

CSO’s Gyana Swain tells us more about the Windows Downdate attack here.

AI is a double-edged sword

AI, particularly generative AI and large language models (LLMs), received considerable attention at Black Hat.

Many sessions explored the risks and vulnerabilities associated with AI technologies.

For example, Wiz security researchers presented their research on hacking AI infrastructure providers. This work uncovered new attack techniques for penetrating AI-as-a-service providers, including Hugging Face and Replicate.

“On each platform, we used malicious models to breach security boundaries and move laterally into the underlying infrastructure of the service,” the researchers said. This research opened the door to accessing customers’ private data, including private models, weights, datasets, and even user prompts.

In another session, a security architect from chip giant Nvidia’s Red Team presented practical findings on LLM security, including the most effective offensive and defensive security strategies and methodologies.

Black Hat also allowed cybersecurity vendors to launch new products and services. Many vendors added AI-powered capabilities to their technologies, as detailed in CSO’s roundup of what’s new.

CISOs are personally exposed to risk over how their company handles data breaches

A session titled “Around the Tornado: Essential Strategies for CISOs to Avoid Government Fallout Following Major Cyberattacks” highlighted strategies CISOs should implement to stay on the right side of regulators in the event of security breaches.

Recent cases, such as that of SolarWinds’ Tim Brown, have highlighted how senior security executives face individual regulatory and criminal liability for alleged corporate reporting failures.

The session focused on practical strategies to mitigate damage, ensure IT compliance and maintain stakeholder trust in an environment of increasing regulatory pressure.
