Black Hat Day 1: Threats Big and Small
The Cipher Brief’s Luke Penn-Hall is currently attending Black Hat, a premiere information security conference in Las Vegas, Nevada. Here’s his update from Day 1:
What is a USB Drop Attack? That’s what I learned about today at a brief focused on assessing how often people actually plug strange USB drives into their computer. Just to be clear, you should never do that – but this study found that 45% of the 297 drives they left lying around a university were both plugged in and accessed by the people who found them. Discussions raised many interesting questions – but fewer answers – about cyber-hygiene and social engineering.
So what else is buzzing among the cybersecurity professionals at Black Hat? Across all the conversations I had today, two concerns emerged again and again: ransomware and insider threats. Ransomware is a type of malware that encrypts information or stops a device from working until a ransom is paid, usually using Bitcoin in order to preserve the anonymity of the attacker. An “insider threat” is a person within an organization who, through malice or negligence, causes damage to the organization’s networks or data.
The rise of ransomware has truly changed the threat landscape for businesses, and almost everyone I spoke to listed it as a primary issue for the future. Researchers from Intel Security showed me an array of different attacks that could be leveled against Internet of Things (IoT) devices using ransomware. These varied from causing IoT lights to constantly flicker on and off until the ransom is paid, to using rogue wifi access points to infect competitors’ phones with ransomware that would cripple their office systems once the phone connected to their office’s wireless internet.
Beyond the risk posed by ransomware in and of itself, there is also the rising specter of cyber-extortion, where individuals or organizations are essentially blackmailed into paying a ransom in order to avoid having their information released to the public. This differs from ransomware in a mechanical sense, as it involves threatening to release information rather than encrypt it, but the core idea remains the same – to force a payment directly from the victim in exchange for their data.
The threat from insiders has been a concern for some time, and many of the people I spoke with were very focused on finding ways to mitigate the damage that such insiders could cause. For example, a former FBI profiler told me about remote personality assessments and behavioral analysis that can be used to identify individuals who may pose a threat to their employers. Similarly, I heard from an expert in data visualization on how anomalous behaviors tend to visually cluster in a way that allows analysts to identify employees who are engaged in malicious activity.
Possibly the most distressing scenario I heard today was from researchers at Flashpoint, who envisioned the scenarios where cyber-extortion and the insider threat are combined into one major problem. According to them, we could soon be seeing criminals – or states – using cyber-extortion to coerce individuals into acting as insider threats against their own organizations.
Hopefully these coerced insiders would still be identifiable by the systems meant to identify malicious insiders, but it is possible that it would be harder for the programs to find them since their behavior would be product of duress rather than disgruntlement. That being said, cybersecurity professionals appear to have their work cut out for them as they continue to develop tools to keep their organizations’ networks safe.
