Product enhancements to offer full IT and OT threat intelligence services for OPSWAT customers.

**Las Vegas, Nev., August 10, 2022** – OPSWAT, a global leader in critical infrastructure protection (CIP) cybersecurity solutions, today announced new malware analysis capabilities for IT and OT at the Black Hat USA 2022 Conference. These enhancements include OPSWAT Sandbox for OT with detection of malicious communications on OT network protocols and support for open-source third-party tools in its MetaDefender Malware Analyzer solution.

With increased threats and growing concerns around propagation into OT networks within critical infrastructure environments, threat intelligence for both the IT and OT sides of the business is essential in providing the necessary data and analysis capabilities to the entire organization. OPSWAT MetaDefender Malware Analyzer now offers the ability to map malware detected via OPSWAT Sandbox to the MITRE ATT&CK Industrial Control Systems (ICS) framework, enabling malware analysis teams to quickly understand malware tactics, techniques, and procedures (TTPs) specifically targeting OT environments. This alignment to a common security lexicon about cyberattacks targeting ICS/OT environments also helps bridge the communication gaps between IT and OT security teams.

“There is no better time and place than Black Hat to launch these new enhancements for OPSWAT MetaDefender Malware Analyzer,” said Yiyi Miao, Senior Vice President of Products. “Not only are we showcasing our heavy investment in R&D for our products, but through better malware analysis for OT, we are furthering our mission of protecting critical infrastructure. We’re excited for thousands of industry-leading InfoSec professionals to be the first to see these new capabilities and understand how we can help protect their critical environments.”

As an automation and orchestration platform, MetaDefender Malware Analyzer orchestrates the process of receiving suspicious files and submitting them to different tools like OPSWAT Sandbox, aggregating results, and then submitting those results, with actionable information and indicators of compromise (IOCs), to threat intelligence platforms. The solution also enables organizations to efficiently process and triage high volumes of suspicious files while correlating against multiple in-house and cloud threat intelligence sources. These capabilities extend the breadth of intel for malware analysis teams, giving them more actionable insights on premises about known threats and then ultimately helping them mitigate these threats.

These enhancements follow OPSWAT’s State of Malware Analysis 2022 report and the initial launch of OPSWAT MetaDefender Malware Analyzer earlier this year.

To learn more about these enhancements, visit https://www.opswat.com/solutions/malware-analysis.

Find OPSWAT at Black Hat USA 2022 at booth #1186, or schedule a time to meet the team here: https://info.opswat.com/black-hat-usa-2022.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

OPSWAT Presents New Malware Analysis Capabilities for Operational Technology at Black Hat USA 2022

Bugcrowd, the leader in crowdsourced cybersecurity, announced a live hacking event to test business-critical attack surface and mobile applications for Indeed.com, during the 2022 Black Hat USA and DEF CON cybersecurity conferences in Las Vegas.

Live hacking, or "Bug Bashes," are competitive, in-person events that connect organisations with top security researchers—sometimes called ethical hackers—to dig deeper into their evolving attack surface and enrich testing methodologies. These highly curated teams of security researchers possess a diverse arsenal of in-demand skills and collectively represent the most powerful intelligence available for modern use cases and emerging threats.

Motivated by lucrative rewards and time-bound incentives, these researchers will work hand in hand with Indeed to uncover critical blind spots and improve testing methodologies. Indeed's security and engineering teams will specifically collaborate with Bugcrowd researchers to secure Indeed's mobile applications and user data. A longtime customer of Bugcrowd, Indeed has already rewarded 1,500+ vulnerability submissions through its public bug bounty program with Bugcrowd.

"At Indeed, job seekers and employers alike trust us to protect their information," said Indeed Chief Information Officer and Chief Security Officer Anthony Moisant. "As we continue rapid growth and product development, we all know that bad actors continue advancing their tactics. By engaging Bugcrowd researchers in this Bug Bash, we're partnering with good actors to help spot—and fix—vulnerabilities to help people get jobs securely."

"We are excited about this latest Bug Bash because working in teams showcases the power of human ingenuity, and we want to congratulate Indeed on being a security-first company looking to further ensure their digital assets are secure," said Ashish Gupta, Chief Executive Officer of Bugcrowd. "With the sprawling digitisation of information and assets, and the resulting increase in cyber threats, business leaders need to adopt continuous testing practices that align with their continuous innovation."

Bug Bashes are one of the most proactive and advanced security initiatives that an organisation can take in the current, ever-evolving landscape today—concentrating the combined intelligence of some of the world's top bug hunters to help secure an expanding and expansive asset footprint.

_"Bugcrowd" and "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies._

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organisation, reputation, and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organisations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Bugcrowd Taps Top Hackers for Live Hacking Event with Indeed at 2022 Black Hat Conference

New release also includes enterprise-grade cloud security posture management (CSPM) and YARA-based malware scanning capabilities.

SAN FRANCISCO---Deepfence, a pioneer in the emerging security observability and protection space, today announced the 1.4 release of its open source project ThreatMapper, a cutting-edge, cloud native offering that expands attack path visualization, adds enterprise-grade cloud security posture management, and now includes the industry’s first cloud native, YARA-based malware scanner.

> “Security is a collective good and a basic right, and we are proud to offer an open platform that addresses the most pressing day one needs of cloud security teams”

ThreatMapper is an open platform for scanning, mapping, and ranking vulnerabilities in running pods, images, hosts, and repositories. ThreatMapper scans for known and unknown vulnerabilities, secrets, cloud misconfigurations and then puts those findings in context. With ThreatMapper, the scans happen as part of CI/CD or at runtime. This empowers organizations to not only identify threats but also to determine how–and how quickly–to deal with them. In a globally connected environment in which a single vulnerability can put untold numbers of organizations and their customers at risk (e.g. Log4j), a platform like ThreatMapper is critical.

Deepfence is a firm believer in a community-based approach to security, and open source ThreatMapper 1.4 provides more comprehensive threat mapping — of vulnerabilities, sensitive secrets, and, now, cloud misconfigurations and malware — as well as the ability to contextualize and correlate scan results in an intuitive graph that makes it easier to see, respond to, and proactively prevent potential attacks. This is truly an industry first. There is no other project, open source or commercial, that applies these comprehensive features and capabilities across the cloud native continuum.

Specifically, ThreatMapper 1.4 includes:

*   ThreatGraph, a powerful a new feature that uses runtime context like network flows to prioritize threat scan results and enables organizations to narrow down attack path alerts from thousands to a handful of the most meaningful (and threatening)
*   Agentless cloud security posture management (CSPM) of cloud assets mapped to various compliance controls like CIS, HIPAA, GDPR, SOC 2, and more
*   YaraHunter, the industry’s first open source malware scanner for cloud native environments

“The cloud native ecosystem is built on OSS libraries and components, yet the majority of tools available to secure cloud native workloads are closed source proprietary software that you can never fully understand how they work, and which only companies with deep pockets can afford. If we truly want to materially improve security of our cloud native workloads, we need to make the tooling accessible to everyone in the community, so we can build and innovate together. With ThreatMapper 1.4, Deepfence is rolling out what I see as another credible open source win for the industry – ThreatGraph, which provides a substantive range of threat detection, and more – combined into a single, easy-to-use open source tool," said Nick Reva, Engineering Manager, Security Engineering, Snapchat.

ThreatMapper 1.4 enables organizations to find and rank potential threats, such as the Log4j2 vulnerability, so security teams can make informed decisions and shore up critical gaps that may have otherwise gone unnoticed. This builds on the advanced security tools in Deepfence ThreatMapper 1.3, such as secret scanning at runtime and runtime Software Bill of Materials (SBOMs), protecting not only individual organizations but also our ever-more-interconnected society as a whole.

"Security is a collective good and a basic right, and we are proud to offer an open platform that addresses the most pressing day one needs of cloud security teams," said Sandeep Lahane, Co-founder and CEO of Deepfence. "ThreatMapper 1.4 is a giant leap forward for the security community, providing the most comprehensive security features and capabilities that security teams need, free of any cost or limitations. With version 1.4 we've strengthened ThreatMapper's capabilities to the point that we’re not aware of any other product – open source or commercial – that can match it."

ThreatMapper 1.4 is 100% open source and available on GitHub. Learn more about the latest features in the release blog here.

**About Deepfence**

Deepfence is an essential security observability and protection platform for cloud-native and container environments. Deepfence measures, maps, and visualizes your runtime attack surfaces, and provides full-stack protection from known and unknown threats. Deepfence ThreatMapper helps protect the increasingly vulnerable software supply chain by automatically scanning, mapping, and ranking application vulnerabilities and sensitive secrets in running containers, images, hosts, and repositories — from development through production. Deepfence ThreatStryker uses industry attack heuristics to interpret ThreatMapper intelligence and telemetry, identifying attacks-in-progress and deploying mitigating firewall and quarantine measures. To learn more, visit deepfence.io.

Deepfence ThreatMapper 1.4 Unveils Open Source Threat Graph to Visualize Cloud-Native Threat Landscape

Because demonstrating compliance with industry regulations can be cumbersome and expensive, it's important to ensure they're also absolutely essential.

While I was recently helping a client mitigate a data breach, there was another team on the premises ensuring that the organization met the standards for a popular security compliance certificate. This is not the first time that I have encountered certifying bodies signing off on an organization's compliance even as it was under cyberattack. This ironic situation illustrates the confusing role that the growing number of different compliance certifications play. On the one hand, these certifications increase security efforts, but it is also clear they are not a blanket solution, as certified companies are attacked all the time.

While SOC2 and ISO 27001 are among the best known certifications, there are dozens of voluntary compliance schemes that companies can adopt. In fact, companies often have more than one certificationbecause there is no real international standard, meaning that organizations seek out additional compliance certifications when entering new markets in order to satisfy demands of clients, customers, and partners. With SOC2 taking up to three months to implement, while ISO takes up to six months, companies are spending large amounts of human and financial resources on these certifications. So it is time to ask if this endeavor is worth it.

**Certifications Can Bring Unexpected Benefits**

There is no doubt that such schemes offer benefits — but not necessarily the ones that organizations expect. Most importantly, they raise cybersecurity awareness throughout an organization, often in a bottom-up manner.  

Because potential customers and clients are routinely asking about certifications, it is often an organizations'marketing and sales teams that approach their CISO to request seeking out certifications. Whether a certification is ultimately pursued — and what actual security benefits, if any, it brings — this momentum is important and creates stronger links between cybersecurity teams and the rest of the business. These relationships can help lay the foundation for more holistic cybersecurity practices and policies, and emphasize to the entire business the importance of investing in cybersecurity.

Requests for certifications from sales, marketing and other teams also illustrate to the CISO and the entire C-suite how cybersecurity can be a business enabler, and a marketing tool; for example, if an organization has a certain certification they can highlight that to appeal to potential customers and clients.

In fact, many organizations require that their service-providers, from payroll solutions to delivery services, have a certain compliance certificate. So not having such a certification could mean, for example, that a vehicle fleet management company will not win a contract from a startup that wants transportation services. This helps companies understand in general how any cybersecurity spending and practices should be aligned with business goals and not happen in a vacuum or with a pure-compliance mindset.

**False Sense of Security**

But organizations seeking out these certifications must also realize that they can only do so much. Certified organizations are attacked all the time. The number of companies with ISO certifications has more than quadrupled in the last decade, but attacks continue to rise. This is partly because in the current environment, nothing can completely prevent attacks. While certifications are a starting point, they do not make up for holistic security assessments that map out the most probable attack routes, the most valuable and vulnerable targets, and then focus on protecting those assets.

In addition, these certifications and audits can be implemented in a wide-ranging manner, and it is difficult to tell how thorough they actually are. This is because there are hundreds of different companies that offer official certification for SOC2, ISO 27001, and others. Although there are basic guidelines, their methods differ, and, frankly, some probably do a better job than others.

**What Should Organizations Do?**

At the end of the day, businesses should seek out the certifications that are popular in their markets. It is a way to build security awareness and momentum inside an organization, and also creates a vehicle for integrating an emphasis on cybersecurity into marketing and sales efforts, as well as fostering an environment where cybersecurity spending is linked to business goals. On a practical level, many certifications, including ISO, can prevent fines or reputational damage in the event of an attack because they demonstrate to the public that the organization was taking preventative steps.

At the same time, businesses should make sure the organization they select for any certification does a thorough job. For example, there should be actual penetration or other testing performed as part of the evaluation, not just a questionnaire that is completed about testing done in the past.

Most importantly, organizations cannot let their guard down even after they have completed the long, tedious and costly process of certification. They must continue to engage in ongoing risk assessment, focus on protecting the most valuable parts of a business and use proactive defensive measures, like threat hunting and ethical hacking.

In sum, the value of these certifications is derived by viewing them as starting points, rather than end goals. These certifications are often critical in advancing the conversation and the priority of cybersecurity in organizations.

Compliance Certifications: Worth the Effort?

Zero trust and XDR are complementary and both are necessary in today's modern IT environment. In this article, we discuss the intersection of zero trust and XDR.

What do the Colonial Pipeline ransomware attack, Florida water hack, and Twitch data leak share in common? All were high impact, but none of them were sophisticated cyberattacks.

Rather, three years of rapid digital transformation have resulted in a sprawling and porous attack surface of distributed workforces and network environments (cloud, edge, on-premises). The game has changed, but most organizations are still operating on dated tech stacks and security models, making it easy for bad actors to take advantage.

Many companies are realizing it's time for a new security playbook that addresses the needs of the modern workforce.

**Zero Trust: Never Trust, Always Verify**

What keeps CISOs up at night? Uncertainty about the security posture of their endpoints and data; the massive potential for human error (Colonial Pipeline); and the complexity of, well, the evermore complex IT environment of today. In other words … _chaos_.

The solution? One simple rule: never trust, always verify — zero trust.

The official definition of zero trust from Forrester Research, originator of the concept, is:

_"Zero Trust is an information security model that **denies access to applications and data by default**. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and **comprehensive security monitoring is implemented."**_

Let's unpack that definition:

✔ You deny access to data and applications by default.

✔ You grant access only to users, networks and workloads adhering to the framework.

✔ You continuously verify the identity of all users and their devices.

✔ You enforce least privilege access by default.

✔ You implement comprehensive security monitoring.  

Since its introduction, the evolution to zero trust has greatly increased security over legacy-based approaches that granted frictionless access to users and applications once a perimeter was cleared, but it is not perfect.

A zero-trust posture works great at limiting access and the potential blast radius of an attack, but does not itself protect the kingdom from persistent attacks on IT environments and users.

While identity and access management (IAM) tools handle the never-trust-always-verify principles of the zero-trust security framework, additional tools such as XDR are still needed to insulate your network, applications, and endpoints from the constant attacks that most organizations face.

**XDR: The Solution to Siloed Security**

Considered an evolution of endpoint detection and response (EDR) and network detection and response (NDR), extended detection and response (XDR) offers protection throughout critical areas of your network, devices, applications, and IT infrastructure.

_How?_

Gartner's definition of XDR holds the answer:

_"Extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."_

Put simply, XDR shatters the point-solution silos that prevent a complete view of your security posture, actively monitors all systems, AND intelligently identifies and acts on threats when they occur.

The capabilities under the hood making this possible include:

**\--Analytics and Detection**

✔ Internal and external traffic monitoring to identify threats _even if_ they bypass your network perimeter.

✔ Integrated threat intelligence to preempt attacks already executed elsewhere on your system.

✔ Machine learning-based detection for catching zero-day and anomalous threats that can bypass signature-based methods.

**\--Investigation and Response**

✔ Correlation of related alerts and data to help security teams stealthily determine the root cause of an attack and predict the adversary's next step.

✔ Centralized user interface (UI) to expedite documentation and response times.

✔ Response and orchestration capabilities, such as automatically blocking an endpoint attack and then updating org-wide endpoint policies.

**\--Dynamic and Flexible Deployments**

✔ Security orchestration integrating with existing controls to ensure unified and standardized responses.

✔ Scalable, cloud-based storage and compute so historical data (and the advanced persistent threat patterns it reveals) is preserved.

✔ Machine learning and threat intelligence for informed, iterative improvement over time.

**XDR and Zero Trust Working Together**

With the global average cost of a data breach reaching an all-time high of $4.35 million, it's no wonder 97% of IT and security pros see implementing zero trust as a top priority.

However, the implementation of zero trust in itself is not the full answer to modernizing security posture. XDR helps to complete the comprehensive security monitoring requirements of zero trust by stacking multiple security technologies into a single platform.

The evolution to a zero-trust security posture enhanced with XDR protections ensures that even the most distributed workforces remain protected across all users, applications, and environments.

**About the Author**

    

Bruno Darmon is the Chief Strategy Officer at Cynet, a provider of natively automated XDR platform. Bruno has over 25 years of high-tech leadership, sales and entrepreneurial experience. Prior to joining Cynet, Darmon served 17 years as Vice President of EMEA Sales at Check Point Software Technologies.

Zero Trust & XDR: The New Architecture of Defense

First-of-its-kind solution discovers and protects both data at rest and in motion.

**TEL AVIV, August 3, 2022 –** Flow Security today announced $10M in seed funding and launched the first data security platform that discovers and protects both data at rest and in motion. The funding was led by Amiti, with participation from GFC, Amdocs Ventures, and industry leaders such as CyberArk CEO Udi Mokady and Demisto CEO and co-founder Slavik Markovich.

Enterprises of all sizes continue to make heavy investments in technology stacks as they transition to modern cloud application architectures. This new era promises many benefits, but has also led to significant data sprawl and major difficulties in securing data. With the widespread adoption of modern architectures, securing sensitive data such as PII, PHI, financial information, and intellectual property has become a near-impossible task.

Flow Security helps organizations overcome these challenges by continuously mapping and detecting all data-related risks for an improved data security posture. Flow is the only data security platform that supports use cases including discovering and classifying data flows to external services, policy enforcement, automatic data-related threat modeling, and reducing data access permissions to the minimum. Flow has a growing customer base in highly-regulated markets such as e-commerce, fintech, healthcare, insurtech, and more.

"Discovery, mapping and protecting data is usually a manual process, which is not effective in large organizations," says Nir Chervoni, Head of Data Security of Booking.com, "Automatic data mapping should consist of analyzing the actual payload, and not only its metadata. So far, Flow is the only company I've seen that provides that capability for multiple scenarios."

“Security and data protection teams are struggling to keep up with the rapid pace of today, and Flow is making their lives exponentially easier,” said Ben Rabinowitz, Managing Partner and Founder at Amiti Ventures. “We’re thrilled to be a partner on this journey, and eager to help capitalize on this opportunity to give security teams the technology they need to become business enablers.”

“We’ve reviewed dozens of different data security tools lately, and we weren’t satisfied with any of them,” said Ralph Pyne, VP of Security at NextRoll. “But Flow’s data-in-motion approach is a game changer. It took the platform a few days to map data-related threats that usually take months of manual work to detect.”

“Data security is not a new problem, but the challenges are changing and growing,” said Jonathan Roizin, co-founder and CEO of Flow Security. “Organizations are moving at a record pace and quickly transitioning to the cloud and cloud-first applications. These transformations often make life easier, but they also make the jobs of security professionals even more difficult. With Flow, security teams are no longer forced to chase down information. It simplifies security and regulatory processes and bridges the gap between security and development teams."

**About Flow Security**

Flow Security revolutionizes data security with the first platform that discovers and protects data not only at rest, but also in motion. Founded in 2021 by Jonathan Roizin and Rom Ashkenazi, the Israel-based company is backed by Amiti, GFC, Amdocs Ventures, and market-leading angel investors.

Flow Security Launches Next-Gen Data Security Platform Following $10 Million Seed Round

LIVE NOW: Dark Reading News Desk returns to Black Hat USA 2022

Welcome to the Dark Reading News Desk, which will be livestreamed from Black Hat USA at Mandalay Bay in Las Vegas. Dark Reading editors Becky Bracken, Fahmida Y. Rashid, and Kelly Jackson Higgins will host Black Hat newsmakers ranging from independent researchers and threat hunters to reverse engineers and other top experts in security, today from 10 a.m. until 3 p.m. Pacific Time. Tune in for some of the biggest headlines and latest cybersecurity research. The livestream will be available from the top of the page and also on our YouTube page.

What to look for today: Dark Reading will be joined at the Black Hat News Desk by Allison Wikoff from PwC, to talk about the latest in job-themed APT social engineering scams; Brett Hawkins from IBM, to discuss supply chain management systems abuse; and many more. Dr. Stacy Thayer, a researcher specializing in burnout, will also be on hand to offer her best tips for helping cybersecurity professionals manage stress. Don't miss it!  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Dark Reading News Desk: Live at Black Hat USA 2022

The Black Hat USA conference's silver jubilee is an opportunity to remember its defining moments, the impact it has made on the security community, and its legacy.

Back in 1997, when tech companies didn't understand hackers very well and didn't take them seriously, the founder of DEF CON, Jeff Moss, decided to create an event that would give everyone the chance to peek inside the minds of these creative geniuses. Black Hat was born.

"\[T\]he Black Hat Briefings will put your engineers and software programmers face-to-face with today's cutting edge computer security experts and 'hackers,'" the official announcement promised. "Only the Black Hat Briefings will provide your people with the tools and understanding they need to thwart those lurking in the shadows of your firewall."

Attendees of that first conference, held July 7-10, 1997, right before DEF CON, got to hear from a stellar list of speakers. Mudge gave a talk on secure coding practices, Bruce Schneier explained why cryptography is harder than it looks, Adam Shostack had a presentation on making code reviews worthwhile, and Dominique Brezinski showed how attacks against Windows NT networks work.

The keynote speaker was techno-philosopher Richard Thieme, who gave a prophetic talk about the role hackers would play in our society. 

"You are going to be the thought leaders in the 21st century," Thieme remembers saying. "The technological revolution was going to transform the context of everyone's life in ways that people could not foresee and didn't expect."

His words might have sounded far-fetched at that time because there weren't any degrees in cybersecurity yet and no certifications with endless letters. Moreover, software companies threatened those who dared to find flaws in their products.

"Every time hackers found a bug, software vendors would come up with some way of downplaying or criticizing it," says Ira Winkler, chief security architect at Walmart, of those early years. "They would criticize password crackers saying, 'Who's going to sit around and just try to brute-force a password?'"

Black Hat helped the corporate world understand the value hackers could bring to the table by giving these creative minds a certain stamp of legitimacy. Twenty-five years after its first edition, the event has expanded to include multiple niches and geographies. 

"We have additional tracks: Community & Career, Human Factors, or Policy," says Shostack, who's a member of the 2022 edition's review board. "I think the philosophy has broadened."

**The Early Days**

But let's turn back time to Black Hat's early beginnings, when Moss, aka The Dark Tangent, recognized the need for a more formal conference. DEF CON originated from the idea of throwing a party where everyone's invited, but Moss wanted an event that brought hackers and software companies together without being ultra corporate.

His idea was to create "a forum where everyone could exchange ideas and talk about what they were working on," says Jeremy Rauch, co-founder of Latacora.

Moss, who was a penetration tester before that term even existed, took a genuine interest in everyone's projects, which helped him to build a community around the event. 

"I would imagine everyone who was speaking at those early Black Hats would say Jeff was a friend doing a conference, and I was excited to be able to speak at his conference," Rauch says.

Thieme adds: "There are a number of ways Jeff manifests real genius. He gives you a chance, and he's willing to take risks."

Moss' gift for networking helped to address at least a bit the divide between the hackers and the software companies they were targeting. Microsoft, for instance, took part in Black Hat's first edition and even invited a few speakers to dinner.

"We came here to look at the hackers' perspective, to understand what they're thinking and what their concerns are," Carl Karanan, then Windows NT marketing director, told ITProToday. "It's good to look at things in perspective: this conference does that. We've opened up a dialogue. The hackers do a service. We're listening and we're learning."

Later on, the Seattle giant ended up sponsoring Black Hat. "And so, the big baddie, who people loved to hate, was showing up and paying for your drinks," Shostack says. "And by and large, not always agreeing, but at least listening to what you have to say."

The gap between the multimillion-dollar Microsoft and the hackers, who often used weird-sounding nicknames and didn't have traditional jobs, was visible. "I remember being in a hotel, and we literally ordered the cheapest bottle of wine on the menu because split four ways, it was what we could afford," Shostack says.

Little by little, the hacker community has grown wider, and its top professionals started to have lucrative jobs or build companies. "I am confident that there are still people who are \[splitting a cheap bottle of wine\], but I think there are fewer people who are doing that, who also are speaking at Black Hat," Shostack says.

The transition from doing it for fun to making money started slowly. One thing that helped the hackers raise their profile was the quality of their technical talks.

**Some of Black Hat's Iconic Hacks**

In its first decade, Black Hat grew by word of mouth. Its bold presentations touched on everything from cyberwarfare to cryptography, anonymity, or flaws in operating systems. The speakers took the stage excited to showcase their work, although sometimes they experienced pushbacks.

One defining moment in the history of Black Hat happened in 2001, when James Bamford, author of _The Puzzle Palace_ and _Body of Secrets_, gave a talk on the NSA, explaining how the agency has been listening to people since World War II. His presentation prompted a conversation on whether Bamford was a whistleblower or a traitor, 12 years before the Snowden revelations.

Another expert who wasn't afraid to speak his mind was Mike Lynn. In 2005, when he was 24, he prepared a presentation on a vulnerability in the Internetwork Operating System used for Cisco routers. But Cisco and the company Lynn worked for at that time, Internet Security Systems (ISS), were unhappy about it. They asked him to refrain from discussing the vulnerability, although it had been patched months before the conference — and threatened to sue him if he didn't comply.

The two companies also pressured Black Hat organizers, telling them not to include information about the talks in the proceedings of the event. Shostack remembers Moss coming to him with an unusual request: "He handed me a razor blade to help cut pages out of it because Cisco's lawyers had shown up in bulk and threatened to shut down the conference if we distributed this."

Lynn responded by quitting his job at ISS. And on the day of his speech, wearing a hat with the word "Good" written on it, he took up the stage and asked the audience: "Who wants to hear about Cisco?" Of course, he went on with his talk, and he was later sued.

This event, dubbed Ciscogate, put Black Hat on the front page of The Wall Street Journal. "When your mom's friends are asking her about the convention or about security, you know you're starting to reach prime time," Moss said in an interview for CNN.

With the publicity it attracted, Ciscogate eventually helped software companies understand how not to deal with vulnerability disclosures, thus moving the needle on making everyone safer. That year, though, Moss sold the conference (to CMP Media, now part of Informa, Dark Reading's parent company).

While some of Black Hat's presentations are highly technical, a few speak to large audiences, trying to show everyone how easy it can be to get hackers. For example, just a year after Ciscogate, researcher Joanna Rutkowska took inspiration from the movie _The Matrix_ and introduced the Blue Pill, a rootkit based on x86 virtualization.

During her talk, she argued that the new technology she built could create malware that would be "100 percent undetectable," with no performance penalty. The idea behind the Blue Pill is to start a thin hypervisor and virtualize the rest of the machine. 

"\[A\]ll the devices, like \[the\] graphics card, are fully accessible to the operating system, which is now executing inside \[the\] virtual machine," she wrote on her blog. Later, Rutkowska built the Red Pill, which can help detect a virtual machine's presence.

Then, in 2010, the late Barnaby Jack forced two ATMs to spit out cash on the conference's stage. One of those was hacked remotely, while for the other, he used a thumb drive loaded with malware.

Equally iconic was the talk security researchers Charlie Miller and Chris Valasek gave in 2015. They showed how they hacked a Jeep remotely while Wired journalist Andy Greenberg was driving it at 70 mph on a highway. The two researchers changed the car's air-conditioning settings, started its windshield wipers, cut the transmission, and toyed with the accelerator. In addition, they were also able to kill the SUV's engine at lower speeds and disable the brakes.

Such talks touch on the values Moss tried to instill into Black Hat, such as creativity, spontaneity, and collaboration.

**Growing Up**

The days when Shostack split a cheap bottle of wine with his friends in a hotel room are long gone. The security industry has matured, and so did Black Hat. The event has transformed from a rowdy bunch meet-up that was kicked out of hotels to a professional conference with a Code of Conduct that's taken "very seriously," according to its organizers.

"People should expect a professional, safe, and inclusive environment, and we regularly take action to ensure that's the case," says Steve Wylie, general manager of Black Hat. "As one of our industry's most established conferences, I think Black Hat plays an important role in promoting diversity and inclusivity."

This year, the event has a diverse speaker lineup and editorial board. It also includes scholarship programs for underrepresented groups. Keynote speakers include Kim Zetter and Chris Krebs; topics include the cyberattacks against Ukraine, the SpaceX Starlink system, elections and disinformation, surveillance vendors, and the burnout phenomenon that has impacted many professionals in the past years.

"There's not a Black Hat conference that goes by where I don't see several talks in the list and think, 'Wow, that's really cool. That's amazing,'" Rauch says. "It's amazing how far everything's come and how much really hard work people do these days in the name of security research."

Looking Back at 25 Years of Black Hat

A Q&A with NCC Group's Viktor Gazdag ahead of a Black Hat USA session on CI/CD pipeline risks reveals a scary, and expanding, campaign vector for software supply chain attacks and RCE.

Continuous integration/continuous development (CI/CD) pipelines may be the most dangerous potential attack surface of the software supply chain, researchers say, as cyberattackers step up their interest in probing for weaknesses.

The attack surface is growing too: CI/CD pipelines are increasingly a fixture within enterprise software development teams, who use them to a build, test, and deploy code using automated processes. But over-permissioning, a lack of network segmentation, and poor secrets and patch management plague their implementation, offering criminals the opportunity to compromise them to freely range between on-premises and cloud environments.

At Black Hat USA on Wednesday, Aug. 10, Iain Smart and Viktor Gazdag of security consultancy NCC Group will take to the stage during "RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise," to discuss the raft of successful supply chain attacks they've carried out in production CI/CD pipelines for virtually every company the firm has tested.

NCC Group has overseen several dozen successful compromises of targets, ranging from small businesses to Fortune 500 companies. In addition to security bugs, the researchers say novel abuses of intended functionality in automated pipelines have allowed them to convert pipelines from a simple developer utility into remote code execution (RCE)-as-a-service.

"I hope people will give some more love to their CI/CD pipelines and apply all or at least one or two recommendations from our session," Gazdag says. "We also hope this will spark more security research on the topic."

Tara Seals, Dark Reading's managing editor for news, sat down with Viktor Gazdag, managing security consultant of NCC Group, to find out more.

**Tara Seals:** _**What are some of the more common security weaknesses in CI/CD pipelines, and how can these be abused?**_

**Viktor Gazdag:** We see three common security weaknesses regularly that require more attention:

_1) Hardcoded credentials in Version Control System (VCS) or Source Control Management (SCM)._

These include shell scripts, login files, hardcoded credentials in configuration files that are stored at the same place as the code (not separately or in secret management apps). We also often find access tokens to different cloud environments (development, production) or certain services within the cloud such as SNS, Database, EC2, etc.

We also still find credentials to access the supporting infrastructure or to the CI/CD pipeline. Once an attacker gets access to the cloud environment, they can enumerate their privileges, look for misconfigurations, or try to elevate their privileges as they are already in the cloud. With access to the CI/CD pipeline, they can see the build history, get access to the artifacts and the secrets that were used (for example, the SAST tool and its reports about vulnerabilities or cloud access tokens) and in worst case scenarios, inject arbitrary code (backdoor, SolarWinds) into the application that will be compiled, or gain complete access to the production environment.

_2) Over-permissive roles._

Developers or service accounts often have a role associated with their accounts (or can assume one) that has more permissions than needed to do the job required.

They can access more functions, such as configuring the system or secrets scoped to both production and development environments. They might be able to bypass security controls, such as approval by other developers, or modify the pipeline and remove any SAST tool that would help searching for vulnerabilities.

As pipelines can access production and test deployment environments, if there is no segmentation between them, then they can act as a bridge between environments, even between on-prem and cloud. This will allow an attacker to bypass firewalls or any alerting and freely move between environments that otherwise would not be possible.

_3) Lack of audit, monitoring, and alerting._

This is the most neglected area, and 90% of the time we found a lack of monitoring and alerting on any configuration modification or user/role management, even if the auditing was turned on or enabled. The only thing that might be monitored is the successful or unsuccessful job compilation or build.

There are more common security issues, too, such as lack of network segmentation, secret management, and patch management, etc., but these three examples are starting points of attacks, required to reduce the average breach detection time, or are important to limit attack blast radius.

**TS:** _**Do you have any specific real-world examples or concrete scenarios you can point to?**_

**VG:** Some attacks in the news that related to CI/CD or pipeline attacks include:

*   CCleaner attack, March 2018
*   Homebrew, August 2018
*   Asus ShadowHammer, March 2019
*   CircleCI third-party breach, September 2019
*   SolarWinds, December 2020
*   Codecov's bash uploader script, April 2021
*   TravisCI unauthorized access to secrets, September 2021

**TS:** _**Why are weaknesses in automated pipelines problematic? How would you characterize the risk to companies?**_

**VG:** There can be hundreds of tools used in pipeline steps and because of this, the tremendous knowledge that someone needs to know is huge. In addition, pipelines have network access to multiple environments, and multiple credentials for different tools and environments. Gaining access to pipelines is like getting a free travel pass that lets attackers access any other tool or environment tied to the pipeline.

**TS:** _**What are some of the attack outcomes companies could suffer should an adversary successfully subvert a CI/CD pipeline?**_

**VG:** Attack outcomes can include stealing source code or intellectual data, backdooring an application that is deployed to thousands of customers (like SolarWinds), gaining access to (and freely moving between) multiple environments such as development and production, both on-prem or in the cloud, or both.

**TS:** _**How sophisticated do adversaries need to be to compromise a pipeline?**_

**VG:** What we're presenting at Black Hat are not zero-day vulnerabilities (even though I found some vulnerabilities in different tools) or any new techniques. Criminals can attack developers via phishing (session hijack, multifactor authentication bypass, credentials theft) or the CI/CD pipeline directly if it's not protected and is Internet-facing.

NCC Group even performed security assessments where we initially tested Web applications. What we found is that CI/CD pipelines are rarely logged and monitored with alerting, other than the software building/compiling job, so criminals don't have to be that careful or sophisticated to compromise a pipeline.

**TS:** _**How common are these types of attacks and how broad of an attack surface do CI/CD pipelines represent?**_

**VG:** There are several examples of real-world attacks in the news, as mentioned. And you can still find, for example, Jenkins instances with Shodan on the Internet. With SaaS, criminals can enumerate and try to brute-force passwords to get access as they don't have multifactor authentication enabled by default or IP restrictions, and are Internet-facing.

With remote work, pipelines are even harder to secure as developers want access from anywhere and at any time, and IP restrictions aren't necessarily feasible anymore as companies are moving towards zero-trust networking or have changing network locations.

Pipelines usually have network access to multiple environments (which they shouldn't), and have access to multiple credentials for different tools and environments. They can act as a bridge between on-prem and cloud, or production and test systems. This can be a very wide attack surface and attacks can come from multiple places, even those that have nothing to do with the pipeline itself. At Black Hat, we're presenting two scenarios where we originally started off with Web application testing.

**TS: Why do CI/CD pipelines remain a security blind spot for companies?**

**VG:** Mostly because of the lack of time, sometimes the lack of people, and in some cases, lack of knowledge. CI/CD pipelines are often created by developers or IT teams with limited time and with a focus on speed and delivery, or developers are just simply overloaded with work.

CI/CD pipelines can be very or extremely complex and can included hundreds of tools, interact with multiple environments and secrets, and be used by multiple people. Some people even created a periodic table representation of the tools that can be used in a pipeline.

If a company allocates time to create a threat model for the pipeline they use and the supporting environments, they will see the connection between environments, boundaries, and secrets, and where the attacks can happen. Creating and continuously updating the threat model should be done, and it takes time.

**TS:** _**What are some best practices to shore up security for pipelines?**_

**VG:** Apply network segmentation, use the least-privilege principle for role creation, limit the scope of a secret in secrets management, apply security updates frequently, verify artifacts, and monitor for and alert on configuration changes.

**TS:** _**Are there any other thoughts you would like to share?**_

**VG:** Although cloud-native or cloud-based CI/CD pipelines are more simple, we still saw the same or similar problems such as over-permissive roles, no segmentation, over-scoped secrets, and lack of alerting. It's important for companies to remember they have security responsibilities in the cloud as well.

Software Development Pipelines Offer Cybercriminals 'Free-Range' Access to Cloud, On-Prem

The computing giant issued a massive Patch Tuesday update, including a pair of remote execution flaws in the Microsoft Support Diagnostic Tool (MSDT) after attackers used one of the vulnerabilities in a zero-day exploit.

Microsoft patched 118 vulnerabilities in its software products and components on Aug. 9, including a flaw that attackers have exploited in the wild to run malicious code when users click on a link, according to security experts. 

The patches, part of Microsoft's regularly scheduled Patch Tuesday, fixed the zero-day vulnerability (CVE-2022-34713) and a second remote code execution (RCE) vulnerability (CVE-2022-35743) in the Microsoft Support Diagnostic Tool (MSDT) that has not yet been exploited. 

The MSDT vulnerabilities are a variant of an issue that researchers have called "DogWalk," public discussion of which began about 18 months ago, although it has been exploited only recently, Satnam Narang, a staff research engineer at cybersecurity firm Tenable, tells Dark Reading.

The MSDT vulnerabilities give attackers the ability to use the MSDT protocol through a URL contained in a document — such as a Microsoft Office Word file — that, when clicked, will execute code in the security context of the application.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," Microsoft stated in its advisory for the previous MSDT exploit. "The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."

Security teams that cannot apply the patch can disable the MSDT URL protocol, update their Microsoft Defender detections, or rely on Protected View and Application Guard for Office to prevent the current attacks.

The zero-day vulnerability, and a previous one exploited in May, are being used by attackers in phishing campaigns, Narang says.

"\[I\]t would appear that attackers are looking to take advantage of flaws within MSDT as these types of flaws are extremely valuable to launch spear-phishing attacks," he says. "We've seen flaws ... continue to be exploited years after patches have been made available. Therefore, it is vital that organizations apply the available patches as soon as possible."

**Security Teams Wrestle with Patching Tsunami**

The tranche of updates fixes 17 vulnerabilities rated critical and 101 rated important. Elevation-of-privilege issues dominated the patches, accounting for 64 of the CVEs, while RCE vulnerabilities make up 31 of the 118 security issues fixed in the software updates, according to Tenable's analysis of the updates. Information-disclosure vulnerabilities account for 12 of the patched vulnerabilities, and denial-of-service issues account for seven vulnerabilities. Another three vulnerabilities allowed security features to be bypassed.

The vulnerabilities — along with another 25 flaws issued by Adobe on the same day and nearly 20 issues released for Microsoft's Edge browser on Friday — highlight the workload faced by security teams on Patch Tuesday. 

"The volume of fixes released this month is markedly higher than what is normally expected in an August release," Dustin Childs, security communications manager for Trend Micro's Zero Day Initiative, wrote in a review of the updates released on Patch Tuesday. "It’s almost triple the size of last year's August release, and it's the second largest release this year."

Some companies have reported that Microsoft fixed 121 flaws, rather than 118, but that tally includes three issues in Windows Secure Boot that previously were reported through the CERT Coordination Center and are updates to third-party drivers, according to Tenable's analysis.

While the MSDT vulnerabilities are the most critical to fix, more than a third of the vulnerabilities fixed by the patches occur in local components of Microsoft Azure, including 34 vulnerabilities in Azure Site Recovery software, eight flaws in the Azure Real Time Operating Systems, and a single vulnerability for Azure Sphere and the Azure Batch Node Agent.

The updates also fix vulnerabilities in the code handling older tunneling protocols, such as Point-to-Point Protocol (PPP) and Secure Socket Tunneling Protocol (SSTP), including four vulnerabilities affecting Windows PPP and nine affecting the SSTP functionality.

"These are older protocols that should be blocked at your perimeter," Trend Micro's Childs wrote in the ZDI analysis of the patches. "However, if you're still using one of these, it’s probably because you need it, so don’t miss these patches."

**Adobe Patch Tuesday**

Microsoft is not the only company to drop significant monthly patches. Adobe also published updates to fix 25 vulnerabilities in five different products, including Adobe Commerce, Adobe Acrobat and Reader, Adobe Illustrator, Adobe FrameMaker, and Adobe Premier Elements.

"None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release," Childs wrote. "Adobe categorizes the majority of these updates as a deployment priority rating of 3, with the Acrobat patch being the lone exception at 2."

Source

DARKReading