Attending the BCAware Security Conference

Meeting Brian Krebs at the BCAware Conference

One of the most exciting parts of the BCAware conference was getting to meet Brian Krebs live in person!

During his talk he shared some interesting topics such as how cyber criminals are using websites similar to  

Except that these "other" websites actually list the users' leaked password(s) in plaintext. With that data, attackers can try the same email/password pairs against social media, banking and other commonly used online services, since many people reuse passwords across accounts, and will often find valid logins.

Another topic was how cyber criminals decide how much money to demand in a ransomware attack. The typical figure seems to be about 10% of the revenue the business made in the previous year. This way they ask neither too much nor too little: the demand lands close to an amount the organization can afford, and one it may find cheaper to pay than recovering from backups or rebuilding the environment.

MFA is a must and should be used everywhere possible. It should become the standard wherever authentication is required; a username and password alone are no longer sufficient or secure.

Patching is still important, and people need to keep making sure their devices are up to date. Organizations always seem to struggle with patching, and adversaries take advantage of that fact.

Lastly, training is VERY important, and companies should allocate funds to keep their security teams trained on the latest techniques. The attackers are getting better, and defenders need to improve just as fast to keep up.

What else did I learn?

There were various other discussions and presentations that took place. Here is a summary of a few that I attended at the conference.

The 1-10-60 rule

CrowdStrike shared the idea of a 1-10-60 rule: detect an intrusion in no more than one minute, investigate it in no more than 10 minutes, and contain and remediate it in no more than 60 minutes. If you take longer than that, assume the attacker has had time to move beyond the first host and that you are severely compromised. If you can meet the 1-10-60 rule, expect that you have stopped the attack or vastly slowed it down.

Another stat I found very interesting: organizations say they tend to prevent attacks rather than detect them. This worried me a bit, as I'm not quite sure how you can prevent an attack if you cannot first detect and sense it. If you don't know about something, it becomes difficult to anticipate and detect it.

The last CrowdStrike topic was that you must know your adversary. They have done their homework on your organization and are well prepared, and as a defender you should be equally prepared for them.

Automation… Automation… Automation…

What are most security teams suffering from? Manual tasks! If you can automate many of these, the team can concentrate on other objectives and becomes much more efficient. Scripting skills are becoming essential for security practitioners.

The other thing teams suffer from is "limited context": the time to investigate an incident can be days. With automation that can drop to minutes. The freed-up time can be spent investigating and detecting attacks and other odd behaviour.

Cyber criminals are using automation, so defenders should be too. Attackers automate their work because their time is an investment and they want to speed up their attacks, which means you as a defender must automate detection and response on your own end to even the playing field.

AI is still new and young

KPMG had an interesting discussion on the future of AI. 40% of organizations have either implemented some sort of AI or are looking into a solution. The big open issue with any of these solutions is whether regulatory restrictions will be placed on them; there is a lot of uncertainty about whether AI technology needs to be regulated to meet certain standards.

Another issue relates to the data fed to the AI. If the data is not clean or trustworthy, the AI cannot make a good, informed decision. This goes back to finding a method to be sure all data fed to the AI is always

Privileged Account Attacks

An area that seems to be missed is the privileged accounts stored and used in organizations. Many attacks work because user accounts have more privileged access than they logically need: someone who needs access to system A only tends to also have access to systems B, Z, etc. Companies need better methods to manage access, and because this is a big struggle for most organizations, many attackers take advantage of it.

One other issue discussed was the protection of API keys. There have been far too many compromises due to developers accidentally leaving credentials in code; some of that code is later made public via GitHub, revealing a sensitive API key to the world. More attention needs to be paid to where API keys are stored and how they are used.
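To make the API-key point concrete, here is an added example (my own code, not from the talk or the original post) of the kind of check that belongs in a pre-commit hook or CI job: it scans source text for credential patterns and uses Shannon entropy to separate random-looking values from obvious placeholders. The AWS and GitHub key formats are public vendor formats and the AWS value is Amazon's documented example key; the generic assignment pattern, the entropy threshold and the sample file are constructed assumptions. The sample also shows the fix, reading the secret from the environment instead of the file.

```python
import math
import re
from collections import Counter

# Credential patterns. The AWS and GitHub formats are public vendor formats;
# the generic "name = 'value'" pattern is a heuristic assumption.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per char; assumed cut-off between random keys and placeholders

# Constructed sample source file. The AWS key is Amazon's public example value.
SAMPLE_SOURCE = '''import os
# BAD: credentials hardcoded in source end up in git history and on GitHub
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "x9Qm3Lz7Vb1Kp0Ra5Tn8Wc2Yd6Fh4Jg"
deploy_key = "-----BEGIN RSA PRIVATE KEY-----"
password = "change_me_please"
# GOOD: the secret lives outside the repository and is injected at runtime
db_token = os.environ["DB_TOKEN"]
'''


def shannon_entropy(value):
    """Bits of entropy per character; random API keys score high, words score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<memory>"):
    """Return one finding per (line, pattern). Secrets are redacted in the output."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(2) if name == "generic_assignment" else match.group(0)
            if name == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low entropy: probably a placeholder such as change_me_please
            findings.append({
                "path": path,
                "line": lineno,
                "type": name,
                "redacted": value[:4] + "..." + "*" * max(len(value) - 4, 0),
            })
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE, "sample.py"):
        print(f"{finding['path']}:{finding['line']} {finding['type']} {finding['redacted']}")
```

Run it over `git diff --cached` output in a pre-commit hook and block the commit on any finding; a rotated key is far cheaper than one that has sat in a public repository for a week.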

Metrics on attack trends

There was an excellent discussion on the attack trends of the last few years. It pinpointed the fact that we can no longer rely on signature-based detection. Malware can easily be modified slightly so that it has a new signature each time, which defeats the purpose of signature-based detection: you could never keep up with new signatures for variants of the same malware. The approach everyone should be looking into today is behaviour-based detection.
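As an added example (my own code, not from the talk or the original post), the script below contrasts the two approaches: a hash-based signature that misses a sample as soon as a single byte is appended, and a behaviour rule that flags a process renaming many files to a new extension within a short window, which is what encrypting ransomware looks like on disk regardless of its hash. The sample bytes and file-system events are constructed, and the burst threshold and window size are assumptions to tune against your own telemetry.

```python
import hashlib
import os
from collections import defaultdict, deque

# --- Signature-based detection: exact hash of a known-bad file -----------------
# Constructed stand-in for a malware sample; the bytes are arbitrary, not real malware.
ORIGINAL_SAMPLE = b"MZ\x90\x00 constructed-sample-v1 drop=C:\\Users\\Public\\x.exe"
VARIANT_SAMPLE = ORIGINAL_SAMPLE + b"\x00"  # one appended byte, identical behaviour


def sha256(data):
    return hashlib.sha256(data).hexdigest()


KNOWN_BAD_HASHES = {sha256(ORIGINAL_SAMPLE)}


def signature_match(data):
    """True only for byte-for-byte known samples; any tweak produces a new hash."""
    return sha256(data) in KNOWN_BAD_HASHES


# --- Behaviour-based detection: ransomware-like rename burst -------------------
RENAME_BURST_THRESHOLD = 5  # assumption: alert on 5+ extension-changing renames...
WINDOW_SECONDS = 10         # ...by one process inside a 10-second window

# Constructed file-system events: (time_s, pid, process, action, old_path, new_path)
SAMPLE_EVENTS = [
    (0,   100, "explorer.exe", "rename", r"C:\u\a.docx", r"C:\u\a-final.docx"),
    (5,   100, "explorer.exe", "rename", r"C:\u\b.txt",  r"C:\u\b.md"),
    (60,  100, "explorer.exe", "rename", r"C:\u\c.txt",  r"C:\u\c.md"),
    (100, 200, "update.exe",   "write",  r"C:\u\README_DECRYPT.txt", ""),
    (101, 200, "update.exe",   "rename", r"C:\u\1.xlsx", r"C:\u\1.xlsx.locked"),
    (101, 200, "update.exe",   "rename", r"C:\u\2.docx", r"C:\u\2.docx.locked"),
    (102, 200, "update.exe",   "rename", r"C:\u\3.pdf",  r"C:\u\3.pdf.locked"),
    (102, 200, "update.exe",   "rename", r"C:\u\4.jpg",  r"C:\u\4.jpg.locked"),
    (103, 200, "update.exe",   "rename", r"C:\u\5.pptx", r"C:\u\5.pptx.locked"),
    (103, 200, "update.exe",   "rename", r"C:\u\6.csv",  r"C:\u\6.csv.locked"),
]


def behavioral_alerts(events):
    """Alert once per process that changes >= threshold file extensions within the window."""
    recent = defaultdict(deque)  # pid -> timestamps of recent extension-changing renames
    alerted = set()
    alerts = []
    for ts, pid, proc, action, old, new in sorted(events, key=lambda e: e[0]):
        if action != "rename":
            continue
        if os.path.splitext(old)[1] == os.path.splitext(new)[1]:
            continue  # a.docx -> a-final.docx is normal user activity, keep it out of the window
        window = recent[pid]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RENAME_BURST_THRESHOLD and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "process": proc,
                           "renames_in_window": len(window), "at": ts})
    return alerts


if __name__ == "__main__":
    print("signature, original sample:", signature_match(ORIGINAL_SAMPLE))
    print("signature, one-byte variant:", signature_match(VARIANT_SAMPLE))
    print("behavioural alerts:", behavioral_alerts(SAMPLE_EVENTS))
```

The hash check is still worth keeping as a cheap first pass; the point is that it cannot be the only layer, because the variant costs the attacker one byte and costs you a whole new signature.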

Attackers know that IT teams are constantly pressured by other departments to get servers, websites and applications up quickly. Rushing these deployments means a higher likelihood that systems are not fully patched or thoroughly security tested, which gives attackers an edge: they know these systems could be easy targets. Servers are a weak point, as the majority of incident responders concentrate on endpoints; EDR solutions, for example, tend to be deployed on endpoints rather than on servers.


All in all, the BCAware conference was exceptionally great! A big shout out to all of the organizers and people involved that made it happen. I was surprised by the turnout, as there were lots of people attending, and it was nice seeing so many people engaged in security. This was one of the first larger security conferences I had attended, and it was very worthwhile and informative. I'm looking forward to attending the 2021 BCAware conference!
