Exhibiting at Black Hat Europe is quite different from doing so at Infosecurity, Europe’s largest information security event. Amidst a nation of tea drinkers, InfoSec is your skinny latte – and Black Hat your triple espresso.
From Marina Kaljurand’s keynote through to the plenary, the energy level was sustained and the focus unrelenting. The business hall was packed almost immediately upon opening, and it was clear that delegates were wishing they could clone themselves to take in as much as humanly possible – overlapping briefings, Arsenal pitches, vendor sessions, and getting into the nitty-gritty with exhibitors.
Numerous exchanges involved participants establishing whether they were red team or blue team earlier than one might expect. With the event organisers making it easy for individuals to protect at least some minimal level of oft-desired privacy through omission of, for example, company details from name badges, the resulting shipboard phenomenon stimulated easier and more open conversations.
The Black Hat community is acutely aware of the details of data privacy, personally identifiable information and their safeguards, so the use of pseudonyms was both expected and useful in progressing to the meat (and potatoes) of the conversations. Participants could speak freely without fear of revealing the foibles of their sponsoring org. Badges swapped, masked, you get the picture.
With our team on this Black Hat ship, then, armed with macchiato hip flasks (or occasional high-tech trinkets from vendors), participants vied to share their observations and perceptions of trends, along with a plethora of illustrative breaches to reinforce their point. Mostly responsibly anonymized of course, or not – as judged appropriate.
I was struck by the frequency of Business Email Compromise (BEC) incidents described to me. “Yes, that happened to us too!” claimed one participant, while the stream of energetic and talented Arsenal presenters simultaneously showed their endless array of incident response or penetration testing tool sets. Up to seven presentations at a time, and in close quarters.
I was even more struck by the sophistication and effectiveness of BEC campaigns, along with their sharp rise and scope. Often netting six-figure losses per transaction, and with cyber insurance providers sometimes declining payouts against such losses, the rapid rise of BEC threats presents an uncomfortable reality for the widest range of enterprises and other organizations. Brookcourt Solutions, one of our regional partners, estimates that BEC has cost companies more than £9.5 billion over the last 5 years. BEC becomes even more unnerving in that the campaigns often demonstrate considerable familiarity with a company’s internal processes.
BEC was certainly the highlight of the many topics discussed with this refreshingly honest group of sophisticated practitioners. The monetary figures involved are a stark reminder that threat actors and adversaries continue their evolution – and effectiveness – with increased sharing of information, tactics, tools, and procedures.
In our day-to-day engagements, we are indeed seeing more collaboration between the national-scale CERTs and other organisations protecting critical national infrastructure and the public. However, the imperative to increase the effectiveness of such collaboration is overriding, with a laser focus required on both technology and education throughout the organization.
I’m looking forward to the ongoing conversation at RSA and Infosecurity Europe. If you’re interested in learning more about Business Email Compromise, I would recommend our recent webcast Detecting Targeted Spearphishing Campaigns in the Preparation Phase.