In this episode of the Redefining CyberSecurity Podcast, as part of our Chats on the Road series to Black Hat USA 2023 in Las Vegas hosts Sean Martin and Marco Ciappelli chat with Allison Miller to discuss the parallels and differences between the fraud and cybersecurity teams, focusing particularly on how each measures success and handles challenges. Sean highlights the fraud team's clear metric of money, starting and ending their processes with it, and contrasts it to the security team's reliance on metrics like MTTx (Mean Time to Detect, Respond, etc.). He's curious about how the fraud team optimizes their processes and wonders if there are lessons that security teams can glean from them.

Allison appreciates the methodologies of fraud teams, especially their use of sampling to understand the magnitude of problems. She explains how fraud teams utilize backend data, machine learning, AI, and statistics to discern risk factors. Then, they test these models on forward-looking data, a methodology akin to red teaming in cybersecurity. She emphasizes the importance of continuous testing to ensure confidence in their detection capabilities. A point of difference she highlights is that fraud models have a high degree of confidence due to rigorous testing, while in cybersecurity, a lot of trust is placed on tool outputs without similar rigorous testing.

Marco emphasized the importance of building trust among teams. He stated that without trust, metrics could be misleading, and the overall effectiveness of processes might decline. He urged teams to ensure that they not only trust the data but also their colleagues, suggesting that this trust fosters better communication, understanding, and ultimately, results.

Sean expresses his wish for the cybersecurity world to be more integrated into applications, like the fraud teams are. Allison notes that fraud teams naturally fit into transaction processes because that's where money moves. For cybersecurity, the most natural integration point would be during authentication, but it's a risky move since blocking legitimate users would significantly impair their experience. Despite the challenges, Allison sees potential in fusion between fraud and security, especially in areas like API abuse. Both teams could benefit immensely from mutual collaboration in such areas.

Allison concludes that while direct involvement of security teams within applications may be a stretch, collaboration with fraud teams can still provide valuable insights. For example, in the realm of retail and payment, insights into API abuse can be a significant area for cooperative efforts between the two teams.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

In this episode of the Redefining CyberSecurity Podcast, as part of our Chats on the Road series to Black Hat USA 2023 in Las Vegas host Sean Martin and guest Eric Parizo discuss the upcoming Omdia Analyst Summit at Black Hat USA.

Eric, the Managing Principal Analyst for the Omdia Cybersecurity Research Team, shares insights into the summit's agenda and the exciting research they have been working on. The summit covers a range of topics, including economic challenges in cybersecurity, proactive security, SASE, IoT and OT security, data security, managed security services, and AI in cybersecurity.

They also touch on budget allocation and how organizations are shifting their resources and investing in external security capabilities. While security budgets are generally holding steady or increasing, the economic uncertainty may impact the second half of the year. The conversation highlights the importance of demonstrating ROI and value in existing security spend. The concept of proactive security takes center stage, as Eric explains that it involves finding and addressing threats before they impact an organization.

They discuss the three broad categories of security solutions: preventative, reactive, and proactive. Proactive security is seen as the missing piece in the cybersecurity puzzle, allowing organizations to get ahead of security problems and reduce overall risk. Eric teases the attendees of the summit with the promise of exploring specific proactive solutions and the potential for proactive security platforms that bring together various proactive capabilities.

Throughout the conversation, Sean and Eric provide a sneak peek into the summit's agenda, emphasizing the importance of the topics being discussed and the cutting-edge research being presented. The episode showcases the expertise and knowledge of Eric as a leading analyst in the cybersecurity field and offers valuable insights for security leaders and professionals.

Hosted by Sean Martin, the Redefining CyberSecurity Podcast provides listeners with thought-provoking discussions on cybersecurity topics.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

In this new Chats on the Road to Black Hat USA 2023 on the ITSPmagazine Podcast Network, hosts Sean and Marco are joined by Cat and Kate from MITRE to discuss the world of adversary emulation and its importance in improving cybersecurity. The conversation covers MITRE's role as an industry thought leader and their focus on making the cyber world a safer place. They explain how MITRE ATT&CK, a framework based on observations from blue and red engagements, led to the development of ATT&CK evaluations, which aim to raise the standard of the industry and provide transparency. The hosts and guests emphasize the need for transparency in adversary emulation and how MITRE releases their methodology, results, and code to make the practice more accessible.

The group also discusses the challenges faced in aligning emulation plans with the diverse and unique solutions deployed by different vendors and the importance of maintaining the integrity of what the adversaries would actually do. The conversation also touches on the differences between adversary emulation and simulation. While emulation replicates the actions and techniques of specific adversaries, simulation allows for more flexibility and blends different components of multiple adversaries.

The hosts and guests also explore the power and responsibility that comes with conducting adversary emulation, drawing parallels to superheroes like Batman and Spider-Man.

About the session — Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations

Batman once said, "you either die a hero or live long enough to see yourself become the villain." What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by "becoming the villain." We study some of the world's most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.

Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.

First, our cyber threat intelligence team (CTI) demonstrates how to evaluate reports with the sufficient technical data needed to emulate the adversary's usage of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in data, and create alternative attack methods for the red team.

Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.

To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our "become the villain" methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.

Subscribe to our podcast, share it with your network, and join us in pondering the questions this conversation raises. Be part of the ongoing dialogue around this pressing issue, and we invite you to stay tuned for further discussions in the future.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

Welcome to a fascinating new episode where we delve deep into the confluence of cybersecurity, psychology, and philosophy in the realm of artificial intelligence. In anticipation of their insightful presentation at Black Hat Las Vegas 2023, our hosts Marco and Sean had an engaging conversation with Ben and Matthew, shedding light on the astonishingly rapid developments of AI and the accompanying cybersecurity implications.

Within the last few months, the GPT-4 and ChatGPT language models have captivated the world. There is a growing perception that the line between AI and sentience is becoming increasingly blurred, nudging us into uncharted territories. However, one must question if this is genuinely the case, or merely what we want or are predisposed to perceive.

Ben and Matthew's research outlines the fundamental "cognitive levers" available to manipulate human users, a threat vector that is more nuanced and insidious than we ever imagined.

In their upcoming Black Hat talk, they aim to reveal how AI can exploit our cognitive biases and vulnerabilities, reshaping our perceptions and potentially causing harm. From social engineering to perceptual limitations, our digital realities are at a risk we have never seen before.

Listen in as Marco and Sean explore a captivating debate around the nature of reality in the context of our interaction with AI. What we think is real, may not be real after all. How does that affect us as we continue to interact with increasingly sophisticated AI? In a world that often feels like a simulation, are we falling prey to AI's exploitation of our human cognitive operating rules?

Marco and Sean also introduce us to the masterminds behind this groundbreaking research, Ben Sawyer, with his background in Applied Experimental Psychology and Industrial Engineering, and Matthew Canham, whose work spans cognitive neuroscience and human interface design. Their combined expertise results in a comprehensive exploration of the intersection between humans and machines, particularly in the current digital age where AI's ability to emulate human-like interactions has advanced dramatically.

This thought-provoking episode is a must-listen for anyone interested in the philosophical, psychological, and cybersecurity implications of AI's evolution. The hosts challenge you to think about the consequences of human cognition manipulation by AI, encouraging you to contemplate this deep topic beyond the immediate conversation.

Don't miss out on this thrilling journey into the unexplored depths of human-AI interaction.

Subscribe to our podcast, share it with your network, and join us in pondering the questions this conversation raises. Be part of the ongoing dialogue around this pressing issue, and we invite you to stay tuned for further discussions in the future.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

In this Chats on the Road to Black Hat USA, hosts Sean and Marco are joined by John Swanson, the Director of Security Strategy at GitHub. The conversation revolves around the challenges and importance of implementing two-factor authentication (2FA) for developers on the GitHub platform.

John shares insights into the role of GitHub in protecting developers and the software ecosystem, emphasizing the need for collaboration and involving various perspectives in the project team. The discussion touches on the guiding principles that rallied the team and the importance of balancing security outcomes with usability. They explore the role of culture in driving effective security practices and creating a safe and healthy environment. John highlights the need to build and maintain a healthy culture around security, ensuring two-way trust between internal employees and customers.

The conversation also explores how to measure success through traditional metrics and indicators, as well as the importance of team engagement and positivity. The hosts express their excitement for John's upcoming presentation at the Black Hat conference, where he will discuss 2FA for 100 million developers on the GitHub platform. The conversation provides valuable insights into the challenges and successes of implementing security technologies while considering the human factor, offering a glimpse into the real-world implementation of 2FA and the efforts made by GitHub to improve security without compromising usability.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

In this Chats on the Road to Black Hat USA, hosts Sean and Marco are joined by guests Pedro and Marco to explore the vulnerabilities and challenges of web security. The conversation begins with an explanation of the Double Submit and Synchronized Token patterns used to protect against CSRF (cross site request forgery) attacks. They discuss the limitations of these patterns, particularly when it comes to the integrity of cookies.

The guests highlight the potential for attackers to modify cookies and the need for better solutions. The conversation then unpacks the complexities of web security, including the difficulties of maintaining backward compatibility and the challenges of multiple components and parties involved in web development, delivery, and operations. They address the importance of revising the security of subdomains and implementing security mechanisms like HSTS (HTTP strict transport security) with the inclusive domain directive.

The conversation also raises philosophical questions about the responsibility of companies and the development community in addressing web security, as well as the role of legislation in this space. The group emphasizes the need for better platforms and frameworks that prioritize security from the start.

The conversation concludes with a discussion on the importance of ongoing research, reporting vulnerabilities to developers, and finding solutions to improve the overall security of web applications. Listeners can expect to gain a deeper understanding of web security challenges and the ongoing efforts to address vulnerabilities and improve the security of the internet ahead of Pedro's and Marco's research presentation at Black Hat USA 2023.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

In this Chats on the Road to Black Hat USA, hosts Sean and Marco invite Johannes Willbold to discuss the security of low Earth orbit (LEO) satellites. Johannes shares his research on satellite vulnerabilities and the challenges in securing satellite systems. They discuss security by obscurity and the lack of standardized protocols in satellite technology.

Johannes emphasizes the importance of addressing security concerns in space technology and the need for organizations like NASA and the European Space Agency (ESA) to come together to address these challenges. They spend time looking into the difficulties of implementing security measures on satellites and the slow adoption of fixes due to the time-consuming nature of satellite testing and deployment.

The trio also touch on the lack of everyday defenses and mitigating controls for satellite security, as well as the challenges of monitoring and responding to threats while satellites are in orbit. Johannes highlights ongoing efforts by organizations like ESA to improve security in space and host workshops to encourage research in this area.

The hosts also cover some of the points from Johannes's upcoming talk at Black Hat USA, where he will share more details about his research.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

In this Chats on the Road to Black Hat USA, hosts Sean and Marco discuss the use of AI in hacking and cybersecurity with guest Frederick Heiding, specifically large language models, such as GPT-3 and GPT-4 (ChatGPT). They explore the concept of using AI to create realistic phishing emails that are difficult to detect, and how cybercriminals can exploit this technology to deceive individuals and organizations.

The episode also looks at the ease with which AI can generate content that appears real, making it a powerful tool in the hands of attackers. The trio discuss the potential dangers of AI-powered phishing emails and the need for more sophisticated spam filters that can accurately detect the intent of these emails, providing more granular information and recommended actions for users.

Throughout the episode, there is a recognition of AI as a tool that can be used for both good and bad purposes, emphasizing the importance of ethics and the ongoing race between cybercriminals and cybersecurity professionals. The conversation also touches on the positive applications of AI in detecting and preventing phishing attacks, showcasing the efforts of the "good guys" in the cybersecurity world. They discuss the potential for AI to help in blocking phishing emails and providing more granular information and recommended actions for users.

About the Session

AI programs, built using large language models, make it possible to automatically create realistic phishing emails based on a few data points about a user. They stand in contrast to "traditional" phishing emails that hackers design using a handful of general rules they have gleaned from experience.

The V-Triad is an inductive model that replicates these rules. In this study, we compare users' suspicion towards emails created automatically by GPT-4 and created using the V-triad. We also combine GPT-4 with the V-triad to assess their combined potential. A fourth group, exposed to generic phishing emails created without a specific method, was our control group. We utilized a factorial approach, targeting 200 randomly selected participants recruited for the study. First, we measured the behavioral and cognitive reasons for falling for the phish. Next, the study trained GPT-4 to detect the phishing emails created in the study after having trained it on the extensive cybercrime dataset hosted by Cambridge. We hypothesize that the emails created by GPT-4 will yield a similar click-through rate as those created using V-Triad. We further believe that the combined approach (using the V-triad to feed GPT-4) will significantly increase the success rate of GPT-4, while GPT-4 will be relatively skilled in detecting both our phishing emails and its own.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

Black Hat USA 2023 conference's keynote sessions promise engaging and insightful conversations. Steve Wylie, the General Manager, highlighted one of the key discussions that will occur during the event, a fireside chat between Jen Easterly, the director of Cybersecurity and Infrastructure Agency (CISA), and Viktor Zhora, who is responsible for defending Ukraine's digital infrastructure. Easterly, having been appointed in 2021, participated in a Black Hat keynote stage three weeks later, where she effectively discussed her vision for the collaboration of hackers, government, and the private sector. Now, after a couple of years in her role, she's expected to bring in more nuanced perspectives.

The discussion will focus on the pressing issues faced by the cybersecurity world, including the war in Ukraine and the country's efforts to defend its digital infrastructure. This fireside chat is set to foster insightful exchanges from two significant figures, each from different governments, giving attendees a unique view into real-world security operations.

The Thursday morning keynote will feature Kemba Walden, the Acting National Cyber Director for the Executive Office of the President. Her contributions to major cybersecurity initiatives, such as the implementation of Executive Order 14028, make her an exciting addition to the conference. This order, which aimed to improve the nation's cybersecurity, addressed significant issues like public-private cooperation, sharing of intelligence between agencies, and supply chain security.

As the conference unfolds, more technical discussions will also take place. Wylie mentioned the Black Hat briefings which are typically quite technical and provide insights into the current cybersecurity landscape. One notable briefing includes James Kettle's session, "Smashing the State Machine: The True Potential of Web Race Conditions," highlighting an unexpected flaw in web applications. Other sessions cover important topics such as the recent Viacom satellite attack in Ukraine and global DDoS trends, as observed by the FBI.

The Black Hat USA 2023 conference offers a diverse range of topics for attendees, from policy-related big-picture conversations to more technical, detail-oriented discussions, plus hands-on activities taking place in the Arsenal. There's also an entrepreneur track, where innovative solutions are pitched to judges and are on display in the business hall.

Black Hat USA 2023 aims to provide both overarching perspectives and in-depth analyses to ensure a comprehensive understanding of today's cybersecurity challenges.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa