Notes from the Field: Top 3 Security Trends at Black Hat and DEF CON

Aug 2023
Jeremiah Roe

Jeremiah Roe is field CISO, North America for Synack.

Another year, another “hacker summer camp” in the Las Vegas desert. While the temperatures were sweltering outside, we kept it cool in the deep sea at Synack’s Black Hat booth. The most ferocious guests at the famed security conference were our two baby smooth-hound sharks, Shellshark and Heartbleed, who gave passersby a moment of serenity on the bustling Black Hat Business Hall show floor last week.

Visitors to our booth enjoyed demonstrations from Solutions Architect Tim Lawrence, who showed us the Synack Platform in action, and rounds of Name that Vulnerability, where I quizzed attendees about the latest in CVEs and vuln categories. We also brought the DEF CON vibe to Black Hat with expert Synack Red Team members who presented in-depth analyses of cloud security testing and examples of remote code executions. 

Attendees at Black Hat 2023 fill the Cave at the Synack booth to hear more about the Synack Platform in action.
Jeremiah Roe gives a personalized demo at the Synack booth.

Typically, Black Hat caters to the business side of the cybersecurity industry, while DEF CON is renowned for its onsite tactical research. This year was no different, with DEF CON featuring events like Hack the Future and Hack-a-Sat as well as sessions with open invitations from U.S. government officials to give feedback on policy and guidance. 

The two conferences combined – not to mention concurrent security events like BSides Las Vegas and the Diana Initiative – hosted tens of thousands of attendees and spanned practically every cyber topic imaginable and then some. From the cyber deluge, here are the top three trends from a very busy week:

1. Artificial Intelligence and Machine Learning

To say that artificial intelligence is a hot topic this year is to undersell just how popular the technology has become. Artificial intelligence, machine learning and large language models (AI, ML and LLM respectively) are quickly changing the way we interact with technology. Already, AI chatbots can introduce malware and phish victims for sensitive information. AI can also be used to write malicious code (or produce code that is itself vulnerable to exploitation), and AI systems can themselves be attacked, as enumerated in the newly published OWASP Top 10 list for LLM applications.

On the Black Hat floor, AI was the topic of much corporate messaging and attendees querying companies on their plans to tackle its security. (We’ll have more to share on Synack’s AI stance very soon, so stay tuned.) 

DEF CON invested heavily in the subject, hosting the AI Village, where government and policy-oriented groups held the largest-ever red team exercise on AI models. Security researchers also shared their tips on how to sniff out AI-related bugs in talks including one titled, “Unveiling the Secrets: Breaking into AI/ML Security Bug Bounty Hunting.”

The speed of AI can help generate new methods of creativity and innovation, but it can also introduce new vulnerabilities at a pace we haven’t seen before. Organizations will have to prepare for the unknown, which brings me to the next big trend: resilience. 

2. Cyber Resilience

There’s a new security paradigm replacing the old assumption that cyberattacks are rare. In today’s world, it’s more likely than not an organization will experience a data breach or cyberattack of some kind. Companies now need to expect cyber threats and plan for how their systems will bounce back, rather than fruitlessly try to fend them off altogether. This new idea of cyber resilience in organizations puts security at the forefront. It’s now just as important as business processes and innovative products, because without a secure networking environment or product, compliance fines, profit losses and a damaged reputation can put a company out of business. 

The U.S. government is pushing a resilience-first framework, as demonstrated by recent Securities and Exchange Commission rulings, White House mandates and Cybersecurity and Infrastructure Security Agency guidance on a secure-by-design approach. The mindset that you can push out a new application (or a new satellite) without integrating security principles won’t last. 

The Hack-a-Sat logo with a replica of the satellite teams hacked into at DEF CON 31.
An image of the DEF CON 31 lobby at the Caesar's Forum in Las Vegas.

3. The Next Frontier of Hacking 

One of the newsiest bits from DEF CON was the Hack-a-Sat competition, where five teams competed to hack into an actively orbiting satellite, with permission from the U.S. government of course. The winners? A team of Italian hackers aptly named mHACKeroni.

Though not as splashy as hacking a satellite, DEF CON also hosted villages and capture-the-flag events for cars, election machines and Internet of Things (IoT) devices, including health devices. Threading it all together: if a device is connected to the internet or communicates data over a network, it is potentially vulnerable to attack and should be designed to withstand it.

One of the great things about the Black Hat/DEF CON combo is that you can see how new ideas bubbling up from hackers and security practitioners make their way into government policy, company messaging, products and more. It’s the conference series to get the pulse on what’s next in the industry and how we’ll tackle some of the greatest cybersecurity challenges of today.