Black Hat is renowned for being one of the biggest, most technical security conferences in the world operating in the USA, Europe and Asia. 2017 marks Europe’s first Black Hat Executive summit, a format well received for senior executives to be able to openly discuss cyber security concerns and share business issues arising from cybersecurity deficiencies.
The event included two days of discussion on incredible research covering technical exploitation techniques, reverse engineering, IoT security, social engineering and beyond. It’s easy to see why many in the C-Suite have seen Black Hat as an event their technical teams must attend.
Through some of my recently published insights on advanced attacker strategies to monetize security breaches, I was invited to share my thoughts and experiences alongside a panel including law enforcement and cybersecurity industry peers.
The recognition that cybersecurity issues must be known, understood and communicated clearly to the C-suite was evident in the room. Much of the feedback from the day was that our panel helped further answer the ‘so-what’ questions that are vital to engaging business decision-makers.
The Executive summit directly addressed that concern with a format including open discussion panels, a CISO’s ‘how to’ session on communication with the board as well as presentations on global trends and the expectations of CISO’s of the future. Much of the Black Hat research showed executives that when there is an advanced attack, they will need to know the impact of a breach and how to resolve, recover and avoid it in future while also getting visibility into possible new attack vectors and vulnerabilities.
Fundamental to achieving this is explaining cybersecurity in terms that the C-Suite can relate to. For example, monetisation was the theme for my panel and explored how guarding against cyber threats effectively requires thinking beyond the initial attack or initial entry point.
Many security managers think solely about security from a technical control perspective without consideration to the adversarial nature of the threats we all face. Little thought is given to what a criminal might do with the data they can steal, or how they could affect or disrupt the value chain of a business.
Monetising a cyber attack can be very blunt, with strategies similar to extortion E.g. “give me the money or else…” is used frequently.
However, much subtler approaches are often taken. Criminals are using data science techniques to quickly identify and target companies that have known business process subject to manipulation.
The criminal’s monetisation strategies usually involve tracking the entry and exit of money or goods from a business and seeking to manipulate the destination. A very common attack in business-to-business is to compromise the accounts-payable and accounts-receivable functions. By compromising users email accounts in these departments, the criminals can manipulate and re-issue invoices with different payment details so that the recipient of the invoice – the customer - ends up sending the money to the criminal.
The criminals can then take advantage of business payment terms (typically net 30 or net 60) to give themselves time to launder the money. This can be incredibly damaging for a business, especially if it is measured heavily by its available free cash flow. These kinds of attacks can, at best, be disruptive to investor relations and at worse could cause a business to become insolvent.
In some cases, these attacks can become very aggressive and target multiple parts of a supply chain, wherever there are credit relationships with the compromised business. This gives the criminals multiple attempts at stealing significant sums of money.
One of my fellow panelists, representing the UK’s National Crime Agency, highlighted that these attacks are frequently scaled down to small businesses and freelancers. The impact of missing an entire months’ invoice payments can be disastrous for a small business.
As emphasized by the monetisation panel I was part of, we were able to demonstrate how vulnerability can significantly impact the bottom line. Black Hat Europe’s Executive Summit accentuated just how important it is for cybersecurity to be on the boardroom agenda. I think the Executive summit will continue to be an important component of the Black Hat briefings and has a key role in pushing cybersecurity up the food chain in terms of business decision making.