One final curated post for the year of the insights and innovations we thought would be of interest to our members and readership from the annual cybersecurity gatherings in Vegas.
National Cyber Director Harry Coker Jr., speaking at Def Con in Las Vegas, says federal assistance must be bolstered by more ownership among the community. The Department of Homeland Security plans to invest $11 million toward improving security in open-source software, a key area of focus under the Biden administration’s national cybersecurity strategy…the investment will back a program called the Open Source Software Prevalence Initiative, which will assess the prevalence of open source software used in operational technology settings by critical infrastructure providers.
The RFI summary report consolidates submissions received from the open-source software community and details twelve activities that members of the OS3I plan—or have completed—in 2024-2025. These activities include:
(1) Advance research and development;
(2) Secure package repositories;
(3) Partner with open-source communities;
(4) Promote further development and implementation of the use of Software Bill of Materials;
(5) Strengthen the software supply chain;
(6) Establish the first U.S. Government Open-Source Program Office;
(7) Assign vulnerability severity metrics;
(8) Increase education and training tools;
(9) Expand International Collaboration;
(10) Enhance security and replace components of legacy software;
(11) Advance public-private partnerships; and
(12) Use formal methods.
Read the full National Cybersecurity Strategy here.
Read the full OS3I End of Year Report here.
Read the full 2023 National Cybersecurity Strategy Implementation Plan here.
Read the full 2024 National Cybersecurity Strategy Implementation Plan here.
Read the full Back to the Building Blocks Report here.

A sign that reads “Go Fake Yourself” outside of the AI Village at DEF CON in Las Vegas on Saturday, Aug. 10.
Image Source: Sam Sabin/Axios
Sam Sabin from Axios was able to create his own deep fake while reporting on the DARPA demo at DEF CON 32:
“Generating a plausible deepfake video that swapped my face for Meghan Markle’s took about 10 seconds and showed how easy it would be to pretend to be someone else in a live video.
Why it matters: The deepfake experiment on the sidelines of the DEF CON hacker conference also came with a silver lining: Technology is getting better at detecting deepfakes, too. Participants in the DEF CON hacker conference over the weekend had the opportunity to create a live video deepfake in a lab held by AI Village in partnership with the Defense Advanced Research Projects Agency (DARPA).
- The AI Village worked with Brandon Kovacs, a senior red team consultant at cybersecurity services provider Bishop Fox.
- The team used an open-source tool called DeepFaceLive to generate participants’ celebrity dupes in real-time.
- DARPA-backed Semantic Forensics (SemaFor) then ran its own deepfake detection tool — trained on years’ worth of research from DARPA and several academic research partners — to see if it could spot the fakes.
For more of Sabin’s reporting on the DARPA deepfake experiments presented at DEFCON, go to this link.
Presidential election interference, a once-in-a-generation pandemic, the SolarWinds Orion hack and Russia’s invasion of Ukraine are just a small sampling of what Gen. Paul Nakasone witnessed during his time leading the National Security Agency and U.S. Cyber Command. In taking the position in 2018, he set “wake-up conditions” for when an on-duty officer would call him during an emergency that would require attention from the president or secretary of defense. In his first year, he got 3 calls. In his final month on the job, he was phoned over 10 times. “It’s for you. It’s them. Good luck,” he recalled his wife telling him whenever a call came through. His description of what became a routine habit for the Nakasone family elicited laughs from an audience of hackers and security practitioners at the DEF CON hacking conference here.
“The scope, scale, sophistication and speed of what we’re facing is tremendously different” versus five years ago, he said. To Nakasone, it means that younger people need to have a seat at the national security table, he told reporters on the sidelines of DEF CON. “Gen Z will be the No. 1 sector within our workforce. Okay, that’s great. But it also requires that knowledge and skills and ability that have just left us — whether or not they’re baby boomers like myself or millennials — you’ve got to be able to pass that information on,” he said. He hopes to begin addressing the issue through a new Vanderbilt University national security research institute launching next month. “We’re talking 25 for 2025,” he said, as part of an effort to put 25 Vanderbilt interns into governmental national-security roles to help kickstart the effort.
This year, the software supply chain was a dominant theme [at Black Hat], reflecting the industry’s growing concern over vulnerabilities in both open-source and proprietary software. The shadow of recent high-profile disruptions, such as the CrowdStrike update issue that led to widespread outages, loomed large over many sessions. While this incident wasn’t a cyberattack, it highlighted just how fragile the software supply chain can be and the potential for catastrophic impacts if these systems are compromised. CrowdStrike’s prompt and effective resolution of the outage was met with praise, as they minimized the disruption and reinforced community trust in their capability to manage unexpected challenges.
A particularly insightful session was Danny Jenkins’ talk on “Understanding and Reducing Supply Chain and Software Vulnerability Risks.” Jenkins, the CEO of ThreatLocker, explored the intricate web of dependencies in modern software development and the myriad ways in which these can be exploited. He emphasized the urgent need for organizations to adopt more stringent security practices, such as continuous monitoring and supply chain audits, to mitigate the risks posed by third-party software components.
The Black Hat Business Hall was a hive of activity where vendors showcased their latest tools. Many vendors, such as CrowdStrike and Trend, had interactive kiosks where attendees could try their products for themselves. This year, the emphasis was on practical solutions to emerging threats, with many vendors highlighting tools designed to enhance AI-driven security operations and improve supply chain security. In startup alley, emerging companies and innovations such as VulnCheck had their own section of the business hall to promote their offerings.
The Innovators & Investors Summit was a new addition that drew significant attention. This summit provided a platform for startups to pitch their solutions to a panel of investors and industry leaders, with the aim of supporting innovation in the cybersecurity space. The Startup Spotlight Competition was particularly exciting, with emerging companies showcasing groundbreaking technologies that could shape the future of cybersecurity.
Convergence: AI-based Innovation and Business Models at Black Hat USA 2024
Hewlett Packard Enterprise (HPE) this week at the Black Hat USA 2024 conference extended its network detection and response (NDR) capabilities that make use of artificial intelligence (AI) models to enable behavioral analytics. In addition, HPE is also now providing the option to deploy its zero-trust network access (ZTNA) control plane in on-premises IT environments. HPE is leveraging a data lake it gained with the acquisition of Aruba Networks to train and deploy classification and predictive AI models that monitor and detect unusual activity. The same data lake provides the foundation for additional generative AI capabilities that HPE provides, noted Lunetta. Collectively, AI technologies combined with behavioral analytics will, over time, reduce the dependency cybersecurity teams have on signatures that vendors create and provide to identify specific types of attacks.
RAD Security this week at the Black Hat USA 2024 conference revealed it has added artificial intelligence (AI) capabilities to its cloud detection and response (CDR) platform as part of an ongoing effort to reduce dependencies on signatures that need to be developed before threats can be detected. Additionally, the company has added a Findings Center to track incidents and added additional support for open source images and an ability to track version details to the RAD Open Source Catalog. Finally, the RAD Security platform is now available as an add-on to the Amazon Elastic Kubernetes Service (EKS).
Columbia–D3, the leader in smart security orchestration, automation, and response (SOAR), today announced the release of Ace AI, a collection of new capabilities for D3’s Smart SOAR platform that leverage the power of artificial intelligence to make security operations faster and more intuitive. In a security operations climate where excessive toil and a persistent skills gap are the norm, D3 Smart SOAR with Ace AI cuts through the hype and delivers meaningful AI capabilities from which security analysts, security engineers, and incident responders can immediately benefit.
AI-Generated Playbooks
This breakthrough advancement translates natural language prompts into automated Smart SOAR playbooks, which greatly accelerates the playbook-building process while reducing the tool’s learning curve and minimizing human error.
U.S. Election Security and Integrity
The security of the 2024 U.S. elections [was] one of the hottest topics on the floors of Black Hat and DEF CON this week. Why it matters: With less than three months until Election Day, government officials and election security experts are eager to grow confidence in state and local government’s ability to accurately and safely tally legitimate votes. Driving the news: The DEF CON Voting Village is running a simulated online election this week and asking hackers to try to break the system.
A hack that would disrupt the election is unlikely, but experts are worried that any vulnerabilities could provide fodder for those wishing to question the results. Some of the best hackers in the world gathered in Las Vegas…to try to break into voting machines that will be used in this year’s election — all with an eye to helping officials identify and fix vulnerabilities. The problem? Their findings will likely come too late to make any fixes before Nov. 5.
In one sense, it’s the normal course of events: Every August, hackers at the DEF CON conference find security gaps in voting equipment, and every year the long and complex process of fixing them means nothing is implemented until the next electoral cycle. But Election Day security is under particular scrutiny in 2024. That’s both because of increasing worries that foreign adversaries will figure out how to breach machines and because President Donald Trump’s unsubstantiated allegations of widespread fraud in 2020 undermined confidence in the vote among his supporters.
As a result, many in the election security community are bemoaning the fact that no system has been developed to roll out fixes faster and worrying that the security gaps that get identified this year will provide fodder for those who may want to question the results.
Additional OODA Loop Resources
https://oodaloop.com/archive/2024/08/30/information-warfare-social-engineering-and-ransomware-a-global-situational-awareness-and-threat-vector-survey/
Cyber Risks
Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has caused regional issues that affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat
Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic’s reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.
Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat
Recommendations for Action
Decision Intelligence for Optimal Choices: Numerous disruptions complicate situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its data collection methods, assessment, and decision-making processes for more insights: Decision Intelligence.
Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the IT department’s or the CISO’s responsibility – it’s a collective effort involving the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses
The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance
Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront unpredictable external threats. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. Regardless of their size, all organizations should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning
About the Author
Daniel Pereira
Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.