The 2022 conference schedule ramped up in the second half of the year, and as you might expect, TrustedSec both attended and spoke at many of them. Within our organization, we have many different perspectives and focused interests, so we sampled opinions from some of the people who attended. We were curious how our experiences and those within our sphere of connections compared.
Views from Organizational Defenders and Penetration Test Practitioners
For the purposes of the blog, we grouped perspectives into two primary personas—organizational defenders and penetration test practitioners. We started with organizational defenders as a catch-all name for folks whose focus is mainly on protecting their business or on the consultants assessing and advising on building and maturing their security programs. Some would call these Blue Teamers, but that didn’t quite capture the different types of people we were talking with. Penetration test practitioners are the folks who are interested in or perform penetration testing of some kind. They are more generally interested in new exploits, tools, or tactics, techniques, and procedures (TTPs) for breaking into an organization. Some of the conferences attended were different, but we were often at the same conferences, just attending different tracks.
It’s always fascinating when people speaking on the same subject—Information Security—can not only have different perspectives (which is almost always the case), but in some cases, be speaking almost entirely different languages from one another about the same broad topic. That makes for very distinct differences. However, there were a lot of similarities whereby people arrived at similar conclusions, even though the problems were approached from entirely unique starting points.
One of the purposes of this blog is to help balance out perspectives and build an understanding of a challenge from different angles. Both organizational defenders and penetration test practitioners have the same ultimate goal of making companies more secure—one does so by breaking in and telling the company tactically how they did it to plug the holes, and the other by building the people, processes, and tools into a coherent security strategy (and plugging those holes) in an efficient and effective manner. Of course, this is subjective and certainly not representative of everyone’s take. These notes are from our experience and from talking with others at the conferences and within TrustedSec.
The First Universal Observation: High Levels of Excitement
One of the great themes that seemed universal was the excitement exuded by the attendees! A two-year hiatus and isolation really got people jazzed up about going to conferences and interacting with others. People seemed to be in great moods and very engaged. There was a ton of mingling going on, not only among the attendees, but also with the vendors and people in the booths. There were many fresh faces who had never been to one of the larger conferences. It’s clear the security industry has grown as a whole.
Organizational Defender Themes
Again, themes traverse all of security, but upon seeing the conferences, this is what the organizational defenders seemed to discuss the most.
Zero Trust is everywhere. Many, many companies were focused on Zero Trust, an approach based on the principle of least-privilege access and that no user or application should inherently be trusted. Several provide Identity and Access Management in some fashion and are looking to use identity as the perimeter. It takes a lot to get through the marketing, but the ineffectiveness of current security architectures is pushing organizations toward building application access with Zero Trust principles. There is now a NIST architecture for Zero Trust as well that you can dive into.
Cloud Security continues to grow in interest. While hosting is primarily consolidated around AWS and Azure, there are various other aspects of protecting information in the cloud as companies continue to move to the cloud as part of their digital transformation strategy.
Automation and deciding what’s automatable were also topics built on the question of “How do we use what we have better?” Organizations are looking for automated remediation and alerting as the main features, but also automation of third-party risk assessments. Additionally, some highly repetitive tasks include creating new applications, documenting the environment, generating tickets, and overall creating and scheduling of workflows.
XDR (eXtended Detection and Response) includes endpoints, email, threat intel, network security management, config management, analytics, and a bunch of other stuff. Vendors are offering more and combining standalone products. There’s frustration with the traditional MSSP. These factors are impacting organizations’ decisions toward vendor consolidation.
Attack Surface Management is a catch-all term for asset inventory, vulnerability management, visibility, and control validation. New tools have sprung up to automate the concept of understanding and reducing an organization’s attack surface or expanded areas of risk, such as physical systems, location services, sensors and actuators, data ingestion and analytics platforms, integrated supply chains, and external developers, etc.
Software Supply Chain Security emerged in a few places due to attacks such as SolarWinds Orion and the Log4J vulnerability. The use of open-source libraries has grown due to the ability to release higher-quality code faster and use third-party innovation at scale. The software supply chain has been building in popularity alongside DevSecOps as that process becomes more prevalent.
Additional Defender Observations
- There was less focus on Ransomware as a standalone topic, but it was discussed as part of the other themes, which in aggregate made it the most-mentioned topic.
- There were more discussions (complaints) about requests for additional Evidence of Controls for transparency.
- Product consolidation (e.g., DLP and CASB) and vendor consolidation are taking place, especially for cloud tools.
- Machine Learning and Artificial Intelligence are still being discussed, but they are not seen as being as outlandish as what vendors said they could be when they first started getting hyped.
- There were a few studies cited that CISOs still feel like strategic planning and building relationships are their top two weaknesses in performing their jobs.
- Cyber-physical systems were also part of the talks.
- Security management did have discussions on business metrics, digital transformation, and board discussions.
Penetration Test Practitioner Themes
OSINT—Generally, from DEFCON, much focus was placed on the realm of OSINT. Gathering intelligence is crucial in successfully compromising a targeted network, and methods of information gathering ranged from finding targets to user enumeration. Several villages had talks and workshops centered around information gathering and the different benefits of each information type. Clearly, the industry has taken steps to utilize the digital footprint of both organizations and individuals to better understand targets and craft techniques.
Web application penetration testing was another point of interest, with many showing the tools and techniques needed to carry out such testing properly. As more organizations keep utilizing web applications for their own operations, the opportunity to exploit these applications has been growing. Using different web applications for end-users, network upkeep, and productivity has made many applications prime targets for penetration testers.
Penetration Testing Ethics—One topic of great interest presented was penetration testing and social engineering ethics. Many of the points made were centered around the targets of the engagement and how to approach various situations ethically. With social engineering specifically, being sure to properly uphold an ethical code and work towards viewing current awareness, detection, and mitigation has been a critical topic. Sending targets into a panic or using a scenario that has life-altering consequences is a major negative and affects employees and their work in a much deeper sense than merely catching who may have clicked a link or submitted credentials. These scenarios have played out with much public ire in the recent past, and the industry is working hard to ensure that such instances are far from normal. Being certain ethics are put first in an engagement is a topic that will be here to stay.
Bypassing modern defenses—Quite a few DEFCON villages and regional conferences had talks centered around bypassing modern defenses. These topics included malware development, obfuscation, and threat emulation. As the industry has matured, techniques have gotten more sophisticated, and so have the defenses. Bypassing the defenses is a priority for many penetration testers to show the impact of different vulnerabilities while the targeted organization still has its shields raised. This is important for two reasons. The first is that finding ways around modern defenses is what many current threat actors will aim to achieve. The second reason is that having a better understanding of where a gap may be in the defense infrastructure of a network and helping to create new detection and alerting methods will help put a stop to malicious activity.
Education and Training—A significant area of introspection in the industry has been in the education and training area. At DEFCON, there were multiple hands-on learning scenarios available to attendees and a focus on bringing new people into the field. While the skills gap in infosec has been a topic of debate, steps are being taken by the industry to better understand the issue at hand and find ways to allow those outside the industry to create paths. Just like any growing industry, training and empowering the next generation to grow and learn is critical in keeping a healthy and diverse pool of future professionals. A push is being made to better understand the current shortcomings in training new candidates and how to build up those who are looking to grow into an exciting field.
Joint Themes: Bridging the Perspective Gap
Cloud—It was mentioned earlier, but we can’t say it enough—Cloud, Cloud, Cloud. No matter what angle you come from, everything security includes the cloud now. In some ways, it’s making it easier for penetration testers and in other ways has made it much harder. The typical network or on-prem attacks no longer work as effectively when the large providers take care of the core infrastructure security.
Threat detection and response was also a shared topic across many of the conferences and different tracks, as people still wrangle with more efficient ways of working through the processes involved. This includes discovery and inspection, analysis, policy evaluation and enforcement, and incident management and remediation. Companies also continue incorporating the MITRE ATT&CK framework to correlate detection and response techniques with common attack scenarios.
Web applications are still a significant focus, including the software supply chain, DevSecOps, and API management. There are now millions of open-source software projects in the world that pose security, operational, and legal risks. This is leading to additional information collection, processes that need to be changed, and automated tools designed to spot and help resolve issues.
IoT and Operations Technology security is still a hot topic with a lot of complexity because of different devices and vendors with entirely different setups. A new paradigm is taking root called Moving Target Defense, though it’s been a part of the NIST standards for around three years. It’s about the unique protections of something made or moved by a company, such as cars or the automation of various typically standalone physical products.
New People!—And without a doubt, there were many people with traditionally IT roles, like network engineering, etc., and compliance auditors who were trying to pivot into security. It’s still one of the hottest careers in technology—a great time to be in security!