Black Hat Europe 2022: Our key takeaways

By Tim Dudman

Held in London over four consecutive days, Black Hat Europe saw many industry-leading cyber security experts take to the stage to present talks on the very latest findings, alongside training sessions, live demonstrations, and more.

We were fortunate enough to attend Black Hat Europe this year, seizing the opportunity to further our understanding of critical industry trends and new cyber security techniques. With topics covering everything from Czech defence against Russian-funded cyber attacks to ML anomaly detection systems, we have created a roundup of some of the most interesting briefings that we attended.

New 0-day vulnerabilities

Although both have since been patched, Black Hat Europe 2022 saw Or Yair, Haowen Mu, and Biao He take to the stage to discuss two newly discovered 0-day vulnerabilities in leading software and the patches that address them.

Turning EDRs to Malicious Wipers

One of the biggest questions that we get asked when we present our CyberAware capabilities is this: can CyberAware be exploited and used by attackers?

In his talk, Or Yair explored just this:

“We were curious if we could build a next-gen wiper. It would run with the permissions of an unprivileged user yet have the ability to delete any file on the system, even making the Windows OS unbootable. It would do all this without implementing code that deletes files by itself, making it undetectable. The wiper would also make sure that the deleted files would be unrestorable.”

Causing an availability impact usually requires admin permissions. Antivirus and EDR software already runs with those permissions, so if it can be abused it can be leveraged to delete files, disable PCs and more. This briefing highlighted the possibilities of innovative attacks, mimicking the Aikido mindset:

“We understood the importance of using the power of our opponents against them to defeat them. Thus, we aimed to use the deletion power of EDRs to our advantage, triggering it by faking a threat.”

If you’d like to learn more, you can view the full briefing and download the complete slideshow from Yair’s talk via the Black Hat Europe 2022 website.

New pathways to web frameworks

Another 0-day vulnerability covered at Black Hat Europe 2022 was Spring4Shell, where Haowen Mu and Biao He showed how the DataBinding mechanism could be leveraged to execute code remotely. As they explain:

“DataBinding is a mechanism that allows request parameters to be bound to a domain object automatically. It makes development more efficient and code cleaner, and is widely implemented by the best web frameworks written in trending programming languages, including Java, JavaScript, Groovy, Python and Ruby […] However, the security of the DataBinding mechanism itself has been neglected for a long time.”

Haowen and Biao were able to exploit this neglect to find two bugs that allow remote code execution to great effect. One of these ‘is the most critical vulnerability of Spring Framework in the past 10 years while the other is a remote code execution vulnerability of Grails – the most famous Groovy web framework.’

You can view the full briefing, and download their presentation slides to learn more, via the Black Hat Europe 2022 website.
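The defensive counterpart to the DataBinding weakness described above is to stop the binder walking arbitrary property paths. As an added illustration (not code from the briefing or from the Spring project), here is a Spring MVC controller that narrows what the DataBinder may bind; the Registration domain object, the controller and the /register endpoint are hypothetical.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Hypothetical domain object that DataBinding populates automatically from
// request parameters, e.g. POST /register with name=alice&email=a@example.com.
class Registration {
    private String name;
    private String email;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

@Controller
public class RegistrationController {

    // Without this binder, the default DataBinder follows whatever property
    // path the client supplies, not only the two fields the handler needs.
    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        // Allow-list: only these request parameters may ever be bound.
        binder.setAllowedFields("name", "email");
        // Defence in depth: refuse any path that reaches the bound object's
        // Class metadata (the patterns from Spring's own Spring4Shell guidance).
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }

    @PostMapping("/register")
    @ResponseBody
    public String register(@ModelAttribute Registration form) {
        // Only name and email can have been set by the binder at this point.
        return "registered " + form.getName();
    }
}
```

An @InitBinder method applies only to its own controller; placing the same method in a @ControllerAdvice class applies the restriction to every controller in the application, which is the safer default alongside keeping the framework patched.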

Real-world ML applications to enhance cyber security

“Why can’t we, as security engineers, deep dive into artificial intelligence and machine learning so we can enhance our detection capacity by ourselves?”

This was the question that prompted Carole Boijaud and her team to apply current ML knowledge to create their own neural network-based anomaly detection system. By opting for this route, instead of choosing a contemporary cloud-based solution, they avoided the risk of uploading network data to the cloud. What’s more, Crédit Agricole could continue to enhance its SOC detection and maintain its position as one of France’s largest international banks.

What we admired about Carole’s talk was that it provided an accurate and cohesive example of ML-based cyber security in the real world, rather than simply discussing the possibility of it. Read Carole’s full briefing.

Active defence

This year’s Black Hat also saw Ondrej Nekovar and Jan Pohl take to the podium to showcase active defence frameworks against persistent state-sponsored threats to the Czech Republic. These frameworks are much more interactive than other defence procedures, and far more complex than simply attacking malevolent intruders. Ondrej and Jan explained how, by adopting MITRE’s Engage Framework, they were able to coax attackers into performing specific actions and so deploy more subtle active defence measures.

Persistent state-sponsored cyber attacks against core Czech infrastructure have increased exponentially since the beginning of the Ukraine invasion. With valuable resources such as mobile networks and the internet at risk, it was essential that Czech teams fully understood their attackers and were able to predict their next move. At the same time, they needed to be able to rapidly mitigate risks before they evolved, without wasting valuable time. MITRE’s Engage Framework has several steps aimed at actively defending infrastructure, each complete with a range of applications and techniques. These steps include:

  1. Plan
  2. Collect
  3. Detect
  4. Prevent
  5. Direct
  6. Disrupt
  7. Reassure
  8. Motivate
  9. Analyse

Learn more about how active defence frameworks are evolving, and being put into action, by downloading their full presentation.

Other industry trends

While at Black Hat, we were also interested in finding potential partners whose solutions are compatible with our own. Currently, a core industry trend lies in producing open APIs that allow systems to interact with external software.

As we process our own data and perform high-level analytics, we’re always looking to the future. We anticipate that the next steps for our solutions will involve initial integrations with specific systems for some of our customers, and we also expect to continue evaluating providers of open APIs to decide which is the most functional choice for our analytics to interact with.

Black Hat Europe and Riskaware: our thoughts

This year’s Black Hat event was full of interesting talks, discussions, and demonstrations, and taking part in such a dynamic environment was inspiring for many reasons.

Our work within the defence research sector involves continuous evolution in order to enable our users to defend against the latest threats. Instead of active defence analysis, we are often required to predict attacks before they happen. Instead of deploying Machine Learning for enhancing detection, we’re involved in researching fully automatic ML defence capabilities.

Seeing many of the same techniques being presented live on stage, or discussed in various workshops and roundtables, confirms that our trajectory is the right one to be on. We’re already looking forward to next year’s conference and the many tech developments promised in 2023.
