Part 2 - Best Sessions from BSides SF 2024

BlogHeroImage

This is the second installment of the ‘Best Sessions from BSides SF 2024’ blog that was posted earlier <link to the first blog>. The conference provides access to cutting-edge insights, trends, and innovations in the field, essential for staying ahead in an ever-evolving landscape of cyber threats. The diverse range of sessions, workshops, and keynotes cover a broad spectrum of topics, ensuring attendees gain comprehensive knowledge and expertise.

For the first time the security conference introduced an integrated circuit electronic badge like DEFCON in which there is cipher, puzzle, game, or something to hack on the badge. The BSides badge had a four-line LED screen, joysticks and was powered by a battery or USB-C connector. The puzzle on the badge could be solved with clues and each badge had one pre-installed clue. Attendees were encouraged to connect their badges with other attendees to exchange clues to solve the puzzle. A smart idea to entertain and have people socialize with each other.

My impression and summary of the research sessions from Day 2 is below. I found the conference sessions most interesting as they were a mix of various topics like Privacy & Governance, AI, Security @ Scale, Detection & Response, Security leadership and others. The link to the slides and recording will be available on the BSides SF website soon so please checking here

Effective Detection in Kubernetes Clusters

Presenters: Shay Berkovich, Oren Ofer

Kubernetes is the most popular container orchestration platform used to automate the deployment, scaling, and management of containerized applications. It's the cornerstone of modern cloud-native infrastructure, enabling efficient resource utilization and seamless application scaling across diverse environments. The presenters detailed recent attacks on Kubernetes infrastructure and touched on cluster event sources, assess cluster-cloud interfaces, and suggested many useful rules for an efficient and high -coverage detection solution.

AiIAM: Transforming the Democratized AWS IAM Architecture with LLMs

Presenters: Anthony Scheller, Jorge Gomez

IAM policy maintenance is challenging due to complex, dynamic environments, and the need for granular access control, often leading to human error and compliance concerns. With more than 5000 individual permission that can be accessed to users, groups and roles in the cloud, security assessment becomes very tricky. This presentation proposes AI Identity Management (AiIAM) with a promise to simplify the principle of least privilege leveraging LLMs to automate AWS IAM policy generation. By empowering developers and following a democratized AWS IAM strategy this proposal aims to automate manual security reviews. 

Workshop: Injecting and Detecting Backdoors in Code Completion Models

Conductor: Tal Folkman, Guy Nachshon

I could not attend this workshop because it was full, but the topic was very timely. The conductors guided participants in creating a covert trojan within code completion models. It taught how to inject a backdoor discreetly and then explored detection techniques for the same. Workshops are hands-on and in this one, attends gained experience crafting and identifying hidden threats, unveiling the underbelly of trusted coding. 

Next-Gen Detection: Harnessing LLMs for Sigma Rule Automation

Presenter: Dave Johnson

This proposal explored LLM based threat detection engineering by using RAG, fine-tuning and prompt-chaining.  RAG is a model architecture that combines the capabilities of both retrieval-based and generative models. It integrates a retriever component to fetch relevant information from a large knowledge source and a generator component to produce a response based on the retrieved information. Fine-tuning refers to the process of taking a pre-trained machine learning model and further training it on a specific task or domain with new data. Prompt-chaining is a strategy used in language model-based approaches, where multiple prompts are sequentially chained together to generate a coherent piece of text.

Ransomware and Backups: A Multi-Layered Defense Strategy

Presenter: Amol Sarwate

This presentation proposes a multi-layered data backup defense with prevention, detection, analytics and ultimately threat hunting strategies for your backup data. Based on the MITRE ATT&CK, the presentation proposed a simplified four step ransomware lifecycle and explored strategies that data security departments can adopt in each ransomware attack phase. The four phases were pre-attack, dormant, detonation, and recovery. Techniques like backup honeypots, IOAs, IOCs, deduplication, entropy, and threat hunting were discussed. The big takeaway was the emphasis on using multiple techniques for each phase and not relying on just one technique.

Faux Data, Real Defenses: ML advancements in data synthesis

Presenter: Arjun Chakraborty

Access to realistic cybersecurity data is difficult to procure and expensive to simulate. Synthetic data generation has seen great advances with LLMs over the last year. This proposal explores if ML based detection methods can be used to generate realistic faux data. The presenter detailed methodologies and the results of his experiments in this area. 

Long Live Short Lived Credentials: Auto-rotating Secrets at Scale

Presenter: Dwayne McDaniel

Short-lived credentials are better than long-lived ones because they reduce security risks by limiting exposure, enabling easier revocation, and enhancing compliance adherence. But automatic rotation of secrets, such as passwords or API keys, poses a threat of potential service disruption if done incorrectly. This presentation embraces a future of proper secrets management and auto-rotating secrets in which the presenter proposed techniques for solving this issue.

After two days of intense research sessions and exchanging ideas with peers my insights and impressions from the conference are below:

  • Defender are using AI in creative ways and have a head start against attackers. It is being used for security design review, bug bounties, IAM permission review and many other ways that make security teams more efficient. Privacy concerns remain in areas of generative AI.
  • Ransomware, data security breaches, identity and compliance are top concerns on many CISO’s list
  • Researchers demonstrated attacks and backdoors breaking AI based coding. AI could be soon used by attackers and possibly nation states could be on the forefront.
  • Social engineering is still on top of attack vectors as compared to exploitation of complex 0-day vulnerabilities.
  • Secrets management and rotation is one of the top concerns for security practitioners.
  • Containerized workload management platforms like Kubernetes remain one of the top security concerns for security operations.

The most resonating call for action from the conference was to have a companywide AI strategy. This includes strategies to use AI-based security defenses and also strategies to protect from risks posed by AI. Introduction of new technology paradigm has always had a double-edged impact and a monumental shift like AI is bound to make waves in security.  
 
Want to learn more about how Veritas helps our customers be cyber resilient? Tune in to our virtual broadcast, where we share our latest advances in AI-Powered Cyber Resilience and what they mean for you. Or subscribe to the Veritas Cybersecurity Newsletter on LinkedIn for the latest on enterprise-grade cyber resilience.  

blogAuthorImage
Amol Sarwate
Cyber Resilience Leadership