Impressions of Black Hat 2018: a hundred schools of thought on threat intelligence

Posted by deaguero at 2020-03-12

Author: Wang Liejun, security expert at 360 Enterprise Security Group; republished with authorization from Security Reference.

Black Hat 2018 is over; here are some notes.

A record number of attendees

In his opening remarks, Jeff Moss said that Black Hat attendance had reached a new high of 17,000 people, listed the countries that had sent only a handful of attendees, and joked about Greece in particular.


Jeff said that a few big vendors have an outsized influence on the basic security of the Internet, which led into the keynote given by the head of Google Project Zero (last year's keynote was by Facebook's CSO, who resigned after the incident?).

As is well known, Project Zero's disclosure policy is quite tough: vendors get only 90 days to fix a bug, and the details are published as soon as the deadline expires. P0 now reports that 98% of its vulnerabilities are fixed within 90 days. If that is true, and considering that P0's targets are mostly big vendors that are hard to push around, this is a genuine achievement; in China, too, the trend seems to be that things are getting tighter and tighter. Google also explained, quite ambitiously, why it marks HTTP sites as not secure in the browser, the difficulties involved and the corresponding work. Listening to the keynotes of recent years, almost every speaker, whoever they are, mentions the effort of coordinating the community. Similar trends can be seen in China.


Black Hat runs nine tracks in parallel, with more than 100 talks in total. It's impossible to listen to all of them; one can only pick those that are interesting and work-related. The general feeling is that the quality of this year's talks is higher than last year's, with fewer filler talks. In terms of content, I pay most attention to malicious code defense. Since machine learning is still a hot topic, that direction naturally accounts for a considerable share of Black Hat. Here are some of the talks I heard that impressed me most:

Measuring the Speed of the Red Queen's Race: Adaption and Evasion of Malware

This talk proposes that classifiers should not only render verdicts but can also be used to measure the evolution of malicious code, and further to analyze similarity to known families using the existing classifiers.

Protecting the Protector: Hardening Machine Learning Defenses Against Adversarial Attacks

This talk comes from Microsoft's ATP (Advanced Threat Protection) team and introduces a mechanism for combining the classification results of multiple classifiers, which is said to give more accurate output. This is basically the concept of model fusion, and the approach is fairly common nowadays.

TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems Forever

This talk was accepted by both Black Hat and DEF CON. It drew a large audience and the hall was packed, showing how much attention destructive attacks on industrial control systems receive. The talk mainly covers the layered structure of industrial safety systems and, from the attacker's perspective, how information was collected, how the software and hardware were obtained and how the malicious code was built, and it demonstrates the possible consequences of such an attack on video.

Stealth Mango and the Prevalence of Mobile Surveillanceware

Lookout (which provides analysis support for many politically and economically motivated targeted attacks) disclosed its tracking of an APT group said to be from Pakistan, including the mobile tooling used, tactics, stolen data and the people involved; the analysis is detailed and complete.

Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator

This talk was also accepted by both Black Hat and DEF CON. It presents implementation details of Windows Defender, Microsoft's anti-malware tool, techniques for analyzing and debugging its emulator, and some of the problems found.

IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies

Security researchers from Talos summarized the history of IoT malware families, the vulnerabilities they use, the severity of those vulnerabilities, the average and median number of vulnerabilities, the time from a vulnerability's discovery to its use by IoT malware, and other statistics on all aspects of IoT malware, along with the missing and erroneous data they found, caused by inadequate information curation by the security community. I didn't find this talk especially satisfying.

Security vendors in the exhibition area

Black Hat's exhibition area is not large; the number and variety of exhibitors naturally can't compare with RSA, and there is no significant increase over last year. The booths of the vendors I follow, such as Anomali, ThreatConnect and Darktrace, have grown a lot compared with last year.

Anomali's booth has moved to the front row, alongside the major first-tier vendors (such as Palo Alto). On the product side, Anomali Enterprise, built on its threat intelligence platform, now supports direct interaction with other control devices to trigger response actions.

The main selling point of ThreatConnect's threat intelligence products is Playbooks, whose implementation is now more complete. The number of built-in default scenario scripts has grown a lot, some of them performing response functions. Overall, threat intelligence platforms are strengthening their incident response capabilities.

Darktrace's booth is much larger than last year's, but it has only added more presentation stations; the demo content is the same as last year's.

Darktrace's booth area is at least double last year's.

After Tenable's financing, its booth also grew and now sits first in the entrance row.

CrowdStrike is still pushing hard its T-shirts with cartoon portraits of APT groups and its marketing hype; of the anti-APT vendors, it's the one I admire most.

Cylance's marketing staff are very enthusiastic. Their way of showing the product's advantage over other vendors is simple and crude, but very effective: put a modified WannaCry sample into an environment without Cylance and one with Cylance and try to execute it; in the Cylance environment it is blocked.

I don't think Palo Alto's booth is big enough to match its market position.  

LogRhythm seemed more involved in Black Hat.

RSA's booth is large and pushes their SOC products, but there seem to be few highlights.


Some of the information collection and processing tools are very interesting and practical, and the presenters are also very enthusiastic. This year my former colleagues, now at Ant Financial, were there sharing a virtual machine monitoring system.