It hardly feels like summer without the annual trip to Las Vegas for Black Hat USA. With this year’s event being totally cloud based, we won’t have the chance to catch up with security researchers, industry partners, and customers in person, an opportunity we look forward to every year. We’ll still be there though, and look forward to the great talks and chatting in the virtual conference platform.
“I miss the opportunity to meet face-to-face with industry partners in the MAPP program. This is a highlight of my year where I get to exchange ideas and build synergies with these critical security organizations. Virtual will work, but there is nothing like an in-person meeting.”Al B., MSRC-MAPP Team
“While I’m going to miss the opportunity to put a bet on the Kraken to bring the Stanley Cup once again to Seattle, I’m excited about all of the virtual networking and information sharing.”Mechele G. MSRC-Vulnerability Response & Resolution
Tuesday, August 4
Kicking off our Black Hat content for the week, on Tuesday morning we will release our Microsoft Bounty Program year in review on the MSRC blog. We will explore how our programs and security researcher partnerships have grown and adapted through a constantly evolving new reality to meet the ever-present needs of the security ecosystem.
“It means a lot to be able to meet and thank researchers in person for all their creative and hard work to help us secure customers. It will take a lot of video calls to equal one day at Black Hat or DEFCON.“Jarek S., MSRC–Bounty Team
Wednesday, August 5
Our Security Researcher community is incredibly important to us, and while we don’t get to see you in person, we’re super excited to reveal the MSRC Most Valuable Security Researchers for 2020. We’ll be revealing the full list here on our blog on Wednesday morning so make sure to stop by and see who made it!
“I’m bummed to not see everyone in person (though not having to shout over the sound of slot machines will be nice). I AM excited for the upcoming reveal of the MSRC MVR list – my personal favorite part of Black Hat!”Chloe B., MSRC-Community Programs
“I’ll miss hanging out with my #hackerfamily but once it’s safe, I look forward to holding court at Baccarat again with all of you!”Nate W. (@n0x08), vuln herder & security researcher, MSRC-Security PM
Thursday, August 6
We’ve got five talks scheduled through-out the day on Thursday, exploring topics which range from the security of virtualization stacks, exploitation in Excel, a “Swiss Army” tool for security investigations, finding the useful data in real-time feeds – without having to wait for storage. Finally, a moderated conversation of day two’s topics and what they indicate for the future of infosec strategy.
“As this is my first Black Hat USA, I am excited to see what will be presented and how it will operate as its first virtual event. I am looking forward to briefing on a few talks!”Britney T. MSRC-Security PM
“I’m excited for my first year at BlackHat! I know this year will be an unusual one, but I’m looking forward to learning from and networking with the InfoSec community.”Jonathan D., MSRC – Software Engineer
Breaking VSM by Attacking SecureKernel (10:00am-10:40am)
Saar Amar, Daniel King
Virtualization based security technologies (VBS) continue to increase the world’s dependency on the security of virtualization stacks. But like all software stacks, virtualization stacks are prone to vulnerabilities too.
In this talk, we will explain how we found and fixed two vulnerabilities in SecureKernel in Windows 10, which is a critical component of the core of the TCB (Trusted Computing Base) for Microsoft’s VBS model. The vulnerabilities could allow an attacker to gain arbitrary code execution in VTL1, compromising the entire VBS model. We will also walk through our process to exploit both vulnerabilities on the latest version of Windows (at the time of writing).
(Full abstract here)
The Microsoft Security Response Center has a unique position in monitoring exploits in the wild. While we have seen several cases in the past years of exploits targeting Office applications, often PowerPoint or Word, exploits targeting online applications are less common. Are they only possible? And in which case, how would one attack the Office Web Application server (WAC)? Can a malicious document be used? How hard would that be, how much time would it take?
This is the story of a project realized during summer 2018 to try to answer these questions with Excel Online. This short presentation describes an integer overflow vulnerability in the fnConcatenate formula (CVE-2018-8331) and how one could chain Excel formulas together to get RCE on the server. This talk will detail the research from scratch up to showing a demo of the exploit against Excel OnPrem.
MSTICpy: The Security Analysis Swiss Army Knife (1:00pm-2:00pm)
Pete Bryan, Ian Hellen, Ashwin Patil
MSTIC Jupyter and Python Security Tools (MSTICpy) is a Python library of security investigation tools developed by the Microsoft Threat Intelligence Center (MSTIC) to assist and support security analysts conducting security investigations and threat hunting.
The library provides features to collect data from a range of data sources, to enrich the data with Threat Intelligence and OSINT, to analyse the data using ML and data analysis techniques, and to visualize the output of this analysis for quick and easy comprehension.
Rather than a single tool MSTICpy is a Swiss Army knife for security investigations.
Experimenting with Real-Time Event Feeds (1:30pm-2:10pm)
Today, defenders in a typical security operation center rely on their SIEM to do forensics on past logs, and to define real-time detections. This assumes that the SIEM was configured ahead of time to collect the subset of logs that are useful. But how does one decide what is useful? Further, some data comes at such high-volume that storing it in raw form is prohibitively expensive. Such data must be prefiltered and summarized before storage for query.
We present tools and a method of comparing various options of filtering and pre-processing real-time feeds of data before storage. This can be done in isolated environments without SIEM coverage, such as labs/honeypots for researching Malware or Proof of Concept (POC) for exploits.
The learnings of the method can be applied to understanding novel threats and creating true-real-time detections that work directly on the stream of events (no storage involved).
Locknote: Conclusions and Key Takeaways from Day 2 (3:30pm-4:00pm)
Aanchal Gupta, Rodrigo Rubira Branco, Stefano Zanero, moderated by Kymberlee Price
At the end of day two of this year’s virtual conference, join Black Hat Review Board members Rodrigo Rubira Branco, Aanchal Gupta, and Stefano Zanero as they are moderated by Kymberlee Price for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways from day two and how these trends will impact future InfoSec strategies.
Keep watching this blog and follow the @msftsecresponse Twitter account for all the up-to-date news for this year’s event.
We’ll see you online next week, and hopefully in person next year!
Microsoft Security Response Center (MSRC)