Black Hat USA 2016 Briefings

We get a fair amount of requests from journalists and media organizations asking our opinion on a whole range of tech topics. And when Black Hat rolls around, the pace of those requests often picks up considerably. So, I spent some time last week reading through the Black Hat USA 2016 briefings.

That was a lot of reading.

BlackHat Logo

Source: blackhat.com

I won’t be going to Black Hat USA this year, but if I were, here are some of the talks I’d be most interested in seeing.


$hell on Earth: From Browser to System Compromise – Details on the eight winning browser to super user exploit chains from this year’s Pwn2Own contest? What’s not to like?

Account Jumping Post Infection Persistency & Lateral Movement in AWS – With more and more services moving to hosted cloud services such as AWS, it’s important to understand how attackers will approach these targets. This briefing not only talks about how to breach these systems, it goes on to explain how to gain persistence and move laterally within AWS.

Adaptive Kernel Live Patching: An Open Collaborative Effort to Ameliorate Android N-Day Root Exploits – Android systems often don’t get patched against new vulnerabilities. This is mostly due to the fact that hardware vendors only really have incentives to put out new devices, and to neglect those already in circulation. This talk is about a system being designed to live-patch Android kernels, regardless of which vendor manufactured the device.

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It – The Microsoft AntiMalware Scan Interface is a really interesting piece of technology. It allows third parties to plug into a framework designed to monitor script execution for malicious behavior. It works with Powershell, VBScript and JScript. Unfortunately, it’s only available on Windows 10. This talk includes a bunch of live demonstrations of AMSI.

An Insider’s Guide to Cyber-Insurance and Security Guarantees – Cyber-Insurance is a rapidly growing service sector. Getting to know more about how it works could be interesting.

Augmenting Static Analysis Using Pintool: Ablation – This looks like a powerful tool for reverse engineers. It will be made open source during the conference.

AVLeak: Fingerprinting Antivirus Emulators for Advanced Malware Evasion – Anti-emulation tricks are used by a lot of malware. By not functioning correctly in virtual environments, they can evade automated dynamic analysis techniques and create problems for researchers. This talk details a framework that allows executables to upstream data about the environments where they’re running in order to help authors improve their anti-emulation tricks.

Blunting the Phisher’s Spear: A Risk-Based Approach for Defining User Training and Awarding Administrative Privileges – As much as people have tried to fix PEBKAC and train users not to do things that will get them owned, the problem still exists. It’s one of the biggest reasons breaches happen so easily. These guys are detailing yet another approach for training users to be more security-aware.

Call Me: Gathering Threat Intelligence on Telephony Scams to Detect Fraud – These guys set up a telephony honeypot to gather threat intelligence on unwanted and scam phone calls. They used automation to fingerprint these calls and found that a majority of these bad calls came from just a few actors.

Captain Hook: Pirating AVs to Bypass Exploit Mitigations – Protection components that perform behavioral analysis rely on hooking. If you can find vulnerabilities in these hooking engines, you can bypass these mechanisms. This talk details some research done into just this.

Cyber War in Perspective: Analysis from the Crisis in Ukraine – Nation-state cyber war? Always an interesting topic.

Does Dropping USB Drives in Parking Lots and Other Places Really Work? – Remember Mr. Robot? This talk explains how effective dropping USB sticks actually is.

Dungeons Dragons and Security – How to teach people about security using Dungeons and Dragons.

Exploiting Curiosity and Context: How to Make People Click on a Dangerous Link Despite Their Security Awareness – Even more on the social engineering theme. This talk examines some research into how to craft messages that even the most security-savvy people would click on.

I Came to Drop Bombs: Auditing the Compression Algorithm Weapon Cache – A talk about decompression bombs (small compressed files that decompress into massive amounts of data).

Iran’s Soft-War for Internet Dominance – More nation state stuff.

Keystone Engine: Next Generation Assembler Framework – For the reverse engineering community, these guys have created a new assembler. Looks pretty cool, and it’s going to be open sourced at the show.

Next-Generation of Exploit Kit Detection by Building Simulated Obfuscators – These guys are looking at tackling exploit kit obfuscation by looking at the obfuscation techniques themselves. They’ve build an open source obfuscator for use by the community.

Pay No Attention to That Hacker Behind the Curtain: A Look Inside the Black Hat Network – A talk from the guys who run the network infrastructure at Black Hat. This talk probably includes a lot of fun stories.

Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools – New pen testers are being trained with widely available material. Attackers know this, and can actually hijack a penetration test being performed by a new guy.

Subverting Apple Graphics: Practical Approaches to Remotely Gaining Root – A talk about how to exploit Apple’s various graphical subsystems in OS X.

The Linux Kernel Hidden Inside Windows 10 – As of the Windows 10 Anniversary Update, Windows will include a Linux kernel in the core of the operating system. This has implications for both security and tooling.

Towards a Holistic Approach in Building Intelligence to Fight Crimeware – These guys are going after crimeware infrastructure in order to identify and stop attacks quicker, and even find the folks behind these campaigns.

Unleash the Infection Monkey: A Modern Alternative to Pen-Tests – Automated pen testing of organization network infrastructure using an Infection Monkey. It’s an open source testing tool that spins up infected virtual machines inside your network perimeter that can even perform non-malicious lateral movement.

Using EMET to Disable EMET – Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) is a utility that helps prevent vulnerabilities in software from being successfully exploited. This is a talk on how to bypass that.

Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter – Spear phishing on Twitter. Performed by a neural network.

When Governments Attack: State Sponsored Malware Attacks Against Activists Lawyers and Journalists – Probably a good place to learn some OPSEC.

When the Cops Come A-Knocking: Handling Technical Assistance Demands from Law Enforcement – A couple of well-versed lawyers will explain what to do when law enforcement turn up asking for technical assistance.


To be honest, there are a lot more talks that I’d like to see, but with nine separate simultaneous tracks going on, I doubt I’d even get to see all of the above. If you’re going to Black Hat this year, have fun!



Articles with similar Tags