Key Takeaways from SecTor 2023

SecTor 2023 was held on October 25th and 26th in Toronto, ON. I've attended SecTor virtually the last few years and interviewed several speakers for The Hacker Mind podcast. I was pleased that my first in-person event was very well attended, with maybe 2000 or so people. 

This provided a lot of great hallway conversations ("line con") and a lot of networking opportunities within a very robust business hall that ran from the moment of the first keynote through the very end of the conference itself. 

In addition to the main tracks and business hall, there was the “Bricks and Picks” area, with Lego blocks and lock-picking tools, along with various organizations holding their own meetings.

‍

‍Keynotes

The first day keynote was given by Michael Giest, from the University of Ottawa. It was mostly inside baseball regarding various Canadian attempts to regulate privacy online. He specifically cited regulations the government tried to impose on Netflix, for example. As a non-Canadian, this wasn't as interesting or universal as I'd hoped.

The second day keynote by Laura Payne, Chief Enablement Officer and VP Security Consulting at White Tuque, was much better. She offered predictions in tech for the next few years. She mentioned the usual subjects. For example, how AI is similar to the adoption of Cloud computing, only its happening much, much faster; how quantum encryption will be our next big "Y2K" event; and how the online skills of our children are getting better and better around security and privacy. 

She also talked a lot about how IT is the next battlefield. Nation-states are going after critical infrastructure for strategic purposes. The keynote speaker went so far as to predict that we might see recruitment and enlistment of IT (in Canada) for the next major war(s).

‍

Trust Nothing

One recurring theme in the main session talks was “trust nothing”. In other words, we often just accept that such and such is working as designed—but maybe it's not.

An example is that the Purdue model in ICS security is no longer as effective as it once was. Speaker Mohammed Waqas, of Armis, told me after his session, "There are no air gapped systems any more." He said the DMZ can be defeated. He said there were examples of an attack that compromised the enterprise business systems in Level 5 and then pivoted down to LEVEL 3 or below to the PLCs in the field. 

There, too, is change. The PLCs used to be unique among devices. That is going away as everyone moves towards embedded Linux. Waqas concluded, "if there's a link and if there's the DMZ kind of link going between IT assets and going down to the lower levels of Purdue, what I will say to this is attackers are very opportunistic, and they're very creative."
‍

EDR Attacks

Another speaker, Or Yair, VP Security Research at SafeBreach, told me that we can't just accept assurance that our security tools work; we have to test it. 

In two separate talks, he demonstrated how commercial Endpoint Detection and Response tools (EDRs) have built in features that can be defeated and how those defensive tools can be turned into offensive tools. This was a "living off the land" attack, where the antivirus and EDR tools were working as expected, but could be subverted nonetheless. 

His proof of concept, Aikido, showed how a ransomware package could be accepted as an accepted file. Additionally, he demonstrated how Microsoft's OneDrive could be attacked to delete and wipe all the files, something that could also be useful in a ransomware attack.

‍

‍

Medical Devices

Deral Heiland, Rapid7, told me that medical devices, especially those that are OT-based, are quiet threats to healthcare organizations. Thousands of devices operate today without proper security controls. These security controls were not designed in the beginning, and now it's difficult to get vendors to change the ones out in the field, given that they were designed to last for years and years...unprotected.

Conclusion

In general, I really liked SecTor for bringing the edginess to talks in security today. I always come away feeling smarter, even after nearly two decades in this space. 

I can't wait to see what SecTor 2024 brings.

‍