Beyond Basic Breaches, Black Hat Conference Highlights Cybersecurity Disrupters

Every day, headlines decry the perils of online cyber-attacks and describe the promise of new tools and technologies aimed to mitigate these breaches, which range from phishing emails and malware Trojans to distributed denial of service (DDoS) attacks.

However, according to industry experts at the recent Black Hat USA 2017 conference in Las Vegas, emerging security vulnerabilities and attack vectors like the ability to hack into implantable medical devices, and on the flip side, nascent technologies like machine learning, are presenting even greater potential peril and promise.

At the 20th anniversary of Black Hat, thousands of information security experts expounded on the growing risks in the healthcare field, especially related to implantable or wearable medical devices that use internet protocols or link to other connected systems. While medical device ‘hacking’ may sound like fodder for spy novels or a plot from Mr. Robot, the ability to breach or take over pacemakers, insulin pumps or other medical devices has been proven many times over the years by ethical hackers at Black Hat, DefCon and in related penetration testing research, going back nearly a decade.

The ability to hack or compromise medical devices gained public notice when the late prominent security researcher Barnaby Jack demonstrated how a malicious hacker could take over and execute a fatal attack on someone with a pacemaker or defibrillator at a security conference in 2012. The following year [2013], former Vice President Dick Cheney told a 60 Minutes interviewer that it was due to fear of assassination by a medical device hack that he had previously had the wireless capabilities shut off on his own pacemaker.

Information security vendor Rapid7 discovered that his Johnson & Johnson diabetes pump could allow potential attackers to “sniff” out a way to remotely pump more insulin, or withhold it, which could cause hypoglycemia in a diabetic patient. [The Rapid7 researcher notified the Johnson & Johnson company, Animas Corp., that makes the pump, and the vulnerability is reportedly patched.]

Hacking medical implanted devices remains a growing threat as malicious hackers, organized cyber-crime rings and adversarial nations become more sophisticated and well-funded, and the Internet of Things exponentially increases the connected nature of medical systems and devices. Case in point: the recent massive WannaCry infection, which locked down hospital medical records and hit radiology and MRI machines, could have spread to implantable devices as well, creating widespread device outages or possibly even deaths, according to information security researchers. According to a recent survey by Trend Micro, there are more than 36,000 medical devices in the United States alone that are discoverable on Shodan, a search engine for connected devices.

But, even in this arena, where attackers seem to continually outnumber and outman cybersecurity defenders, there is (as Star Wars fans might say) a new hope. Machine learning is getting a lot of attention in the digital information security space—to analyze data and find suspicious patterns more efficiently and much more quickly than a normal human analyst could.

At Black Hat, Hyrum Anderson, principal data scientist at Endgame, a cybersecurity technology provider, discussed how he created a game that uses artificial intelligence (AI) to compete against and beat detection tools as a means of testing how they might perform against real-world malware programs. Anderson and his team at Endgame worked with researchers at the University of Virginia, training their program by letting it compete thousands of times against popular malware detection software, so that it could “learn” new techniques and approaches to trick those programs—the way a real malicious hacker or botnet might do.

While this approach to besting malware detection as a means of finding vulnerabilities has tremendous potential, according to industry insiders, it is still in the nascent stages. Anderson admitted that there are several “blind spots” when it comes to pinpointing malicious software or breaches.

That said, machine learning is expected to have a profound impact on information security tools and protocols in the next several years, as big cybersecurity providers like Cylance, HP Enterprise, Darktrace, Tanium and Demisto up the ante with research and development here—using machine learning and AI technology to improve their predictive intelligence, behavioral analytics, anomaly detection, application security and connected device security.

According to Hillary Sanders, data scientist for Sophos speaking at Black Hat, rough or incomplete data also presents obstacles for training machine learning models. “First, any available data is necessarily old and potentially outdated in comparison to the environment the model will face on deployment,” Sanders writes in her paper Garbage In, Garbage Out: How Purportedly Great ML Models Can be Screwed Up by Bad Data. “Second, researchers may not even have access to relevant past data, often due to privacy concerns.”