4 Top Takeaways from Black Hat 2023

Whether you came to fill up a suitcase full of vendor swag, meet your service providers in person, or learn about new technologies to fuel your priorities, there was something for everyone at Black Hat this year. Our team was busy on the floor helping attendees check their darknet exposure and digging into the nitty gritty of Cybercrime Analytics. But we also had some time to attend sessions and talk industry with colleagues and friends – and here’s what we’re taking away from one of cybersecurity’s best events.

Evolving alongside AI is the next big challenge for SecOps

We’d be remiss if we didn’t acknowledge the elephant on the show floor, which was highlighted Wednesday in Maria Markstedter’s keynote, Guardians of the AI Era: Navigating the Cybersecurity Landscape of Tomorrow. AI is here to stay, and with it comes a slew of new cybersecurity challenges. At the core of it all is a sharp double-edged sword: AI as a tool for both advancing the effectiveness of our existing security products and the root of more sophisticated threats. Everyone is keeping a strong pulse on both.

Session hijacking steps into the limelight

If you’re like us, you think – passwordless. Cool. We’ll use it since it’s more secure than passwords…but it’s not a silver bullet. Criminals are watching adoption of passkeys too – and instead of going for account credentials, they’re going after recovery methods. Even scarier, they’re working around passkeys entirely with stolen cookies, perpetrating session hijacking.

Fortunately, we talked to SecOps attendees who are already thinking about it. We’re quickly seeing session cookies become one of the most prized forms of stolen data. In fact, we recaptured 1.87 billion malware cookie records from the darknet last year. That’s billion with a capital B. This is still a pretty fluid space and both criminals and defenders are working hard to operationalize stolen session information.

Cookies are most commonly stolen using infostealer malware. A valid, non-expired cookie allows a cybercriminal to become a legitimate user’s clone and bypass authentication. It basically allows them to take over a session where a user was already logged in. It behooves all of us to take this emerging threat seriously.
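To make the defender's side of this concrete, here is an added example (our own illustration, not SpyCloud code or a product API) of a server-side session table that binds each cookie to a client fingerprint, expires it, and revokes any session whose cookie value shows up in a feed of recaptured infostealer records. The `SessionStore` class, the fingerprint strings and the sample feed are all constructed for the example; fingerprint binding only raises the bar, since infostealers often lift browser profile data alongside the cookie, which is why revocation on recaptured values is the step that actually closes the session.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session table keyed by a hash of the cookie value, so a
    copy of the table alone does not yield usable session tokens."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(cookie) -> {"user", "fingerprint", "expires"}

    @staticmethod
    def _key(cookie_value):
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def create(self, user, fingerprint, now=None):
        """Issue a fresh random cookie value bound to a client fingerprint."""
        now = time.time() if now is None else now
        cookie_value = secrets.token_urlsafe(32)
        self._sessions[self._key(cookie_value)] = {
            "user": user, "fingerprint": fingerprint, "expires": now + self.ttl}
        return cookie_value

    def validate(self, cookie_value, fingerprint, now=None):
        """Return the user for a live session, or None if the cookie is unknown,
        expired, revoked, or presented from a different client fingerprint."""
        now = time.time() if now is None else now
        s = self._sessions.get(self._key(cookie_value))
        if s is None or now >= s["expires"]:
            return None
        if s["fingerprint"] != fingerprint:
            return None  # cookie replayed from a client that did not log in
        return s["user"]

    def revoke_recaptured(self, cookie_values):
        """Operationalize recaptured cookie records: kill every live session
        whose cookie value appears in the feed. Returns the affected users so a
        playbook can force re-auth and review their recovery methods."""
        affected = []
        for value in cookie_values:
            s = self._sessions.pop(self._key(value), None)
            if s is not None:
                affected.append(s["user"])
        return affected


if __name__ == "__main__":
    # Constructed sample feed (not real data): cookie values a SIEM/SOAR
    # playbook might receive from a recaptured-malware-log source.
    store = SessionStore(ttl_seconds=3600)
    victim_cookie = store.create("alice", "fp-alice-laptop", now=1000)
    recaptured_feed = [victim_cookie, "cookie-never-issued-by-this-service"]
    print(store.revoke_recaptured(recaptured_feed))  # ['alice']
```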

Automation is now table stakes

There are several things at play here: SOC teams are looking to scale their efforts to achieve better security outcomes, they’re looking for operational efficiencies to counteract an ongoing skills gap, and they’re looking for ways to do more with less as businesses keep resources tight due to macroeconomic factors. It’s a lot, and that’s why there’s general agreement that automation is at least one answer to these problems.

For too long, threat intel providers have offered data as an end-all, be-all, but it requires hefty analyst intervention to make it actionable. Basically, this approach has meant more hands-on homework than actionable workflows and tangible outcomes. Instead of being handed more problems to look into and address, automation is the key that unlocks SOC teams’ ability to keep up with – and close the doors on – attackers.

At SpyCloud, that’s the thinking behind Cybercrime Analytics. We take raw exposure data from the criminal underground, correlate it to various identities, and make it actionable via automated remediation – with integrations into existing workflows within your SIEM or SOAR. Goodbye data overload, hello actionable protection.

It’s time to ditch traditional threat intel

We feel so strongly about this last point that SpyCloud’s James Shank gave a whole speaking session on it! In case you didn’t catch his hot takes live, here’s a quick recap.

As we touched on above, the threat intel industry has historically had a problem with delivering value; I should know, I’ve spent some time in it. The gap between threat intel and operational impact is just too wide. It’s useful for context, but less so for taking actual defensive action. And today’s threats move too quickly for IOCs – which reflect past knowledge – to keep up.

That gap is why cybercrime is increasing. What really matters for the future of threat intelligence, and what impacts security posture most, is aligning security responses to cut off the things that actually fuel cybercrime. Next-gen response means defending with the same information that threat actors are going to use to exploit your systems. That means acting on known points of compromise – everything from breach assets to malware logs – before cybercriminals can use them.

Wrapping it up

In case you missed us at our booth (not sure how, since we were rocking light-up sneakers), you can still use our online tool to check your exposure or reach out today to see how Cybercrime Analytics helps you act quickly on threats to your users and your business.

And see you next year at Black Hat!
