Black Hat USA 2017: what’s on the agenda in Las Vegas

Security experts are preparing to swoop into Las Vegas for next week’s 20th annual Black Hat conference, and there will be much to discuss. Since the last conference, threats against Internet of Things (IoT) devices have become a top news item, and outbreaks from the likes of WannaCry and NotPetya have the industry rethinking what it thought it knew about ransomware and threats to critical infrastructure.

Black Hat USA 2017 will take place July 22–27 at Mandalay Bay Convention Center. Among the talks:

  • Facebook CSO Alex Stamos will present a talk called “Stepping up our game: Re-focusing the security community on defense and making security work for everyone”
  • Briefings will focus on vulnerabilities in such areas as IoT, malware, smart grid and industrial security, and AppSec.
  • Black Hat Arsenal (Wednesday and Thursday, July 26-27), where independent researchers and the open source community will give live demos of their latest tools.

The event will also include the Black Hat Business Hall (Wednesday and Thursday, July 26-27), featuring more than 270 security companies. There will also be a career zone, an innovation city and vendor sessions. Sophos will be in booth 947.

What’s happening in the Sophos booth?

Sophos researchers will be on hand at the booth throughout the event, including Dorka Palotay, who will discuss her new paper on the Philadelphia ransomware-as-a-service (RaaS) kit. Technical demos will include an Intercept X overview, with particular focus on how it defends customers from the likes of WannaCry. There will also be a shirt giveaway for those who stop by the booth and say “Sophos is next-gen security”.

Sophos data scientist Hillary Sanders will give a talk (July 26 from 5:05pm-5:30pm) called “Garbage in, Garbage Out: How Purportedly Great Machine Learning Models Can Be Screwed Up By Bad Data”.

As processing power and deep learning techniques have improved, Sanders says, deep learning has become a powerful tool to detect and classify increasingly complex and obfuscated malware at scale. A plethora of white papers exist touting impressive malware detection and false positive rates using machine learning, but virtually all of these are shown in the context of a single source of data the authors choose to train and test on. Hillary said in her talk description:

Accuracy statistics are generally the result of training on a portion of some dataset (like VirusTotal data), and testing on a different portion of the same dataset. But model effectiveness (specifically detection rates in the extremely low false-positive-rate region) may vary significantly when used on new, different datasets – specifically, when used in the wild on actual consumer data.

In this presentation, I will present sensitivity results from the same deep learning model designed to detect malicious URLs, trained and tested across 3 different sources of URL data. After reviewing the results, we’ll dive into what caused our results by looking into: 1) surface differences between the different sources of data, and 2) higher level feature activations that our neural net identified in certain data sets, but failed to identify in others.
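The measurement Sanders describes, as an added Python example that is not from her talk or from Sophos: a score threshold is calibrated to a target false-positive rate on one source's benign samples, detection is measured at that threshold, the same is repeated on a second source, and finally the first source's threshold is reused on the second. All scores are constructed by hand to illustrate the effect and are not output of any real model.

```python
# Added illustration of cross-dataset sensitivity: how a detection rate measured
# at a fixed low false-positive rate (FPR) changes when the evaluation data comes
# from a different source than the one the threshold was calibrated on.
# All scores below are constructed by hand; they are not output of any real model.

# Classifier scores in [0, 1]; higher means "more likely malicious".
# Source A stands in for the data the model was trained and tested on.
BENIGN_A = [0.02, 0.05, 0.07, 0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25,
            0.28, 0.30, 0.33, 0.35, 0.38, 0.40, 0.42, 0.45, 0.48, 0.50]
MALICIOUS_A = [0.55, 0.60, 0.65, 0.70, 0.75, 0.80, 0.85, 0.90, 0.95, 0.99]
# Source B stands in for "in the wild" data whose benign samples look more
# suspicious to the model (constructed heavier tail of benign scores).
BENIGN_B = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50,
            0.55, 0.60, 0.62, 0.65, 0.68, 0.70, 0.72, 0.75, 0.78, 0.80]
MALICIOUS_B = [0.50, 0.58, 0.63, 0.70, 0.74, 0.79, 0.84, 0.88, 0.93, 0.97]


def threshold_for_fpr(benign_scores, target_fpr):
    """Lowest threshold whose FPR on benign_scores does not exceed target_fpr.
    A sample is flagged when its score is strictly greater than the threshold, so
    returning the (allowed+1)-th highest benign score flags at most `allowed`
    benign samples, including when target_fpr is 0."""
    ranked = sorted(benign_scores, reverse=True)
    allowed = int(target_fpr * len(ranked) + 1e-9)  # epsilon guards float error
    if allowed >= len(ranked):
        return float("-inf")  # everything may be flagged
    return ranked[allowed]


def rate_above(scores, threshold):
    """Fraction of scores flagged at this threshold (TPR on malicious, FPR on benign)."""
    return sum(1 for s in scores if s > threshold) / len(scores)


def compare_sources(target_fpr=0.05):
    """Detection at the target FPR per source, plus source A's threshold reused on B."""
    t_a = threshold_for_fpr(BENIGN_A, target_fpr)
    t_b = threshold_for_fpr(BENIGN_B, target_fpr)
    return {
        "A_calibrated_on_A": {"threshold": t_a, "fpr": rate_above(BENIGN_A, t_a),
                              "tpr": rate_above(MALICIOUS_A, t_a)},
        "B_calibrated_on_B": {"threshold": t_b, "fpr": rate_above(BENIGN_B, t_b),
                              "tpr": rate_above(MALICIOUS_B, t_b)},
        # The realistic failure: a threshold tuned on the training source is shipped
        # unchanged and meets very different benign traffic.
        "B_with_A_threshold": {"threshold": t_a, "fpr": rate_above(BENIGN_B, t_a),
                               "tpr": rate_above(MALICIOUS_B, t_a)},
    }


if __name__ == "__main__":
    for name, r in compare_sources().items():
        print(f"{name:20s} threshold={r['threshold']:.2f} fpr={r['fpr']:.2f} tpr={r['tpr']:.2f}")
```

On these constructed scores, detection at 5% FPR drops from 100% on source A to 50% on source B, and reusing A's threshold on B pushes the FPR to 55%; the per-source comparison is the number to check before trusting a published rate.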

WannaCry, NotPetya and Vault 7

Expect to hear a lot about May’s massive WannaCry outbreak and the NotPetya attack that came a month later. Both spread rapidly across the globe using NSA exploit tools leaked by the hacking group Shadow Brokers. WannaCry was unique in that it was ransomware spread by a worm instead of the usual phishing tactics. NotPetya was more traditional ransomware, but still spread further than most using the NSA tools.

Though both involved NSA tools leaked by Shadow Brokers, attendees can also expect to hear about WikiLeaks’ “Vault 7” dump of CIA cyberweapons and the risks they could pose to critical infrastructure.


IoT threats had been discussed for years at Black Hat, but in largely theoretical terms. This past year, the theoretical became reality when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies providing Domain Name System (DNS) hosting. That attack crippled such major sites as Twitter, PayPal, Netflix and Reddit. SophosLabs noted in its 2017 malware forecast that attackers were expanding efforts to target IoT devices through vulnerabilities in Linux.

The complete Black Hat USA 2017 schedule is available here.

The event coincides with two other security events – DEF CON 25 and BSidesLV. We’ll let you know about those in the coming days – watch this space.