Black Hat: Let’s All Help Cyber-Immunize Each Other

We’re selfish if we’re only mitigating our own stuff, said Black Hat USA 2021 keynoter Jeff Moss. Let’s be like doctors battling COVID and work for herd immunity.

LAS VEGAS – The in-person Black Hat USA 2021 cybersecurity conference is back, after a pandemic-forced, year-long hiatus, with attendance notably down but spirts up among attendees eager to get back to networking, learning and returning to some normalcy.

Event founder Jeff Moss kicked off Wednesday’s keynote with a nod to those lost to COVID-19 and others such as Philippe Courtot and Dan Kaminsky, who have passed since Black Hat’s last 2019 in-person event. While noting the challenges COVID-19 presents to the medical community, he also drew comparisons to lessons to be learned within the cybersecurity community.

In his address, Moss asked the audience to consider how participants can work together to help address today’s most pressing cybersecurity problems in the same way that present-day doctors, healthcare policymakers and individuals can help mitigate COVID-19.

Cybersecurity Lessons Learned from Fighting COVID-19

Moss began by drawing an analogy between a cybersecurity firewall and vaccine.

“Is there a way to sort of confirm immunity on a network, if you take care of your own equipment?” Moss asked. “This is an analogy I like, because if you think about how doctors approach problems, nobody gets up in the morning and says, ‘I’m going to cure cancer.'”

Similarly, security researchers don’t “wake up in the morning and cure memory corruption,” he noted.

While it’s unrealistic to cure cancer, it’s more realistic to be part of a team.

“If you also think about some of the other medical analogies like ‘do no harm,’ they also work well in our world,” Moss said. He cited core principles of “don’t harm users” and “don’t give away their privacy.”

Black Hat USA 2021

Black Hat USA 2021

Real World and Cybersecurity Collide with ‘Modes of Immunity’

Moss described three modes of immunity within the fights of COVID-19 and cybersecurity.

“First, there is the mode where no one is immunized. There is disease running rampant in the community [unchecked],” Moss said. The networked world equivalent is “no systems are maintained, patched and updated. There’s nobody watching the logs. So, the malware spreads unchecked through the network.”

In the second mode of immunity, Moss said, some of population is immunized. “The contagious disease spreads through some of the population, and some networks, and some systems are not maintained. So malware is sometimes noticed and sometimes spreads through some of the population.”

Moss believes that similar to COVID mitigation, the cybersecurity community is “stuck” in this second mode.

The third modality, he said, is more optimistic. “This is [where] most of the population is immunized. The spread of contagious diseases is contained. That is what we’re working toward: 70 percent to 80 percent immunization.”

What that looks like in the digital world, Moss said, is when “most networks and systems are maintained, malware is noticed most of the time [and removed most of the time], and actions are taken to protect other systems besides your own system.”


Black Hat USA 2012 had a noticeably smaller attendance in the opening keynote compared with prior years.

It Takes a Cybersecurity Village

Understanding that cybersecurity is not a solitary effort but rather interdependent on others is key to addressing today’s biggest security risks – similar to the medical community’s collaboration to contain COVID-19 infections.

“In this third step, you are concerned about the networks around you, not just your own stuff. That’s the difference. You’re thinking about the others around you,” Moss said

He shared the analogy of a business that patches and updates its own systems and then calls it a day.

“You select good software. You filter spoofed inbound traffic, but you’re not filtering outbound traffic. You are validating [domain name system security extensions (DNSSEC) queries: a set of protocols that add a layer of security to the domain name system], but you’re not citing your own zones,” Moss said. “Now, nobody else can rely on your records because you’re not signing your mail servers. Maybe you check [Sender-Policy Framework, or SPF] records, but you don’t publish your own SPF records.”

In this common scenario, companies are getting the benefits of third-party cybersecurity intelligence, but not providing any benefits to anybody else.

If You Aren’t Part of the Solution…

“You’re only really helping yourself: pretty selfish. If we know anything, [we know] that the internet is so connected that our problems are connected,” he said.

The end state, Moss said, is full immunization. “This is where you’re actually confirming immunity to those around you.” It is also, likely, the most beneficial to all the users of the internet, Moss said. “It’s the best security stance you can take with the least liability – because you can show you’re taking these proactive steps.”

“I just want you to think about, What are you doing to try to confer an immunity to those around you? Are you part of the problem? Are you a user and just getting the benefit of those around you?”

Whether it be network or software security, the premise is the same.

“From a software supply chain standpoint, we all rely on the software supply chain. We are building tools and systems based on [trusting others]. We are hoping people we trust in the supply chain, are in that third state and they are doing things to help everybody else in the supply chain,” Moss said.

He warned, if those in the cybersecurity community don’t consider the interconnected nature of mitigating risk, “everything we do is potentially vulnerable.”

Threatpost Webinar Series Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

Suggested articles