Beyond Certainty: The Dawn of a Probabilistic Age – Highlights of Black Hat USA 2024


Black Hat USA 2024, Sat, 3 Aug 2024 – Thu, 8 Aug 2024. Mandalay Bay Convention Center, Las Vegas.

By Jane Lo, Singapore Correspondent

The digital landscape, once a predictable realm of binary ones and zeros, has been irrevocably transformed by rapid advances in AI and quantum computing.

Fueled by the power of probabilities, these technologies embrace uncertainty and a spectrum of possibilities, enabling the handling of complex data and the exploration of multiple potential outcomes.

At Black Hat USA 2024, the cybersecurity industry’s premier event, experts underscored how these groundbreaking capabilities are intertwined with a web of cybersecurity challenges.

AI: A Double-Edged Sword

AI, especially in the form of Large Language Models (LLMs), has become a cornerstone for businesses and individuals alike, revolutionizing industries with its ability to process vast amounts of data and generate human-like text.

However, as showcased at Black Hat USA 2024, these advanced pattern-recognition machines are a double-edged sword, usable by both cyber defenders and threat actors. From exposés on chatbot and popular machine learning platform vulnerabilities to LLMs’ potential to bolster cyber threat intelligence and cyber defense decision-making, the risks and the benefits are significant.

Richard Harang, Principal Security Architect (AI/ML) at NVIDIA, delved into potential threats, warning, “LLMs don’t reason; they make statistical predictions.”

This fundamental property of LLMs gives rise to the well-known issue of hallucination. Additional risks arise from “poisoning” the data during training or executing malicious code during inference.

“Anyone who can provide input to the LLM can influence its output,” Harang said, noting that attackers can exploit vulnerabilities in the “non-LLM” components, such as Retrieval-Augmented Generation (RAG) for data access or plugins for non-language tasks.

RAG vulnerabilities could lead to the classic “garbage in, garbage out” scenario and to the leaking of “sensitive enterprise documents”. Plugins could be exploited via prompt injection to execute malicious code such as “to scan inside a network depending on where the plug is located”, he cautioned.

“The problems are the same”, he said, and “the old ways to apply right application security” (e.g. least privilege) are still key to mitigation. “But what’s different here is the attack surface.”

Expanding the system with tools like RAG and plugins “massively expands” the pool of potential attackers, including “anyone who can get their content into an LLM prompt”, he explained.

However, while LLMs pose significant risks, they also offer opportunities.

Bill Demirkapi, Security Engineer at Microsoft Security Response Center, showcased how LLMs can be leveraged to streamline security response workflows.

“Since 2016, we noticed that our case volume has increased by nearly a tenfold”, he said.

Can LLMs be used to help ease the workload?

“LLMs reduce the barrier for deriving value from most data”, he said.

By applying LLMs to existing data sets (e.g., executive summaries, technical reports, and analysis notes), he demonstrated the automation of summarization and categorization tasks in two use cases: creating executive summaries and FAQs for security vulnerability reports, and predicting the impact and priority of vulnerability reports.

Moreover, LLMs proved adept at tackling “hard technical problems”.

Here he showcased the automation of root cause analysis for software vulnerabilities based on crash dump data, a task that “usually take years for an individual engineer to learn how to do it properly”, he said.

Quantum Computing: A New Era of Uncertainty

Quantum computing promises to revolutionize fields from materials science to drug discovery, but the experts at the “Myths, Facts, and Realities” panel offered a sobering assessment.

Tommaso Gagliardoni (Principal Cryptographer and Global Lead in Quantum Security, Kudelski Security) pointed out that quantum computers are not “necessarily faster than classical computers for any kind of problem”.

However, they excel in solving specific problems that are believed to be intractable for classical computers. These problems are “the building blocks for securing most of the cryptographic schemes that we have deployed nowadays in our modern infrastructures”.

If we eventually get a large and capable enough quantum computer, it could “in theory, break the foundations of most of the cryptography schemes that we use in the real world”. Since cryptography is pretty much the first line of defence in information security, “that’s where the risk comes”, he added.

When will we get such machines?

Quantum supremacy, a term often bandied about, is misleading according to Mark Carney (CTO & Co-Founder, Quantum Village). As he aptly pointed out, what we truly seek is “quantum advantage” – practical applications that deliver tangible benefits. The reality is that we’re still in the noisy, error-prone infancy of quantum computing, he said.

Nevertheless, the threat is real enough to spur efforts such as post-quantum cryptography (PQC).

Gagliardoni and others cautioned that while PQC solutions are promising, their robustness is still in its infancy. Quantum Key Distribution (QKD) offers an alternative approach, but it comes with additional infrastructure costs and vulnerabilities, as noted by Carney, who highlighted “a list of at least 15 hacking attacks on QKD protocols.”

Furthermore, quantum machines themselves are not immune to threats. Researchers like Andrian Colesa (Senior Security Researcher at Bitdefender) demonstrated how attackers could target the classical computing infrastructure used to access quantum computers, stealing authentication tokens or injecting malicious code into quantum programs.

As Colesa emphasized, traditional security practices like “enabling multifactor authentication,” “not storing API tokens in the code,” and avoiding downloads from untrusted sources are still crucial.

Implications & The Road Ahead

The key takeaway from these presentations is clear: organizations must navigate a rapidly evolving landscape with a multifaceted strategy. Combining time-tested security practices, such as robust trust boundaries, with emerging solutions like PQC is essential to managing the ever-expanding attack surface.

AI has already proven itself as a powerful ally in cybersecurity, but the role of quantum computing as a defensive tool is still emerging. In this dynamic interplay between probabilistic technologies and traditional systems, the most effective defense might still lie in a well-established risk-based approach—one that evaluates risks and impacts probabilistically to allocate resources.

The real challenge, however, lies in the relentless acceleration of AI and quantum technologies. This is more than just a passing trend; it’s a transformative force poised to disrupt the binary world as we know it, heralding a new era of cybersecurity challenges that demand constant vigilance and adaptability.
