Guest Blog from Duke Cyber Club President Shristi Sharma

On the heels of two first-place wins in the 2024 Atlantic Council’s Cyber 9-12 Strategy Challenge (Austin and Washington D.C.), Duke Cyber Club is kicking off its sixth academic year on a very high note. In addition to monetary awards, eight team members received free tickets to Black Hat, one of the most respected international cybersecurity events. Student reflections are noteworthy as the challenges in cybersecurity continue to grow in scope and complexity for the world.

Duke Cyber Club is a student-led organization that began as a small team of very dedicated individuals. In six years, it has grown campus-wide to include undergraduate and graduate students from all disciplines and interests.  With support from Pratt’s Cybersecurity Master of Engineering Program and Engineering Alumni Council, Sanford’s School of Public Policy, American Grand Strategy, Duke’s CISO Office and others, Duke Cyber Club offers students opportunities to learn from each other, engage with cybersecurity practitioners in the government and private sector, hone their policy and technical skills in practice sessions and participate in competitions hosted by Duke as well as nationally recognized organizations.

August 2024 was the first time Duke Cyber members participated in the Las Vegas Black Hat Conference and their lessons-learned reflections are noteworthy:

  • Cutting-edge cyber exploitation techniques destroy our fundamental assumptions of security. For example, presenters demonstrated how answering an innocuous video call on your phone can allow attackers to steal your data. The mere latency of your internet connection can allow observers to discern what website you’re on. It gets even more fundamental: the difference in the time it takes to fetch a variable from your computer’s memory vs. its cache can be exploited to infer the state of variables in compartmented processes.
  • Companies like Microsoft and Intel proactively red team each other’s products before release, often revealing zero-days and giving dev teams time to patch before their product is ever put into production. This collaborative approach to product security was reassuring and underscored the importance of adversarial testing, like red-teaming.
  • AI is dramatically reshaping cybersecurity as a business, offering blue-teamers powerful tools for threat detection and automated response. However, it also introduces new risks, as attackers are increasingly using AI to create more sophisticated and elusive threats (particularly at the level of social engineering). The evolution of phishing techniques, from traditional wide-net phishing to highly targeted spear phishing now enhanced by AI, was both alarming and intriguing. The sophistication of these attacks, driven by AI’s ability to tailor messages to individuals and craft convincing narratives, highlighted the growing challenges in cybersecurity. One student watched a handful of talks about these new campaigns, and often left with an uneasy feeling, as many of the scenarios felt like ploys they would fall for, even as someone who’s keenly aware of phishing.
  • The rise of generative AI has introduced new attack vectors, and it was interesting to observe how different speakers had varying perspectives on how to secure against these emerging AI threats. Some speakers urged that we not fight AI with AI, as the issues present in the products we attempt to secure would also be present in the security solutions, while others took the perspective that AI security products are the only match for an adversary equipped with AI. The diversity of opinions emphasized how complex and uncharted AI-related security challenges remain.
  • Cybersecurity startups are gaining a lot of attention for innovation, particularly in areas like cloud security, threat intelligence, and zero-trust architectures. The conference emphasized that agility and niche problem-solving are key for new companies to succeed, but one student was still somewhat skeptical about how much added value some startups are creating. It often seemed as though some created problems for themselves to solve rather than addressing real market needs.
  • Zero-Day Exploits – Another student learned that zero-day vulnerabilities aren’t just for seasoned professionals to find; students with a strong technical foundation and curiosity can also discover them. By participating in bug bounty programs, seeking academic incentives, or staying active in cybersecurity communities, even newcomers can make meaningful contributions.

Learn more about Duke Cyber at https://duke.campusgroups.com/dukecyber/home/.