back caretBlog

BlackHat and Defcon: Highlights from a Week of Computer Security

For those of us in the computer security industry, the end of July in Las Vegas means the annual week of conferences, BlackHat and DefCon. It's always a great—albeit exhausting—week.

I've been asked several time about the differences between BlackHat and DefCon compared with the higher-profile RSA security conference. For starters, RSA is a convention with a huge floor full of booths and major keynotes each day. Vendors and presenters are displaying their recent works, but also looking forward to their next releases. Decision-makers are usually present and looking for solutions to tomorrow's problem.


BlackHat, on the other hand, is smaller in terms of floor space. Talks are given by security luminaries—often people who wrote the code or have done novel research. Vendors are still very much looking forward, but the audience leans heavily toward in-the-trenches security practitioners. In other words, there are far fewer suits and a lot more black t-shirts.


DefCon, similarly, is all about security practitioners. There is only a single small vendor area and the vendors are much more likely to be giving away stickers and t-shirts, rather than demo-ing software. Discussions in the hallway often revolve around the latest hack, or the weird peculiarity of the Intel instruction set, rather than what security tools we will need to do our jobs in the coming year.

Of all three conferences, I personally find DefCon to be the most interesting, with BlackHat a close second. The presentations are quite often groundbreaking and further our understanding of digital security. Here are a handful of my favorite takeaways from both.

Sarah Zatko: Cyber-ITL

Having been initially skeptical of Cyber-ITL, an independent testing laboratory for IoT devices, founder Sarah Zatko's presentation was one of my surprise highlights from this year's BlackHat. The goal of Cyber-ITL is to test IoT devices and evaluate them for safety—or, in their own words, "produce[s] an independent comparative measure of the risk of ownership of computer software and systems". I was initially skeptical about the project due to the large amount of work that is required to successfully grade an executable, but I believe they have made serious progress in the last year and are well on their way to building a legitimate scoring system.

Eric Capuano: Fortune 100 InfoSec on a State Government Budget

Another of my favorite DefCon presentations was from Eric Capuano who runs the Texas Department of Public Safety SOC. He runs regular exercises in his SOC. He works backwards. First he writes up the final report from the incident, then writes a "Red Team" playbook for everything that happens. His "Blue Team" is graded based on how many of the indicators of compromise they found and their remediation actions. He even described his test network in detail. He uses 2U of space to run 30-40 Linux machines and Chrome with the Chaff extension to simulate users. His Red team plays the part of users downloading malware with Curl that goes out to a simulated internet that he runs completely on the side. He takes care to use the same gear on the simulation network that he uses in his real SOC.

Alex Stamos of Facebook: Diversity in the Security Community

The BlackHat keynote by Alex Stamos, CSO of Facebook, got a lot of press because of his call for a more diverse security community. I agree with him that diversity is important. In a fast moving field, diverse opinions from different viewpoints help us all to understand and triangulate on solutions to our problems. Aside from the diversity topic, he also spoke about our security community. At one point, he said "we are no smarter than the people whose systems we break". This was a call to tear down communication walls and focus on solutions to the security problems that affect us. He criticized the community for pursuing the theoretical zero day or the big break rather than comprehensive defense. I have seen the phenomenon he mentions. Often attackers go after what gets them the most press coverage rather than a comprehensive defense.

Itzik Kotler:Adventures of AV and the Leaky Sandbox

Another interesting presentation was on exfiltrating data from cloud AV. This isn't necessarily a practical attack, but it is very clever. The author wanted to exfiltrate data from a machine, but was concerned about getting out of the corporate firewall. So he wrote a Rocket delivery executable. The Rocket would be injected (possibly via phishing, but any mechanism is sufficient) to a target machine. It would then gather up some amount of data and place it in an executable, the Satellite. The Satellite has some well-known malware strings that causes the AV system to immediately quarantine the Satellite and send it to the cloud for analysis. The Satellite has special code to notice when it is executed in the cloud. It immediately sends off the data that had been gathered by the Rocket. Pretty clever, indeed!

Hardware Hacking Village @ DefCon

DefCon is a great place for hardware hackers. There were multiple presentations on using small, cheap hardware to either create subversive machines or to duplicate functionality. Joe FitzPatrick had a very nice presentation where they created fake YubiKeys and converted RSA SecureID tokens so that they could broadcast their secret token over bluetooth. There were also some talks on using low power devices to scan 2.4GHz frequencies and listen to wireless mice and keyboards.

I took notes in all the presentations I attended and filled up a small notebook over the 5 days of the conferences. I'm looking forward to implementing some new ideas over the course of the next year.

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed