Black Hat USA 2024
Here comes another obligatory article on Black Hat. Am I a corporate shill now? Oh, god...
In July, I learned I would receive a free pass to Black Hat USA in Las Vegas through the Veterans Scholarship program. My peyote-fueled journey to the desert is logged below. Enjoy!
Monday - Through the Hot Gates
My family only has one car, and the Las Vegas Strip during a heatwave is not my wife's idea of a good time. So, I had to load up my bags and toss a leg over my trusty steed, Cherry.
Usually, a road trip on my motorcycle is an exhilarating experience. The engine has a deep, guttural roar when I twist the throttle, and zipping along on the highway always brings a smile to my face. However, this road trip was not nearly as enjoyable as my usual rides. This ride felt like I was riding my motorcycle in front of a giant hair dryer—and the hair dryer was on fire.
Fortunately, the ride through Hade's butthole did not last very long, and I made it to Las Vegas with just a touch of charring.
Tuesday - Day Zero
My first Black Hat event began with the Day Zero Networking meetup. Nothing fancy here, just a handful of cybersecurity professionals jammed into a conference room with a few bar-height tables and a giant Jenga game to break the ice. Participants were encouraged to enter a raffle by filling out a blank name-tag sticker with three words that describe themselves. It's an interesting way to get people to talk to one another. My words were 'Batman,' 'Ducati,' and 'Tall.' Two were outright lies; my favorite comic book character is Superman, and I have never been described as tall except by a four-year-old. And 'Ducati,' so I have an excuse to explain how superior the Desmosedici engine is to other European engines. Desmosedici bragging is a classic coping strategy for Ducati owners to help overcome the trauma of paying twice as much for maintenance and repair parts. Questa è la mia vita ora.
Black Hat USA 2024
Swag mother f@#$er
Wednesday - Black Hat USA, Part 1
The networking event was but a taste of things to come. Today is the big show, and big doesn't even begin to describe it. The first thing that struck me was the sheer number of people attending Black Hat. I heard later that there were somewhere around 22,000 participants this year. The hallway from the Mandalay Bay Casino to the convention center was packed with people. We all marched on diligently to a breakfast buffet and the first major event: the Black Hat Deathmatch!
Okay, not really, but the vibe in the arena made it feel like we were about to witness two cybersecurity interns cage-fight for a job opening. Instead of an intro by Bruce Buffer, we got Jeff and his very shiny shoes. Jeff is a cool dude, but my expectations were amped up after that laser light show intro. After a panel discussion on the intersection of cybersecurity and democracy (Jen Easterly could not stress this enough: the 2020 election was legit, bro. No foul play involved.), it was time for a quick presentation on -checks notes- Clausewitz and IT. I've spent over 21 years in the Marine Corps; what can I say? I'm a sucker for Clausewitz. Painfully dull title, but the presenter did a great job demonstrating the intersection of Clausewitzian concepts and cybersecurity. I next jumped into a talk about the SOC of the Future (i.e., AI will make getting into cybersecurity much more challenging than I anticipated). Fun fact: Organizations could have stopped an estimated 2/3 of incidents by implementing basic security controls. Huh. Neat.
Due to capacity issues, I missed my next planned event, a talk on personal branding and breaking into cybersecurity. Considering my logo is a broken castle, I could have used a few pointers on branding. Oh, well. Instead, I showed up early for my next event: a game of Backdoors & Breaches hosted by Cisco Talos.
For those unfamiliar, Backdoors & Breaches is an incident response card game where the players work together to uncover the details of a breach. Think of it like D&D for security nerds. My team consisted of a pair of police officers from the Tokyo Police Department, an actual incident responder, a network administrator, some dude named Gary (I think...), and myself, a U.S. Marine combat engineer. What could possibly go wrong?
It turns out a lot. Our first attempts at uncovering the attacker’s methods led to immediate failure. Around Turn 6, we got an inject that doubled our problems: thank you, purple team. On our last turn, Gary (I think) was our only player; the rest of us were incapacitated by diarrhea. Fortunately, Gary rolled an 11, which meant our last procedure worked at uncovering the final phase of the attacks, and we were victorious.
After lunch and a thrilling card game, it was on to the following talk: Cyber Insurance! Of course, it was at this moment that I realized how I’ve become an old man. I willingly walked into a presentation on insurance, eager to learn about the intricacies of the subject (of which there are many). Fun fact: many cyber insurance organizations run massive honey nets to simulate their customers' environments, sometimes alerting customers to potential vulnerabilities before they’re publicly available.
Afterward, I caught a threat brief presented by the team at Cisco Talos. There were a lot of good points, but mainly, PLEASE, GOD, ENABLE MFA!! PLEASE!! WE CANNOT KEEP DOING THIS PEOPLE!!
Okay, so now on to the Business Hall.
Vendors of every size packed the Business Hall. Big-name companies like Palo Alto and Crowdstrike, as well as several start-ups, non-profit groups, and other software companies, were represented at the various booths. The big organizations ran hourly talks on their latest products and services (i.e., ”Now with more AI”), and everyone had something to give away with their logo stamped on it. A few companies were making t-shirts and ball caps on the spot. The Business Hall had sections dedicated to more hands-on activities (like Legos and lock-picking) or live demonstrations of various tools.
Thursday - Black Hat USA, Part 2 - Corporate Strikes Back
My first event for Day 2 was a veteran meet & greet. As mentioned, I received a scholarship to attend this year’s Black Hat USA. Had it not been for the scholarship, I’d have been home with my loving family instead of collecting swag like I was trying to be the best Pokemon trainer in the world. Over the years, individuals like Matt Devost and others have advocated for the veteran scholarship program, and I'm grateful for that. I had the opportunity to meet some great people in the veteran community, both established cybersecurity professionals and new entrants like myself.
Next up, the keynote for Day 2: a presentation by Moxie Marlinspike brought to you by -checks notes- connectivity issues!
After the keynote, I spent most of the morning on a booth crawl. I was mainly there to finish the passport sweepstakes, which required you to visit a list of specific vendors for stamps and a chance to win prizes. It's Vegas, so gambling is woven into the fabric of every event here.
Next up came a talk with Women In CyberSecurity (WiCyS). As a father, I hope that one day, my daughter will enter the workforce and seen as an equal to her male counterparts. I like to envision her coworkers seeing her and thinking, “She’s here because she’s one of the smartest in the field.” and not, “She’s here because she’s a diversity hire.” You can’t be an advocate for change if you don't take the opportunity to listen to women when they share their experiences. Not a fun fact: women are five times more likely to feel excluded from their coworkers, and many face a “glass ceiling” around 6-10 years within their careers, where their wages stagnate compared to those of their male coworkers. It’s more often the case that women aren’t given an opportunity for advancement, not that they’re any less capable of doing the job. That’s no bueno, folks.
Next came the main stage talks with Jen Easterly and Hary Coker, Jr. Good talks all around, but not nearly as memorable as Harish Sekar of ManageEngine (Harry for those who can’t or, worse, choose not to pronounce Harish correctly). Harish gave an excellent presentation sprinkled with just the right amount of dry humor—Chef’s Kiss.
The last presentation I attended was the Black Hat USA Network Operations Center (NOC) report. As an aspiring SOC analyst myself (yes, I’m aware that might not be obvious; I missed the personal branding class, damn it), I was looking forward to what insights were gleaned from the relatively robust NOC they built in a matter of days. The one thing that surprised me: people were watching a lot of porn. Jesus Christ, people, porn!? Seriously? Like, when are you watching this much porn at a public venue? I have to assume there is a porn series out there with such an engaging storyline that people are watching it like they missed an episode of Game of Thrones. Apparently, this happens EVERY FREAKING YEAR. So, yeah, I learned lots of good information here.
Friday - Back to Reality
And so my journey comes to a close. I awoke Friday morning to a balmy 90 degrees Fahrenheit and packed my motorcycle for the ride home. Fortunately, there wasn’t a heat wave this time, so the ride became less a fight for survival against the sun god Apollo and more a pleasant jaunt through the desert. Looking back on my time at Black Hat, I am grateful I had the opportunity to attend this year and look forward to reconnecting with the good folks I met, preferably at smaller venues.
Key Takeaways
- AI won't save us, and we need to do better. I didn't get around to all of the conversations at Black Hat, but a common theme was AI and how it's affecting cybersecurity. It's not the answer to every problem. Plenty of tools will now come equipped with AI; however, they will still require a human operator to understand context and make decisions. The introduction of AI will impact entry-level roles (thanks for that...), but the honest answer to most problems is simply applying the fundamentals. A startling trend is that many organizations still do not implement the most basic controls, like MFA or complex passwords. Threat actors don't need a fancy zero-day when the door to your environment is left wide open.
- Plan your day. Black Hat included tons of talks and demonstrations; there is literally no way you can see everything. A handful of the special events (like the Cisco Talos lunch event) require you to sign up in advance, and seats go quickly. The schedule includes about 10-15 minutes between talks, so you have time to walk or take a break between each one. Just think through how you will attack each day to maximize your time there.
- Don’t expect too many hands-on activities unless you paid for training. While there were a handful of options during the briefing days, most hands-on action occurred in the previous five training days. Since I only had a briefing pass, I attended the final two days of the conference. If you're about rolling up your sleeves and jamming on the command line, consider ponying up the money for a training session. Otherwise, check out DEFCON.
- Go with a buddy or group (if that’s your thing). If you can roll with a friend or coworker, I’d recommend doing that. Or link up with an acquaintance while you’re there. I mostly ran solo and occasionally linked up with the other veterans who received a scholarship. The networking events were delightful when you had at least one other person to chat with, and it's nice to have a conversation with someone who just sat through the same talk as you. Unless you prefer isolation, in which case do your thing, fam.
- You are not the focus (unless you have a budget and make decisions). The vendors pay attention to your title and company. They’re looking for individuals with special badges that signal they have money to spend on new products and services. Most speakers avoided directly selling a specific product during their talks; however, the Business Hall is all about business. A buddy recommended using a burner e-mail when signing up for Black Hat, and now I understand why. It's not necessarily a bad thing; just don't feel bad if it seems like the booth operator is not interested in what you have to say.