I've been asked several time about the differences between BlackHat and DefCon compared with the higher-profile RSA security conference. For starters, RSA is a convention with a huge floor full of booths and major keynotes each day. Vendors and presenters are displaying their recent works, but also looking forward to their next releases. Decision-makers are usually present and looking for solutions to tomorrow's problem.
BlackHat, on the other hand, is smaller in terms of floor space. Talks are given by security luminaries—often people who wrote the code or have done novel research. Vendors are still very much looking forward, but the audience leans heavily toward in-the-trenches security practitioners. In other words, there are far fewer suits and a lot more black t-shirts.
DefCon, similarly, is all about security practitioners. There is only a single small vendor area and the vendors are much more likely to be giving away stickers and t-shirts, rather than demo-ing software. Discussions in the hallway often revolve around the latest hack, or the weird peculiarity of the Intel instruction set, rather than what security tools we will need to do our jobs in the coming year.
Of all three conferences, I personally find DefCon to be the most interesting, with BlackHat a close second. The presentations are quite often groundbreaking and further our understanding of digital security. Here are a handful of my favorite takeaways from both.Sarah Zatko: Cyber-ITL
Having been initially skeptical of Cyber-ITL, an independent testing laboratory for IoT devices, founder Sarah Zatko's presentation was one of my surprise highlights from this year's BlackHat. The goal of Cyber-ITL is to test IoT devices and evaluate them for safety—or, in their own words, "produce[s] an independent comparative measure of the risk of ownership of computer software and systems". I was initially skeptical about the project due to the large amount of work that is required to successfully grade an executable, but I believe they have made serious progress in the last year and are well on their way to building a legitimate scoring system.Eric Capuano: Fortune 100 InfoSec on a State Government Budget
Another of my favorite DefCon presentations was from Eric Capuano who runs the Texas Department of Public Safety SOC. He runs regular exercises in his SOC. He works backwards. First he writes up the final report from the incident, then writes a "Red Team" playbook for everything that happens. His "Blue Team" is graded based on how many of the indicators of compromise they found and their remediation actions. He even described his test network in detail. He uses 2U of space to run 30-40 Linux machines and Chrome with the Chaff extension to simulate users. His Red team plays the part of users downloading malware with Curl that goes out to a simulated internet that he runs completely on the side. He takes care to use the same gear on the simulation network that he uses in his real SOC.
The BlackHat keynote by Alex Stamos, CSO of Facebook, got a lot of press because of his call for a more diverse security community. I agree with him that diversity is important. In a fast moving field, diverse opinions from different viewpoints help us all to understand and triangulate on solutions to our problems. Aside from the diversity topic, he also spoke about our security community. At one point, he said "we are no smarter than the people whose systems we break". This was a call to tear down communication walls and focus on solutions to the security problems that affect us. He criticized the community for pursuing the theoretical zero day or the big break rather than comprehensive defense. I have seen the phenomenon he mentions. Often attackers go after what gets them the most press coverage rather than a comprehensive defense.Itzik Kotler:Adventures of AV and the Leaky Sandbox
Another interesting presentation was on exfiltrating data from cloud AV. This isn't necessarily a practical attack, but it is very clever. The author wanted to exfiltrate data from a machine, but was concerned about getting out of the corporate firewall. So he wrote a Rocket delivery executable. The Rocket would be injected (possibly via phishing, but any mechanism is sufficient) to a target machine. It would then gather up some amount of data and place it in an executable, the Satellite. The Satellite has some well-known malware strings that causes the AV system to immediately quarantine the Satellite and send it to the cloud for analysis. The Satellite has special code to notice when it is executed in the cloud. It immediately sends off the data that had been gathered by the Rocket. Pretty clever, indeed!Hardware Hacking Village @ DefCon
DefCon is a great place for hardware hackers. There were multiple presentations on using small, cheap hardware to either create subversive machines or to duplicate functionality. Joe FitzPatrick had a very nice presentation where they created fake YubiKeys and converted RSA SecureID tokens so that they could broadcast their secret token over bluetooth. There were also some talks on using low power devices to scan 2.4GHz frequencies and listen to wireless mice and keyboards.
I took notes in all the presentations I attended and filled up a small notebook over the 5 days of the conferences. I'm looking forward to implementing some new ideas over the course of the next year.
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2017/rsa-defcon-2017-highlights/