Hacker Summer Camp 2018

It never ceases to amaze me how quickly August comes round every year, the excitement and buzz of the week ahead with many InfoSec professionals making the pilgrimage to Las Vegas for Hacker Summer Camp. This week does not disappoint and with a variety of conferences running, it can be hard to know which ones to attend. BSides Las Vegas, Black Hat, DefCon, Diana Initiative, QueerCon: the list of choices is endless. It's hard to know how to plan your time as the quality of the talks, demos and presentations is outstanding.

Arriving Sunday afternoon, Las Vegas is the only place in the world where its airport has slot machines everywhere. I tried to adjust to the timezone quickly and the temperature change, from 5-10C to 43C / 105F was rather a shock to my system, but the Monday cabana helped in the transition. Thanks Kim 😀

BSides LV started on Tuesday. With badges difficult to get a hold of, I needed to find a way to attend Katie Nickels' talk on the MITRE ATT&CK framework. Many of you know I started researching and using this framework last year when I was studying endpoint protection. Whilst many of the solutions on the market offer good protection / prevention for commodity malware, IMO, many still struggle with other forms of basic detection. In my research I was able to create some good requirements for testing, however the scope for other possible use cases continued to grow the more I learnt and the MITRE ATT&CK framework helped pave the way for me.

Watching Katie and John present was such a highlight, especially as it's been a major influence in my research. Many of the concepts were known to me and yet others were game changers. I feel attribution tends to get too much air time (yes I know everyone hates it when I say that!), and it was interesting to hear MITRE's take on it, especially as it related to their ATT&CK framework. They demonstrated some useful tools which I personally wasn't aware of that will be used in the future to better focus on requirements building. I look forward to discussing the MITRE ATT&CK framework more as I work on completing my v2 of my EPP framework. Prevention is still number 1 in terms of my priority list, but for those who are mature in this space and are looking at detection, MITRE ATT&CK all the way!

Wednesday and Thursday are always big days as I thoroughly enjoy my time at Black Hat USA. Being a previous speaker in 2017, I knew what these speakers were going through, the emotions, the joy, excitement and probably that “OMG I am gonna puke!!” feeling.

This year's keynote was presented by Parisa Tabriz. What was not to be excited about this talk!! She was graceful and sophisticated. She spoke about her experiences and triumphs at Google, specifically Project Zero. The importance of teamwork, collaboration and celebrating the wins with your team. Whilst she hit on so many good points, the thing that stuck with me was asking all the Defenders to stand up and be recognised for their work. Being a defender for the past 15 years of my career, I appreciated the sentiment as it's so much harder to play defense than offense. Our scope is often wider, more challenging and not considered cool. Often blamed for 1 bad incident while all the other good things are overlooked. Thank you Parisa for calling out the work of Defenders.

After the keynote had ended, the most challenging part was deciding what to do next, who and what to attend. This year's did not disappoint with a huge selection of 9 tracks. The vendor hall was buzzing with colour, sponsored sessions and workshops, Arsenal was really impressive this year, a career hall for those wanting to seek out new opportunities, community workshops such as Kali Linux and OWASP Top 10, Yoga for any wanting some downtime, childcare facilities, parties, networking events, I mean my dance card was full within minutes.

I’ve been spending a lot of time recently learning and upskilling in AWS, so the first talk, Detecting Credential Compromise in AWS by William Bengtson from Netflix, was the logical choice. I enjoyed his talk, the technical background and tools provided great scope to continue on with after his talk was over. Was a great start to the morning.

The next talk I attended was A Dive in to Hyper-V Architecture & Vulnerabilities. Having experimented with many different virtualisation platforms, I was curious why two gents from Microsoft wanted to discuss bug bounties on a platform they love and maintained. They described all the different components of the virtualisation platform, where attendees should focus their time and efforts if they wanted to claim a bounty from Microsoft. I found their approach bold and unique but respected their motivation. For the past 12 months having tested a lot of endpoint solutions, vendors want to shut you down for calling out weaknesses in their software. Instead these two researchers from Microsoft were saying "Please Try! We want to know the bad news so we can provide good software to our users". Software isn’t perfect, but by reiterating, getting feedback, listening to others, that’s the only way software can improve.

Black Hat introduced a new community track this year which was a bold move. I enjoyed seeing some of the issues that affect this community. Yes we all suffer from imposter syndrome, especially me, but the topics discussed were hard hitting. There were a few I wanted to see, but cloning yourself is not possible!

I did get an opportunity to see one community talk, I wished I could have seen more - How can Communities Move Forward After Incidents of Sexual Harassment or Assault? by Makenzie Peterson. What surprised me the most was the diverse community of people who attended this talk. To be blunt, I expected just to see women attend these types of community talks. In the past I have attended women in infosec talks where the mass of the audience is women, the value add is low as you are on repeat. But this was a highlight, not just due to the topic but to genuinely see the impact to the people equally made up of men and women. Makenzie's presentation was thoughtful, insightful and respectful. You could see she touched and connected with so many people in her talk. I hope Black Hat continues with this stream. Yes we love our tech, but we all have lives outside of tech and that reality is rarely spoken about.

One of the most popular talks on the Thursday was Applied Self-Driving Car Security. I don’t think there was a single seat left in the room. These two guys are hilarious, but know their vehicles. I loved the history of the automotive industry and also the technical deep dive into issues they have encountered along the way. They referred to self-driving cars as a data centre on four wheels but with complete segregation. After seeing how these cars were previously exploited, I can see why they would say this. Looking forward to seeing this talk again.

Other talks I really wanted to attend were:

I really felt spoiled for choice this year and certainly didn’t get to see nearly enough. I will be eagerly awaiting their release on video.

Diana Initiative was back bigger than ever this year, hosting a two-day event on the Thursday and Friday. Having two awesome tracks, it was hard to decide which talks to see as every talk was in demand. Fortunately I got to see two talks but would have loved to have seen more. I know in the years to come this event will easily pull 500-1000 attendees. Well done to the organisers for everything they did this year and bringing this event together. Once again I was honoured to speak at this wonderful event and felt that everyone, speakers, volunteers and all those who support Diana deserve the same praise.

DefCon was spent mostly walking round and enjoying what was on offer. First up I went to SkyTalks which gives presenters freedom to discuss their content without fear or backlash from anyone. Name and shame if you choose, no video, no photography, just be yourself. Soldier of Fortran presented on Buffer Overflows on a RACF system. What impressed me so much about him, other than the technical facts, was the attention to detail in his slides to fit his talk theme and his bad 80’s sweater! Brought me back to my vulnerability scanning days of the mainframes at the ANZ. Phil, you're a legend!

I wandered round for the rest of the 2 days exploring all the villages, and just enjoying watching people in action. Just like when you go to the beach and watch the people go by, DefCon was the same. So many characters, passion, and enthusiasm.

While many think the travel to Las Vegas is a holiday, it is one of the busiest, most exhausting weeks of the year. Learning by day, networking at night and doing our day job in between everything else. I felt truly blessed once again to attend this year as it’s a big commitment for my family and work. I met and networked with people I have admired for years, Daniel Cuthbert, Katie Moussouris, and Amanda Berlin, reunited with InfoSec friends who are like family from Canada, USA, EU, literally all around planet earth. You know who you all are as I always give you "the big warm hug of death".

Until we meet again, keep learning.
