A Tale of Two Conventions: Black Hat and DEF CON 30

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of light, it was the season of darkness, it was the spring of hope, it was the winter of despair.” – Charles Dickens.

Charles Dickens certainly wasn’t thinking about security conventions when he wrote that famous paragraph, but it seems to fit 163 years later. I’m talking about the Black Hat USA and DEF CON 30 conventions in Las Vegas in August 2022. The two events are quite different in format and intent, but there is a large contingency of individuals who attend both, including me.

Beginning the Week with Black Hat

Black Hat is actually a side-product of DEF CON and was created after requests to host a more professional convention. Both celebrated key milestones this year, 30 years for DEF CON and 25 for Black Hat. Rather than doing specific commentary on any one vendor or track, I’ll make three general observations about the Black Hat conference (one expected, one negative, and one positive):

1. Expected: Zero Trust. Everyone found a way to work zero trust into their pitch. This isn’t really newsworthy, but sometimes consistency is worthwhile to document. While this was an entirely predictable result, there is certainly some fatigue with every product trying to align as the best solution for zero trust.
2. Negative: Exaggeration. There is a lot of hyperbole in security marketing these days, which was certainly on display at Black Hat. While most security practitioners know to take marketing declarations with a large dose of salt, I think the claims levied by many vendors are frustrating at best and harmful if taken literally. (No, [insert vendor name here], you are NOT the only technology any organization needs, and you cannot prevent 100% of all attacks.)
3. Positive: Data with Context. Anyone who knows me will likely be sick of my “so what” catchphrase. I use this frequently to drive home the importance of context. In the last five years, we’ve been inundated with more security data but with less insight into the data. Tables of data without context on what the data means or what actions should be taken simply compound the problem rather than provide solutions.

Let me use a real example that happened a while ago and a proposed outcome that would have been much more useful. I saw a report from a SOC team that indicated their Events Per Second (EPS) had increased from the prior month. No context, no analysis, just a statement that EPS had increased. While that was a factual statement, it was useless to the business. Now, imagine that same scenario, except with the following dialog:

• We noticed an increase in our EPS from last month (useless).
• We investigated and discovered the increase was due to failed logins from a brute-force attack, which triggered an event each time the login failed (better).
• We then dug in further and learned that a subset of the domain was not using MFA (multi-factor authentication), making the organization vulnerable to this type of attack (even better).
• We documented the specific groups/users at risk and have created the necessary changes required to ensure that MFA is deployed across the entire environment (the best: data, analysis, causation, and action).

One of the positive trends I observed at Black Hat was some vendors catching on to the context problem. They are trying to bring solutions to market that attempt to provide this context and turn walls of data into actionable intelligence. I didn’t see anyone that had perfected this yet, but the trend was encouraging after so many years of seeing more data with less insight.

On Friday, Everything Changes at DEF CON

The environment and format of the two events are markedly different. Sports coats and polos dominate Black Hat while DEF CON is nothing but t-shirts (most in the obligatory black color) with all manner of gadgets and trinkets in play.

My role at Nexum is strategy. You’ll never see me as part of a Red Team (and if you do, I suggest you ask for a refund). But there was still plenty to learn at DEF CON. Spending three days with some of the brightest minds in security was an incredible experience. I was relegated to an observer for most events (lacking the skills necessary to participate), but I walked away with more knowledge than I could possibly document.

This was my first (but not last) time attending DEF CON. Even though I’m clearly not the target demographic, I found the attendees and staff very friendly and accommodating. Basically, I get the sense that if you’re there to learn, you’ll be welcomed. The one mistake I made was going solo, and next year I’ll certainly make sure to bring a small group with me. If you’re curious about how things work, how adversaries exploit systems to gain access, or are interested in almost anything technical (not just security), I think you’d find DEF CON worthwhile.

I will give an unofficial award that might become an annual tradition. The award is my personal “Oh Heck No” award, and this year goes to the team selling RFID implants that they would inject into you for about $100. While the concept of unlocking doors, etc., with your hand might be more mainstream now that it was twenty years ago, I’m still going to take a hard pass on injectable technology. We’ll check back in again on that one in another twenty years.

Which Conference Is for You

I’ve also attended the RSA Conference in San Francisco in prior years. RSA is the largest of the three conferences (measured by attendees), though comparisons are becoming more difficult with the hybrid nature of most conferences. 

Since few people have the time and budget to attend all of these conferences, here are my thoughts on selecting the best event of these three for your needs.

• Attend RSA if you’re primarily focused on compliance, regulatory measures, and the business side of security. Additionally, RSA has the largest vendor area, so it would be my pick if you want to explore the various offerings.
• Attend Black Hat if you’re primarily focused on the technical side of security and want to learn more about new technologies.
• Attend DEF CON if you want hands-on experience and the chance to test your skills against some of the best in the business (it’s not called “hacker summer camp” for nothing).

In summary, I think these conferences can be valuable, but your best return on investment will come with a specific plan and objectives. All three events are large enough that it’s simply not possible to see and do everything. For me, my most significant return was seeing the new technologies and direction from the vendors at Black Hat and learning about the techniques our adversaries are using at DEF CON. 

I started this post with a Charles Dickens quote because, in one week, I got to see the best and the worst parts of the security landscape, the light and the darkness (along with some foolishness and wisdom). If you’ve enjoyed my Tale of Two Conventions, let’s connect on LinkedIn to discuss it further.