Since you are reading this post, you probably know what Black Hat and Def Con are. Below you can find my observations and thoughts about the 2019 edition.
I will start by saying that it was for sure time well spent. Every single day was packed with briefings, presentations, trainings, sessions, labs, CTFs, parties, meetups, villages and contests. It is impossible to attend everything, so every participant has to make tough choices on what to see, where to go etc. Due to my blue blood I mostly attended defence-scoped events. Do not judge me.
Security is now “Our problem” not “My problem” or “Your problem”
Black Hat Keynote “Every security team is a software team now” by Dino Dai Zovi from the start emphasised that organisations need to focus on culture with continuous collaboration between security and everyone else. That is a very good sign. Successful and effective security cannot be delivered in a silo. Security needs to understand business needs and business needs to understand security. Collaboration and cooperation are crucial to achieve good results and avoid being pwned, as was shown by Katie Nickels and Ryan Kovar in “MITRE ATT&CK: The Play at Home Edition”. Security must also evolve to be able to support business. Old ways of doing security will not be enough, which was proven by Kelly Shortridge and Nicole Forsgren in “Controlled Chaos: The Inevitable Marriage of DevOps & Security”.
Security has a sense of humour but also tackles dead serious topics
What made me fall in love with security is its diversity. It was also visible this year. On one hand I was crying from laughter listening to “Adventures In Smart Buttplug Penetration (testing)” by smea or “I Know What You Did Last Summer: 3 Years of Wireless Monitoring at DEF CON” by d4rkm4tter (Mike Spicer), but on the other hand I was really concerned listening to “The Tor Censorship Arms Race: The Next Chapter” by Roger Dingledine or “How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the Black Market” by Joseph Cox. The variety of topics is really great at Black Hat and Def Con, which makes it interesting. No matter if you are a trifler hacker that does it for the lolz or a dead serious CISO working for a 3 letter agency, you will find something worth attending.
Learn about how to do your job
Technical talks/demos presented at Black Hat and Def Con are the crème de la crème of security talks/demos that exist. Competition to become a speaker is immense. A lot of people submit their talks for years with no success. With that being said, you can imagine how much even an SME can learn. Listening to “PowerShell-RAT” by Viral Maniar, “Fantastic Red-Team Attacks and How to Find Them” by Casey Smith and Ross Wolf or “How to Detect that Your Domains are Being Abused for Phishing by Using DNS” by Arnold Hölzel and Karl Lovink for sure opened my eyes. Learning from the best and being able to go deeper on certain topics with the authors of the talks/demos after their talks/demos is priceless.
Socialise in the Villages, meet other people, make friends
In 2018 more than 19 000 people attended Black Hat and Def Con. That is a lot of security people in one place. It is a lot of experience, knowledge, ideas and histories. If you are not utilising it, you are failing. Big thank you to all the members of Blue Team Village. You guys rock. More than 35 themed Villages on very specific subjects provide a superb opportunity to share experience and get a different point of view. My knowledge of Bloodhound, the Equifax breach, building A-Team SOC Teams etc. is for sure greater after visiting BTV.
It would be a shame to not mention CTFs while discussing Black Hat and Def Con. The truth is, I did not participate, so I have nothing to say about them. Sorry.
In terms of vendors, it is a good opportunity to do a bit of speed dating. Talking to vendors that you use is cool if you want to get a freebie, but having access to other products allows you to refresh what you know about them. Two “huh” moments I’ve had were: “Microsoft native security is MUCH better than a year or two ago” and “EDR market is very tight, the differences between the top vendors are really slim”.
Security Parties? What happened in Vegas stays in Vegas. You will have to check it yourself.