Attending both Black Hat and DEFCON, two of the most significant cybersecurity conferences in the world, was a transformative experience. These events attract some of the brightest minds in the field to gather and share knowledge, showcase new technologies, and discuss the latest trends in cybersecurity. This year’s conferences in Las Vegas were particularly eye-opening for me as this was my first time attending these events. The following text reflects my observations through my n00b eyes!
Arrival and the Atmosphere
The moment I arrived in Las Vegas, the excitement (and 45c/114F heat) was palpable! Everywhere I went in the city, I could recognise cybersecurity professionals by the company polos (shout out to Eric of Flare.io rocking his NorthSec shirt on the flight to Vegas). Black Hat, which took place at the Mandalay Bay Convention Center, had a more formal and corporate atmosphere. In contrast, DEFCON, moved to the Las Vegas Convention Center because of the whole privacy violation debacle at Resorts World and other hotel venues, was more informal, with a very eclectic and diverse crowd that included everyone from seasoned security experts to amateur hackers and hobbyists.
The contrast between the two conferences was evident from the start. Black Hat, with its polished presentations and professional demeanor, felt like the industry’s heartbeat. DEFCON, on the other hand, was the pulse of the underground, where creativity, curiosity, and sometimes chaos reigned (not to mention sprinkled with a healthy dose of F-bombs and adult language).
Black Hat: A Deep Dive into Professional Cybersecurity
Black Hat is known for its highly technical briefings and training sessions, and this year was no exception. The conference kicked off with a panel consisting of Hans de Vries and Felicity Oswald OBE delivering a keynote talk title “Democracy’s biggest year: The Fight for Secure Elections Around the World”. I’ll be honest; there were so many people that the line stretched so far into the casino, that I missed it. So much for my free breakfast! In my defense, the BlackHat people seemed very disorganized that first morning. They didn’t handle the lineup very well letting people in ahead of people waiting in line. Argh, I hate that! As far as I was concerned, the show was off to a bad start.
One of the things Black Hat and DefCon had in common was the diversity and large number of sessions. From deep dives into the latest vulnerabilities in critical infrastructure and artificial intelligence to hacking your Mazda with an iPod and taking over North Korea! I’ll let you guess which conference held which talks! Another commonality between confs: there is so much to do and see, that you barely have time to attend these talks! Thankfully, talks have been made available online to all Black Hat attendees (still waiting on DefCon to put stuff online).
The Business Hall
The main attraction for me was the business hall. It was filled with vendors and exhibitors (many of whom are Virtual Guardian partners) showcasing their latest products and solutions. From advanced threat detection systems to secure communication platforms, the hall was a treasure trove of cybersecurity innovations. It was also a great place to see many of our partners. Part of my job as Director of Cybersecurity Solutions is to try to have a clear landscape picture of what exists out there and the business hall was definitely a good place to help me get that. Met a lot of new people also with whom I had several fruitful conversations about all things cybersecurity.
A quick word on Covid and Swag. Although as I embarked on the plane for Vegas, Covid numbers were a bit on the rise in Canada (Montreal anyway), the business hall was jam packed nobody seemed too worried about the virus although several people were sporting a mask. I never attended before, but my sense is the attendance was pretty high.
Exhibitors brought their A-game to the show in terms of marketing. Every company was trying to stand out in a sea of flashing lights and LED screens. Some were extremely clever in their overall booth presentation. A shout out to WIZ who really outdid themselves with their cybersecurity grocery store concept. There was also a very generous amount of swag being distributed; attendees were walking around with full bags of all sorts of objects. A popular thing this year was the “on-demand” t-shirt press; people would line up for over an hour to pick a t-shirt color and a design that the exhibitor would “press” on. A shout out to Crowdstrike which probably handed out the most coveted swag on the show floor: a 6-inch tall Scattered Spider figurine. I had to murder 4 guys to get my hands on one!
DEFCON: A Celebration of Hacking Culture
After the structured environment of Black Hat, DEFCON was a welcome change of pace. DEFCON is less about corporate presentations and more about hands-on experience, community, and the exploration of the hacking culture. The conference is known for its various villages, each dedicated to a specific area of interest. These included the IoT Village, Car Hacking Village, and the Social Engineering Village, which is my personal favorite and where I spent most of my time.
It’s in this village that showcases the Social Engineering Capture the Flag (SECTF) competition. Watching participants use their skills to gather information from unsuspecting targets over the phone. I actually participated in this contest in Quebec City (shout out to the Hackfest crew!) and know exactly what these participants are going through. I must say, I was VERY impressed with the participants’ skills. Their pretexts (lies!) were flawless. A nice touch at this year’s competition: participants had heartbeat monitors on them! The audience could witness the spike in heartrate as they told lies to their victims on the other end of the line! The contest is a powerful reminder of the human element in cybersecurity and how easily social engineering tactics can be used to breach even the most secure systems.
A couple of other villages included:
- The IoT/ICS Village was another eye-opener. With the rapid proliferation of Internet of Things (IoT) devices, the security challenges they pose are immense. At the village, I saw live demonstrations of how easily these devices can be hacked. One particularly memorable demo involved hacking a smart home system, gaining control over everything from the lights to the door locks. It underscored the urgent need for better security standards in IoT devices.
- The car hacking village where if you hacked the Model 3 Tesla on the show floor, well, you could drive home in it as your prize!
- Also: Lockpick village, Physical security village, RFID village, and many more.
- DEFCON also has a strong community aspect, which was evident in the numerous talks, workshops, and meetups. The “hallway con” – informal discussions that take place in the hallways between sessions – was where some of the most interesting conversations happened. I met hackers, researchers, and enthusiasts who were all passionate about what they do, and these interactions were some of the most rewarding parts of the conference.
Another unique aspect of DEFCON was the focus on inclusivity. I noticed that the DefCon crowd was composed of people from all walks and the organizers went out of their way to make sure that everyone was welcome. Several signs addressed reporting any kind of action that made someone uncomfortable. As a Canadian boy myself, I thought that was a nice thing for them to do, eh?
Lessons Learned and Takeaways
The sheer amount of knowledge and insight gained from attending both Black Hat and DEFCON was overwhelming, but a few key takeaways stood out.
First, the importance of staying ahead of the curve cannot be overstated. Cybersecurity is a rapidly evolving field, and what was considered state-of-the-art a year ago can quickly become obsolete. The need for continuous learning and adaptation was a recurring theme throughout both conferences.
Second, the human element in cybersecurity is crucial. Whether it’s through social engineering attacks or insider threats, people are often the weakest link in security. This was particularly evident at DEFCON, where many of the hacks demonstrated relied on exploiting human behavior rather than technical vulnerabilities.
Third, I was annoyed that companies at Black Hat seemed to go out of their way to put the words “AI” in their booth somehow no matter what they were selling (“Have you see our new line of XYZ? Did you know that it’s powered by AI?” Ugh!). A woman working in research for the Federal Reserve I met at a networking function summed it up best for me: “Do these companies truly know the extent/usefulness of AI in their products?”.
Finally, the conferences reinforced the idea that cybersecurity is a collective effort. Collaboration between different sectors, industries, and even countries is essential to combat the growing cyber threats. The networking opportunities at both events highlighted the value of building relationships and sharing knowledge within the community.
Conclusion
Attending Black Hat and DEFCON was a great experience that left me with a deeper understanding of the challenges and opportunities in cybersecurity. The contrast between the two conferences provided a well-rounded perspective on the industry, from the corporate-driven advancements at Black Hat to the grassroots, community-focused innovation at DEFCON. The knowledge gained, the connections made, and the insights shared will undoubtedly shape my approach to cybersecurity in the future.