Every year, Black Hat and DEF CON draw massive crowds to Las Vegas, and this year was no different: in fact, 15,000 people attended Black Hat, the highest attendance in the event’s 19-year history. DEF CON attracted an even bigger crowd of 22,000 people.
Delta Risk was well-represented this year at both events. Stephanie Ewing-Ottmers, Senior Associate, and Constantine Pavlis, Cyber Intrusion Analyst, attended various sessions and briefings at Black Hat and DEF CON respectively, and offered some insights into what stood out for them.
Black Hat 2016: Rethinking Traditional Cyber Perceptions
In the words of Stephanie Ewing-Ottmers
There was no shortage of topics and activities to focus on at Black Hat 2016, and a number of the sessions were standing room only. Given the number of briefings and training sessions you could attend (over 100 briefings and training sessions all in all), if you didn’t have a pre-planned itinerary, you weren’t going to get much accomplished.
Incident Response Remains a Common Theme
The famous statement by former FBI Director Robert Mueller about two types of companies – those that have been hacked and those that will be – needs to be expanded a bit.
The new adage is to assume that everyone has been compromised and to plan accordingly. A crucial part of the planning process comes from organizing your teams, identifying their roles, and making sure everyone is crystal clear on what their roles are.
What Security Language Do You Use?
Attackers speak their own language, so we need to find a way to keep up. Depending on what terminology your organization currently uses, you need to be ready to change things up, consider different audiences, and turn into skilled interpreters. Ultimately, having a common taxonomy plays an important role in effective incident response.
DEF CON 2016: Evolution of the Cyber Attack
In the words of Constantine Pavlis
The most obvious issue at DEF CON 24 was the shortage of space to accommodate the attendees. I spoke with dozens of attendees who waited in line for specific presentations only to be left out. The good news here (if you were able to stay at either the Paris Hotel or Bally’s) was that all of the talks were streamed to guests’ rooms.
Many people I spoke with, especially the more seasoned attendees, expressed concerns that the conference has outgrown itself. With more than 20,000 attendees and what looked like 1,000 people in each talk, you lose the ability to interact directly with the speakers. Still, the conference offered valuable presentations that were worth the wait.
Rise of the Machines
Our societal overreliance on technology was the major theme of DEF CON 24. From relatively obscure protocols run on fitness trackers to the technologies that run air traffic control, cell phone towers, and even seismological networks, technology is embedded in our everyday lives. Presenters from around the world immediately asked themselves if and how these technologies could be broken, bypassed, manipulated, and potentially weaponized.
Based on the theme of certain technologies being potential targets for cyber-attacks, here were important points I noted from the talks I attended:
- Vendors of seismological devices have no sense of computer security, opening the door for remote attackers to exploit vulnerable seismographs and potentially compromise research data.
- Rogue cell towers can be used to collect content of messages, calls, and data, and all of that sensitive information can be shared while device owners are kept in the dark.
- The 9-1-1 emergency phone trust model hosted on IP networks can be exploited through new attack surfaces.
- There is a lack of preparedness against electromagnetic pulses (EMPs).
- There are critical flaws in navigational aids, secondary surveillance radar, and the Traffic Collision Avoidance System (TCAS).
Overall, despite the large crowds, we learned a lot at both conferences. As is traditionally the case with Black Hat and DEF CON, there were many thought-provoking innovations, demonstrations, and theories shared with the greater cyber security community, in addition to the incredible sights and sounds you won’t find anywhere else.