Select Page

Aug 24, 2022

DEFCON 30: Skytalks, Villages and Infosec Research


It was announced at the end of my last Defcon (Defcon 27) that future iterations of said event would be moved to a new venue in Caesar’s Forum. 3 years have passed since then, and we’re finally back in Vegas for the annual “hacker’s summer camp” in the newly built Caesar’s Forum. For the first time since the start of the pandemic, hackers and security professionals can come together in person at two of the most popular security conferences, Defcon and Black Hat.

For those who are not familiar with Defcon and Blackhat, they are two high-profile events that provide the very latest information to security professionals (Blackhat) and hackers (Defcon). Due to many overlaps between the two events, many Blackhat attendees take part in Defcon as well.

This year, the main conference was hosted at the Caesar’s Forum. In my opinion, it is the most spectacular location Defcon has ever been held in. The venue also encompassed three other hotels — LINQ, Harrah’s and Flaming — so be prepared for a lot of walking. The Caesar’s Forum is huge. It takes about 3 minutes to walk from one end to the other. Hopping between the main hub and villages in Flamingo can take about 10-15 minutes, depending on if you want to travel through a longer, air-conditioned hotel space, or a shorter, albeit hotter, summertime Las Vegas street.

Walk my steps in Blackhat and Defcon

This year is the 25th for Blackhat and 30th for Defcon. Both have delivered the latest information in infosec research and development. Here are some notable headlines that were scattered throughout the press, such as “The Cyberwarfare in Ukraine”, “A $25 homemade hack of StarLink”, or “Zoom installer flaw may enable root access on macOS”. Those reports can sound very impressive and exciting. But for some, these reports are concerning.

When comparing the two conferences, Defcon places a larger emphasis on contests and hacking demonstrations. Blackhat leans toward research reports by top cybersecurity players. Defcon doesn’t have a large commercial interest, and is therefore provides more of an engaging, relaxing, and easygoing experience. The conference is largely run by volunteers and is truly a con by the community, for the community.

One Defcon talk I never want to miss is the famous Skytalk.  Skytalk is an off-the-record series of presentations that discuss “technical deep dives, off-the-beaten path discussions, early-access talks, cool technology, and plenty of shenanigans”. Cameras and recordings are not allowed for the safety of the presenters, some of who have classification reasons to be speaking off the record. I had to wait in a long line for a long time in order to gain admission into this exclusive event.

Defcon is an outstanding opportunity for me to gain an unbiased insight into the rapidly changing cybersecurity landscape. This event is untainted, as vendors and their sales pitches are not present. My favorite part of Defcon is visiting the villages, chatting with other industry experts, and sharing candid opinions about products and current policies. It is a way to gain unbiased reviews from other experts of security tools. There’s a definite scarcity when it comes to real-world application of these security tools. Thankfully, the Defcon events help fill the gaps in knowledge.

Whereas the official talks are recorded, the conversations in the villages are candid, genuine, and unique. As such, it is another reason why I believe my time spent in the villages is the most valuable use of my bandwidth. My favorite villages are the AI village and Blue Team village. AI and ML are fast growing technology areas in cybersecurity. At Hillstone, I’ve leveraged it widely in unknown malware detection (detection by malware family), and abnormal behavior detection (baseline deviation). In the AI village, there were walkthroughs showing how to build machine learning models capable of detecting phishing emails. I enjoyed listening to a presentation on using ML to improve threat alert prioritization, which allows for streamlined identification of possible threats in real-time.  Additionally, the AI village also hosted a panel discussion that had me thinking deeper about how AI can improve or potentially harm our lives.

As an engineer focused on developing threat intelligence and digital forensic technologies at Hillstone, I found the blue team village to be the best place where I could interact with other professionals. Here I could learn firsthand experience from large-enterprise SOC leaders. For example, how do they manage the burnout of security team? How and when do they outsource workloads to MSSPs? And what are their honest opinions about XDR products? Is it truly a magic bullet, or just another hyped-up vaporware?

2022 is blue team village’s 5th year at Defcon. The most impressive project is Project Obsidian.  It is an “immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH)”

The project’s primary goal is to remove the barrier to entry for cybersecurity training. A lack of skilled analysts is one of the key challenges that every enterprise security team faces. Project Obsidian provides a deep dive into technical topics through workshops and exercises that imparts practical hands-on experience.

The project has generated three series of kill chain data, which is enough for creating many different types of training materials. All of the data will be publicly available, along with infrastructure data in Ansible and Terraforms[1]. It will be very valuable for us to train the young generation of cybersecurity professionals, and help them develop the skills necessary to succeed in the changing field of cybersecurity. I look forward to building some hands-on trainings based on Project Obsidian that can benefit young engineers at Hillstone.

[1] Terraform allows you to define and create the infrastructure of your system, as well as the hardware that your applications will run on. Ansible configures and deploys software by creating and executing custom playbooks that can run complec IT actions without much human involvement. Running Ansible on the infrastructure and hardware created by Terraform can help line you up with the proper resources for the task at hand more quickly.