What It Was Like to Attend Black Hat USA 2021 and DEF CON 29 in Person

I attended Black Hat USA 2021 and DEF CON 29 from August 4 to August 8. This year was the fifth time that I made this annual pilgrimage to Las Vegas for cybersecurity professionals.

This pair of conferences was quite different this year, primarily due to the hybrid live-virtual nature of these events and other pandemic-related factors, such as the mask requirements and DEF CON 29’s COVID-19 vaccination requirement. Equally important, if not more so, was the difference in content this year, reflecting the massive changes in the cyber threat landscape and the attack surface over the past year and a half.

Hybrid Live-Virtual Events

As an in-person attendee, the most obvious and significant difference to me was the lower turnout of both vendors and individual attendees. There was a great deal of unused space in the Black Hat Business Hall, as many vendors evidently chose not to represent themselves in person this year. Rapid7, which recently acquired IntSights, was nonetheless a virtual sponsor of Black Hat. Rapid7 also had a booth at DEF CON’s IoT Village, where security researchers conducted exercises in techniques for gaining root access to embedded IoT devices. These devices are often a vulnerable feature of an organization’s attack surface because they frequently receive less security support or go without security updates.

Rapid7 in the DEF CON 29 IoT Village

The lower in-person turnout was nonetheless advantageous for individual attendees if only because it reduced the size of the crowds. Smaller crowds made it easier to gain access to popular presentations, booths, and other events, and also to engage presenters and other attendees privately.

The smaller crowds were particularly advantageous at DEF CON. Those who have attended DEF CON in the past know how overwhelming its historically massive crowds can be, and the degree to which they can often impede access to popular presentations and other offerings. This year might have been the first DEF CON in which I was actually able to attend every presentation that I wanted to see and hear.

Jeff Moss, the founder of both conferences, asked for feedback on this hybrid live-virtual model and raised the possibility that Black Hat will use it again in the future. Also of note for future reference was the enforcement of DEF CON’s COVID-19 vaccination requirement. Attendees had to present their vaccination cards for visual inspection when receiving their badges. Attendees also received a waterproof wristband to keep on their person for the duration of the conference to show that they had complied with the proof of vaccination requirement. DEF CON’s famous red-shirted “goons” often instructed attendees to display their wristbands, in addition to their badges, upon entering conference spaces. The wristband was evidently a form of “two-factor authentication,” so to speak, aiming to prevent someone from acquiring a badge by “other means” (this is DEF CON, after all) and entering conference spaces without having proven their personal vaccination status at registration. The badge is easily removable, but the wristband would be harder to put on after removal from its original recipient.

I also saw vaccination cards that owners had dropped. Losing one’s vaccination card is bad enough, but DEF CON is probably one of the worst places to lose a sensitive document that I can imagine. The reliance on paper records is of course problematic due to the potential for loss or damage, but the use of digital vaccination records poses its own information security risks as well.

Discussion Topics

The U.S. Government’s Role in Cybersecurity

As I predicted in my pre-event blog, the massive changes in the threat landscape and the attack surface over the past year and a half, and the implications thereof, were recurring themes in the presentations and other offerings. One of these themes was the role of the US Government in cybersecurity, which has become a more salient issue in the wake of last year’s SolarWinds supply chain compromise campaign and this year’s ransomware attack on Colonial Pipeline. One of the most notable (virtual) presenters was Keynote Speaker Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA) in the US Department of Homeland Security. She announced the formation of the Joint Cyber Defense Collaborative (JCDC), a partnership between the public sector and several security vendors and other technology companies that aims to improve national cyber defense.

Other presenters at both conferences covered more specific aspects of the US Government’s role in cybersecurity. For example, another Black Hat presentation covered the President’s Cup Cyber Competition, another CISA initiative that aims to identify the best cybersecurity talent in the US federal workforce. A policy panel at DEF CON discussed the political and diplomatic implications of cyberattacks, particularly state-sponsored attacks such as the SolarWinds campaign. Panelists discussed the possibility of establishing international cyber “norms,” such as those in warfare and diplomacy.

Critical Infrastructure

Critical infrastructure was another recurring theme at both conferences, and the defense of critical infrastructure was one key facet of the above-mentioned discussion of the US Government’s role in cybersecurity. As I suggested in my pre-event blog, the COVID-19 pandemic has underscored the importance and highlighted the frequent vulnerability of healthcare critical infrastructure in particular. The broadest and most extensive discussion of this issue was at a DEF CON policy panel on the unique cybersecurity challenges to the healthcare sector. I attended previous versions of this dedicated healthcare panel at earlier DEF CONs and found this year’s version particularly enlightening.

Other presentations covered more specific examples of the cybersecurity challenges to the healthcare sector. For example, one Black Hat presentation highlighted vulnerabilities in the pneumatic tube systems (PTS) that many hospitals use to transport clinical items around their facilities. Attackers could exploit these vulnerabilities in a ransomware attack or otherwise disrupt clinical work processes.

Ransomware

Ransomware was probably the single most-frequently discussed threat at both conferences. It was not only the topic of many presentations but also surfaced frequently in discussions of other topics. A recurring theme was the increasing severity of ransomware attacks in the past year and a half, including both the skyrocketing dollar value of ransom demands and the increasingly disruptive impact of ransomware attacks, as in the Colonial Pipeline incident. Ransomware has escalated from a garden-variety criminal problem to a strategic-level threat, hence the title of a very edifying DEF CON policy panel discussion on the subject: “Ransomware’s Big Year - From Nuisance to ‘Scourge’.”

The increasing costs of ransomware attacks are very measurable. Some vendor presentations on ransomware in the Black Hat Business Hall featured statistics and visualizations that underscored this point, which in turn highlighted the importance of investing more in security measures that aim to prevent ransomware attacks.

Supply Chain Attacks

Ransomware operators, along with state-sponsored cyber espionage groups, have increasingly adopted supply chain compromises as an attack vector. Recent examples of this phenomenon include the large-scale REvil ransomware attack via Kaseya managed service provider (MSP) software and the state-sponsored SolarWinds campaign. Accordingly, supply chain threats were the topic of one of Black Hat’s keynote presentations: “Supply Chain Infections and the Future of Contactless Deliveries.” The presenter predicted that large-scale supply chain attacks will increasingly become part of “the new normal.” He further claimed that the attacks we have seen recently represent only a fraction of the potential damage that could result from supply chain compromises and are just the tip of the iceberg.

Conclusion

I was glad to have the opportunity to attend these conferences in person again. Losing that opportunity last year left me with a greater appreciation of the value of face-to-face interaction with other security professionals beyond my own team. I think that the cybersecurity community needed and benefited from the opportunity to discuss in person the massive changes that most of us have been tackling remotely for the past year and a half. If nothing else, it was good for morale. More importantly, this large-scale “huddle” can help the cybersecurity community regroup and respond more effectively to the unprecedented challenges of the past year and a half and the threats that we face in “the new normal.”