If you have ever been to Vegas, or ever get there, the Strip has a lot to offer: amazing shops, incredible games, good food, amazing people, beautiful surrounding nature. It has this relaxing vibe for people who just want to chill out… NOT!
Vegas is one big rollercoaster casino lightshow – literally, we had a rollercoaster in our hotel – that never turns off, except at 7:30 in the morning. All this bling bling and casino overload was luckily not the reason we were there.
We had the great opportunity to experience BlackHat 2024 and Defcon32 this year, and we are here to share our cybersecurity experiences with you.
Since we had four days of non-stop talks, briefings, demos, keynotes, conversations, … it is too much to capture in one article. That is why we will release a series of five articles in the coming weeks.
AI
Of course, what better way to start than with AI, or in this case Copilot. While we saw several cool topics, this one will have the most impact, since almost every company is playing around with these types of tools. The quote that ended the presentation by Michael Bargury (he gave two presentations, because one was just not enough) says it all: “Treat AI apps like experimental drugs”.
The risk of exposing data to the wrong audience has never been this high (maybe cloud buckets without authentication come close). And it is not only data exposure: Copilot also opens an entirely new attack vector. Remote code execution is possible, because he demonstrated it.
Endpoint Security
Endpoint security is still being researched and attacked intensively. The last cybersecurity events we attended always showed some new attack techniques against endpoint systems – mostly Windows, to be fair – and this time at BlackHat and Defcon it was no different.
The first talk we attended directly matched our expectations: a downgrade attack that uses Windows Update to roll software back to vulnerable versions. To the point, smart and effective.
Most of the other talks we saw continue to build on previous research into the inner workings of Microsoft Windows, exploring EDR evasion techniques such as API unhooking, Hell’s Gate, Halo’s Gate and HookChain.
It was interesting to see how the community works together with all the big EDR players to get their findings patched and detected. Not all vendors responded well, but the ones who take cybersecurity seriously enough did, and that deserves a big thumbs up.
OT Security
OT security is the next big thing. This is a mantra we hear every year, and it is actually becoming a reality. We covered different talks, not only about why and how we need to secure OT environments, but also about how the Industry 4.0 transformation will connect millions of devices to the internet for the first time. The worldwide demand for power is increasing exponentially (thank you, ChatGPT), so a well-balanced, connected grid isn’t optional. Our critical infrastructure will be under attack …
Cloud Provider Attack Paths
There is no good hacking conference without some talks about cloud provider attack paths. Surprisingly, there was not much focus on Microsoft’s Midnight Blizzard ‘issue’ from earlier this year. But Microsoft still got its fair share of attention, with more nice research on elevating privileges in Entra ID, this time through Microsoft applications.
AWS also got its part of the story, and if you start your talk with the saying “Traditional methods to gain access to AWS environments are real, but remarkably boring”, then the audience knows something cool is about to be delivered. We saw techniques to achieve initial access to AWS by exploiting some AWS services, which was indeed a neat find.
Secure Web Gateways
SASE is a rising architecture, and so attacks inevitably follow. The security research team at SquareX presented their “Last Mile Reassembly Attacks”, research that revealed ways to completely evade Secure Web Gateways (SWGs). This research has had a huge impact on all SWG vendors and on the enterprises relying on them to secure their employees.
To be honest, not all talks were on the same level. We looked at the title, the brief description and the speaker, their track record, etc. But sometimes we just walked in to see what it would bring, and yes, it can be surprising at times.
There were three talks that approached security in a different way. We will discuss two of them, since they surprised us in a good way.
Thinking out of the box
How immutable are immutable backups? That triggered us, because by design hackers can’t compromise that data. Yet the researchers were able to keep the sysadmin from restoring. They really went out of the box (or appliance) for this one. The second talk used big data to find exploitable environments. Instead of doing a pentest to see whether a specific target was vulnerable, the speaker turned it around: get a massive amount of data (including forgotten DNS entries) and see what is vulnerable. The results were mind-blowing…