Dispatches From the Desert: DEF CON Day Three


Welcome to day five of Dispatches from the Desert! This week, Immersive’s Container 7 team is in the desert city of Las Vegas, sharing daily highlights from two of the world's largest security events: Black Hat and DEF CON.
Catch up with the previous blogs here:
- Dispatches from the Desert: Black Hat day one
- Dispatches from the Desert: Black Hat day two
- Dispatches from the Desert: DEF CON day one
- Dispatches from the Desert: DEF CON day two
Kev Breen: Senior Director, Cyber Threat Research
Today marks the last day of DEF CON. It’s been a long but interesting week in a hot desert. While the buildings are all fully air-conditioned to the point you consider wearing long trousers and a hoodie, it’s 42°C outside (108°F), and there’s a lot of walking. My fitness tracker shows I’m averaging around 20,000 steps per day!
The event started to wind down today, with only a handful of talks in the morning and the closing ceremonies at 15:00. Despite considerably fewer people than yesterday, the halls were still packed, and there was still plenty of buzz and excitement around the last day.
We spent the morning wrapping up as many CTF challenges as we could before they shut down the servers, and switched from the defensive CTF to the offensive CTF.
External C2 and a defensive perspective
The main talk for me today was “Planting C4: Cross-Compatible External C2 for All Your Implants”, given by Scott Taylor of Sony’s red team.
This was a talk for offensive teams on enabling some of the open source command-and-control (C2) frameworks to use External C2, like GitHub, AWS, and Slack, to hide their control channel in legitimate-looking traffic. However, I was there from a defensive standpoint.
The role of the red team is to emulate the threat actor, remain stealthy, and avoid the blue team. You can then show the blue team where their blind spots are so they can rectify them. Where possible, I like to stay ahead of the red team. When I see a new technique, I want to try and figure out how to write detections or at least enable IR teams to recognize and have the tools to analyze them.
This one was especially interesting since it uses WebAssembly modules (Wasm), which are still underrepresented in reverse engineering tools and knowledge.
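External C2 over GitHub, Slack or AWS looks like ordinary SaaS traffic, so content inspection alone rarely catches it; what an implant usually cannot hide is its cadence. The following is an added example, not code from the talk, the speaker or the author: it groups proxy requests by (source, process, host) and flags series whose inter-request gaps are nearly constant. The log format, the sample lines and the watch list of SaaS hosts are assumptions constructed for the example.

```python
# Added example (not from the talk or the author): a cadence check over
# proxy logs to surface implants that poll a SaaS endpoint on a timer.
# Log format is constructed for this example:
#   "<ISO timestamp> <src_ip> <process> <host>"
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# SaaS hosts that an external C2 channel could ride on. Assumed watch list;
# tune it to the services your estate actually uses.
WATCHED_HOSTS = {
    "api.github.com", "raw.githubusercontent.com",
    "slack.com", "hooks.slack.com",
    "sqs.us-east-1.amazonaws.com", "s3.amazonaws.com",
}

# Constructed sample: updater.exe polls GitHub every ~60 s with slight jitter,
# a browser hits the same API at human-shaped, irregular intervals, and one
# line goes to a host that is not on the watch list.
SAMPLE_LOG = """\
2025-08-10T10:00:00 10.0.0.5 updater.exe api.github.com
2025-08-10T10:00:03 10.0.0.9 chrome.exe api.github.com
2025-08-10T10:00:10 10.0.0.5 updater.exe updates.example.com
2025-08-10T10:01:00 10.0.0.5 updater.exe api.github.com
2025-08-10T10:01:41 10.0.0.9 chrome.exe api.github.com
2025-08-10T10:02:01 10.0.0.5 updater.exe api.github.com
2025-08-10T10:03:00 10.0.0.5 updater.exe api.github.com
2025-08-10T10:03:59 10.0.0.5 updater.exe api.github.com
2025-08-10T10:05:00 10.0.0.5 updater.exe api.github.com
2025-08-10T10:06:00 10.0.0.5 updater.exe api.github.com
2025-08-10T10:07:15 10.0.0.9 chrome.exe api.github.com
2025-08-10T10:07:20 10.0.0.9 chrome.exe api.github.com
2025-08-10T10:15:02 10.0.0.9 chrome.exe api.github.com
2025-08-10T10:30:40 10.0.0.9 chrome.exe api.github.com
"""


def parse_log(text):
    """Group request timestamps by (source, process, host), watched hosts only."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, proc, host = line.split()
        if host in WATCHED_HOSTS:
            events[(src, proc, host)].append(datetime.fromisoformat(ts))
    return events


def beacon_candidates(events, min_count=6, max_cv=0.2):
    """Return (key, mean_gap_s, cv) for series whose inter-request gaps are
    nearly constant. cv = stdev / mean; 0.2 tolerates the jitter most
    implants add, while human browsing scores far higher."""
    hits = []
    for key, stamps in events.items():
        if len(stamps) < min_count:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((key, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for key, avg, cv in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"beacon-like: {key} every {avg}s (cv={cv})")
```

The `max_cv` threshold is the knob: implants add jitter to defeat exactly this check, so widen it with care and pair the hit with process context (which binary is talking to api.github.com, and whether that process normally does).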
The good, the bad, and the ugly
As we get ready to fly home after seven days in Vegas, I wanted to reflect on the last five days at Black Hat and DEF CON.
To start with the good: the talks, activities, and villages at DEF CON were all highlights. It was a real chance to expand my knowledge, meet like-minded people, broaden my skill sets, and see talks and sessions that aren’t related to my day-to-day work.
That’s not to say that Black Hat didn't have value, but it’s more commercial value in interactions with vendors. The Black Hat talks were more biased towards vendors and organizations, so there was less opportunity to learn new techniques and, dare I say it, grab a badge or three to expand my #badgelife collection.
Looking to the bad and the ugly: being in the desert in Vegas at the height of summer is expensive and uncomfortably hot. DEF CON and Black Hat are on opposite ends of the strip, so no matter which hotel you pick, at least half of the week is going to be spent paying for taxis or ride shares!
Rob Reeves: Principal Cyber Security Engineer
I took time this morning to watch a talk given by Lieutenant Kenny Miltenberger and Lieutenant Commander Nicholas Fredericksen, who are both members of the US Coast Guard. Their respective units perform vulnerability threat research and defensive cyber activities on behalf of the US government.
The talk focused on the use of Chinese-made, ship-to-shore (STS) cranes, which are in shipping ports all over the US. Given their ubiquitous nature in US ports, the potential economic impact of a cyberattack against critical national infrastructure (CNI), and the perceived risk of supply chain attacks due to Chinese-manufactured equipment, the Coast Guard cyber protection teams analyzed these cranes to assess the risks involved.
Their findings generally correspond with any pen test or vulnerability assessment involving operational technology (OT). Most systems rely on legacy operating systems, which can’t be patched and have known vulnerabilities. Network segregation and security are afterthoughts, and most protocols are unencrypted.
They also noted that equipment design specifications can differ from the paperwork that’s provided with them (such as having undeclared 4G modems!).
This talk highlighted the complexity and interconnectivity of tech and equipment worldwide. The US needs shipping cranes and can only get them at the scale required to maintain trade by buying them from China, but there’s a certain amount of risk associated with that transaction.
At the moment, Kev, Ben, and I are sitting in a casino, writing up our notes and getting ready for the flight home. It’s been an enlightening week, with excellent talks, demos, and tools on display. It was a chance to catch up with professionals I haven’t seen in years, as well as meet some personal heroes of mine – Jayson E. Street even gave me a hug.
I’m now looking forward to getting back to my sleepy part of Lincolnshire, where the street lights turn off at midnight!
Gaz Lockwood: Principal Cyber Security Engineer
Looking back at Black Hat and DEF CON, I can honestly say I enjoyed DEF CON more. Black Hat was useful, especially on the commercial and vendor side, but DEF CON felt more hands-on and community-focused. It’s the sort of place where you can roll up your sleeves, try things out, and really test your skills.
On the last day, I skipped the talks and spent my time on the red team CTF. With only a few hours left, I focused on the reverse engineering challenges.
They were a good mix – some needed slow, methodical analysis, while others were about finding creative ways to pull flags from running processes or decoding strings hidden in the binary. It was a satisfying balance of problem-solving and technical digging, with just enough time pressure to make it exciting.
By the afternoon, I’d packed up my gear, caught up with people I’d met earlier in the week, and taken one last walk through the halls to soak in the atmosphere.
My first DEF CON was a great experience: busy, challenging, and full of opportunities to learn and meet new people. I’m heading home tired but happy, and already looking forward to coming back.
Ben Hopkins: Cyber Threat Intelligence Researcher
With DEF CON at an end, it’s time to reflect on the last few days. First off, I think Vegas is far too warm for my Welsh blood – I was designed for cooler climates! That said, I can’t help but admire Vegas for its creativity, modern art, and consistently themed architecture.
In the early days, the US attracted a wide range of international workers to help it grow. Vegas reflects this from its buildings to its people. I met people from around the world, all of whom had different perspectives on the US, the soft power wielded by different nations, and how this tug of war between countries triggers various changes in the geopolitical landscape.
As for the culture here, Americans have an excitable optimism that juxtaposes the stereotypical British sense of cautious realism. I took plenty of cyber skills away from my experience here in Las Vegas, but a certain amount of cultural appreciation, too!
For my final day at DEF CON, I was able to do some sneaky ELF reverse engineering, which was pretty fun. I managed to capture two flags in the hour or so that we had.
I analyzed one sample by writing custom C inline hooks to hook functions in the malware and grab flags from the running process, which took a little while to figure out. The other sample I looked at was much more straightforward; it was simply hex strings scattered throughout the binary that needed decoding, which only took two or three minutes.
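The "hex strings scattered throughout the binary" sample is the kind of thing a short script beats a debugger on. The following is an added example, not Ben's tooling or the CTF binary: it scans a constructed blob for even-length runs of hex digits, decodes each run and keeps only those that decode to printable text. The blob, the made-up flag text and the `HEX_RUN` pattern are assumptions for the example.

```python
# Added example (not the author's tooling): pull hex-encoded strings out of a
# binary blob, the way a "strings scattered through the binary" CTF challenge
# can often be solved without attaching a debugger.
import re
import string

# Even-length run of at least 16 hex characters (8 decoded bytes).
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){8,}")
# A decode counts only if every byte is printable text.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

# Constructed sample blob: an ELF-like header, ordinary text, two hex-encoded
# fragments of a made-up flag, and one hex run (deadbeef...) that looks real
# but decodes to non-text bytes and should be discarded.
CONSTRUCTED_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Hello, world\x00"
    + b"flag{constructed_".hex().encode() + b"\x00"
    + b"deadbeefcafebabe0011223344556677" + b"\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"example}".hex().encode() + b"\x00"
)


def find_hex_strings(blob, min_bytes=8):
    """Return (offset, decoded_text) for every hex run that decodes to
    printable text of at least min_bytes bytes, in file order."""
    hits = []
    for m in HEX_RUN.finditer(blob):
        decoded = bytes.fromhex(m.group().decode("ascii"))
        if len(decoded) >= min_bytes and all(b in PRINTABLE for b in decoded):
            hits.append((m.start(), decoded.decode("ascii")))
    return hits


def recover_flag(blob):
    """Join decoded fragments in offset order. That is enough for the
    constructed sample; a real binary may store fragments out of order."""
    return "".join(text for _, text in find_hex_strings(blob))


if __name__ == "__main__":
    for offset, text in find_hex_strings(CONSTRUCTED_BLOB):
        print(f"0x{offset:06x}: {text}")
    print(recover_flag(CONSTRUCTED_BLOB))
```

Run it against a real file with `find_hex_strings(open(path, "rb").read())`; raise `min_bytes` if short hex-looking runs in legitimate data (hashes, GUIDs) produce noise.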
At this point, many of the badges were sadly sold out, though I did manage to get hold of a nice Submarine badge with lots of games on it, which should keep me entertained for the 10+ hours it’ll take to get back to the UK.
That wraps up our fifth and final day! If you’re an Immersive customer and weren’t able to make it out to Black Hat or DEF CON, keep an eye out. When we return, we’ll take some of the more interesting and novel tools and techniques we’ve seen here and turn them into practical labs.