Post

Tales from DEFCON 27 - Retrospective

Posted Updated
By Michael Giordano 6 min read

Introduction

If there’s one thing I look forward to every year, it’s attending DEFCON.

I am lucky enough through my employer to have expenses covered to attend, albeit buying swag which I’m more than happy to cover! I also attend Black Hat each year as well, preceded by DEFCON. Black Hat 2019 helped me understand that after a second time attending, while there are wicked smart people and pretty awesome talks, it’s not something I think I’ll attend in the future - not my style. I feel much more “at home” at DEFCON. Hell, I spend the better part of the 2nd day of Black Hat briefings prepping for DC on top of reviewing all the stuff I’ve noted and followed on Twitter in the weeks and months leading to DC.

If you’re new to DEFCON, I suggest getting on Twitter and following DC and the various villages months in advanced so you get an idea of what’ll be there so you can hit the ground running. This is something I learned after wandering around my first time at DEFCON.

Hack for Satan

First, one of the highlights of my DEFCON trip this year.

My legs hurt… ouch. I finally managed to snag a badge on their second-to-last drop after running marathons along the strip. Making it to the prior drops, only to get there seeing everyone donning their plague badges being told they just left. It was one of the fun parts of DEFCON #badgelife for me - and got my exercise in for the rest of the year.

It’s part of the fun, watching @hackforsatan Twitter diligently, waiting for an obscure picture of some random place on the strip to figure out where they are and race to get there in time.

Again, thrilled I was able to make it to one of their drops in time and get me one of those badges! It goes well with the Hack for Satan shirt I bought back in February/March of this year… although it doesn’t quite fit at the moment and couldn’t wear it to DEFCON - always next year… and a diet.

Appreciated the folks who walked up to me and demanded I engage in a seance with other badges and infect.

My advice for finding a drop next year: if you know the general area of where they are during a drop, keep an eye out for folks running and follow (keep up) with them. It worked!

DC Sticker Swap

My wife was happy that some folks took to the sticker she designed, made small talk with people she was handing it out to, and seeing pictures of some folks sticker hauls container her Bender sticker.

bender To Burner, or not to Burner…

I talked about how when it was coming close to DEFCON time, some folks on the infosec Twitter had discussed whether or not bringing a “burner” device (phone, laptop) to DEFCON was necessary. One of the biggest reasons not to being “who’s going to burn a 0-day on you” - touche. I think general awareness, good hygiene, and common sense will help in preventing from getting pwned. I brought a “burner” to my first DEFCON because I was more concerned with my expensive laptop getting lost, stolen, or damaged otherwise. This year, I said “meh, whatever.” Swap out drives, use a persistent USB with a Linux distro of choice, and I think you’ll be OK.

Her being a big fan of Futurama and the lovable rascal, Bender, she made the above sticker to help out with the to burner or not to burner debacle.

She’s looking forward to designing more stickers for next year and was happy to hear Dark Tangent mentioned the possibility of a more “official” sticker swap!

Blue Team Village

That BTV badge, though! I didn’t get the chance to sync with other Blue Teamers or Red Teamers to test out the honeypot capabilities, but did manage to play with it in my down time back at the hotel. The badge got me a few high fives while walking down the strip to between Paris and Flamingo from other fellow Blue Teamers. Missed connection to the dude with a BTV badge that wanted to give me a high five… and I didn’t catch it in time. I left you hanging… sorry, bro.

The amount of engineering and thought that went into the BTV badge is crazy! Take a look here for more in-depth information about the badge. It’s the badge that keeps on giving.

Participating in the OpenSOC CTF was fun and what made it all the better was being able to participate via VPN - so if I couldn’t dedicate my entire time to the BTV, I was able to play back at the room or in #linecon for another talk. I completed 1 of the 4 sections, I lost time in the mix of everything else, so I didn’t complete all the sections. I plan on sitting the entire CTF as long as I can if the BTV folks organize one next year!

Awesome talks from @ch33r10 with “The Cyber Threat Intelligence Mindset” on threat hunting and hypothesis crafting and @gkapoglis with “Serverless Log Analysis” - lots of amazing takeaways that make you want to rethink approaches and assumptions.

Packet Hacking Village

Complete Packet Detective, get t-shirt, sweet. I love dropping in the PHV for the lack of lights and house music while being eyeballs deep in PCAP’s.

Last year, I wanted to get the full experience and go through Packet Inspector and move on to Packet Detective. I finished Packet Inspector, but there was a line for Packet Detective that wasn’t moving. I came back on Sunday for Packet Detective, but they were already packing up, so I made it a point to complete Packet Detective this year, and I did! Hoping to try Capture the Packet next year now!

Challenges were awesome and made me want to pull my hair out on the last two challenges. I never really thought about looking to pull DKIM pubkeys out of PCAP’s but, hey, learned something new!

A talk that Jay DiMartino from Fidelis gave on “The Art of Detection” made my eyes bleed with the intensity and extensive use of YARA rules, but it inspired me to lean more on the use of YARA. Also learned the importance of tailoring alerts and fine tuning rules in SIEM’s - documentation for the next person, and avoiding REGEX hell to cover any and all potential usecases!

Other Things?

  • Donated to TOR project for an Onion badge/SAO (fitted to my BTV badge)
  • Donated to EFF via Rapid7 for a t-shirt… because I love Tenable
  • Currently playing with the Packet Squirrel picked up at Hak5’s booth

Conclusion

Conclusion

High-level of lessons learned and what to do next year.

  • Situational awareness of the strip for an “easier” Hack for Satan badge hunt
  • Participate in PHV’s Capture the Packet next year
  • Sit an entire CTF at BTV (if there is one next year)
  • Actually talk to people
  • Need more stickers
  • Missed Skytalks this year :(
  • Bring something to the table?
Other, DEFCON
defcon defcon27
This post is licensed under CC BY 4.0 by the author.