DEF CON 32 Recap: Insights and Experiences from The NetSPI Agents
DEF CON 32 brought together thousands of hackers and security enthusiasts from all over the globe for another unforgettable year. Going along with this year’s theme, we sent some of our NetSPI Agents to “engage” with the hacker community by reconnecting with friends in the industry and building new relationships, and the opportunity for professional development – to not only learn about their specific field but broaden their security horizon by exposing them to new learning opportunities through sessions, workshops, and trainings.
In this blog post, we’ll dive into their experiences – what they learned, new perspectives, and how proactive security is always present, even at DEF CON 32.
Luke Langefels, Security Consultant
One of the talks that I went to while at DefCon was Matt Burch’s presentation on defeating ATM disk encryption. The talk focused on his research with ATMs and how he discovered 6 zero-day vulnerabilities in Vynamic Security Suite, which is one of the largest ATM software vendors. I attended this talk because I wanted to learn more about ATM security and hearing that 6 zero-days were discovered in the last couple of years really piqued my interest.
One of the things that stood out to me was that most of these zero-days were essentially a game of cat and mouse with the Linux filesystem. Burch would defeat the boot integrity checks by modifying the Linux file system to gain access to a file or directory, which would result in him getting code execution. Vynamic would then reactively patch the vulnerability, only for Burch to find a workaround, and the process would repeat. Instead of reacting to each vulnerability as it was discovered, the proactive approach would have been to tackle attack vector at its source: the unencrypted file system. Switching to full-disk encryption would have effectively remediated the 6 findings. This was the approach Burch ultimately recommended to Vynamic.
Patrick Gabriel, Principal Security Consultant
At Defcon, I attended the talk titled “Spies and Bytes: Victory in the Digital Age” by General Paul Nakasone, former director of the NSA and US Cyber Command. While largely policy focused, I was drawn to this talk due to interest in how government agencies are adapting to the increasing sophistication of online adversaries and other nation states.
One key takeaway was that the U.S. government’s approach has historically been reactive, highlighted by the 2008 Russian hack against the Department of Defense using simple USB drives, which led to the creation of US Cyber Command. More recent attacks, including SolarWinds and Colonial Pipeline, further underscored the need for a shift to more proactive security measures. Another key takeaway was that in the opinion of Nakasone and the government writ large, collaboration between government agencies and the private sector must be further developed, as companies like Microsoft and Google are the only ones who possess unfettered visibility into their own networks.
This talk underscored the importance of agility in cybersecurity, which is no easy task for monoliths in the national security space, a sentiment captured by one of Nakasone’s closing remarks: “It’s not the big that eat the small, it’s the fast that eat the slow.” The talk emphasized that proactive security is no longer just a strategy, but a necessity.
Tim Kirby, Security Consultant II
I attended the talk: Threat Emulation 101 by Trey Bilbrey. Trey discussed the fundamentals of threat emulation (red teaming) from a business risk standpoint. I attended this talk because I am passionate about adversary emulation and am fascinated by what the smartest minds in our field have done to put together nation state actors into groups. These groups can reasonably be approximated by their attack methods linked to MITRE T codes.
To have a successful threat emulation program the business needs to fully understand its worst-case scenario by being realistic about itself, by determining the risks the region it operates in, business type, and if it has been attacked before (by ransomware or otherwise). A business also needs to determine probable threats by determining what hostile intent, opportunities, and capabilities would be.
A few takeaways from the talk include that it is impossible to stay current in real time due to the speed of information of attacks getting released and that threat emulation needs to be as simplistic as possible in order to be a trusted (emulated) threat. Having this trust allows the defensive teams to do a much better job.
This talk was relative to proactive security because at NetSPI we already help companies build detections from real threats by mimicking them. This dramatically increases detection time and can reduce a company’s outage/downtime.
Russell Glober, Security Consultant II
The SEC Vishing Competition was amazing. Teams and individuals go toe to toe, placing live phone calls… showcasing the duality of ease and complexity of the craft against the various levels of preparedness and defenses by actual companies.
I wanted to see how preparation and pretexts would fare against the individual (and often unpredictable) reactions of the real-life call targets, especially given the pressure of the time-boxed competition.
Key takeaways:
- Prepping and practicing the pretext so it flows as naturally as possible
- The power of establishing rapport with, and empathy from, the call target (including the use of praise and creating a shared purpose with the target when the pitch is that the caller is enlisting the help of the target to improve their company’s security posture)
- The need to stay nimble, adjusting one’s pitch rather than pushing harder on a failing tactic
From a tester’s perspective, the competition provided a fun showcase of different personal styles and general attack principles and techniques. From a defender’s perspective, I think there were lessons for training employees to identify potential vishers.
Learn more about the competition
Seth France, Security Consultant II
I attended SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level.
The session focused on the evolving landscape of SQL injection (SQLi) vulnerabilities. While traditional SQLi has been mitigated with improvements in programming languages and database management systems, the speaker highlighted that the threat is far from over. Instead of exploiting the query syntax, it may be possible to target the lower-level database wire protocols with query smuggling to bypass existing security measures.
SQL injection has always been my favorite vulnerability to explore, due to its blend of technical complexity and potential impact. Given the constant evolution of security measures, I was eager to learn about new attack vectors and techniques that could be used in this area.
Key Takeaways:
- Integer Overflows in Memory-Safe Languages: The speaker demonstrated that integer overflows remain a relevant issue, even in languages designed to be memory-safe. This is a critical insight, as it suggests that security practitioners should not become complacent when using such languages.
- Feasibility of Sending Large Data Payloads: One of the most striking points was the feasibility of sending large amounts of data (up to 4 GB) through database wire protocols. By using techniques like nop sleds and compression, attackers can smuggle malicious payloads without the threat of DoSing the server.
- Multi-Angle Vulnerability Exploration: The session emphasized the importance of examining vulnerabilities from multiple angles. Simply focusing on query syntax is no longer sufficient; attackers must consider every aspect of the communication process between applications and databases.
This talk is a prime example of how proactive security practices can stay ahead of emerging threats. By understanding and anticipating new attack vectors, like protocol-level SQLi smuggling, security professionals can inform clients and implement mitigations before these techniques become mainstream. Proactive measures not only protect systems more effectively but also reduce the need for reactive responses when vulnerabilities are inevitably discovered and exploited.
Stefan Nelson, Senior Security Consultant
At DEF CON, I spent a significant amount of time at the Red Alert ICS CTF, a Capture the Flag competition focused on Industrial Control Systems. Before attending, I was not familiar with the event. In fact, I just wanted a more proactive activity and a chance to sit down for a while. The event was a blast! I teamed up with an attendee from Paris, and together we tied a few other teams for 3rd place.
While I’ve read research and CISA reports on the vulnerability of industrial control systems, I had never gotten hands-on before. This CTF highlighted the vulnerability of systems ranging from large ship and crane control systems to real in-the-wild CVEs on well-known networking hardware. Altogether, this broad set of technology supports an incredible amount of our day-to-day livelihood and appears to have a grim threat profile. However, it opens up amazing opportunities to proactive security practices to discover, mitigate, and patch these crucial systems.
Ethan Hobart, Senior Security Consultant
While at DEF CON, I attended Social Engineering AI Like You’re Piccard by Jayson E. Street. The talk was about how to better use AI tools such as ChatGPT, CoPilot, Gemini and others to enhance your social engineering engagements.
I love seeing the creative and interesting new ways that people are using AI to assist/design attacks and other security related tasks.
Key Takeaways:
AI services have rules built into them that prohibit them from being used for any malicious activities such as designing social engineering attacks and other bad things. To bypass these restrictions, you have to literally social engineer the AI bot to convince it that the malicious thing you’re asking it to assist with, is not truly malicious at all. This involves feeding the AI a made-up pretext or story, identically as you would a human, explaining why what you’re asking is reasonable and benign. These social engineering bypasses are effective, and the AI happily complies with your ask.
Using AI to assist with social engineering attacks makes our engagements more clever, subtle, and believable, which in turn helps keep our clients ahead of the curve because we can find problems before the bad guys do.
Alex Poorman, Principal Security Consultant
For too long, there hasn’t been a solid pentesting tool for Google Cloud pentesting. That all changed when NetSPI Senior Security Consultant Scott Weston created GCPwn. I had the pleasure of hearing Scott talk about GCPwn in the Cloud Village during DEF CON 32.
GCPwn is a Google Cloud (GCP) pentesting toolkit that operates in a similar manner as Pacu and Metasploit. Different functions are broken up into enumeration modules and exploits, allowing the user to enumerate the attack surface and exploit misconfigurations in one easy-to-use framework. GCPwn’s ease of use cannot be understated: it’s perfect for both someone new to cloud security and pentesting but also powerful enough to help even seasoned cloud pentesters quickly conduct high-value penetration tests.
Scott has changed the GCP pentesting game with GCPwn. This powerful tool will help both blue and red teamers secure their Google Cloud environments quickly using a proactive security approach. Check out the tool on NetSPI’s GitHub and see why GCPwn is now the standard for GCP pentests.
Reid Sedlak, Principal Security Consultant
While at Def Con, I attended SQL Injection Isn’t Dead. The talk covered novel attack surfaces for database wire protocols. The research showed new methods of SQL Injection by manipulating binary protocol delimiters and length fields.
Many clients I work for have battle tested software some of which has been running on the internet for 20+ years, as a result it is increasingly important to find untested surface areas within their application before threat actors do, making this talk invaluable.
Some key takeaways included:
- If at first, you don’t succeed, test a lower network layer, aka try harder.
- Don’t be afraid of sending large (4gig +) payloads for clear/white/open box testing.
- Rust/Go may be the cool new languages but there is a reason that developers often choose more mature languages and frameworks for mission critical software.
Infosec is a constant cat and mouse game, it is important to keep on top of new research and newly discovered attack surface area in order to test and detect the security flaws before the threat actors do.
Kyle Rozendaal, Senior Security Consultant
I went to this talk because Josh is awesome, and it sounded really interesting: Signature-Based Detection using Network Timing.
Josh Pyorre observed an issue when attempting to identify common malware in large computer networks: modern detection strategies utilize code signatures, processes running on endpoints, and traffic to known malware distributors to create alerts for the SOC to take action upon. Since modern ransomware runs so quickly, there is often little time to react when ransomware is executed in the network.
In an attempt to create a more rapid and automated response to these types of security incidents, Josh presented his research on the timing of common ransomware traffic as it detonates within a computer system. By measuring the time between network traffic and applying common statistical analysis methodologies as the executable reaches out to the malware distribution site and initiates a command-and-control process, he was able to successfully generate a network-flow signature based on timing to identify and differentiate between certain types of common malware and ransomware execution within several different computer networks. This signature could then be used to identify ransomware execution based on network flow rather than relying on process execution on the endpoints.
By focusing detection on a lower level of the OSI Model (Layer 3: Networking), rather than at the highest level (Layer 7: Application Layer), companies can utilize technology they already have in place by analyzing network traffic and logs rather than relying on additional vendors and executables to generate alerts when malicious programs are executed within their environments: thereby leading to faster detections and response times.
Tristan Gomez, Security Consultant
I attended a talk by Jonghyuk Song, Seunghee Han, and Soohwan Oh.
Han talked about vulnerabilities that were discovered while performing black-box testing on ECUs.
During testing, abnormal behavior was discovered in the ECU Reset and the Communication Control. Upon identifying these abnormalities, the researchers were able to perform more targeted testing. They discovered means to completely disable vehicles, cause sudden stops, or even cause sudden acceleration.
Vehicle hacking fascinates me due to its potential impacts. It’s an area of security where my knowledge is currently limited, so I naturally gravitated towards attending this presentation.
It’s vital that these services should not be allowed to operate while the vehicle is in drive, and all of these services should require SecurityAccess Authorization. Disabling vehicles would cause many economic costs, as well as the more severe examples of attacks demonstrated in the talk could result in injuries or worse.
In today’s growing threat landscape, you need to be proactive in your security. Security testing via fuzzing, penetration tests, etc. are vital in identifying these potential vulnerabilities before they can be exploited in the wild.
Marissa Allen, Senior Security Consultant
I attended the DEF CON talk ‘GCPwn: A Pentester’s GCP Tool,’ which introduced a Python-based tool developed for penetration testing on Google Cloud Platform (GCP). I picked this talk because of my growing interest in cloud security and to understand specific vulnerabilities within GCP. Although GCP is smaller than AWS and Azure, it is extensively used across various industries.
Scott Weston highlighted the tool’s capabilities, including enumeration modules for GCP core services like Cloud Storage, Cloud Functions, Cloud Compute, and IAM. These modules leverage exploits from Rhino Security’s public GCP exploit repository. This collaboration helps ensure the tool is continuously updated with the latest exploits and techniques, enhancing its reliability for security researchers. The tool is designed to be user-friendly and encourage anyone new to GCP or coding to develop and integrate their own modules.
This talk also covered the importance of comprehensive toolsets that evolve with cloud platforms to address new security challenges, the enhancement of security tools through community-driven open-source contributions, and reduces the barriers for newcomers to engage in cloud security practices. GCPwn demonstrated the importance of specialized tools that evolve alongside cloud platforms, enabling security professionals to proactively identify and mitigate vulnerabilities in cloud environments before they can be exploited. These proactive measures are essential in maintaining the integrity and security of cloud-based resources
Steven Carter, Managing Security Consultant
Threat Emulation 101
The talk delved into Threat Emulation, a sophisticated cybersecurity technique used to rigorously test and enhance an organization’s defenses. This practice involves creating intelligence-driven scenarios that replicate the tactics of malicious actors. By simulating these threats, organizations can evaluate and fortify their defenses, preparing them to face the unseen dangers lurking in the digital shadows.
I attended this session to gain a deeper understanding of Threat Emulation, specifically to learn how it integrates into broader security strategies and to grasp the technical and strategic aspects of crafting and executing these simulations. My goal was to understand not only the mechanics but also the practical benefits and applications of Threat Emulation in enhancing organizational security.
Key takeaways included the ability to craft highly specific scenarios that mirror the tactics of specific threat actors, uncovering vulnerabilities that could be exploited in real attacks, and improving incident response by rehearsing against realistic threats. This approach is integral to proactive security, as it anticipates and mitigates potential attacks, significantly strengthening an organization’s defensive posture against emerging threats.
Matt Lashner, Senior Security Consultant
I attended Matt Burch’s talk: “Where’s the Money: Defeating ATM Disk Encryption”. This talk was a view into the research Matt conducted against one of the most popular ATM security solutions in the market, which resulted in 6 zero days. I attended Matt’s talk because I love diving into interesting and novel techniques to bypass established controls, especially as they relate to embedded systems.
I took away a number of interesting points relating to Integrity Measurement Architecture (IMA) bypasses, such as utilizing broken symlinks and empty directories. I think the biggest takeaway, however, was the overall mindset of “what’s next?”. Throughout his talk, Matt addressed many vendor patches. A vulnerability was identified then patched. Many times, when vendors issue a fix and the security researcher validates remediation, that’s the end.
To approach proactive security, we can’t take a patch at face-value but must keep pushing. In continuing to try novel approaches to each patch attempt, Matt greatly improved the security posture of this critical system which runs on most ATMs. This is an amazing example of how thorough testing and due diligence, even in the face of established controls can lead to positive outcomes.
Leauminna DeSantes, Security Consultant II
At DEF CON, I attended the Fireside Chat with DNSA Anne Neuberger (and Jeff “The Dark Tangent” Moss).
This talk was an open discussion between one of the hackers that founded DEF CON and the United States Deputy National Security Advisor for Cyber and Emerging Technology. Not terribly long ago, being a ‘hacker’ was considered subversive and a friendly discourse between this community and the government would have been unlikely at best.
One of my main takeaways from this session was that this type of collaboration is not only welcome but necessary. We’re in uncharted waters right now in some regards, and one thing that gave me food for thought was a point that Anne raised regarding the boundaries (or lack thereof) between public and private sectors, as well as nation states, in cyberwarfare. How do we approach a situation where, for example, Russia utilizes cyber-attacks on Microsoft Azure to attack Ukraine? Anne and Jeff also discussed the difficulty and time sensitive nature of triaging issues like the CrowdStrike outage, which initially presented very similar to what we might see during a large-scale nation state attack.
Overall, it was clear from this session that the need for proactive security will only become stronger moving forward. As individuals, we must decide what matters to us and then take the initiative to come together and defend it.
Learn more about the fireside chat
Dan Norte, Senior Security Consultant
Another Def Con in the books. It’s already great to spend a weekend with like-minded individuals who share a passion for hacking and radio technology.
This year I volunteered and worked as staff at the Ham Radio Village (https://hamvillage.org/). The experience was extremely rewarding since the village is filled with enthusiastic individuals eager to learn about the hobby. It was great being on the other side of the table for the first time and getting to share my knowledge. I enjoyed it so much I ended up working 5 to 6 hours more than I was scheduled.
Last year the Ham Radio Village set the record for the largest amateur radio exam session with 375 applicants tested. This year I’m hoping we broke the record again. One of the most important roles I played at Def Con both last year and this year was encouraging people to get their license since this hobby does require one. The most rewarding part of the weekend was when people I met last year at the village saw me working there this year and came up and thanked me for encouraging them to get their license at the previous Def Con. I wouldn’t have run into these individuals if I hadn’t volunteered.
Another rewarding experience from working at the Ham Radio Village is helping children participate in the Social Engineering Community (SEC) Youth challenge. The next generation of professionals had challenges to complete for their contest and at the Ham Radio Village they could complete either passing their exam, sending a Slow Scan Television (SSTV) image, or participating in the Ham Radio Village’s own contest the Foxhunt. You could see the amazement in their eyes when they learned how to send cat memes over a handheld radio that could then be decoded by someone with a radio and a smartphone app.
And a personal highlight, while at Hacker Jeopardy I was called on in the audience to respond to a clue the participants couldn’t. And while I failed because my response wasn’t in the form of a question, I was still given credit because my answer was too correct. I was awarded a special badge that allows me to skip the line at Hacker Jeopardy and there’s no greater award than spending less time in line at Def Con.
Conclusion
As Security Consultants, we know that the cybersecurity landscape is constantly evolving. Threats evolve, vulnerabilities emerge, and attacks are becoming more sophisticated by the day. Taking a proactive security approach isn’t just a strategy – it’s a necessity.
DEF CON is more than just a conference – it’s a gathering of minds where the global hacker community can come together to exchange ideas, build lasting relationships that go beyond the Las Vegas Convention Center and collaborate. Proactive security requires continuous learning and curiosity, and DEF CON allows our team to strengthen our collective knowledge base and learn from each other.
Explore more blog posts
Exploiting Second Order SQL Injection with Stored Procedures
Learn how to detect and exploit second-order SQL injection vulnerabilities using Out-of-Band (OOB) techniques, including leveraging DNS requests for data extraction.
CTEM Defined: The Fundamentals of Continuous Threat Exposure Management
Learn how continuous threat exposure management (CTEM) boosts cybersecurity with proactive strategies to assess, manage, and reduce risks.
Balancing Security and Usability of Large Language Models: An LLM Benchmarking Framework
Explore the integration of Large Language Models (LLMs) in critical systems and the balance between security and usability with a new LLM benchmarking framework.