Blackhat USA is a global security convention and possibly the largest in the world. Since its inception in 1997, the convention has run in several countries, with this USA hacker convention right here in Las Vegas being the largest and most popular globally. The weekend event was held at the Mandalay Bay Resort and Casino, and saw around 19,000 security professionals from all over the world in attendance. Let’s check out what it is like attending and surviving the Blackhat USA convention.
Trainings, briefings and conferences
If you enjoy talks, Blackhat USA offers a great variety of them for both the offensive- and defensive-minded individual. The convention offers a packed briefing schedule comprising a number of concurrent tracks running at any one time. Here are some notable main topics of discussion:
Topics of interest
Hot topics this year include DevOps and cloud security, such as gaining access to the host from AWS instances and containers, namely those run by Docker and Kubernetes. There is also a growing focus on emerging technologies such as autonomous and connected vehicles, blockchain, deepfakes (with emphasis on adversarial networks) and up-and-coming 5G, among many others.
Mass exploitation of vulnerabilities
Past hot vulnerabilities such as BlueKeep and WannaCry quickly taught the world about eliminating legacy operating systems and defunct protocols; this should be a foremost priority. Other topics include securing Internet-connected devices, which are valuable targets for eavesdropping or stealing confidential information.
More efficient DevOps
Blackhat this year emphasized the concepts of DevSecOps. Automating DevOps security was presented as a way to meet both ever-increasing security and operational goals, allowing teams to keep pace with accelerated development schedules.
DevSecOps breaks from traditional agile software development methods, where separate quality assurance teams are decoupled from the coding teams. By injecting ops and security responsibilities right into the development teams themselves, it brings more developer code ownership and buy-in, and gets developers to take their code more seriously. Hence, it reduces the need for project handover and simplifies maintenance given how short software development cycles have become.
Network DevOps center
Blackhat is also one of the few events where you get the rare opportunity to see developers and enterprise teams working in tandem to address breaches before they happen. We see this live in the event Network Operations Center (NOC).
Here, companies and devs work with ops to run the event network, possibly one of the most hostile wireless networks in the world, in the heart of the Blackhat event. They can detect any type of attack immediately and dispatch staff to investigate. During the convention, you can visit the NOC and see the traffic maps and attacks happening right in front of you.
Attacks by Nation states
The cyber battlefront is always changing. While commercial malware and hacker tools sold on the dark web aren’t new, a worrying new trend is nation-states employing them to mask their activities in commercial noise. This allows nation-states to repeatedly conduct operations against their targets without creating unique custom (and identifiable) software, which makes it harder to trace the origins back to them.
Also notable in the InfoSec scene is the presence of generous bounties for discovering vulnerabilities in software. This promotes an open culture, funded by tech giants such as Apple and Microsoft. Microsoft has also added prize money of $300,000 to its Azure bug bounty initiative. It is open to researchers to encourage the open exposure of vulnerabilities in one of the most prominent cloud computing platforms, in the spirit of sharing here at Blackhat USA.
Trainings usually start a week before the actual Blackhat event start date. It is a tad like a “soft opening”. Having said that, each Blackhat USA instance begins with up to 4 days of technical trainings. Typical sessions cover a whole wealth of topics including pentesting, cryptography, forensics, Internet of Things, malware, and industrial control systems (ICS). Trainings are usually conducted by commercial trainers who make a point of teaching at Blackhat every year given the lucrative course fees. They appeal to InfoSec, blue team and red team hackers from beginner to advanced skill levels.
Trainings at Blackhat are conducted in the convention center ballrooms for large classes, or in a classroom environment for smaller practical groups requiring more hands-on work. Formats range from hands-on penetration testing and hacking classes, which require participants to bring their own computers and/or connect to training networks or VPNs, to mass lecture-style talks in large halls with hundreds of participants. These training courses are rather expensive too. Courses are taught by a range of InfoSec companies, invited guests or speakers.
No worries about food
Food is never an issue at Blackhat USA. On training days, breakfast and lunch are provided, together with twice-daily tea breaks held on the conference floors. On briefing days, only a ticketed daily lunch is served, though the food halls do open in the mornings serving a classic continental breakfast too.
Meals are served buffet-style; you use a ticket to enter the huge ground-floor convention dining halls. I reckon this justifies the $2500 USD per-attendee ticket. The halls serve fruit and bottled fruit juices during breakfast. I recommend grabbing a bottle to bring up to your training, which you can drink in the afternoon if breakfast is too filling for you.
Buffet food quality is generally decent, as you would expect of hotel-catered food. However, if you want something more premium or a beer, you will have to grab it at the hotel bars yourself. Still, you will never run out of outside food options here in Vegas. Fancy a Shake Shack or a Ramsay restaurant? You are covered too.
Having said that, there is always an eatery not more than a block away, let alone the large range of restaurants, bars and cafes within the Mandalay Bay hotel, casino and shops themselves. At times, certain trade show companies will book out entire bars and restaurants for parties and networking events. Amazingly, some even offer free-flow Starbucks for an hour. Just get there before the queue does!
Blackhat Opening Ceremony
The convention spans an entire week. It starts proper on the 5th day of Blackhat, after the 4 training days. The opening ceremony was huge, held at the Mandalay Bay convention center sports arena. This is where you get to realize the size of the event.
Here, you get the event keynote and welcome address delivered in person by the Blackhat founder and executive committee member, Mr Jeff Moss. Notably, Jeff has spent the last 17 years as founder and director of Black Hat and DefCon.
The keynote topic was the decentralisation of cyber security experts into software development teams, where the concept of a centralised cyber department gives way to security members embedded in individual software dev teams. The keynote also marks the day the Blackhat briefings and trade show start. This is when the talks, briefings and companies come to life on the convention trade floor.
The six-day event can get rather hectic, with several tracks running at any one time. If you wish to make the most of your Blackhat trip, it pays to come prepared, knowing which topics and briefings you wish to attend.
Hence, it is recommended to make a convention plan. You can do this by running through the briefing schedule and plotting and prioritizing the talks you wish to attend. Also, keep checking the online schedule rather than the print version, as panels may get shifted or canceled at the last minute (e.g. speakers held up at the airport).
It is also good to know you are pretty well taken care of as an attendee at Blackhat USA. Though most of the trainings and briefings are held on the upper 3 convention floors, certain panels and rest-and-relaxation rooms are located on the basement floors. You might want to keep a handy physical or digital floor plan to help you find the shortest route between two places.
Attendee Discounted Accommodations
Most hotels in the vicinity of the Mandalay Bay hotel run discounted room rates. The Mandalay Bay convention center is located on the south end of the Las Vegas Strip in Nevada, USA.
Several hotels under the same MGM hotels group, such as Excalibur, New York-New York and the Luxor, offer discounted accommodation to Blackhat attendees. Nightly rates can go as low as $70 a night without breakfast included. This is about half the average Las Vegas hotel nightly room price. Do note the discounts also apply to days after the convention dates if you plan to stay in Vegas after the convention, or attend Blackhat too.
The breakfast exclusion is not an issue, as each of the hotels offers a food court that opens early and sells really affordable food. Blackhat itself offers meals within the convention hall anyway. As for getting there, the Mandalay Bay is walkable from Excalibur and the Luxor. Alternatively, you can also take the free courtesy monorail; just be sure you get on in the right direction!
Dress light with comfortable shoes and a jacket
Due to the size of the event, spanning multiple halls, you will find yourself putting in a lot of steps daily. You can equip yourself with a step tracker for the lols. There are plenty of miles to cover between halls, conference rooms, bars and restaurants as you make your way through your schedule.
When you’re not walking, you’re going to be spending a lot of time standing. There is just so much to see at any time. Hence, do wear good walking shoes, such as trainers or soft-soled walking shoes. Comfort is key here, not fashion. There is no formal dress code and you are fine even in bermudas, shorts and trainers. It is, after all, sunny Vegas!
It also gets freezing in the desert. Well, meaning the convention halls can be very chilly. The hotels usually run the air-conditioning at full blast during the convention, and it can get rather chilly indoors, especially in the training rooms. So yes, as ridiculous as it sounds, do bring a light jacket on your trip to the desert.
So many briefings to attend
With at least 4-5 panel tracks on at any time, you can’t be at all the briefings. Hence, you have to pick the ones you need to attend among those clashing in the same timeslot. However, if you wish to attend 2 sessions at once, a tactic I would recommend is to split your time between the two.
Sitting at the back of the hall for your first half makes a mid-point exit to your next venue easier and less disruptive to other attendees. Unlike DEFCON briefings, Blackhat talks and panels seldom end early and usually stretch out for the entire hour they are given, so you are usually good for new content in the second half. Alternatively, you can shell out some cash for Blackhat’s recordings to watch all the panels in your own time.
The Blackhat USA trade show has a very vendor-neutral community. The professional trade show portion of the convention brings together leading professionals from the InfoSec community, including those from the public and private sectors, academia, and research. The event is huge, spanning 3 convention center halls in the Mandalay Bay itself.
Here, you see big-name companies such as F5, CrowdStrike, Malwarebytes, Rapid, and IBM Security presenting at their briefings as well as at their booths in the trade halls. Even Facebook Security was around looking for hires for their internal security teams.
It is not uncommon to see large groups of patrons gathering at booths. Some of these booths can be rather extensive, with huge seating and demo areas. Here, staff can do 1-1 intros and share the most critical, actionable security research and insights through cutting-edge presentations and educational programs.
What, a free T-shirt?
It appears that software and cyber security exhibitors spare no expense on booth budgets, particularly on the gifts they give out to entice visitors to find out more about or promote their products.
Hence, it is not uncommon to find booths generously dishing out company-branded electronics and T-shirts as gifts. Some booths even provide gifts, such as custom-printed T-shirts, after you sit through their presentation sessions. I had a friend who won a Nintendo NES gaming system just from spinning a wheel at a booth.
Interestingly, Blackhat also runs a Passport treasure hunt. It encourages you to visit the booths and collect stamps from participating companies; a completed stamped entry can be swapped for prizes.
Some company booths even outdo others by providing custom-pressed shirts made on the spot. Other notable tangibles include gifts such as toy swords, and signed books on InfoSec and penetration testing topics, where you can meet the authors themselves. Of course, there is no obligation to take any of them.
Hands-on Arsenal Section
Besides talks, the trade show area is also home to the Arsenal Lab. Blackhat Arsenal is where you can view and try out live demos and exploits in a science fair setting. This activity area has been around for 10 years. This year saw a new layout allowing more hands-on time for attendees to play with hardware, ICS gear, and IoT devices in a controlled environment.
The Arsenal also provides a unique opportunity to mingle with Arsenal veterans, Blackhat USA trainers, researchers and enthusiasts from the open-source community who run these small panel sessions. Topics include demonstrations of the open-source tools they have developed and their findings over the past year. You can typically find well over 100 tools being showcased during the event.
You can approach the various hacking tools in a classroom-style guided environment, or by actually getting your hands dirty with the tools.
On my visit, I got to meet recipients of the Pwnie Awards. The award resembles a gold My Little Pony toy. The Pwnie Awards recognize both excellence and incompetence in the field of information security.
Official Blackhat swag everyone can’t get enough of
If you can’t get enough swag at the convention area, you can check out the official Blackhat gift shop, operated by Moxie Merchandising, which sells official convention goods.
I found the items on sale a tad overpriced, but they still sit in the realm of affordability. Despite this, it is not uncommon to see long queues in store. A walk around reveals the usual merchandise of apparel, bags, mugs, stickers and pins. A hoodie or bag costs at least $50 USD a pop, and premium bags and briefcases can cost upwards of $200 USD. It is not uncommon to see attendees with purchases in the hundreds of dollars.
It signals the degree of disposable income these InfoSec attendees have. I guess when you are willing to take home a mark of the world’s most prominent hacker convention, you spare no expense on it.
Interestingly, the merchandise store pretty much sells out by the end of the convention. In addition, the convention also runs a bookstore in the training halls, where you can find several InfoSec books, as well as buy video recordings of the various talks.
In conclusion, I hope you find my experience and tips at Blackhat USA useful. It is a fantastic event, with lots to do at every corner. From trainings and briefings to the massive trade shows, you name it. It is one big multinational potpourri of people coming to possibly one of the best InfoSec conventions in the world to date. After all, what happens in Vegas stays in Vegas, right?