Observations from Black Hat USA 2024, BSidesLV, and DEF CON 32

I recently spent six days in Las Vegas attending DEF CON, BsidesLV, and Black Hat USA 2024, where I had the opportunity to engage with and learn from some of the top security experts in the world.

A major theme across all three conferences was the current state of AI. Many sessions focused on how AI is transforming our industry, with speakers addressing both its strengths and limitations, and exploring various ways it is being utilized.

While AI is undoubtedly transforming security practices, it’s clear that it’s not set to replace human roles just yet. Instead, discussions have shifted to how AI can enhance our work rather than take it over. For example, at DEF CON, Stephen Sims, curriculum lead for SANS Offensive Operations, discussed how he developed specialized AI agents or LLM agents for narrowly defined tasks, finding that the more specific the task, the more effective AI performed. He highlighted how AI saved him time in vulnerability discovery and exploitation but affirmed that it would not replace his job.

At Black Hat, I particularly enjoyed the Fireside Chat with Moxie Marlinspike, the founder of Signal, and Jeff Moss, the founder of Black Hat. They explored the complex trade-offs between security and privacy, offering examples and insights into these decisions.

They stressed the importance of prioritizing personal information protection and discussed the role of cyber leaders in this effort. Additionally, Moxie addressed software development practices, highlighting the fragmentation caused by agile methodologies and advocating for developers to possess deep knowledge in their field to drive innovation. He stressed the need for leaders who are creating the vision of a software company to collaborate and overlap with engineering goals.

Supply chain attacks and software bill of materials (SBOMs) were also key topics, at Black Hat featuring several talks on securing the software development lifecycle, addressing dependencies, and exploring new security solutions.

One of the more encouraging discussions at the conferences was centered on the progress Microsoft Windows has made in becoming increasingly difficult to exploit. This is a significant achievement, reflecting years of dedicated work by Microsoft’s security teams to harden the operating system against a wide range of attacks. Features like improved memory protections raised the bar, making it much more challenging for attackers to find and exploit vulnerabilities in Windows.

However, this positive development was tempered by the ongoing presence of basic security flaws in other areas, particularly in IoT devices. One talk that stood out revealed a simple web command injection vulnerability in an IoT camera, which allowed for a complete takeover of the device. This vulnerability is a reminder that while significant progress has been made in securing more complex systems, fundamental security lapses persist in many of the most ubiquitous and seemingly simple technologies that are extremely widely used.

In my conversations with industry professionals, a recurring theme was the challenge of resource allocation, particularly when it comes to advanced testing techniques like fuzzing and comprehensive product security evaluations. These methods are critical for uncovering hidden vulnerabilities and ensuring the robustness of security measures, yet they are often underutilized – especially in more challenging economic times.

Many companies recognize the potential value these activities bring, but they face tough decisions in a landscape where resources—both financial and human—are limited. As a result, organizations tend to prioritize investments that align directly with their immediate business needs, often at the expense of more extensive security testing. This trade-off can leave certain vulnerabilities unaddressed, potentially exposing companies to greater risks down the line.

The feedback highlighted a broader industry trend where the push for innovation and speed sometimes overshadows the need for thorough security vetting, a balance that companies continue to struggle with.

Overall, the conferences reinforced the idea that while technology evolves, the fundamental cat-and-mouse dynamic between attackers and defenders remains constant. Attackers continue to exploit financial opportunities and push the boundaries of defenses, which in turn drives the development of new security measures.

While security measures continue to get more advanced and improve, as an industry, we are still largely suffering from the same human errors that have plagued us for decades. While AI will continue to help improve our workflows, data analytics and speed, it is not going to replace the human soon – ironically, this human element is often what leads to threat actors being able to breach our companies.