Guide to the week before Def Con

This guide is intended for anyone who is interested in joining the cyber security profession. People who might not be familiar with all the conferences that take place before Def Con or are looking to use these combined events to “dip their toes” into the many different areas of the profession.

Brand new backpack

The Diana Initiative Annual Conference

August 5th (Monday) Westin Las Vegas Hotel and Spa (100$ Early-Bird, 50$ Student, Free Tickets Available) https://www.eventbrite.com/e/the-diana-initiative-2024-tickets-773825511937

This is a conference focused on helping introduce underrepresented people to the world of cyber security. A new conference, its small but services an excellent entry point for people that might have anxiety about jumping into a profession where they are a minority.

TDI offers something for everyone, but most importantly it offers outreach from people and organizations that are trying to bring people into the industry and not sell you some new technology or service. The atmosphere is much quieter, and everything is less hectic, you have an opportunity to talk to someone instead of shouting. You won’t find influencers streaming, people selling pictures of monkeys or a leprechaun shilling a corporate browser.

Value : 7/10

Vegas BSides

August 6-7 (Tuesday and Wednesday) Tuscany Hotel and Casino Bsideslv.org ($100 Early Bird Donation, $500: Donor + 1)

This is what Black Hat used to be before Cyber Insurance was a thing. Buy your ticket early for the best deal or you will have to pay the donor price. If you are already part of the IT industry, chances are you will find something to interest you.

The venue is old, and the carpets have that sticky quality that brings back memories of Def Con at the Riviera. There is ample parking close to the casino entrance. The corridors and stairs here are a little tight and there are not many places to set up a quick LAN. Unless you plan a lot of hands-on participation, I don’t recommend bringing your ThinkPad. Wear comfortable clothing and be ready to maneuver yourself in and out chairs.

I can’t stress how much good planning helps the experience. Talks are broken down into “Grounds” and are published well in advance. Create a detailed itinerary in your app of choice. Having a plan of just walking around hoping for something to do will lead to disappointment.

The talks here are the highlight and every year has a chance for amazing moments. Don’t try to record or take extensive notes, all the talks are recorded and are available online later. Maybe take a quick photo containing the title and contact information of the presenter and maybe a particularly interesting slide but in general taking photos is discourages and if you happened to attend the Underground talks, prohibited.

Not all the presenters are experienced, not all of them speak with a sexy Australian accent but nearly all will provide current and actionable insight into what’s going on in this side of the industry. If you are working with Google, AWS, or Azure (Especially Azure) you are going to learn something Google, Amazon and Microsoft don’t really want the public to know, and it will make you better at your job. Don’t make too much noise, clap with enthusiasm at the end and as much as it hurts me to say this, don’t be a troll (save it for Black Hat Briefings). A lot of the time these presenters come from across the world, spending months preparing for this because they believe what they must share is truly important, and at conferences like these they are usually right.

If the talk was particularly interesting or valuable to you, make a note and about 2 weeks after the conference contact the presenter to let them know you enjoyed the presentation. This not only lets the presenter know that all the work they put in was worth it, but it lets you expand your professional circle as these presenters are usually part of a group, one that likely has a unique channel of communication (anything from discord to carrier pigeon).

Not every time slot will have a talk directly related to your current field, when this happens, and the option is available I highly recommend you attend talks focused on policy. Policy is a keystone category in this profession and is an investment that will pay off over time. These types of talks will be part of the “Common Ground” track of talks.

There is a Career Village on both days and the major industry organizations like ISC2, ISACA and CSA will be out there on both days in booths, but you will also find people doing outreach throughout the conference. This is a really great opportunity to talk about things like pay and the type of benefits being offered, don’t be afraid to ask questions as this is a very open environment. You can come up to a recruiter and ask, “What do I need to learn in the next 6 months?” and “What kind of pay is that going to get me?” and walk away understand if the effort will be worth it. It helps going into this at least somewhat prepared, your time is limited, and you want to be concise.

If you are going to attend Black Hat Briefings on the 7th and 8th you will typically only have one day dedicated to BSides but depending on the events it might be worth it split time especially if you plan to visit the Career Village on the 2nd day.

The overall atmosphere is very welcoming, the presenters are more genuine and my first time at a BSides Con (there are many throughout the year across the world) reminded me of my first 2600 meeting. My advice for having a great time is to smile the entire time you are there and don’t feel pressured to participate beyond clapping for presenters. Socializing here is, in my opinion, much easier here. Striking up a conversation, especially after an interesting session, is much simpler and everyone is much more easy going.

Value : 9/10

The quality of briefings and the variety of activities for $100 is hard to beat. Compare that with the 3k you will pay for Black Hat. The experience is nowhere near as polished and the environment not as comfortable, but the atmosphere and quality of the talks make this an amazing value.

Black Hat

August (7-8) Briefings and Business Hall

Mandalay Bay Convention Center Las Vegas

(745$ for Business Pass, 3000$ Briefings)

This is the premier Cyber Security conference this offers different types of entry packages. Buy early to get a discount or convince your work to pay (as they should).

Don’t bother driving here, take a Lyft or an Uber directly to the convention center so that you don’t have to slog through the heat. Don’t forget to grab your Black Hat backpack! Just like IP addresses we could run out at any moment. Be nice to the grandma handing them out.

Business Hall Pass

Business Hall pass is the cheapest and most accessible and has the benefit of buying Def Con tickets as part of the package. The orderly experience of picking up your Def Con with people who just took a shower is worth the cost of the Business Hall pass. (Hint, do this as early as possible).

Before going into the Business Hall take a moment to go up the first flight of stairs, carefully avoiding the Black Hat merchandise shop, and stop by Starch Press Books. This is your chance to get a huge discount and stock up on books that catch your interest. Starch Press books are great because they are not filled with fluff scraped from stackoverflow after watching YouTube videos. Most everything you find here is great for hands-on learning and was already affordable even before the Black Hat discount. Oh-oh! Looks like your backpack already has a small rip in it, be careful putting in your purchases.

Walking into the Business Hall for the first time can be a little overwhelming. Steer for the quieter section that looks to be configured like office cubicles. But to get there you will have to pass the CISA booth. If you are early in your IT career CISA training and resources are invaluable and more importantly align very closely to some of the tricker questions you will be asked on your CISSP exam. No one is trying to sell you anything, instead you can learn about the different ways you can access the resources CISA has made available. I think the strap just broke on your backpack. Grab your CISA stickers and pamphlets and head further in.

In the quieter part of the Business Hall is a place for smaller companies but also houses all the organizations doing outreach at the event. ISC2, ISACA, CSA all will have a presence at the conference, but this is also a great place to find community organizations that help ease you into the industry. Blacks In Cyber Security, Women in Cyber Security, Latinos, Gays and Queers are all here. If you wear the right hat and make the right sign the Furries will come find you. Finding a community you feel connected with is like hitting the Jackpot, you now have a plan for Def Con and your chances of having an amazing time have exponentially increased. For the 600$ entry fee this could be the most valuable part of the Black Hat experience.

Besides communities and foundations, the rest of the booths will be made up of smaller vendors. If you see something that interests you don’t hesitate to engage with the people at the booth, this is why they are here and for a lot of the booths in this section this is the only conference they will attend. Don’t feel bad about asking for a demonstration with no intention of buying, showing interest is incredibly valuable at these conferences, everyone is usually very engaging.

There will be product briefings held in the center of the hall throughout the day, all of them trying to sell you something and unless the subject matter directly affects your job should be ignored altogether.

Finally, you are ready for arguably the most important purpose of the Business Hall, collecting your free swag. Do I need a rolled-up hat? Do I even know what a Kenji is? Who cares, it’s free! Stay away from the Green colored water and be careful filling your rapidly disintegrating backpack. Don’t for a moment feel uncomfortable grabbing free stuff from vendors you will never do business with. Think of all the free advertising they get when all this is filling the back of your closet.

There are always companies hiring. Firing too and you never know when you need to find a new job. It is perfectly acceptable to use the Business Hall to scout potential employers. It is also perfectly acceptable to send out your resume after the event especially if you tailor it correctly to focus on what would make you useful to that specific company. You can spend a few minutes hanging around a booth and get a pretty good idea of the company culture and it is absolutely ok to ask “Are you guys hiring?”. There are various levels of executives at the event, every major player will have someone handling recruiting duties and you will often see recruiters walking around. Don’t worry about handing out your resume, grab a card and let them scan your badge, wait 2 weeks or so after the event and start to reach out.

Take the time to learn the major players and at least a general sense of their products. Taking notes is difficult when you are walking around a crowded convention floor with a bunch of swag and a ripped backpack but do your best, grab business cards. If you are very new to the industry a one time Business Hall ticket can end up providing quite a bit of value if you approach it with the right attitude and some planning.

Value 3/10

$600, if out of your own pocket, is hard to recommend. There is certainly value to be had but unless you have never been to Black Hat and simply want pre-purchase Def Con badge the cost is prohibitive. If this is your first time and you believe you will be back next year for the Briefings AND you are looking for a community to join or doing some serious job-hunting the value rises, but only as a one-time experience.

Briefings Pass

This is the more expensive ticket and hopefully your employer paid for it. The quality and in some cases the necessity of Black Hat briefings have been debated for some time but if you are prepared there is value to be had.

Don’t worry about talks being packed, the facilities are roomy with excellent air conditioning. Learn where the talks are, there are 3 floors and while it’s only a 5-minute walk at most, the halls are filled with people, and it can get a little chaotic on the main stairwell. The event app will become active the week before, use this to plan your itinerary and schedule the talks. The app allows you to review the presentation and I can’t stress how important that is for the presenters. If you enjoyed the briefing, please add positive feedback and review in the application, it matters.

Planning is key as you want to minimize the amount of walking you must do between sessions while collecting the maximum amount of Continual Professional Education units possible. You will have to choose from a selection of briefings in roughly 1 windows with each briefing lasting about 40 minutes. Sometimes the briefings that interest you will be on opposite sides of the venue. Avoid FOMO! All the briefings will be available online after the conference, including all the slides – you don’t have to worry about two briefings overlapping.

Try to avoid the obvious sales pitches but be careful to dismiss a briefing by title alone. If you had to deal with privacy and compliance “Hot Topics in Cyber and Privacy Regulation” was very insightful and valuable.

Try to attend briefings that are related to your current job activities, including those that might be categorized as Policy. More specifically, look for talks given by CISA as these will be targeted at a broader audience.

There will typically be a couple of briefings labeled as Community & Career, if these are of interest, they will always have an opportunity to engage with the presenters at the end, but you will have much better luck finding career opportunities in the Business Hall.

There are going to be talks where 15 minutes in you are either going to realize it’s a disguised sales pitch, or you are being briefed on something so outdated as to be completely useless. Rarely, but occurring alarmingly more often at Black Hat, are talks that are just straight bullshit coughcryptographic agilitycough. It’s perfectly ok to get up and leave if you don’t feel like the briefing is useful to you.

Just like with BSides I don’t recommend you record or try to take extensive notes. Do engage with the presenters, especially if you have a legitimate question or concern. Wear light clothing and comfortable shoes, bring a water bottle if you can squeeze it into your Black Hat backpack without ripping it in half or you will have to use little paper cups. Eating depends on your tolerance for bad fast food and medical requirements. The food court is very close by but will be packed throughout the event and I recommend bringing a snack and waiting until after the conference to eat. There is plenty of room to relax and pull out the old ThinkPad but carrying around that extra 10lb really starts to get tiresome and is usually unnecessary.

Socializing during briefings is tough. A lot of people are already in groups, and everyone has a set schedule and somewhere to be. Instead, this is a time to connect with presenters and projects. Large industry players will have a very strong presence and you get to talk to guys like Adam Stuart from Microsoft who is responsible for a ton of the information coming from Microsoft Learn efforts. Google, Amazon and just about everyone else will be there.

If the presenters are not trying to sell you something (however overtly), they are likely trying to get you involved with something. Projects that made it so far as to be presented at Black Hat have room for just about any type of contributor and even highly technical projects need plenty of peripheral support.

Value 7/10

There are still excellent briefings happening at Black Hat and you can quickly get caught up on all the topics that you can’t focus on throughout the year. There has also an alarming drop in quality, and this dates to well before COVID. There have been talks where the information was straight up nonsense, on niche topics where the presenter either didn’t expect an expert to be listening or didn’t care. There were talks where conclusions were tenuous or more likely useless and not actionable.

CISO Summit

This is an approved-only event that costs an extra 1k to attend and supplements the Briefings with an additional day of talks. I have never paid for this out of pocket and have never heard of anyone who has, it is always sponsored or paid for by your employer. Just like the Briefings the value you get out of the Summit depends greatly on your preparation and attitude. If you are an independent contractor, MSP or a decision-maker of a company selling cybersecurity products or services you can pick up some incredibly valuable insight. You also have direct access to individuals that are is not possible through a zoom call for a product demo. You can ask questions that would not get answered in another forum. Often policy decisions that could affect the entire industry are discussed by presenters with first-hand knowledge and influence. On the other hand, some years the entire day is spent listening to nonsense where you truly understand the meaning of someone “Pissing in your pocket”. The value of attending varies, but I will say that in all cases the Summit is better when attended with a friend. Think of it as a “Moving the Couch” type of thing, a hell of a lot easier with two.

Training Sessions

August (5-7) Black Hat August 6-8 for Def Con

Around 4-5k for Black Hat, 2-3k for Def Con

https://www.blackhat.com/us-24/training/schedule/

Trainings are specialized sessions that take place over the course of two or three days prior to the actual conference. They cost an additional fee, usually several thousand dollars and focus on one specific area of practice.

These sessions are led by expert professionals who guide you through a carefully prepared “boot camp” style experience that focuses practical, hands-on learning. Some training sessions have been going on for years and have a tightly tuned process to first present and later re-enforce the processes and methods taught. The best once will have a strong support system in place before, during and after the session. I can’t stress how important the “before” part is, look for sessions that verify minimum knowledge level required as well those with detailed descriptions of the course and the environment.

If your employer is covering the cost, these are a no brainer. Pick a session that most benefits your current work process. Look for skills that will benefit your team and advance your career. A lot of training sessions will focus on a specific attack or defense vector, I recommend starting with sessions that focus on generalized defense. “Defending the Enterprise” is a yearly session that gives you current and, more importantly, actionable insights that you can implement in nearly any scenario.

Be prepared. Time is very limited and if you have not completed the pre-requisites or don’t have a handle on the subject matter things get out of hand quickly. Every training offer will have a detailed description of the pre-requisite skills you must have to participate. You may also have to prepare your own operating environment for the session, like setting up and configuring a Cloud Subscription on Amazon or Azure. Be ready to interact via CLI only use whatever shell the instructor expects you to use. You can, and should, ask questions but you are expected to meet the minimum knowledge requirements.

Learn to take notes. You are going to have to take notes quickly and in different environments, sometimes you are saving snippets of code, sometimes a link. Sometimes you are just writing a reminder to yourself about some interesting technique. Depending on the session, expect to spend your evening organizing notes and trying to train muscle memory to log in and authenticate faster. It helps to have a system to organize your notes, Obsidian is one of many options, but the most important thing is to take notes and not rely on your memory or the provided documentation. I mention Obsidian because you can quickly create links to information you haven’t collected yet, giving you a good idea of things that you will have to research on your own time. Regardless of the quality of the training sessions, every single one needs to be reinforced by practice.

Since everyone has the same interests, socializing is easy and natural, but also optional and some people prefer to focus on training and keep to themselves. Sessions that require teams or cooperation will state so in the description. A lot of the sessions last 2-3 days and even then are very condensed, being in Vegas make it supper easy to get together after the session to review and practice.

Value : Some 10/10 some 3/10, mostly 7/10.

There are a couple of training sessions that cover the keystones of a topic so well that you leave with both competence and confidence to continue without handholding. These sessions will leave you with a clear sense of direction and enough “homework” to re-enforce what you learned. They will have a community you can join and will continue to offer support. These are what I consider 10/10.

Most training sessions have been returning for many years and most will be very good if not 10/10. Being absolutely clear about the requirements is key, the most common cause of disappointment is not being able to keep up with the session because you don’t have the pre-requisite knowledge or worst didn’t to the required steps to setup the required environment.

There have been a few, rare, training sessions that left me disappointed. If the presenter is excited about the latest techniques that will make your blue team oh so excited and pulls out Windows Server 2000 you are free to ask for a refund.

Def Con

August 8-11

Las Vegas Convention Center

$1K When?

I know this guide is about the conferences before Def Con, but I want to say a few words about the unique opportunities offered by attending. The cost of attending has been going up and everything you buy at the con is now so expensive that it borders on prohibitive however some things Def Con does that others simple can’t complete with.

In recent years the US Government has had a very strong presence at Def Con and short of sliding into CISA Jens DMs (Dangerous) is the best way to get close to the policy makers and get involved with many amazing programs currently open to the public. The last few years it really felt like government agencies had a stronger hiring presence at Def Con than Blackhat.

Villages have mostly worked out kinks at scale and because Def Con has grown it became easier to join in. If you are a network administrator and you show up at Packet Hacking Village you have an opportunity to get hands on experience in an organized and in some ways “optimized’ experience. Talks can all be watched online later, but the hands-on experience of a well-executed Village can’t be replicated.

Outreach and finding a mentor.

There are a number of organizations doing outreach at these conferences. I however only shill for 2 and 1/2 of them.

ISC2 represents CISSPs, experts in subject matter across the entire cyber security industry. The CISSP exam covers a very wide range of domains.

ISACA focuses more on Risk, Governance and Assurance. ISACA accredits Auditors and Data Privacy experts. Their logo looks exactly like the tab of acid I did in high school.

CSA focuses on Cloud Security. Cloud Security Alliance is responsible for the STAR registry, a repository of publicly available security practices implemented by cloud service providers.

All these types of organizations survive on dues and training courses, all have their internal politics and infighting but at least with ISC2 and ISACA my confidence in the difficulty and breadth of testing is sufficient to provide reasonable assurance. CSA is new, but they filled the gap that needed filling when the other two were looking elsewhere, they offer a lower barrier to entry into a field with a wide talent gap.

All will have an entry level program to get you accepted as a member (someone now paying dues every year). You want to take advantage of this as soon as possible to get registered and get your “number”. And please pay attention because I am giving you a million-dollar tip here. I am a random guy on the internet but ask a friend or relative who is a plumber, electrician, or any tradesman “Does it matter that your license number is lower than the other guy?” and the answer will always be “Yes!”.

Both ISC2 and ISACA have a mentor program, but the implementation is so shitty that using either is not recommended. Instead use the isc2 forums or join an ISACA Chapter to advertise your interest. If you pay attention, you will see people throughout all the conferences doing extended outreach. Someone wearing a silver CISSP pin is likely open to discussing the profession and offering some guidance and in general anyone you meet at these events that is openly advertising their affiliation is looking for more people to join.

Before finding a mentor, consider what you want your mentor to provide for you. Not everyone can provide things like “Motivation” or an “Ida Pro Subscription”. The right mentor should be able to help you achieve an objective. Becoming a CISSP, finding a Job entering and wining a CTF are all achievable, but you and your mentor must be on the same page.