As an end-of-year highlight I was able to attend the Blackhat Europe 2024 conference and trainings in London from the 9th to the 12th of December.
To properly put my experiences in order and actually publish other content than just HTB on my little page, I wanted to summarize the event in writing[1].
Trainings
For the first two days, before the main conference, I had the privilege to attend the Advanced Cloud Incident Response in Azure and Microsoft 365 training hosted by Invictus Incident Response B.V.
In there I learned exactly about the topics as they were advertised in the curriculum on the Blackhat website. It was a very informative and hands-on experience with lots of bits of knowledge that one could immediately make use of in their own cloud environment.
Since I am not sure about how in-depth I can go about the course content, I err on the side of caution and won't mention anything that goes beyond the publicly available information. Which is actually a lot, since Invictus is also offering the course in an on-demand setting. Here you can see in a lot more detail what this course is all about.
After collecting my badge (and needlessly walking the entire length of the ExCeL centre twice) I headed up to the third floor where all the trainings (and later that week all the talks) would happen.
In the training room I found a paper copy of the course material as well as credentials for the cloud training environment. A bit later I also received the digital version of the slides. So this all felt very familiar to your usual SANS course.
Across those two days I greatly appreciated the strict focus on the Azure cloud and M365. When trying to compare this course to something like SANS SEC541, I felt the singular focus allowed it to go way more into detail about attacks and what log artefacts you can expect to find. SEC541, as is the case with most SANS courses, taught you a lot of “advanced surface-level” information about almost every security monitoring feature of AWS and Azure. Alongside the information from the slides, plenty of real-world examples from cloud incidents helped make this whole topic more tangible. All in all I learned a lot about how attacks happen in the cloud, how some of them differ when compared to on-premise and, most importantly, how one can prevent or at the very least detect them. When you have taken this course you will also forever remember the two most important words in Azure: DIAGNOSTIC SETTINGS (well.. until Microsoft decides to rename this feature anyways).
On the second day there was also a combined CTF event which featured both Azure and M365 log data. I approached this event completely as a CTF-player with the intention to win, since I knew my fellow students were also very capable of winning. So this meant my documentation of used KQL queries was “very rough” aka “hitting CTRL+Z a bunch” and I was more focused on answering the questions than taking in all the information the logs had to offer.
And after basically 90 minutes of pure flow-state and some more time for solving the remaining labs I was able to achieve a perfect score across all the labs/CTF tasks. It very much helped that some rather ambiguous questions did result in penalty points if answered incorrectly.
Conference
Talks
Since the conference is jam-packed with talks and, as far as I know, you cannot publish your talk beforehand in any shape or form, you can expect cutting-edge topics to be presented. It helps to have a rough idea of what talks you want to attend beforehand, so that you don’t spend most of your breaks figuring out where to go next. The Blackhat app made planning quite convenient, since it also notified you about overlaps, which are easy to avoid when looking only at talks, but can be an annoyance when also including the Arsenal and other business hall events.
Business Hall
Yeah, I had no idea what to expect for this part, even after reading the description on the Blackhat website. Turns out it's just a large venue with lots of vendor stalls and other smaller events (which will be addressed soon). I’d recommend not having any purchasing power. I don’t know if the amount of sales talks would have increased or just gone on for longer, but without any, the vendor talks were okay. But in any case your conference badge will be scanned by the vendors, which contains your provided contact info. This means in the days after the conference you will get quite an amount of marketing mails. I even got mails from vendors that I did not visit… they must have sniped a picture of the QR code even when I was just walking past the stalls (maybe).
Bricks & Picks
If you have some time to kill, this area can be quite fun. Basically you can compete in LEGO and lock-picking competitions. There was also a community event, where you are given instructions on how to fill out a 10x10 plate with LEGOs for the large Blackhat mosaic. For each completed plate you earned one ticket for a raffle to win a LEGO Blackhat NOC set. There is no limit on the amount of tickets you can earn. So if you really want that set you can no-life this event and get dozens of entries for the raffle to increase your chances.
Arsenal
In this section of the business hall, members of the infosec community showcase their open-source developed tools and answer your questions. While I had written down several tools before the conference, in the end the only one that I still use regularly is Penelope: a simple yet powerful reverse shell handler, written in Python, that comes in a single file and works with the standard Python libraries.
(Personal) Conclusions
Be social: since I am already in the field I did not have to network as a means to gain a foothold. Nonetheless about 107 countries were present, so there is lots of potential to gain new insights/views about basically anything. Then again this is a “hacker conference”, so you might want to keep OPSEC in mind and not readily overshare.
Experiment with talks: descriptions and titles are only part of the story. When in doubt just go with your gut feeling. Even if the talks were “only” good, not excellent, you still listened to a good talk and got new insights into different topics from it.
Taking the pulse of infosec: when looking at the entire conference you will get a big picture of the current trends and developments in the field. You also won't find topics here that could be described as “it could have been a blog post”.
Footnotes
[1] Yes, I know that this event happened a few months ago… I might have been busy with other stuff and could not finish this post.