Early Guide to Black Hat 2018

How to Find and Remediate Open Infrastructure Ports

Read BlogRead

Black Hat USA offers information security professionals an opportunity to keep up with the latest developments, research, and trends. Now in its 21st year, Black Hat has earned a reputation for being one of the must-attend annual security conferences for today’s information security professionals, providing attendees with a variety of options, including several tracks, to learn from the industry’s most forward-thinking thought leaders and world-renowned experts, not to mention networking opportunities with industry peers. Training sessions and briefings offer chances to learn more about software hacks, advanced cloud security strategies, penetration testing, network security, whiteboard hacking, machine learning, IoT, cryptography, forensics, ICS, malware and mobile security.

The conference runs August 4 through 9 at Mandalay Bay in Las Vegas. Here’s what you need to know to get the most out of Black Hat 2018:

By the way — Threat Stack is sending a great team to Black Hat this year, so be sure to drop by Booth #2316 when you get to the show.

If you want to find out more about what Threat Stack is doing at the show or want to pre-register for a demo of our Cloud Security Platform® or the great party we’re co-hosting on August 8, click here.

Black Hat Basics

What you need to know about the conference:

The Black Hat USA 2018 conference opens with four full days of technical training (which runs from August 4–7), followed by the main conference, which spans two days (August 6–9) and includes more than 100 specialized Briefings, Arsenal, Business Hall, and much more.

Information security professionals hailing from myriad backgrounds (academia, corporate, and government sectors) converge to engage in hands-on training, learn about the latest security trends, and participate in thought-provoking discussions about the future of information security.

How to Register

Tickets to briefings and trainings are sold separately. But either type of pass offers access to the Business Hall and Arsenal also. It’s best to hurry because the price increases as the date approaches.

Choose From 14 Specialized Tracks

Black Hat 2018 is offering more than a dozen specialized tracks to allow attendees to customize their conference experience and get the most from the many learning opportunities packed into this six-day event:

Parisa Tabriz is Delivering the Keynote 9–10 a.m., Aug. 8

Parisa Tabriz is a Director of Engineering at Google. She is tasked with making Chrome a stable and secure web browser. Tabriz has also served as a consultant to the White House U.S. Digital Service to enhance security of government technology, lectured at the Harvard Kennedy School, taught hacking to minors, and consulted with entertainment writers on cybersecurity stories.

In Back Hat 2018’s keynote speech, Tabriz will talk about making technology safer at scale for all users.

What’s in the Arsenal

Independent researchers offer demos to open-source tools that cover activity from mobile hacking to network defense. Attendees are able to interact with presenters during the demo sessions — which will run almost two hours.

Family Friendly Features

This is a conference for adults, but there is some accommodation for parents. Childcare provider Kiddie Corp will offer access to an on-site children’s program for children from 6 months through 12 years old at the the Mandalay Bay Convention Center on Aug. 8–9. Space is limited and registration is required.

A private facility for nursing mothers will be available within the child care room.

What the Website Doesn’t Tell You

This is a big conference that offers a lot of information. Lysa Myers offers some tips for getting the most out of the Black Hat conference:

  • Plan ahead to get into the sessions you really want. They do fill up.
  • This is a networking event. Set up some meetings to spend quality time with people who will be there.
  • You will get your steps in. The events are spread out over a large complex. And expect to walk around the Strip. Comfortable walking shoes may be more important than your laptop.
  • Speaking of your laptop. You should probably leave it at home. This is a conference about hacking. There will be hackers. Myers has great tips for securing your devices.
  • Finally: This conference is in the desert in August. It’s going to be hot. Hydrate!

Remember the first tip is about planning. So let’s take a look at the trainings and briefings you may want to focus on:

Key Trainings

Before the conference, there are four days of training sessions. For many of the sessions, students will need Amazon Web Service, Microsoft Azure, and/or Google Cloud Platform accounts.

Here are some of the interesting courses:

Cloud Security Hands-On (CCSK Plus V.4)

Trainer: James Arlen, Contributing Analysts at Securosis

Aug. 4–5 & Aug. 6–7

  • What to expect: Not only is this an explanation of cloud security issues and fundamentals, it’s a preparation course for the Cloud Security Alliance CCSK version 4 exam.
  • Who should take this course: This course is designed for security professionals who need to manage cloud security. Students will need a laptop that can connect to Amazon Web Services and make SSH connections.
  • About the instructor: James Arlen is a Contributing Analyst at Securosis and part of the security team at a major cloud provider. He has been implementing information security solutions for more than 15 years.

Advanced Cloud Security and Applied Devsecops

Trainer: Rich Mogull, Founder of Securosis

Aug. 4–5

  • What to expect: The first day will feature a discussion of cloud technologies, how they are built and their security issues. The second day is hands-on training that focuses on designing secure cloud architectures and building a SecDevOps toolkit for managing cloud security.
  • Who should take this course: Security professionals who want to expand their knowledge of cloud security and SecDevOps.
  • About the instructor: Securosis founder Rich Mogull has 20 years’ of experience in cloud security, data security, application security, emerging security technologies, and security management.

Automated Defense Using Cloud Services For AWS, Azure and GCP


  • Madhu Akula, Security Ninja and DevOps Researcher
  • Subash SN, Security Engineer at Appsecco

Aug. 4–5

  • What to expect: Students will learn how to develop automatic defenses for cloud infrastructures using serverless technologies and Elastic Stack. The training will focus on Amazon Web Services (for most of the examples), Microsoft Azure, and Google Cloud Platform.
  • Who should take this course: Anyone who wants to automate security monitoring.
  • About the instructors: Madhu Akula is a Automation Ninja and Subash SN is a security engineer at Appsecco. Both are involved in making secure infrastructures at scale.

AWS & Azure Exploitation: Making The Cloud Rain Shells!

Trainer: Bryce Kunz, Information Security Researcher

Aug. 6–7

  • What to expect: Learn how to apply cloud-penetration testing techniques to Amazon Web Services and Microsoft Azure environments. Students will learn tactics, techniques, and procedures for infiltrating and expanding cloud platform access.
  • Who should take this course: Students with some penetration testing experience who want to apply penetration testing to cloud environments.
  • About the instructor: Bryce Kunz is an information security researcher specializing in exploiting cloud environments in Salt Lake City. Kunz has worked on vulnerability research and penetration testing for national security agencies and tech companies.

Data Breaches: Detection, Investigation and Response

Trainer: Sherri Davidoff, CEO of LMG Security

Aug. 4–5

  • What to expect: Learn strategies for detecting and containing different types of breaches — including cloud account breaches, internal compromise, lost/stolen device, and ransomware. There will be a hands-on lab for analyzing and scoping the breaches.
  • Who should take this course: network and computer forensic professionals, incident response team members, law enforcement officers, and networking professionals. Basically anyone with a technical background who might be asked to investigate a data breach.
  • About the instructor: Sherri Davidoff is the CEO of LMG Security with 16 years’ of experience as a cyber security professional, specializing in digital forensics, penetration testing, and security awareness training.

Practical DevSecOps – Continuous Security in the Age of Cloud

Trainer: Mohammed “secfigo” Imran, Seasoned Security Professional & Author of DevSecOps Studio and Awesome-Fuzzing projects

Aug. 4–7

  • What to expect: Learn how to handle security at scale using DevSecOps practices. The training will use real DevSecOps tools and practices. The goal is to be able to successfully hack and secure applications before the hackers can.
  • Who should take this course: Any security professional, penetration tester, IT manager, developer, or DevOps engineer who wants to make security part of their organization’s software development process.
  • About the instructor: Mohammed “secfigo” Imran has eight years’ of experience in helping organizations develop information security programs and authored DevSecOps Studio.

Hands-On Hacking Fundamentals

Trainers: SensePost

Aug. 4–5 & Aug. 6–7

  • What to expect: Learn about vulnerabilities, how to discover them, and how to use them to pwn systems. This is a hands-on course that features targeting and exploiting systems found in networks and corporations in the real world. This course will help students understand what attackers are doing and how their attacks work.
  • Who should take this course: Anyone who is starting to learn about penetration testing and hacking.
  • About the instructors: SensePost hackers have more than 18 years’ of experience training and teaching around the world.

ERP Security: Assess, Exploit and Defend Sap Platforms


  • Juan Pablo Perez-Etchegoyen, Research Overseer at Onapsis Research Labs
  • Pablo Artuso, Security Researcher at the Onapsis Research Labs
  • Nahuel D. Sanchez, Security Researcher at Onapsis

Aug. 6–7

  • What to expect: Learn to assess SAP platforms for vulnerabilities, how to exploit them to gain better understanding of the risks, and how to mitigate that risk. This course will present the latest information on SAP-specific attacks and protection techniques. There will be hands-on exercises on how to perform vulnerability assessments and penetration tests of a SAP platform.
  • Who should take this course: Information security managers and professionals who manage the security risks affecting SAP platforms.
  • About the instructors: Juan Pablo Perez-Etchegoyen, research overseer at Onapsis Research Labs, Pablo Artuso, a security researcher at the Onapsis Research Labs, and Nahuel D. Sanchez, a security researcher at Onapsis.

Adversary Tactics: PowerShell


  • Matt Graeber, Security Researcher & Reverse Engineer
  • Matt Nelson, Active Red-Teamer & Security Researcher

Aug. 4–7

  • What to expect: Increase student’s proficiency with PowerShell, the language and shell that drives automation across the Windows and Azure ecosystem. Students will learn how to configure, audit, monitor, and bypass the preventive and detective controls that PowerShell has to offer.
  • Who should take this course: Anyone who has an understanding of PowerShell basics who want to use it for developing attacks and defenses.
  • About the instructor: Matt Graeber, a security researcher and reverse engineer who specializes in the advancement of attacker tradecraft and detection, and Matt Nelson, an active red teamer and security researcher.

Key Briefings

The briefings are worth continuing professional education credits for anyone certified through ISC2. The materials presented will also be available after the Black Hat 2018 conference. These sessions are held during the two days of the conference after the training sessions are over.

Behind the Speculative Curtain: The True Story of Fighting Meltdown and Spectre

This panel discussion led by Eric Doerr, general manager of MSRC at Microsoft, Matt Linton, a chaos specialist at Google, Art Manion, a senior vulnerability analyst at CERT/CC, and Viresh Ramdatisier, head of product security at Apple, doesn’t promise all the answers when it comes to responding to massive threats and coordinating that response with other platforms. But hopefully some answers will be learned from how these organizations responded to the Meltdown and Spectre attacks.

Attention Spanned: Comprehensive Vulnerability Analysis Of AT Commands Within The Android Ecosystem

Grant Hernandez, a University of Florida graduate student, explains how AT commands can be used to trigger functions in modern smartphones. These commands designed in the 1980s for modems still have enough usability in Android devices to bypass security controls and access sensitive information.

Breaking the IIot: Hacking Industrial Control Gateways

Thomas Roth, founder of leveldown security, presents a security review of industrial control gateways — devices that connect infrastructures to centralized management systems. These systems can be attached to power grids, city infrastructures, or industrial plants. The presentation will focus on how these devices can be attacked and their security shortcomings.

Catch Me, Yes We Can! – Pwning Social Engineers Using Natural Language Processing Techniques in Real-Time

Marcel Carlsson, principal consultant at Lootcore, and Ian Harris, a professor at the University of California – Irvine, tackle social engineering with natural language processing. The approach aims to detect questions and commands that may be malicious requests for private or protected information.

Compression Oracle Attacks on VPN Networks

Ahamed Nafeez, an independent security researcher, discusses how plain-text attacks threaten VPNs via TCP compression. Attacks can be made on browser requests and responses that tunnel their HTTP traffic through VPNs, ESP Compression, and other optimizations. This briefing explores the possibility of VPN attacks, defenses, and mitigation practices.

Detecting Credential Compromise in AWS

William Bengtson, a senior security engineer at Netflix, presents a paper on the detection of compromised credentials in Amazon Web Services. Credential compromise can lead to abuses that threaten data and infrastructure security. The paper describes a way to detect compromised credentials in Amazon Web Services.

Too Soft[Ware Defined] Networks: SD-Wan Vulnerability Assessment

Sergey Gordeychik, product director for Cyber Network Defense at DarkMatter, and Aleksandr Timorin, head of the security research group in DarkMatter xen1thLab, will present on software defined wide-area network (SD-WAN) technology. SD-WAN is replacing routers for branch office connections in organizations. The firewalls and perimeter security features are attractive targets for attacks. The presenters will discuss attack surface, threat model, and real-world vulnerabilities in SD-WAN solutions, and more.

Wrangling With the Ghost: An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities

Matt Miller, a partner security software engineer working as part of the Microsoft Security Response Center, and Anders Fogh, a principal security researcher with G DATA Advanced Analytics, will discuss Microsoft’s approach to researching and mitigating speculative execution side channel vulnerabilities. This new approach was needed when a new class of vulnerabilities became known as Meltdown and Spectre.

It’s Las Vegas, Baby

This year’s conference is at the Mandalay Bay Resort and Casino on the Las Vegas Strip. In addition to the casino, it offers the Shark Reef Aquarium and Mandalay Bay Beach — a lazy river, wave pool, and beachside casino.

As mentioned, it is on the Las Vegas Strip, so it is accessible to plenty of other hotels, casinos, and non-gambling activities if you need a break from the threat analysis. Vegas isn’t only known for gambling after all, but also for incredible shows.

More Resources on Black Hat 2018 (and Las Vegas)

Other articles, news, and resources on the Black Hat conference:

Will we be seeing you at Black Hat USA 2018?

To check out what Threat Stack is doing at Black Hat this year, take a look at our Black Hat Event page. Sign up early for a demo of our Cloud Security Platform®, RSVP for our party at the Skyfall Lounge, and more.

When you’re in Las Vegas, be sure to drop by Booth #2316. We hope to see you there!

How to Find and Remediate Open Infrastructure Ports

Read BlogRead