I’ve been attending DEFCON since 2012, and I consider it one of the top cybersecurity conferences in the world. The reasons are clear: the pervasive security culture, the strong community that has grown around this event, and the high technical level of the talks that delve into the latest trends in the sector.
I want to highlight three of those cybersecurity trends that hooked me from the most recent edition, DEFCON 32, and will be setting our agenda for the coming years.
What Is DEFCON?
DEFCON is often called a ‘hacker convention’. It has been held annually in Las Vegas, Nevada since 1993 and, today, attendees come from a broad range of backgrounds, including computer security professionals and security researchers.
This means that DEFCON brings together a wide range of perspectives from various industries and security levels, aiming to incorporate and address the diverse challenges faced across the cybersecurity landscape.
Given the variety of actors involved, the conference is divided into ‘villages’ – dedicated spaces arranged around a specific topic, for example Aerospace Village, Biohacking Village, and Social Engineering Village.
Two of the biggest villages are the Red Team Village and the Blue Team Village. These are based around the idea of Red Team – a group that takes the role of the enemy to identify security flaws and expose them – and the Blue Team – the team that designs defensive measures against attacks.
This year at DEFCON, nearly a hundred renowned speakers came together to share their knowledge and experience with the cybersecurity community, focusing on the trends that have emerged throughout the year. Let’s look at some of the standout trends from DEFCON 32.
Trend 1: Bypassing EDRs
In a year marked by the unusual atmosphere following the CrowdStrike outage and Kaspersky’s banned operations in the US, DEFCON saw several presentations on Advanced Exploitation Techniques and security bypass methods, particularly those focused on evading Endpoint Detection and Response (EDR) systems.
Three presentations stood out in this broad discussion: EDR evasion tool BOAZ, the HookChain technique, and a talk by Volexity which looked at Defeating EDR Evading Malware with Memory Forensics.
Let’s have a look at these discussions in more depth, and how these challenges affect the traditional cybersecurity ecosystem.
BOAZ
In Thomas X. Meng’s BOAZ presentation, we saw the effectiveness of antivirus (AV) solutions against eighteen open-source evasion frameworks. No AV could detect all evasion techniques, and no evasion tool could bypass all AVs. The study highlights the limitations of AVs, which rely on signature and heuristic engines to balance performance and security.
Enterprises and users often make EDR the backbone of their cybersecurity, treating it both as a core framework and as the last line of defense. These findings, however, suggest that, by understanding AV detection methods, it’s possible to combine techniques to bypass security without using commercial tools or zero-day exploits.
To find out more, you can read about the project here: BOAZ Evasion and Antivirus Testing Tool (for educational purpose).
HookChain
In another presentation, Helvio Carvalho Junior underscored the fallacy of believing that using a top-rated solution guarantees 100% security.
His HookChain technique demonstrated a high success rate against the top fifteen EDR solutions in the Gartner Magic Quadrant market research reports, offering a fresh perspective on bypassing EDR security.
Carvalho did not aim to rank the effectiveness of any particular EDR; rather, his research reinforces that no security method or device is 100% reliable. This means that a comprehensive cybersecurity strategy should be built on complementary solutions that provide visibility and resilience against potential breaches, ensuring that weaknesses in one area are covered by strengths in another.
You can see the slides from Carvalho’s presentation here: HookChain technique: A new perspective for Bypassing EDR Solutions.
Defeating EDR Evading Malware with Memory Forensics
Volexity presented a talk offering an in-depth analysis of various EDR evasion techniques from a forensic perspective.
They highlighted how attackers continually develop methods to evade detection while pursuing goals such as code injection and credential theft.
These evasion strategies often target the most fundamental layers of hardware and software, including call stacks and system calls. As a consequence, EDRs struggle to maintain their effectiveness.
See the slideshow from Volexity’s talk here.
This trend should make companies think about what their strategy would be if their EDRs were breached. What complementary solutions provide sufficient visibility and alerting about possible breaches to drive their response?
Trend 2: Evolving Command and Control
Another notable trend I observed at this edition of DEFCON is the significant focus on innovating Command and Control (C2) frameworks, systems, and infrastructures.
The Red Team Village scheduled a range of compelling talks on this topic:
- In one presentation, New Skill Unlocked: C2 Infrastructure Automation, the speakers showcased a suite of tools and knowledge for creating scalable, operationally secure C2 infrastructures through automation.
- Another, titled ‘Bespoke C2s’, highlighted methods for crafting unique C2 servers for each engagement by leveraging various programming languages, obfuscation techniques, and communication protocols.
- I found all of this fascinating – but the most significant development, in my opinion (because of its detection implications), was a presentation on Google Command and Control (GC2). This is the first serverless C2 framework that leverages Google Docs and Microsoft Graph for communication and data exfiltration. While this project began a few years ago, its maturity, compatibility and the innovative use of different Application Programming Interfaces (APIs) and infrastructures, particularly Microsoft Graph, showcased at DEFCON, highlight a growing trend in evading traditional security stacks. It’s also worth noting that C2 frameworks using platforms like WhatsApp, Telegram, and Discord are becoming increasingly effective for attackers and increasingly common in the wild. This approach to C2 infrastructure architecture poses a significant challenge to traditional detection methods, as connections to Google and Microsoft APIs (and to Reddit, GitHub, and so on) and their infrastructures (such as domains, IPs, and Google and Microsoft certificates) are very common in corporate environments.
Living off the Land (LotL) techniques, now prominent across nearly every stage of the cyber kill chain, essentially exploit the common, native components of the victim’s system to carry out attacks. This makes them particularly challenging to detect and mitigate, underscoring the critical need for companies to enhance traffic monitoring and pay close attention to any anomalies in their networks.
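Because a C2 channel riding on Google Docs or Microsoft Graph cannot be blocked by domain, certificate or IP, the defensive signal has to come from behaviour. One such signal is timing regularity: an implant polling a cloud API for tasks tends to connect at a near-fixed interval, whereas a user’s traffic to the same host is bursty. The following script is an added, hypothetical example written for this article (it is not a Lumu, GC2 or DEFCON tool); it parses a constructed proxy log and flags client/host pairs whose inter-connection gaps have a low coefficient of variation. The log format, the host names and the thresholds are all assumptions.

```python
"""Flag periodic 'beaconing' to otherwise-legitimate cloud API hosts in proxy logs.

Hypothetical detector written for this article, not a vendor or conference tool.
Assumed input format, one connection per line:
    <ISO8601 UTC timestamp> <client> <destination host> <bytes sent>
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample proxy log (not real traffic). ws-017 contacts graph.microsoft.com
# about every 60 s, the polling pattern a cloud-API C2 implant typically shows;
# ws-042 is an ordinary user whose traffic to the same host is bursty.
SAMPLE_LOG = """\
2024-08-10T09:00:00Z ws-017 graph.microsoft.com 512
2024-08-10T09:00:05Z ws-042 graph.microsoft.com 20480
2024-08-10T09:00:07Z ws-042 graph.microsoft.com 3310
2024-08-10T09:00:09Z ws-042 graph.microsoft.com 880
2024-08-10T09:01:01Z ws-017 graph.microsoft.com 498
2024-08-10T09:01:59Z ws-017 graph.microsoft.com 503
2024-08-10T09:03:00Z ws-017 graph.microsoft.com 511
2024-08-10T09:04:02Z ws-017 graph.microsoft.com 509
2024-08-10T09:04:58Z ws-017 graph.microsoft.com 497
2024-08-10T09:06:00Z ws-017 graph.microsoft.com 505
2024-08-10T09:07:01Z ws-017 graph.microsoft.com 502
2024-08-10T09:07:59Z ws-017 graph.microsoft.com 499
2024-08-10T09:09:00Z ws-017 graph.microsoft.com 508
2024-08-10T09:12:30Z ws-042 graph.microsoft.com 45120
2024-08-10T09:12:31Z ws-042 graph.microsoft.com 1200
2024-08-10T09:30:00Z ws-042 docs.googleapis.com 7770
2024-08-10T09:40:00Z ws-042 graph.microsoft.com 9030
2024-08-10T09:40:04Z ws-042 graph.microsoft.com 650
2024-08-10T10:15:00Z ws-042 graph.microsoft.com 31200
2024-08-10T10:15:02Z ws-042 graph.microsoft.com 412
2024-08-10T10:15:03Z ws-042 graph.microsoft.com 2290
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, host, bytes_sent) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, sent = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, client, host, int(sent)))
    return records


def pair_stats(records):
    """Per (client, host) pair: connection count, mean gap in seconds, and the
    coefficient of variation (stdev / mean) of the gaps. cv is None when there
    are too few connections to measure regularity."""
    times = defaultdict(list)
    for when, client, host, _ in records:
        times[(client, host)].append(when)
    stats = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            stats[pair] = {"count": len(stamps), "mean_gap": None, "cv": None}
            continue
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        stats[pair] = {"count": len(stamps), "mean_gap": mean, "cv": cv}
    return stats


def find_beacons(text, min_connections=8, max_cv=0.1):
    """Return sorted (client, host) pairs whose timing is regular enough to look
    like task polling. Thresholds are illustrative assumptions: tune them against
    your own baseline, and expect implants that add large random jitter to need an
    additional signal (payload-size uniformity, time-of-day coverage, and so on)."""
    flagged = []
    for pair, s in pair_stats(parse_log(text)).items():
        if s["count"] >= min_connections and s["cv"] is not None and s["cv"] <= max_cv:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    for (client, host), s in sorted(pair_stats(parse_log(SAMPLE_LOG)).items()):
        print(f"{client:8} {host:22} n={s['count']:2} mean_gap={s['mean_gap']} cv={s['cv']}")
    print("beacon candidates:", find_beacons(SAMPLE_LOG))
```

Run against the constructed log, only ws-017 → graph.microsoft.com is flagged: its ten connections are 60 s apart on average with a coefficient of variation under 0.05, while ws-042’s gaps to the same host vary by more than 100% of their mean and its two-connection pair to docs.googleapis.com is below the minimum count. The point of the design is that the destination is never used as evidence; only the client’s behaviour toward an allowed destination is.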
Trend 3: AI Is a Reality in Cyber Attacks and Security
Over the past two years, AI integration in cybersecurity projects was often experimental, with techniques and frameworks incorporating AI almost as a proof of concept. However, this year marked a significant shift, particularly with the inclusion of Large Language Models (LLMs) in both attack and defense strategies.
LLMs have been actively integrated into various attack simulations, enabling Red Teams to better mimic adversaries’ potential AI-driven tactics. On the defensive side, Blue Teams are leveraging these systems to enhance their efficiency, allowing for faster and more effective responses to threats.
In one presentation, GHOST in the Model: Generating AI-Assisted Threat Models for Efficient Offensive Security Testing, I saw how GenAI LLMs are pushing the boundaries for penetration testers and Red Teams, enhancing security efforts right from the design phase.
In another talk, I was impressed by the effectiveness of open-source AI tools in accelerating vulnerability detection.
A key takeaway, however, is that as AI advances attack simulations, it inevitably benefits real attackers, enhancing their skills and making their operations more efficient.
As a final point, the widespread adoption of AI tools is opening up a fascinating new field of action, not just “AI in cybersecurity” but “cybersecurity for AI”. This emerging domain is becoming the next frontier for cybersecurity researchers and, inevitably, attackers as well.
The possibilities are vast, and DEFCON’s AI Village showcased numerous talks on techniques like prompt injections and data poisoning. It’s clear that this topic is set to become a central focus of future conferences.
DEFCON 32 – My Final Thoughts
Now that DEFCON 32 is all wrapped up, what are my big conclusions, and what are the things that will keep me up at night?
Firstly, I am delighted that DEFCON continues to grow, consistently adopting the latest trends in the cybersecurity world to share with a community of all skill levels. Its unique and vibrant atmosphere is always focused on spreading knowledge in a way that’s both engaging and impactful.
This year, I saw that advanced exploitation techniques against traditional security tools such as EDR are on the rise, challenging the conventional security stack and forcing a rethink in search of measures that provide a true last line of defense when any single stage is bypassed.
Taking into account the three trends which stood out to me (EDR bypassing, evolving C2, and the growth of AI), no security tool or system provides companies with 100% security; companies must seek visibility in different ways.
My observations at DEFCON 32 reinforced to me the importance of following network traffic and anomalies. Lumu Defender ‘fills the gaps’ of a traditional security stack, and catches many dangers that might bypass a traditional firewall or EDR. If you don’t already have it, open a Lumu Free account today to start gaining better visibility on your network.