Written by Tianyi Lu, Chief Architect
Compared to larger security conferences, such as Def Con or Black Hat, DerbyCon is more intimate. For me, this means that I’ll have more opportunities to engage speakers and have meaningful conversations. This intimacy is by choice: the conference is quite exclusive, with tickets selling out within minutes of being released.
If you’ve never attended, DerbyCon is held annually in Louiseville, KY and is typically attended by several thousand attendees that range from individual cybersecurity contractors to high-level security architects from major companies like Facebook, Google, Twitter, Walmart, and so on.
Moreover, it’s rumored that undercover agents from the NSA, FBI, and CIA are in attendance every year.
Seeing Red
Compared to other conferences, DerbyCon is heavily focused on the red team, with most of the talks being about exploits, how specific exploits/malware operate, and the TTPs (Tactics, Techniques, and Procedures) that malicious actors – members of the “red team” – utilize.
Understanding how malicious actors – the “red team”, as it were – operates is important in understanding how to defend against them.
The blue team – cybersecurity firms and defenders (like us) – are constantly working to reverse engineering the thinking and reasoning employed by the red team. This is a constant struggle that we must participate and lead if we are to be successful in keeping the web – and our clients – secure.
Takeaways From a Talk About App Security
Tech companies value their security and the security of their users. No company wants their name, product, or operating system tied to the next big breach.
In one interesting talk I attended, Apple described their new built-in security features in the latest version of MacOS. Called code signing applications, it effectively acts as a digital notary. Developers seeking to create a new app for the Mac or iOS ecosystem are required to register with Apple and have a valid developer ID. This ID works with a security agent on the Mac (called the Gatekeeper) and is designed to ensure that the apps users are downloading are legitimate and safe.
Unfortunately, Gatekeeper is quite easy to bypass and thus doesn’t provide more than a cursory level of security. This is a prime example of why it’s important to take security seriously and be diligent. Even though device manufacturers go to lengths to secure their products and ecosystems, the red team is working just as hard to circumvent them.
Cat and Mouse
Every year DerbyCon unveils several 0-day exploits. These exploits – security gaps found in code that haven’t been patched or discovered by their respective vendors – represent a very real risk to people and organization utilizing the affected software. These exploits are not created by DerbyCon, but are “released” in that security professionals and researches disclose them publicly for the first time.
0-day exploits are particularly dangerous because the red team often takes advantage of them, using them in ways and antivirus/antimalware software often doesn’t recognize.
As usual, it’s an ever-evolving game of cat and mouse. As there is no singular security tool that can subdue the reds, we reply on changing the economics of an attack via a “security in layers” approach. Given that no one method or tool is invulnerable, this layered approach has demonstrated itself to be the most economical and effective way of approaching security.
By having many layers of defenses that work in concert with each other, you deter attackers and make yourself an unappealing target. Resources are limited, and carrying out an attack requires a financial and labor commitment. By being more secure than your peers, you become a less appealing target, and attackers will shift their efforts elsewhere.
We’ll See You at DerbyCon 2019!
All told, this years DerbyCon was an eventful one with great information and excellent opportunities to connect with security professionals from all over the United States (and the world). We will be back again next year.
Until next time!
