Denim Group has been acquired by Coalfire. Learn More>>

Bringing Sanity to BlackHat Week – A Survival Guide for First-Timers

Ahhhhh. BlackHat Eve. That week before Black Hat where overworked security folks all over the world attempt to clear out their email inboxes prior to jetting out to Las Vegas for a week in enclosed conference centers with thousands of other like-minded security nerds. But when we talk about Black Hat as a singular event – a monolithic entity – that is a misnomer. Really, what I’m talking about are the three organized conferences that take place almost simultaneously: Black Hat USA 2016, DefCon 24, and B-Sides at Mandalay Bay, Paris, and Tuscany Suites & Casino respectively. Throw in the countless vendor parties, press events, and good old fashioned meet ups that occur during the week of August 2-6, 2016 in Las Vegas and you have more “stuff” than any normal human can consume. What this week has become is the largest aggregation of security pros, hackers, wannabes and newbies who use the word “cyber” as a standalone noun at their own expense.


So what do we have to look forward to? Aside from a week of dehydration, fallen arches, and inevitable hangovers…

There are a multitude of sessions at the three formal conferences to choose from. How does a reasonable person make a choice of what to hit in a week in Vegas given the limits of time and geography? Bree Fowler, of the Associated Press, posed the question in New York City earlier this June, and I had no real answer. What follows is my feeble dissection of a list that is too big to curate. What are likely to be the tasty sessions based purely on the pre-conference hype and well-written conference abstracts? What will likely play out next week at one of the largest security conferences in the world? Here we go!

Tasty Sessions

Yes, picking cool sessions is largely a hit or miss activity based upon pre-conference buzz and appealing abstracts. As next week draws closer, the realities of time, space, and geography kick in and some serious choices on what to attend and what not to attend come in to play. As a hardened security guy this is an unscientific list of what I want to see. I hope that one or two might be worth penciling in to your itinerary too.

BlackHat USA 2016

Dan Kaminsky, The Hidden Architecture of Our Time: Why This Internet Worked, How We Could Lose It, and the Role Hackers Play, August 3, 9:00 – 10:00 am.

Dan Kaminsky’s keynote is likely a top 5 “can’t miss” session for the week. He might even have one or two surprises up his sleeve – he usually does. The world is changing, and the Internet needs to change with it too. Dan will tackle the role of government in this change. No doubt big picture stuff, but we that for starting off Black Hat on a strong note.

Bryant Zadegan and Ryan Lester, Abusing Bleeding Edge Web Standards for AppSec Glory, August 3, 10:20 – 11:10 am.

Web applications remain a primary attack vector in spite the fact they have been so for nearly a decade, according to analysts like Gartner. Given how fast organizations are moving to implement DevOps, application security will become even trickier. The latest on how to play appsec whack-a-mole should be interesting and Bryant and Ryan are really smart guys.

Zinaida Benenson, Exploiting Curiosity and Context: How to Make People Click on a Dangerous Link Despite Their Security Awareness, August 3, 11:30 am – 12:20 pm.

Phishing remains a top attack vector attacking layer 8 (humans). I have no doubt that new and unusual ways to dupe users will be revealed in this session. Although this is a well-trodden area, phishing seems to evolve and mutate. This session will be well worth hitting to hear details on the latest evil.

Jeff Melrose, Drone Attacks on Industrial Wireless: A New Front in Cyber Security, August 3, 1:50 – 2:40 pm.

Drones – heck yeah! You can will one of the numerous giveaway drones from the expo floor and put it right to work after Black Hat. Seriously, as an ex-Air Force guy this is right up my alley and will no doubt be a mind bender and departure from the standard vulnerability talks.

Peleus Uhley, Design Approaches for Security Automation, August 3, 4:20 – 5:10 pm.

I don’t have to tell you that security automation is the way of the world. If you’re a security person stuck in the bowels of and trying to dance with the DevOps team, this will be worth hitting to up your automation IQ. It is where the world will end up in the not-too distant future.

Kenneth Geers, Cyber War in Perspective: Analysis from the Crisis in Ukraine,

August 3, 5:30 – 6:00 pm.

OK, a deeper analysis of the Russian (?) attack on the Ukrainian power grid is probably worth hearing. Although the potential for chicken little sky is falling buzzword overload might be present, I think the case study of what happened in the Ukraine is important for all to understand in this age where attacks have morphed from defacements and data loss to out-for-count downtime.


Jack Daniel, Hire Ground, August 2, 11:00 – 11:30 am.

Jack Daniel is a security community institution, the heart and soul of B-Sides, and a must meet if you haven’t. This session is likely going to be a great way to kick off B-Sides once you make it to the Tuscany Suites. One burning question for B-SidesLV 2016 – Can Jack out-do his all-Denim suit from last year?


Unfortunately, at the same time is another one:

Wendy Nather and Dean Webb, Network Access Control: The Company-Wide Team Building Exercise That Only You Know About, August 2, 11:00 – 11:30 am.

Wendy is another security community institution – former CISO and industry analyst, and current security expert at the Research Director at Retail Cyber Intelligence Sharing Center (R-CISC). Wendy is a great speaker – I like the topic, but that’s almost inconsequential as I’d recommend attending a Wendy session regardless of the topic. Key question for 2016 – What color of hair will Wendy have this year?

Chris Eng and Wendy Everette, Security Vulnerabilities, the Current State of Consumer Protection Law, & how IOT Might Change It, August 2, 2:30 – 3:00 pm.

A meaty topic that touches IoT and consumer protection laws – unfortunately unchartered territory for government, regulatory agencies, and the security industry. I’ve been on the speaker’s circuit with Veracode veterans Chris Eng and Chris Wysopal for a time, and have no doubt Chris Eng will push us to think about the coming privacy concerns that IoT will represent for all of us as consumers.

Andrew Morris, Flaying out the Blockchain Ledger for Fun, Profit, and Hip Hop, August 2, 2:00 – 2:55 pm.


Rod Soto & Joseph Zadeh, No Silver Bullet. Multi contextual threat detection via Machine Learning, August 3, 10:35 – 11:30 am.

Blockchains and how they might be used to build trust models and secure things is a hot topic in security circles. Machine learning is no different and is a potential game changer for the industry, making this session worthy of attendance. If you can’t make these, make sure to catch at least one other on blockchains and machine learning because they will likely have a huge effect on what we do.

Defcon 24

Matteo Beccaro and Matteo Collura, (Ab)using Smart Cities: The Dark Age of Modern Mobility, August 4, 1:00 pm.

With everything connected, the doomsday scenarios of shutting down a city becomes less and less science fiction and more and more someone’s problem to solve. This session will either get you thinking or make you buy that small home in the country off the grid. Should be fun.

Evan Booth, Jittery MacGyver: Lessons Learned from Building a Bionic Hand out of a Coffee Maker, August 6, 11:00 am.

From a pure curiosity standpoint, this session might be worth attending. You’ll never look at that office coffee maker the same way again either way.

Fred Bret-Mounet, All Your Solar Panels Are Belong to Me, August 6, 4:30 pm.

Oh my! Last year it was guns, this year solar arrays.


I can’t even begin to think of the many bad things that can happen from someone taking over an entire solar array, but I guess we’re going to find out. This will bring an entirely new take on renewable energies – you can new renew your root access credentials conveniently, courtesy of the manufacturer.

As you get a sense, there are hundreds of great sessions next week. None of us will do justice to all of them, but perhaps between physical attendance and social media we won’t miss the Jeep hacking equivalent of 2016. Good luck. We’ll see you out there next week. @johnbdickson.


About John Dickson

John Dickson web resolution

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years’ hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.
More Posts by John Dickson

Leave a Reply

Your email address will not be published. Required fields are marked *