Thousands of security practitioners, vendors, and researchers from 111 different countries packed the Mandalay Bay Convention Center in Las Vegas last week for the first in-person Black Hat since 2019. Since the 2019 Black Hat, new technologies and security providers have increased, but so have threats, actors, and social/political/economic concerns. This year’s high attendance demonstrated the desire for in-person conferences to make a full-fledged comeback, but the continued growth of cyberbreaches shows that security progress is unfortunately still lacking.

Vendor marketing teams had a shorter window than prior years to refine booth and banner messaging between the RSA Conference and Black Hat 2022. At Black Hat this year, Zero Trust messaging was surprisingly very low, while themes around risk reigned supreme. Vendor booths were varied, ranging from boxing rings to lock-picking contests, while ample LEGO swag from multiple vendors helped build encouragement from the practitioner-heavy DEF CON crowd.

Assessment and detection of assets and threats or recent acquisitions were highlighted in many booths, especially from the startups in “Innovation City.” Recent calls for security collaboration have meant vendors are no longer shying away from keeping data for themselves and are exposing APIs for the benefit of the security community. Startups are using these APIs to ingest whatever data they can and provide their own proprietary risk scoring and prioritization. Expect more vendor entrants into this asset/threat prioritization and prediction space, some of which will eventually get bought by larger vendors.

The keynotes from ex-CISA director Chris Krebs and long-time security journalist Kim Zetter reiterated a similar theme that, in the 25 years since the first Black Hat, we are not more secure. Krebs offered an optimistic approach and was encouraged by emerging innovations of security products, predicting that tools will help improve security, but first, due to humans’ constant need to connect things to the internet, things will get worse. He referenced a quote from Daniel Miessler underlining that software remains vulnerable because it’s not beneficial yet. Zetter echoed the sentiment that security must (and slowly is) becoming a business problem and that security fundamentals must improve. She added that the Colonial Pipeline breach taught us that maintenance, user training, and incident response plans are the most important means to keep organizations secure.

Black Hat attendees came decked out in their T-shirt best, with phrases like “I spy with my APIs” and “Exploit Wednesday” weaving throughout the conference. My favorite t-shirt was Simon Pavitt’s “I AM LYING TO YOU” during his and Stephen Dewsnip’s briefing “‘No Mr. Cyber Threat!’ – A Psychological Approach To Managing the Fail-to-Challenge Vulnerability.” In their talk, they addressed how security practitioners can use gamification to change end user behavior by thinking of security training as “level one” of a video game. They make their social engineering training easy by wearing obvious T-shirts and labeling USB drives “VIRUS” or “EVIL.” By giving users easy wins, they’re rewiring their psychological process of identifying threats. Vulnerability management vendors such as Balbix have added gamification, and it will be interesting to see if other products and vendors apply Pavitt and Dewsnip’s research.

Lastly, a tip to organizations looking to meet with a new (or perhaps any) analyst during a big, vendor-agnostic conference like Black Hat: Analysts invest a lot of time scheduling and mapping out routes to our next meeting at a conference. Make it easy for me to find you! One organization texted me a hallway view of our coffee shop meeting location, with a large arrow drawn toward their table. Others held signs (limo driver-style) outside elevators. Some folks looked up my Forrester or LinkedIn photo in advance. This optimizes your analyst meeting time and helps keep me on schedule for my next meeting.