Blue Team Con 2024: Sharing Security Insights and Defense Strategies in Chicago
From the Chicago shoreline, Lake Michigan looks like an ocean until you go to the top of one of the many towering skyscrapers. Then, you can see Indiana and Michigan across the water in the distance. From ground level at the shores of those two states, it is easy to see the iconic silhouette of Chicago. The lake doesn't feel quite as big with a little perspective change. The world of cybersecurity is a lot like that lake; without the proper context and perspective, it can seem like an insurmountable sea of threats and alerts. Fortunately, elevating knowledge level and sharing information to gain a clearer vision of how to improve cybersecurity is what we got to do at Blue Team Con 2024.
Early September saw Chicago welcome over 700 cybersecurity professionals and students to this amazing event with two speaking tracks offering 30 different sessions, two full days of workshops, villages, an Unconference, and more. All the content focused on helping the "Blue Team," those cybersecurity defenders, including anyone interested in safeguarding organizations.
Here are just a few of the highlights from Blue Team Con 2024.
Understanding the Open Source Software Landscape
Blue Team Con was fortunate enough to have Aeva Black, Section Chief, Open Source Security, at CISA as the event keynote. In their presentation "How to Be a Responsible Consumer of Open Source Software," Aeva began with a reminder of how pervasive open source software (OSS) has become, even citing the federal copyright laws and cases that led to this approach to software being adopted by industry. Unfortunately, most open source is developed without economic benefit proportional to the value it provides, leading to issues like those seen in the XZ Utils attack.
The section chief then explained a few examples of a different kind of law to sum up the problem. First, an adaptation of Marten Mickos' Law:
"Companies have money but no time. Communities have time but no money."
They cited Linus' Law: "Given enough eyes, all bugs are shallow," and introduced us to the corollary, "Given too few eyes, all software contains issues." We need to find a better path toward working together and sharing resources now, before the owner of your favorite repositories simply stops maintaining their projects. To learn more about how to defend and support open source, they directed us to the CISA website's Open Source Security resource guide.
Understanding vulnerabilities takes multiple perspectives
Omer Tal, Security Researcher at Seemplicity, presented "Building on CVSS, EPSS, and KEV: A Practical Approach to Vulnerability Prioritization." The number of new CVEs every day is skyrocketing. Prioritizing which ones to address has become increasingly complex, and trying to rely on one metric alone leads many organizations to waste time on issues that might not affect them.
Tal broke down three frameworks, each approaching the topic from a slightly different perspective:
- CVSS - Common Vulnerability Scoring System. This is a universally applied system with a score available for every CVE, but the score is static. It cannot take into account other elements like reachability or compensating security controls in your environment.
- EPSS - Exploit Prediction Scoring System. This model uses machine learning to predict the likelihood that a vulnerability will be exploited, and it is getting better over time. However, the model has blind spots for older vulnerabilities and for the context in which software is used.
- KEV - Known Exploited Vulnerabilities. This is a curated catalog of vulnerabilities actively exploited in the wild, providing verified threat intelligence along with remediation guidance that has proven successful. It is limited in scope and only ever looks backward, with no prediction model for emerging threats.
Tal proposed using a prioritization model that accounts for all three of these scoring systems. For example, a new CVE with a CVSS of 7, an EPSS of less than 1%, and no KEV entry might rank lower than one with many KEV entries and an EPSS of 75%. He ended by urging us all to use any and all data we can gather when prioritizing the vulnerabilities to address, and to leverage automation wherever we can.
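One way to express Tal's combined approach in code, as an added example that is not from the talk or the original post. The weights, tier thresholds, the `reachable` context flag and the sample findings are all assumptions made here, and the CVE ids are constructed placeholders, not real entries.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding with the three signals the talk discussed."""
    cve_id: str          # constructed placeholder id, not a real CVE
    cvss: float          # CVSS base score, 0.0 to 10.0 (static severity)
    epss: float          # EPSS probability, 0.0 to 1.0 (predicted exploitation)
    in_kev: bool         # listed in the CISA KEV catalog (confirmed exploitation)
    reachable: bool = True  # assumed asset context that CVSS alone cannot express


def priority(f: Finding) -> float:
    """Composite score in [0, 100]; weights are an assumption for illustration."""
    score = 4.0 * f.cvss          # severity contributes up to 40 points
    score += 40.0 * f.epss        # likelihood contributes up to 40 points
    if f.in_kev:
        score += 20.0             # confirmed exploitation gets a fixed bonus
    if not f.reachable:
        score *= 0.5              # unreachable component: halve the urgency
    return round(score, 1)


def tier(score: float) -> str:
    """Map a composite score to a remediation tier (thresholds assumed)."""
    if score >= 70.0:
        return "P1"
    if score >= 40.0:
        return "P2"
    if score >= 20.0:
        return "P3"
    return "P4"


def rank(findings: list) -> list:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample findings; the first two mirror the example from the talk.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=7.0, epss=0.008, in_kev=False),
    Finding("CVE-0000-0002", cvss=6.5, epss=0.75, in_kev=True),
    Finding("CVE-0000-0003", cvss=9.8, epss=0.02, in_kev=False, reachable=False),
    Finding("CVE-0000-0004", cvss=9.8, epss=0.02, in_kev=False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.cve_id}: score={priority(f):5.1f} tier={tier(priority(f))}")
```

The KEV-listed finding with the lower CVSS outranks the CVSS 7 finding, and the same CVSS 9.8 bug lands in different tiers depending on reachability.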
Real-Life Adventures in Incident Response
Driving home the entire point of Blue Team Con, Patrick Scherrer, Information Security Manager at Rea Magnet Wire, gave us the play-by-play retrospective on how his company survived a ransomware attack in 2023. In his session “Dennis, This Is the Big One,” Patrick recounted a harrowing real-life ransomware attack that struck at 5:00 am on a Saturday, impacting 500 machines at his company and everything they did as an organization.
By 7:00 am, the security team had launched their response, scrambling to restore systems from backups while fighting against time and an evolving threat landscape. However, that is when they realized they had never prepared for this situation, and the "playbooks went out the window." The title comes from the exact message that was sent to his boss on that day.
Fortunately, they were able to rebuild, and in a more resilient way, getting back to production within a few days. This process took sleepless nights, intense troubleshooting, and reaching out to outside companies for help. He stressed the importance of communication for managing the evolving situation. Patrick left us with these hard-learned tips:
- Prepare for the worst.
- Stick to your plan, as making a new one in an incident is stressful.
- Be flexible because not everything is going to go as imagined.
- Have outside help vetted before an incident happens.
- Have a 'reserve corps' trained and available.
Mentoring the future defenders
In his talk, “Bridging The Generation Gap: Cyber Workforce Development through STEM Outreach and Mentorship,” Moeiini Reilly, Research Technologist at Georgia Tech, discussed the pressing need to develop the next generation of cybersecurity professionals. Right now, there are over 3.5 million open cybersecurity positions globally, and this number will likely increase. There simply are not enough people with the right skills right now. He said we need talented people willing to learn, but we need a new model to engage this next generation of professionals.
Working with the university, he runs paid apprenticeship programs that provide job training for students in high school and even younger. Introducing security to them can be a challenge at first, but being treated as valued team members who can contribute helps them build skills they can leverage to help keep us all safe in the future and, importantly, put on a resume. He strongly suggested that everyone get involved in mentoring and look for ways to better incentivize folks who are willing to learn on the job.
Security takes more than just the Blue Team; it requires everyone
There were so many other amazing talks and conversations at Blue Team Con, but central to all of them was a sense of urgency about finding new ways to defend our organizations from emerging threats. Your author was able to give a talk about IaC security and governance. Since it was later in the event schedule, it was tuned to the audience after many discussions about this subject throughout the event.
Just like the city’s towering skyline emerging from the shores of Lake Michigan, Blue Team Con helped attendees rise above the fog of daily security alerts and gain a broader perspective on the threats we face. We took with us not just new strategies and insights but a renewed sense of purpose—to defend, to mentor, and to continue pushing the boundaries of what’s possible in the world of cyber defense. Until Blue Team Con 2025, keep fighting the good fight.