Disclaimer: The following article will highlight my work and achievements in 2023. I am not sure if this is going to be worth reading, but I will try my best to make it helpful and educational for others, to not only let it sound like self-praise. If you had a rough 2023 and are currently struggling, you might want to skip reading this as it will contain self-praise. Be aware that sometimes, all that matters is surviving. You don’t need to win a challenge coin, gain a huge amount of followers, or whatsoever, to be worth existing. Sometimes, the biggest battles are fought and won inside oneself. If you feel like you didn’t accomplish enough this year, know that you probably did way more than you feel right now! ❤
Hello and welcome back to another blog post. It will be a bit different from the normal content I share with you on this platform. As the year 2023 is coming to an end I had the idea of creating a yearly summary of important cyber security events, meaning attacks, vulnerabilities and general changes in the Threatactor landscape, which have been observed in the past 12 months. However I agree with the common narrative that there have been so many important events and attacks, that you could easily create a summary for each week on its own, without touching every topic of importance.
Instead, I have decided to write a personal summary of my year as an independent cybersecurity researcher. I have to admit that I struggled a little with the question if this was going to be content followers would enjoy. However, after creating a Twitter poll it got immediately clear that you would like to read it.
So without further delay, let’s start reflecting on the year 2023 from the eyes of yours truly Gi7w0rm.
Social Media
I guess the best way to start is probably by reflecting on my social media activities. After all social media is probably how most of you have discovered me.
At the beginning of 2023, it was probably clear to most of us that the social media landscape would start to change. Two months prior El no Musk had bought Twitter. Many of us knew this would imply some drastic changes in the way the platform was gonna work. In fact, at the beginning of the year, we saw several known researchers leaving the platform. A prominent example:
https://twitter.com/GossiTheDog
For me, the topic caused and is still causing a huge headache. First and foremost I guess that many content creators on Twitter can agree that we are all afraid to lose what we have built over the last months and years. There has been more than one occasion where Elon’s takeover and the changes in the company’s structure caused annoying and sometimes even critical bugs in the platform’s functionality. Additionally, the statements and overall behavior of the new CEO are at least not acceptable if not totally disgusting. More than once I had to put my ethics aside in exchange for staying in the community that I have learned to enjoy and appreciate a lot and I am not proud of that.
As of today, there still seems to be no viable alternative to Twitter. After all, it still is where most of us are active, and where most of the information, which is so crucial in Cyber Threat Intelligence, is initially shared.
I hope that in the upcoming year 2024, we will either see a change in leadership or a good alternative. My eyes are currently on BlueSky for if Twitter should fall apart. Yet, despite the overall struggle with the platform itself, my follower growth on Twitter reached a new climax in 2023. According to the Twitter analytics page, I made an astonishing amount of 6138 new followers over 10 months between January and October 2023. Sadly, since November, the analytics page seems not to be fully functional anymore, currently presenting the user with the following message:
Still, this amount of new followers means I doubled my account size over one year. It’s an impressive growth that I would never have expected, nor can I explain. A massive thank you goes out to every person who appreciates, likes or even interacts with my content. Without you I wouldn’t be able to have the impact I seem to be having.
Nevertheless, I noticed a rather concerning side effect of this constant and in my eyes sometimes unexplainable growth. While I certainly love what I’m doing, seeing all these people, watching out for my content and sometimes even looking up to me, creates a big amount of pressure. Several times this year I have struggled with the feeling that I am not creating enough content, or that I am not creating content valuable enough for all the amount of attention I seem to be generating.
While I do not believe that, I have overcome this struggle yet, I believe that I am not the only person with a bigger following that has experienced this pressure. My current approach when faced with such situations is to remind myself, that I am just one human being in the vast chain of interacting gears in the cybersecurity ecosystem and that, after all, a lot of the stuff I am doing, is not intended to please a bigger audience, but to improve the overall cyber security landscape by trying to protect, to make aware, and to collaborate. The immense growth in followers and overall attention is a side effect of this greater cause.
Collaboration
Collaboration is a very important aspect of my current stand as an independent researcher. Looking back at the past year, I have noticed that one of my key skills in the cyber security world does not seem to be my overall technical expertise, but my capability of interacting with other individuals. Many of my projects during the past year have been the result of a growing network of peers, contacts and friends in the infosec community, which I keep proactively expanding every week. To give you an example just have a look at my recent blog posts. All of them were the results of collaborations with different cybersecurity researchers who reached out to me concerning a cybersecurity problem they were facing. Without these interactions, I wouldn’t have done the research which you can read here.
Additionally, the collaboration not only allowed me to find interesting research topics, but also enabled me to try out, and on some occasions even beta-test, certain cybersecurity tooling. I want to use this opportunity once again to give a huge shout-out to Kenneth from Validin LLC, Gregory from LeakIX, Ali from Hatching Triage (now part of Recorded Future), Amir from SoSIntel, Aidan from Censys, Herrcore from UnpacMe, fr3dhk from Malbeacon and the unnamed people with closed source tooling, which all allowed me to review, test and use their software for free. Your tooling and your willingness to apply my feedback are huge contributors to my daily research. There has been more than one time where my access to your tools has allowed me to solve a challenge, or make a discovery, which I would not have been able to do without your support in giving me access to your tools. I greatly appreciate you for supporting me as an independent researcher.
This thank you also extends to all the researchers who have collaborated with me or helped me during the last 12 months.
I want to encourage everyone who reads this to reach out to other researchers and help and collaborate with them. There are a lot of opportunities and possibilities that arise when the good guys join forces in trying to make the Internet a safer place. In fact, “Cybersecurity is a team sport” has become one of my favorite quotes during 2023.
Projects:
In this section, we are going to take a look at the main projects I have been pursuing during the last year. In its essence, we can probably split it into three sections: Malware Analysis & Threat Hunting, IoC Collection & distribution and Vulnerability reporting. Let’s have a look at each of them individually.
Malware Analysis & Threat Hunting:
This topic is probably the most interesting, but also the most difficult to measure of the above-mentioned topics. There have certainly been some occasions where I succeeded in uncovering threat actors, their infrastructure, and sometimes even their real-life personas. Some of these occasions have been shared via this blog, but most of my activities regarding threat actor hunting are shared via my Twitter page in countless short replies and tweets. It is difficult for me to put a number to the real impact this is having.
Nevertheless, I did manage to release five blog posts detailing some of my approaches to researching threat actors and their infrastructure. Each of them has amounted to around 500 to nearly 1000 reads and several hundred more views. The best-performing post was my article about uncovering the DDgroup, in which I detailed the hunt for a threat actor group that has been active for at least four years. The group is using publicly shared malware and dynamical DNS to configure a vast infrastructure of fast-changing servers to attack different targets around the globe. The article has been a prime example of putting one of the aforementioned tools by ValidinLLC to use by uncovering, threat actor infrastructure using historical DNS data. Up to this day, I am still seeing attacks that can be attributed to the above-mentioned group.
The second best-performing article was about a full-fledged Java RAT I dupped DynamicRat, which had been observed in a fishing attack against a US city government. In the released article I described the different features of this newly discovered piece of malware and pointed out its capabilities. However, the story was not over with the article's release. Afterward, I dug a lot deeper and was able to track down its potential developers and likely users. But this is a story for another day.
The blog post on which I received the most feedback is the investigation of the 7777 botnet. The topic was initially brought to me by DunstableToblerone and its investigation proved to be a lot of fun. Already during the investigation, I was contacted by several individuals who had seen attacks by this yet undescribed collection of compromised IOT devices. Even after release, several researchers and blue team security members reached out with questions or observations in regards to the botnet. I must admit that I enjoyed it to see this, as it means that the topic I brought to the table was indeed interesting to several people, and helped them to understand the nature of what was attacking them. To this day, there are many unsolved questions regarding this botnet. For example, a piece of software responsible for the attacks has yet to be discovered. But the investigation is far from being over as there have been some discoveries during the recent weeks. One of them is that the botnet is growing in size again after a continued decrease in the recent months as was laid out in my post. It currently has around persists on about 13.000 devices. I am looking forward to taking another look at this activity cluster in 2023.
I must admit that I would have liked to create and share more blog posts in the past year. Sadly, on the one side, I have a lot of additional obligations meaning time is a limiting factor, and on the other side, there has been more than one occasion where I started writing a blog post and researching stuff only to realize that in the end the investigation wouldn’t be worth a post, as the outcome of the research was not as expected.
IoC Collection & distribution
My second major project of this year was hunting, collecting and sharing/re-sharing network-based indicators of compromise, meaning domains, URLs and IP addresses of C2 infrastructure via several web-based platforms. Those platforms mainly consisted of Threatfox, Urlhaus, OTX-Alienvault, GitHub and Viriback’s C2 panel tracker.
And luckily, due to the Threatfox Stats page, I can tell you that I submitted exactly 37.460 valid C2 indicators over the 12 months of 2023. Of those, 99% were C2 addresses, consisting of IP:Port combinations, domains or URLs, depending on the malware. This earned me the first place in contributions by an independent researcher to ThreatFox:
I can’t stress enough how important this work was to me during the year. I often have a very limited time window because as a Student, SOC employee and growing adult, there are a lot of obligations on my table. Writing and automating my IoC collection pipeline allowed me to contribute to the security of many while only spending about 1 to 2 days a week on the overall subject. The impact on the other side should not be underestimated. If we imagine that there are tons of companies out there relying on free and unpaid work by abuse.ch, it's great to think that I might have helped protect companies around the globe over 30.000 times. Of course, not all indicators will have the same hit rate and protection value. But still, I actively helped to protect people around the globe and that's what matters the most :)
Besides uploading indicators to Threatfox, I also made sure to share them all on my Github:
I must state that at the current time, I am not completely happy with the state of the GitHub repository. When I started, I had some scanners running every week, (#WormsWeeklyIoC on Twitter) which would result in a file that was then pushed to Github. But the more sources I queried and the less reliable my weekly scanners got, the more I opted for other methods to collect C2s. So the current repo is the result of piling up indicators from different topics and using different methods over a 12-month timespan and I feel it needs some rework. I am currently considering making 1 single file for every malware and then pushing new indicators to the file instead of creating a new file every 1 or 2 weeks. Feel free to share your opinion on this with me.
This change would also help me with improving my sharing activity on OTX-Alienvault, which has gotten the least attention of the 3 platforms. The reason for this is mainly the state of the OTX-Alienvault platform. During the year I encountered several bugs on the platform itself. And every time one problem would resolve itself, a fresh one raised which made using the platform efficiently a difficult endeavor. I hope to improve here as well.
The greatest challenge with Indicator sharing was the huge amount of false positives contained in malicious binaries. To give you an idea of what I mean, just look at the following list:
https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FalsePositives/fps_2023.txt
Every indicator on this list has been extracted from a malicious binary using a configuration extractor. My initial thought was that the indicators extracted in this manner should be reliable, right? Well, I was proven very wrong. The most difficult challenge in this is not the clear false positives. I started to filter out things like localhost IPs and domains like google.com pretty early on using RegEx. The difficult thing is the amount of malware shared containing legitimate services, especially if you can not see at first glance, that the service is benign. If an actor decides to put an adult film website into the C2 of their binary, you just need to see the domain to say: Alright, that's someone being funny. But what about: 204[.]79[.]197[.]200? Would you have seen straight away that this is a bing[.]com IP? It was used in a Rhadamanthys sample some months ago. I didn’t see it straight away and submitted it to ThreatFox. Imagine the impact of this mistake. Hundreds if not thousands of networks globally flagging Bing as a Rhadamanthys stealer execution? Networks that potentially have several hundred users each using Edge by default? I must have caused some people a real headache that day, all because in a list of 140 IP:Port indicators one IP was not what it appeared to be. That was a frustrating experience, especially because my intentions were good and the outcome was straight up the opposite.
I have not found a perfect solution for this problem as of today. My current way of doing things is submitting every indicator list I intend to share to the OTX-Alienvault Pulse creation page. While AlienVault is not bug-free, their false-positive detection seems to be pretty reliable. I also make sure to add every FP I discover to a filter list and manually review the lists for potential flaws. At this point, another big shoutout has to be given to Mikhail Kasimov. During my work collecting indicators, he was of immense help. Not only did he integrate a lot of my work into another malware detection product, called Maltrail, helping to further protect people out there from malicious content, but he also volunteered to review every single new list I added to my GitHub repo over several months. To make it clear, these are hours of non-paid work to help me in my efforts to get those IoC out there.
I am looking forward to continuing to share indicators in 2024 and beyond. I am certain that there is room to improve and if my time permits I will certainly do so.
Vulnerability Reporting
Well, this topic started only some months ago, but it is truly amazing to see all the fruits this work has yielded so far.
Around the end of July 2023, so 6 months ago, I started to greatly expand my use of the LeakIX webscanning platform. To introduce the company and its platform to those who do not know it, here is an explanation from one of the authors:
LeakIX is a cybersecurity company that specializes in providing businesses with comprehensive visibility into their internet-facing assets. The company’s platform collects and analyzes data on IP addresses, domains, and other network assets to help organizations identify and mitigate security risks, including exposed databases, misconfigured servers, and vulnerable softwares.
LeakIX offers a range of tools and features to help users gain a deep understanding of their digital infrastructure. This includes a search engine that enables users to explore the entire internet and find relevant information on their organization’s assets.
A core and unique feature of LeakIX consists of the reporting functionality. As users navigate through the search engine results, LeakIX facilitates the creation of reports, which can then be dispatched to the respective companies. This offers a secure and complimentary service to assist vulnerable companies, prioritizing prevention as LeakIX primary objective.
It is this last unique feature that made me really like the platform. In its essence LeakIX lets you find vulnerabilities across the whole internet and responsibly report them to the affected company. As you can do it using the platform functionalities and their e-mail addresses, you have the great opportunity of reporting vulnerabilities voluntarily with the image and backing of a company, giving your statement an altered impact due to the legitimacy the company provides to your message.
So once I got vetted access to the platform with no limits on resource usage, access to all vulnerability impacts up to “critical” and direct contact with the developers, I started reporting vulnerabilities at scale.
My first challenge in the first 3 days of access was to report as many vulnerable Ivanti MobileIron Core instances in Germany as I could find.
As you can see in the above tweet, I reported 102 instances in Germany, some with companies of high value. For those of you who don’t know the CVE-2023–35078 (later extended by CVE-2023-35082) would have allowed a full compromise of the Ivanti Instance plus the ability to control all devices connected to the instance itself via an unauthenticated API access vulnerability. I made no exception in reporting. If you were a company in Germany and you were among those first 102 analyzed LeakIX results, you would have gotten a report from me.
However, these reporting efforts were pretty disappointing. When I sent out all those reports, I expected at least some sort of reaction. Don’t get me wrong here, I was not expecting a bounty at all. Bugbounty programs are there for a reason and if a company doesn’t have one, I don’t expect anything in return for my report. I just wanted to make the world a bit safer. A simple “Thank you for your report” would have been enough. But from the 102 (+ x not reported via the platform) critical vulnerabilities I reported in those days, I got exactly 3 responses. I was pretty sad about this result. It felt like I had worked 4 days around the clock for nothing in return. A huge shoutout goes to a small German company that provides work for people with disability. Their IT Admin sent me the following text:
Hello [name],
thank you for the note, we have not received any information from Ivanti about this security vulnerability. However, we were able to react immediately, after you pointed it out to us. It’s nice to see that such skills are also used for something good.
Thanks again & regards
And I must say this felt good! I am not sure if I would have continued reporting if it was not for this small E-Mail.
Yet, after this rather disappointing journey, I decided that it was probably better to reduce the scope of my activity. Instead of reporting everything to everyone, I focused more on stuff that could have a huge potential impact on companies and individuals around the globe. This included but was not limited to high and critical vulnerabilities in critical infrastructure like governments, energy companies, educational facilities, and the military sector.
Some of you might think that this would mean occasional reports as those facilities are probably among the safest out there, right? Well, working with LeakIX has started to change my perception of global IT security. Of course, we all know the above-asked rhetorical question is rather a joke than reality. However, working with LeakIX has given me a clearer picture of the insecurity of nowadays critical networks. I don’t want to step on anyone's toes here so I will not provide details on which vulnerabilities I reported to whom. But take the following tweet of mine as a reference:
This means that on a random Tuesday in 2023, about 400 governmental servers could have been compromised worldwide. And that's only with the limited visibility of known vulnerabilities enumerated by LeakIX. The real number is likely way higher. To add up, this screenshot is only taking into account systems that have a .gov(.*) domain pointing at them. It is not scanning for government-owned ASNs, not scanning for systems without clear identification, etc. I think there is a lot to improve here…
What was interesting for me to observe in the second half of 2023, was the global race between attackers and defenders that broke out every time a new sophisticated vulnerability came to light. To name just a few:
- Citrix ADC aka. Citrix Bleed ( CVE-2023–4966)
- CISCO IOS XE backdoors (CVE-2023–20198 and CVE-2023–20273)
- WSFTP (CVE-2023–40044)
Every time such a vulnerability dropped, LeakIX started seeing hundreds of sensitive systems around the globe exposed and then shed light on a global race between attackers and defenders. It was amazing to observe firsthand how server after server they were either fixed or compromised during the upcoming weeks.
Yet, it must be said that the attackers seem to have a huge advantage over the defenders, especially if you are not looking at targeted but at opportunistic attacks.
Let's take a simple example: The Citrix Bleed vulnerability was released 10.10.2023. Using a research article by Assetnote released 15 days later, the first public PoCs started to show up. A good friend of mine, Chocapikk, released their working PoC 1 day later the 26.10.2023. Four days later on 30.10.2023, it was already clear that at least two ransomware groups were actively mass exploiting the issue and collecting the stolen session tokens that enable access to the vulnerable Citrix instances. Now, what would you say how many systems are vulnerable as of today? Well, according to my data, it's roughly 2500 systems. You might be saying that those are probably unimportant systems in remote locations nobody cares about, right? Sadly, this is not true. While writing this article I identified at least one company with more than 23.000 employees and 30 Mrd annual revenue, whose systems are still exposed today. In fact, on 27.12.2023 I reported the same vulnerability in 5 devices of a global Energy company whose machinery and equipment are used in thousands of energy facilities around the globe. It's terrible to think what an attack on this company could have caused. And it's highly likely someone somewhere will already have had a look at the company and might already have stolen sensitive data in a more covert espionage attack that did not end up in something as destructive and obvious as a ransomware attack.
The whole point I want to get to here is that companies need to step up their game regarding asset and public exposure management. It can not be possible for so many systems to take that long to fix. People like me should not be able to access the most sensitive international systems using known attack vectors that are months if not years old. I know that this is a sad reality. But companies and governments around the world should improve on this matter quickly. The impact of modern-day cyberattacks has become too big to ignore such problems, especially when they can often be fixed with the simple click of an “Update” button.
Well, enough on this. Here are my overall stats on reported vulnerabilities between 01.07.2023 and 27.12.2023, though I might have missed some as I did not keep any record and counted them just now:
241 entities with 259 IPs in 13 countries all high or critical severity. Those entities can be split into the following sectors:
This however does not include the following reports:
- 364 Ivanti Mobile IronCore reported to German NCAZ
- 8391 high and critical vulnerabilities to CERT France
- 321 vulnerable websites to CERT France (CVE-2023–27372)
Those reports are not included as mass reporting does not seem to have the same impact as a single or small amount of reporting with more detailed information.
Several reports with the UK NCSC resulted in me getting rewarded with an NCSC challenge coin:
An amazing reward that can only be surpassed by the amazing reward I got from the US CISA. A challenge coin with a personal recognition letter by Jen Easterly, the director of the authority.
I can’t stress enough how proud this reward has me. A huge thank you and shoutout to Allan Liska, who made all of this possible, by always supporting me in my efforts.
Additionally, I want to recognize my friend Chocapikk who provided me with many PoC exploits and helped me time and time again in proving vulnerabilities which I consequently reported.
Finances
Before bringing this review to an end, let's have a look at the financial aspect of my work. As you have noticed, my work is facilitated by a lot of people who let me use their tools in exchange for sharing my research, collaboration, or constructive feedback. This allows me to reduce spending to a very small fraction of what I would have to pay if I paid for all the tools. I do have however some current expenses which I pay on a reoccurring basis. Let's do a sum-up:
1x Hetzner VPS (37,37 € per month) = 448,44 €
1x .de domain (3,90 € per year) = 3,90 €
1x Patreon OALabs (4€ per month, started in July) = 24€
2 x VPN (12 months each) = 59,99€ + 74,81€
1x global proxies = 16,30€
2x (1 month virtual SIM) = 18,26€
Makes a total of 645,70€ I paid for my ongoing independent research. I explicitly list the OALabs patreon here as it is a purely educational resource and my way to give back for the free license for the UnpacMe project. I highly encourage you to check out the OALabs Content and the UnpacMe project yourselves.
Luckily, there are those of you out there who started to support my work. So I do have the honor to release my independent research “income” as well!
2 monthly donors since February — 5€ x2 x 11 = 110€
A huge thank you to Tom.K and David ❤
1 monthly donor since September — 10€ x 4 = 40 €
12 One-UP tips = 340 €
Top 3:
Prodaft = 100€
x3ph = 80€
Wild_Phish = 50€
This makes a total of 490 € in income.
Now, if you will watch my Ko-Fi page closely you will likely see that the amount of donated “Kofi’s” is way higher. There are 2 reasons for this.
First, in October 2023, Chocapikk got his first well-deserved bug bounty after I tipped him off on a critical vulnerability that had recently been released. He rewarded this tip-off with a 500€ split of his reward in the form of a donation. The other is a 900€ donation by one of LeakIX’s founders. To be honest I nearly fell off my chair when I saw the donation coming in. As it turns out, our ongoing collaboration and my reporting had yielded them with a new client and they made sure to reward my effort as well. I see both of these donations apart from the rest because they are a one-time result of my work and dedication and not so much a present from a voluntarily acting person out there. Nevertheless, I have huge respect for the way both Chocapikk and LeakIX handled these events. Both were not obligated to share their money and both did it anyway.
Another expense that won’t make it to the list is my BlackHat Europe ticket which came in at 1251,09€ for a reduced student ticket, without any form of transport or hotel included. I stemmed that event at my own expense and only because of my Gi7w0rm persona as I finally wanted to meet some of my followers and peers in real life. This is why it needs to be mentioned here, but same as the 2 large sums above it will not be calculated.
In total, calculating the income of 490€ minus the paid 645,70€, this makes a net loss of -155,70€ for the year 2023.
Considering all the amazing stuff I was able to do, this is an acceptable loss for a full-time hobby. However, if you feel like supporting my work, here is where you can find my donation link: https://ko-fi.com/gi7w0rm
I am currently trying to collect some money to update my rig in 2024. Sadly my old one is slowly falling apart from its continued use over the last 7 years.
BlackHat Europe
While I do not want to expand too much on this section, my yearly review would be incomplete without mentioning my first conference experience. In December 2023 I had the great opportunity of visiting BlackHat Europe in London, England. As it was both my first time in London and my first cybersecurity conference, it was a week full of new experiences and impressions. I loved to get to know London and its sights and people. And I was amazed by all the amazing researchers and fellow “nerds” at BlackHat and in London itself. Cheers to fr3dhk for inviting me to meet the CuratedIntel team in a local pub. It was exactly the kind of come-together I was looking forward to when planning my trip to the UK and it could not have been any better!
During the two days of the conference, I was accompanied by Dunstable Toblerone and together we spent tons of time speaking with the different visitors and listening to the talks by different security researchers.
Best talk: Keynote by Ollie Whitehouse
Link: [Not yet available]
Reason:
- Huge focus on making clear that collaboration between researchers and governments should be improved. I am a huge supporter of this effort.
- Calling out the right people/companies for wrongdoing. Security should not be an “additional paid feature!”
- Overall inspiring and positive outlook for the future. The talk was a great motivation to start my first time at a Con
Downside of the Event: The price
Reason: As described in the Finances section above, I paid around 1251,09€ for a student ticket to BlackHat. I do not consider myself a poor student. I come from Germany, a country with a good financial situation. Additionally, I am working in IT-Security which makes my monthly income higher than the income of several fellow students from my dorm. Still, the amount paid for a student ticket, with all discounts applied, was more than my monthly income. I do not agree with this pricing. It is keeping a lot of young talent away from this conference as the only real way to pay for it is probably with the support of a company. I can only imagine a few people from my university who would be able to do this journey out of pure interest.
After the event, I discussed with Dunstable Toblerone and we both agreed that the money we paid was not worth the content we received. The BlackHat Arsenal, which was one of the key reasons for me to visit, was put into a cramped space next to a central staircase, putting 8 tables for presenters with microphones and some approximately 200 listeners in a small and cramped space of about the size of a big livingroom. As you can imagine putting that many people plus several people with mics into this relatively small area with bad acoustics, had the effect that the noise made it nearly impossible to follow any of the Arsenal presentations. The overall talks on the different stages were great and had nice content, but it seemed that the most space and presence was given to the different vendor booths in the vendor's section. Well, I had some great conversations with people there but to no one's surprise, the people in this place were mainly about selling you stuff. When looking back at the event I can’t stop feeling like I paid 1200€ for some talks I could watch as a VoD and about 25 hours of people trying to sell me something. My takeaway is that I won’t be visiting BlackHat Europe next year. It seems to be a conference for people who want to get business contacts in the industry and not so much of a cool get-together as I imagine BSides or the C3 Conference must be. Looking forward to trying those out next to see if my overall feeling is correct. Nevertheless, I am super happy to have visited my first conference and I am looking forward to many more in the future, hopefully not only as a visitor but maybe even as a presenter? :)
Conclusion and final thoughts:
Well, this blog post got longer than expected. I feel it was a good idea to write it as it allowed me to reflect on the past year and the ups and downs of my research. It also allowed me to vent a bit, which is something one should do from time to time.
If you want to take anything away from this, I suggest these 3 points:
- Collaboration in infosec is everything. I encourage everyone out there to reach out to others about your research, thoughts and questions. So far it has only resulted in positive outcomes for me.
- The modern-day internet is still very vulnerable and there is a lot that needs to improve. Updates should not take months to reach some of the most important systems out there, but this is still a harsh reality
- Hard work and dedication to something you like pays off. Don’t be afraid of starting to do it.
Let me close this blog post by saying that the last year has been a very good one for me. I had contact with many awesome people around the globe who share the same passion as me. I reached high scores, topped leaderboards, and received medals. And at moments, I was genuinely proud of myself. The last and hugest thank you and shoutout goes to all the friends, followers, supporters and great like-minded people of the infosec community. After all, you are the people that allow me to do a lot of my work. Thank you for being here with me and enjoying this journey. Wishing you all a happy, successful and healthy 2024 ❤