Earlier this month, I attended The Diana Initiative (TDI) conference in Las Vegas. Looking to challenge myself out of my comfort zone and to learn something new, I signed up for TDI’s Blackhoodie Reverse Engineering workshop. Below is more about my experience at the workshop and some conference session takeaways.
The Diana Initiative
The Diana Initiative is a Las Vegas, non-profit organization that aims to create a more inclusive information security industry. TDI 2023 was a 1-day security conference that was formed as a commitment to helping all the underrepresented folks in Information Security. With the theme of Lead the Change, they offered 2 speaker tracks, a career village, a career fair, a lock-picking village, a makers village, and a few stand-alone workshops all hosted at The Westin.
Blackhoodie Reverse Engineering Workshop
Blackhoodie was a free, women-only reverse engineering workshop offered at TDI 2023. The focus of the workshop was to explore the inner workings of software, learn what happens with compilation, understand the transformation of high-level code to low-level assembly language. We also started learning Ghidra, a powerful tool that can be used to decipher and comprehend disassembled code.
Before the actual workshop, I was sent instructions on how to install a VM on my laptop, as well as instructions to set up a Google Cloud environment and Ghidra. The night before took a while to update as I was using a VPN on hotel wifi (truly do not recommend using hotel wifi, it took forever).
The course itself started with an intro to reverse engineering, which is:
a process through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accomplishes a task.
Reverse engineering is used to understand how a program works for documentation/ research purposes, defense purposes, and offensive purposes. This can be done through the use of static analysis tools, such as disassemblers and decompilers; manual debuggers; OS monitoring tools, such as Wireshark; and API monitor tools.
The speakers were great in explaining the theory of it all, but it quickly began to go over my head as we ventured into assembly language. While the workshop was poised as friendly to beginners, I think it would have helped to come into this setting with a C or C++ programming background.
Exploring the Rest of the Conference
After the workshop broke for lunch, I came back and decided that the theory portion was good enough for me. Instead, I used the rest of my time at the day-long conference to explore the conference. After chatting with some recruiters and getting a free headshot taken, I was able to attended two track sessions.
A Framework for Shared Security Language
The first session was called Come Together: A Framework for Shared Security Language presented by Lea Snyder, a Principal Security Engineer at Microsoft. Snyder presented a case in which she and her team were trying to find the right building blocks to improve on a synced vulnerability taxonomy.
It was hard to pick a handful of takeaways as this session was packed with so much knowledge. Snyder highlighted that the most effective way of defining a taxonomy and implementing it (by putting it into practice) are to:
- Make a taxonomy that’s easy for teams to adopt through the use of spreadsheets and wikis
- Be aware of what the team already uses (because culture change is hard)
- Remind people about the taxonomy, how to use it, and where to find it
- Have this be a living document, revisit regularly, and ensure there’s someone who is held accountable for maintaining the document
As someone who is working regularly with taxonomy at my own day job, I found these to be extremely valuable reminders and approaches that I’ll be attempting to implement myself in due time.
The Why and What it Took to Become an Expert Pentester
The second session was a panel called The Why and What it Took to Become an Expert Pentester. The panel was made up of female pentesters from Cobalt and Gong: Andreea Druga, Vanessa Sauter, Gisela Hinojosa, and Elizabeth Ramirez. Some of the more important takeaways from that session were:
- To succeed as a pentester, come with an attackers’ mindset. Try to think as one of them to understand threats and how to assess risks
- Certifications are not required to succeed in the industry, knowledge gained is much more valuable. However, certs are nice to have and a good way to get your foot in the door.
- The best way to be a hacker is to hack things and be curious- try sandboxes, free trainings online, bug bounties, do your research!
- To get started, find a domain or area you like (such as network security) and stick with it!
It was great to hear directly from pentesters about their experiences out in the field and the different ways they got to starting in this career. It’s always seemed to be an intimidating field, but these women made pentesting seem much more approachable and gave great advice, especially for newcomers!
Overall, I wish that this conference was stretched over a two-day period instead of one-day so that I could have attended more sessions and could have also stayed for the entire workshop I signed up for. There was so much to explore but one day wasn’t enough to cover it all or enough for me to connect with other attendees. However, I am definitely looking forward to attending TDI again in the future!