Blue Team Con 2024: Career Village, ICS Hacking, and Conference Tips

Summary

On-site, hands-on training, labs, and presentations with a defender focus were on display at the 2024 Blue Team Con, held in Chicago, Illinois: more training, (new) labs, and several ICS events.

Introduction

Blue Team Con (“BTC”) just celebrated its fourth year of “bringing cybersecurity defenders together”. Held in Chicago, IL, the convention featured two days of training followed by two days of talks. In addition, vendors were on site running labs with their gear so that defenders could get up to speed on products quickly. Having attended BTC 2023, I found the 2024 program familiar yet upgraded.

New to me this year was the Lounge, presented by Hunter Strategy. The Lounge provided a space to get away and unwind a bit from the conference floor. New swag was unveiled this year, and while it is not at the level of the BTC adult onesie, I am happy with my new con shirt.

Interesting Presentations

It is very nice to see an increase in training opportunities, from 4 in 2023 to 6 in 2024. 2025 promises more trainings as the steering committee works to meet the demand of the community.

I did spend quite a bit of time in two of the villages: the Career Village and the ICS Village.

Career Village

The Career Village is a hot item! If you are looking to talk 1:1 with a hiring manager in the industry, get there early to sign up for a spot. You will get 30 minutes to talk about the industry, career opportunities, your approach to interviewing, or a review of your resume or LinkedIn profile. All for free! So, get there early and grab your spot.

Industrial Control Systems Village

The ICS Village had a hands-on environment that encouraged hacking. There were multiple ways to approach the problem, either through the Human-Machine Interface (HMI) or through an examination of ports. While I was accustomed to using tools such as Wireshark and Nmap, I was introduced to Malcolm – a “powerful, easily deployable network traffic analysis tool suite” combining all my tools into one.

Malcolm is a jointly funded project between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS), with a bit of an emphasis on Industrial Control Systems (ICS) protocols (e.g., Modbus and BACnet). Malcolm is presented in a browser with dashboards. The dashboards are plugins such as a network graph, YAML-based alert reports, and a list of ports, protocols, and services. Now, while you can get this information in pieces from other tools, having everything in one tool makes searching across the entire data set quick. No more flipping between Nmap results, Wireshark, and hand-drawn notes.

Malcolm is free! That’s right, free. CISA even has YouTube videos to get you started. Why wouldn’t you use this tool?

The ICS Village allowed you to control (hack) a water treatment station and a power plant. These were simulated using a Honeywell CIPer 50 PLC. A Programmable Logic Controller (PLC) is a ruggedized piece of computing equipment that is typically found in industrial environments. PLCs provide different types of interfaces (such as binary and analog) which are used to control industrial equipment. Data and commands travel over Ethernet, Wi-Fi, or cellular links.

The ICS environment brings 70-year-old technology into the 21st century. ICS systems were designed for high availability and safety. ICS systems are not regularly patched or brought down for maintenance, and encryption only slows down the time it takes to shut off a machine. ICS defenders must deal with insecure-by-design products as well as a wide variety of protocols.

Approach for ICS Village

I’d like to say I polluted the water and blew up the power station, but I did not. I could have stayed the entire day at the ICS Village but would have missed the talks. However, I will share my approach from before I knew about Malcolm.

  1. Go to the HMI webpage
    1. Tried to hand-jam a few of the most common passwords
  2. Enumerate the environment
    1. I chose to use nmap
  3. While that’s all running, I went to the Honeywell website and started downloading the user’s guides and any tech docs so I could get a feel for this device.
  4. Once nmap returned with some web servers, I fired up dirb to see what else was freely available.
  5. Also pivoted to hydra to use a username list and rockyou
    1. Realized my local version of hydra was broken and had to start up Kali. Defs start in Kali next time.
    2. Didn’t get a crack in time.
  6. While knocking at the front door, I took a look at the ports and services from nmap.
    1. nmap tries to guess the service but you can’t take those at face value.
  7. Started Wireshark and then collected a pcap to start looking at the data.

That’s as far as I got with my approach before exploring Malcolm. Next time, I would start with Malcolm and all its visual tools. Or, I would start Wireshark earlier to see if I could decipher what type of traffic I was seeing. Typically with ICS, you’d look for small packets. Definitely can’t wait to have another go!
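To make the “look for small packets” point concrete from the defender’s side, here is an added example (my own illustration, not code from the post, from Malcolm, or from the ICS Village) of the kind of triage a traffic-analysis suite does for you. It parses constructed Modbus/TCP frames (the 7-byte MBAP header followed by the PDU), separates read polls from state-changing write commands, and ignores non-Modbus traffic. The sample packets, addresses, and port 502 convention are constructed for the example; a typical Modbus request really is only 12 bytes, which is why it stands out in a capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_TCP_PORT = 502  # standard Modbus/TCP port

# Function codes that change controller state. On a production ICS network a
# defender normally wants every one of these logged and unexpected ones alerted.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2 bytes), protocol id (2, always 0), length (2,
    counts the unit id plus the PDU), unit id (1). Returns None when the
    bytes do not fit that layout, so callers can tell Modbus from noise.
    """
    if len(payload) < 8:  # header plus at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def classify(dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Return (verdict, description) for one TCP payload seen on the wire."""
    if dst_port != MODBUS_TCP_PORT:
        return "not-modbus", f"{len(payload)}-byte payload to port {dst_port}"
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return "malformed", "port 502 traffic that does not parse as Modbus/TCP"
    fc = frame.function_code
    if fc in WRITE_FUNCTION_CODES:
        return "modbus-write", f"unit {frame.unit_id}: {WRITE_FUNCTION_CODES[fc]} (fc {fc})"
    if fc in READ_FUNCTION_CODES:
        return "modbus-read", f"unit {frame.unit_id}: {READ_FUNCTION_CODES[fc]} (fc {fc})"
    return "modbus-other", f"unit {frame.unit_id}: function code {fc}"


# Constructed sample packets standing in for a pcap: (src, dst, dst_port, payload).
SAMPLE_PACKETS = [
    # Read Holding Registers, start 0, count 10: a typical 12-byte HMI poll.
    ("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("00010000000601030000000a")),
    # Write Single Coil at address 1 to ON (0xFF00): a state change worth logging.
    ("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("00020000000601050001ff00")),
    # Plain HTTP to the HMI web page: not Modbus at all.
    ("10.0.0.9", "10.0.0.20", 80, b"GET / HTTP/1.1\r\nHost: hmi\r\n\r\n"),
    # Write Multiple Registers, 2 registers starting at 0: another state change.
    ("10.0.0.7", "10.0.0.20", 502, bytes.fromhex("00030000000b0110000000020400010002")),
    # Bytes on port 502 with protocol id 1: does not parse as Modbus/TCP.
    ("10.0.0.9", "10.0.0.20", 502, bytes.fromhex("0004000100060103")),
]


def triage(packets) -> List[Tuple[str, str, str, str]]:
    """Classify every packet; returns (src, dst, verdict, description) rows."""
    return [(src, dst, *classify(port, payload)) for src, dst, port, payload in packets]


def write_commands(packets) -> List[Tuple[str, str, str, str]]:
    """Only the rows a defender would want to review: writes to the controller."""
    return [row for row in triage(packets) if row[2] == "modbus-write"]


if __name__ == "__main__":
    for src, dst, verdict, desc in triage(SAMPLE_PACKETS):
        print(f"{src:>10} -> {dst:<10} {verdict:<13} {desc}")
```

Running it against the constructed packets prints one line per packet and lets `write_commands()` pull out the two frames that actually change the PLC’s state. That separation, reads versus writes versus everything else, is what the Malcolm dashboards give you at a glance instead of scrolling a Wireshark capture by hand.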

At this Village, I sat next to a person who was struggling through the challenge. They asked me a question, which then started a whole conversation about the tools we were using, how and why I was using what I was, and our journeys into cyber. Making these connections is what BTC is all about.

Tips for Attending

Come as you are. Dress a bit funky if you want to. Everyone is welcome at BTC. Here are a few tips from me, BitsDanceForMe.

  1. Drink the coffee. The Fairmont hotel has amazing in-room coffee.
  2. Girl Scout Cookies are not a substitute for lunch. Go eat. (Thanks Bryson!) BTC provides info for local places to eat that are of various price points.
  3. Don’t eat alone. Even if you go to lunch at 2, sit next to the only other person in the bar. They are into cyber.
  4. Leave your ego at the door. No one person knows everything.
  5. Ask the damn question. Others have it as well.
  6. Know how to pull up your LinkedIn profile QR code (from the app, tap the search bar and then the box on the right-hand side).
  7. Don’t worry about having a paper resume. The Career Village will review electronic or paper.
  8. Try a CTF. Just try.
  9. Even if you don’t know anyone, still go to BTC. You’ll walk away knowing people.
  10. Go to the Hacker Charlatan game show. You won’t regret it.
  11. Dance!

Hacker Charlatan 2024

Conclusion

If you’re looking for a chill, come-as-you-are con that’s all about good times and defending, Blue Team Con is your place. Tickets are already on sale for BTC 2025! I snapped mine up already and hope to see you there.

A special see ya later to conf1ck3r, majorlefty, Dwayne, apexxor, and that kid from Indy!