Reflections from DEFCON 31 | InfoSec @Twilio

Reflections from DEFCON 31 | InfoSec @Twilio

In August 2023, more than 30 Twilions from the Information Security (InfoSec) team attended DEFCON 31. In the post pandemic era, amidst a challenging macroeconomic environment and being a part of a remote-first company, many Twilions have been seeking ways to continue to foster deeper connections and engagement with each other.

The conference provided an excellent opportunity for us Infosec Twilions to reconnect (with each other), rekindle (our sense of purpose), and reaffirm (our sense of belonging). In this post, we will explore the highlights of Twilio’s presence at DEFCON 31 and share our reflections from this experience.

In preparation for the conference, our security leadership established guidelines to ensure that the Twilions attending could extract maximum value from this experience, both professionally and interpersonally. A dedicated group of InfoSec Twilions, representing various teams, came together to plan and coordinate our time there to ensure everyone benefitted from this shared time together.

Specifically, we created:

• A planning team to coordinate group dinners
• A Slack channel for communication leading up to the conference
• A Signal group for secure communications during the conference

The planning team organized group dinners for all participants, providing an excellent opportunity for everyone to gather, despite differing schedules during the conference. Additionally, most Twilions stayed at the same hotel and arranged group travel to and from the conference, dinners, and other activities.

Collectively, our primary objective was not only to acquire security knowledge at the conference but also to break down team silos and foster camaraderie among our peers, capitalizing on the rare opportunity to be physically together. Following the conference, the planning committee conducted a retrospective to gather insights from all attendees for this joint blog post.

Villages and talks

DEFCON 31 had many villages and talks, spread across four buildings this year. Villages are places where conference attendees can gather to learn more about a specific topic in cybersecurity. For example, you can learn more about threat modeling at the Application Security Village, hack healthcare devices at the Biohacking village, and pick locks at the Lock Pick village.

Villages usually have a multitude of booths and several volunteers who are subject matter experts in that specific area. We spent an average of 10-15 minutes between sessions navigating to our next destination. The best way to plan for attending villages and talks is to be early, and cluster your sessions within an area of close proximity to save time on walking in between places.

The easiest win for many teams was attending talks related to our day-to-day job and learning about the latest bugs or discoveries. This helps keep us abreast of security trends. For example, at the Cloud Security Village, a security researcher spoke about discovering the use of non-production AWS API endpoints to make production changes to your AWS environment, while evading AWS Cloudtrail logging. This talk provided valuable takeaways for the Cloud Security team, prompting us to consider implementing additional monitoring measures to bolster our system defenses, in case attackers manage to evade AWS CloudTrail.

We also had the chance to explore security areas beyond our typical roles. We had a great time exploring the payment village, learning about how payments work and trying to bypass security on POS (Point of Sale) terminals.  In the voting village, we learnt about the different aspects of election security, discussed the attack surface and tried different techniques to exploit voting machines! With diverse backgrounds and experiences, we were able to bring unique perspectives to the table and learn from one another during these exercises.

The diverse security villages and technical talks offer an exceptional avenue to delve into the various realms of security. It proves especially beneficial for those in the early stages of their careers, providing a glimpse into the intricacies and demands of becoming an expert in specific fields. Moreover, mingling with the experts and volunteers at these villages offers invaluable opportunities for socializing and gaining knowledge.

CTFs

Villages often have live hacking exercises, known colloquially as "capture the flag" events or CTFs. CTFs showcase an array of vulnerable systems or devices. Participants attempt to exploit them in order to capture a "flag", which can be a string, a password, or any piece of information that is only visible once the device has been compromised.

At DEFCON 31, most villages have a CTF and some conference attendees exclusively attend to compete in these events. This year, we engaged in the IoT (Internet of Things) CTF, involving real IoT devices like webcams, routers, and sensors. The goal was to compromise these devices and capture flags, such as configuration files or passwords. We were able to hack a few of these devices. Some of them were vulnerable due to a known and outdated software stack. Some devices had unchanged default credentials. Some were simply misconfigured, allowing privileged access through unauthenticated backdoors.

This exercise  demonstrated real world configurations and the ease of which they can be compromised. It was a sobering reminder that security is so important, and should be included in every step of the design process. Moreover, the added aspect of participating as a team and building camaraderie enhanced the overall experience.

Security reality  

Despite the industry's progress and our diligent efforts to safeguard our company, we were humbled to discover not only how easily exploitable the world remains but also how many unknowns persist. Attending talks, participating in villages, and conversing with industry peers allowed us to see the extent of security work that still lies ahead.

Our encounters at the conference shed light on specific vulnerabilities, such as the complexity and potential leakage of secrets with tricky K8s RBAC, the alarmingly simple tampering of voting machines demonstrated in the voting village, and the outdated and insecure technology still prevalent in the world of payments, with the continued use of magstripe cards for backward compatibility.

Additionally, our concerns were amplified by the chaotic state of IoT, characterized by difficulties in firmware upgrades, pervasive default passwords, and other known vulnerabilities. Our attendance at the A.I. talks highlighted the unknowns facing A.I. and LLMs (Large Learning Models), as well as the compliance-related responsibilities imposed by privacy laws and regulatory requirements.

These experiences served as a powerful reminder that the world we live in continues to be a perilous landscape, one that is disturbingly easy to exploit and hard to navigate.

Value of in-person events

As part of a globally distributed, remote-first company, we consider ourselves to be very skilled at collaborating and communicating virtually. However, an in-person event like DEFCON 31 created an exciting space for us to get together with groups that we rarely interact with, share our diverse perspectives, and build strong connections.

During our retrospective, a common theme from all the participating individuals was the value of bringing everyone together and identifying opportunities to collaborate across security. We felt incredibly energized from meeting and connecting with our fellow Twilions. This experience deepened  our relationships, strengthened the bonds within our respective teams, and also fostered deeper relationships across the entire security organization at Twilio, as well as with our industry peers.

Reflection point

The conference served as a pivotal moment for our security team's growth, offering an opportunity for reflection. By actively engaging with industry professionals and our colleagues, in a new environment away from our home offices, we gained valuable insights that allowed us to introspect on areas in need of improvement.

First and foremost, the conference was a huge call to action for the Twilio Information Security team to invest more in the telecom space. One of our action items from the DEFCON 31 retrospective was to utilize this unique opportunity provided by the Telecom Village. We are looking to better utilize our Global System for Mobile Communications (GSMA) membership and are identifying future sponsorship opportunities. 

Listening to the amazing talks and exploring the various workshops inspired us to commit to sharing our work with the wider security community. The InfoSec team at Twilio organizes weekly demo sessions internally that enables teams to share knowledge and showcase their work. But, we realized that we should share our stories, lessons learnt, and insights outside of Twilio to make the entire community stronger.

As we drive innovative security projects to completion, we want to take it a step further and share this work, so that we as a community can collectively benefit from it. Going forward, we plan to engage in public speaking and write blogs, making sure to highlight the amazing things that we are all working on and are truly passionate about.

Finally, we’re eager and determined to apply the skills and knowledge gained at DEFCON 31 to our current roles and help improve Twilio’s security posture and program maturity. This also makes a strong argument for continued investment in conference attendance and in-person collaboration.

Conclusion 

DEFCON 31 had a robust Twilio InfoSec representation, with active participation from our Product Security, Cloud Security, Enterprise Security, Third-Party Security, Threat Detection and Response, Security Platform Engineering, and Recruiting teams. In our day-to-day work, we typically interact within smaller circles within the organization. DEFCON 31 presented a unique opportunity for broader engagement, connection, and meaningful conversations with the larger team. Moreover, the presence of security leaders from our org allowed everyone to have their voices heard in a meaningful way.

Overall, our participation in DEFCON 31 highlighted how transformative in-person events are for a remote first company like ours. This experience provided substantial returns on investment for the entire security team, reinforcing our commitment to attending similar events in the future to reconnect and network. We hope our reflections from this conference prove valuable to you and your team as well.  

A big shout-out  to the DEFCON 31 organizers, goons, villages, volunteers, and everyone else who had a part in putting together the event this year. A conference this size is not easy to organize, and the effort that goes into planning and executing this does not go unnoticed by us! THANK YOU!

This blog was written as a joint collaboration among the following individuals: Adithya Karthikeyan, Ariel Shin, Arthi Singh, Bhawandeep Kambo, Dan Smith, Divya Balasubramanian, Fabian Lim, Gabe Bello, Ryan Van Antwerp, Sarah Liu, Stephen Aghualor, Trea Kines

We are hiring! Checkout our careers page for details about open roles on the InfoSec team.