
The RootCon Hacking Conference


Exploring digital defense trends
What happens when some of the sharpest minds in technology come together to share ideas, solve complex problems, and push the boundaries of digital defense?
That’s exactly what Andrew Fuentes, DevSecOps Engineer at Adaptive in Manila, discovered during the RootCon Hacking Conference — a dynamic mix of technical challenges, eye-opening sessions, and unexpected wins.
Adaptive’s commitment to innovation and excellence drives us to create an environment where learning never stops. Whether it’s through exploring cutting-edge technologies, exchanging ideas with industry experts, or tackling real-world challenges, we empower our people to expand their skills and make an impact. That’s why we actively support our team’s development through a variety of training opportunities, including courses, conferences, and workshops.
A great example of that is RootCon, where Andrew not only gained valuable insights but also brought back fresh ideas to share with the team. In this blog post, he walks us through his personal journey, highlighting the standout moments, key takeaways, and lessons learned from both the hands-on activities and thought-provoking discussions.
Whether you’re curious about the world of cyber resilience or looking for inspiration to level up your skills, there’s something here for you.
What is RootCon Hacking Conference and why is Adaptive attending?
RootCon is the premier cybersecurity conference in the Philippines, uniting cybersecurity professionals, tech enthusiasts, and hackers from all over the country. Founded in 2008, the name “RootCon” combines “root” (the Unix superuser) and “con” (short for conference), signifying its deep roots in the security and hacking community.
RootCon 18 was held from September 25 to 27, 2024 at the Taal Vista Hotel in Tagaytay overlooking Taal Lake and its active volcano, about a 2-hour drive south from Metro Manila. The conference was a hub for learning, collaboration, and hands-on experience. It featured talks, workshops, and demonstrations covering the latest trends and best practices in cybersecurity. RootCon was an interactive experience that encouraged participants to engage directly with the material.
To top it all off, RootCon offered a collection of specialized “hacking villages” which were dedicated spaces focusing on different aspects of hacking and security. We will dive into this later!
RootCon Workshop Tracks
There were two different workshop tracks during RootCon. A participant could only choose one track, as they were concurrent:

Combating Cyber Extortion: This workshop track covered ransomware’s evolution, mechanics, and tactics, including encryption, locking, and mobile technology. It explored Ransomware-as-a-Service (RaaS) and highlighted targeted organizations, equipping participants to mitigate this threat.


Cyber Defense Analyst (Offensive Security Defense Analyst Starter Course): This workshop track introduced key Security Operations and Defensive Analysis topics, including the NICE Framework (National Initiative for Cybersecurity Education), Windows and Linux endpoint features, and diagnosing cyber attacks through log analysis.

Day 0: The CyberDefense Analyst Training Experience
RootCon named its days as follows: Day 0 was exclusive to Human+ ticket holders, Day 1 marked the start of the talks, and Day 2 featured more talks and the awards ceremony.
Day 0 kicked off with a bang, and we received some cool merchandise: stickers and an ID badge made of metal (something you don’t see every day). I loved the stickers! They combined art, humor, and tech in a way that truly captured the hacker vibe. The packaging itself screamed creativity, and the stickers from OffSec and Kali Linux were absolutely on fire!
SOC and SIEM: Setting the Foundation

This session introduced the role of SOC (Security Operations Center) Analysts, the team responsible for monitoring and analyzing logs to defend against threats. The key takeaway was the importance of a structured approach to SIEM (Security Information and Event Management). Simply handing your SOC team a SIEM tool and saying, “Go nuts,” doesn’t work. The team needs a clear skill set, goals, and frameworks to operate effectively.
The first half of the session focused on:

Log Sources: Understanding logs from Windows and Linux systems.
Prioritization: Identifying high priority event logs and knowing what to look for first.
Windows Event IDs: Breaking down their structure and relevance.
Attack Methodologies: Analyzing logs to understand how cyberattacks unfold.

Capture the Flag (CTF) Challenge
In the second half of the day, we put our skills to the test with a CTF challenge. The scenario involved a cyber attack and our job as SOC analysts was to comb through more than 3 million log records to uncover the following:

The first recorded attack.
Tools used by the attacker.
Signs of initial entry.
Actions taken inside the system.
Files created or downloaded.
How the attacker achieved root admin access.

It felt like searching for a needle in a haystack. Initially, I was nervous since I had no prior experience as a SOC analyst. But I drew from my attacker-side experience with CTF challenges from TryHackMe, thinking like an attacker while working as a defender.

The setup included:

A VM with the ELK Stack.
3 VMs as targets.
1 VM simulating the attacker.

The challenge was paced exceptionally well. The lecturer and assistant lecturers provided tips and guidance, helping us understand where to start and what to focus on. These hints, based on the earlier lecture, pointed us toward key event IDs, TTPs (Tactics, Techniques, and Procedures), and attacker behaviors.
After I made some initial progress, they stepped back, allowing us to explore on our own. Slowly but surely, I began uncovering the attacker’s trail. I felt like a detective piecing together a crime by analyzing logs.
Just as the room was deep in forensic mode, chaos struck: we all got logged out of the SOC Dashboard! Someone had changed the password and locked everyone out. The lecturer, clearly amused and smiling, said “I’m gonna find you!” with a mix of friendly banter and a subtle challenge.
Once we regained access, I focused on solving the puzzles. Piece by piece, I worked through them until, to my surprise, I saw my name climb to the top 4 of the leaderboard.

I was thrilled! I felt so close to winning. What started as a learning experience turned into a real competition for me. With no prior experience as a SOC analyst, I never imagined making it onto the leaderboard. By the end, I found almost all the flags, except for one. I finally ended up in 9th place on the leaderboard.
I received a Hacker Badge and some awesome swag from OffSec. It was surreal: I had come just to learn but ended up in the top 9.

EOD Report
Day 0 was a blast! This training was the highlight of my RootCon experience. Here is why I loved the CyberDefense Analyst Training:

Hands-On Learning: The course provided practical scenarios that allowed us to apply what we learned in real time. The hands-on labs (CTF) were particularly engaging, giving us the opportunity to work with actual logs that simulated cyber attack scenarios.
Expert Instruction: The trainers from OffSec were industry veterans who brought a wealth of knowledge and experience. Their insights into real-world cyber threats added depth to the learning experience, pointing out the high-probability entry points hackers use and where to look for them.
Comprehensive Training: The course covered a broad range of topics essential for any aspiring Cyber Defense Analyst. From understanding Windows and Linux event logs to dissecting cyber attack methodologies, the training was both challenging and enlightening.
Interactive Environment: With a group of like-minded professionals, we engaged in discussions, problem solving, and even some friendly competition during the exercises.

Day 1 and Day 2 Talks + Key Takeaways
I woke up excited for Day 1, eager to dive into the talks and explore the exhibition booths. The previous day’s win gave me a confidence boost, and I was hoping to join the CTFs again. However, I decided to prioritize the talks, as that was the main reason I came to RootCon. The event was packed with engaging, thought-provoking and sometimes downright scary talks that highlighted the fast-paced and constantly evolving cybersecurity landscape. While I can’t cover every session in detail, I want to spotlight my favorite talk and mention some of the more memorable ones.

Apocalypse: The Perils of Generative AI
The most memorable session for me was Scott Jarkoff’s “Apocalypse: The Perils of Generative AI.” It tackled the profound dangers posed by AI, diving into its unpredictability, persuasiveness, and potential misuse. Jarkoff explained how AI could be weaponized for bioweapon engineering, autonomous cyberwarfare, psychological manipulation, or even synthetic reality overwrites.
One chilling example was the potential misuse of deepfakes. Imagine receiving a video call from your CEO, complete with their familiar face and voice, instructing you to take a critical and potentially damaging action. How could you verify authenticity in such a scenario? Jarkoff proposed using a company safe word – a secret, internally shared phrase that isn’t documented anywhere.
For instance, if your CEO instructed you to “destroy the production database” and he/she used the safe word “alakazam,” you would know the request was legitimate (hopefully, your CEO would never give such an order!). This talk left me with a lasting impression of the vulnerabilities we face in a world of rapidly advancing AI.
More interesting talks

Security of CI/CD Pipelines: The main challenge in CI/CD pipeline security is not only prioritizing security but also ensuring visibility. Without a clear understanding of the attack surface, securing it becomes impossible. For instance, do you know how many jobs are currently running and whether they are legitimate or malicious? The proposed solution involves visualizing all agents and dependencies. This can be achieved by using color-coded indicators to represent critical states, such as vulnerable dependencies or failed jobs, and linking them visually for enhanced clarity and monitoring.
LOLBAS (Living Off The Land Binaries and Scripts) discussed techniques attackers use to evade detection.
Using Microsoft Products for Malware Delivery provided insights on exploiting legitimate tools to bypass defenses.
Securing Cyber Security Budgets gave practical advice on communicating risks in financial terms to gain organizational support. The key steps are: understand compliance and laws in your region, analyze risks, and frame arguments in business language.

The range of topics was incredible, from speakers demonstrating how they discover and report Zero-Day vulnerabilities to government affiliated professionals recounting real life stories of recent malware and ransomware attacks on government agencies. These speakers shared how they identified and mitigated threats, providing invaluable insights.
Each session added depth to my understanding of the cybersecurity world, blending inspiration with practical takeaways. This event truly enriched my perspective on the challenges and innovations shaping our field.
The Hacker Villages
RootCon offered a diverse collection of specialized “hacking villages”, dedicated spaces focusing on different aspects of hacking and security:
Hardware Hacking Village
Ideal for tinkerers and DIY enthusiasts, this village welcomed all skill levels to explore microcontrollers, soldering, circuit design, IoT projects and more. The village provided a supportive environment that fostered creativity and hands-on learning, complete with tools like microcontroller dev boards, soldering equipment, and even 3D printers.
Car Hacking Village
Focusing on automotive security, this village educated attendees about how cars can be vulnerable to hacking. Inspired by similar initiatives at DEFCON (one of the largest hacking conferences in the world), it offered insights into the latest research and trends in automotive cybersecurity, featuring tools like CAN Bus hacking devices and SDR (software defined radio) equipment.
Cellular Assault Village
This area shed light on the security risks associated with cellular communications. Through demonstrations of attacks such as SMS interception and call spoofing, participants learned about vulnerabilities in cellular networks and how to protect against them.
Red Teaming Village
Designed for those interested in offensive security, this village immersed attendees in the mindset of an attacker. Personally, the Red Teaming Village was my favorite because it gave me a new perspective on hacking. The speaker was a highly skilled Red Team professional (an Offensive Security Manager at Red Rock IT Security Inc with significant progressive industry experience working with public and private entities, holding multiple industry certifications) who shared what really happens in real-life scenarios, providing valuable insights into offensive security.
One of the key takeaways for me was the importance of understanding the highest probability paths to gain access, rather than just running tools and hoping for the best. Sometimes you don’t need to root or escalate privileges on every single machine, just enough to achieve your true objective.
The session also revealed tactics used by real world threat actors, such as grooming domain names or purchasing expired legitimate business domains to use as phishing infrastructure or as command and control servers. This clever approach leverages the trust and history of the domain, making attacks harder to detect and more likely to succeed. These practical insights were eye opening and underscored the sophistication of modern adversaries.
Recon Village
Focusing on reconnaissance, OSINT (Open-Source Intelligence), and cyber threat intelligence, this village provided talks, live demos, workshops, and Capture The Flag (CTF) events. It was a space for sharing knowledge about how information is gathered and used in cybersecurity operations.
Lock Pick Village
Highlighting the physical aspect of security, this village taught the art of lock picking and the vulnerabilities of physical locks. This year’s focus was on high-security locks, offering in-depth discussions and hands-on demonstrations.
Takeaways from the cybersecurity experience
Attending an event like this can be overwhelming, especially if you’re not deeply familiar with cybersecurity. With so much happening at once, it’s impossible to absorb everything, so having a clear goal is essential.
Lessons Learned:

Set a Goal Beforehand: Decide what you want to learn or focus on before the event. This helps you navigate the schedule and prioritize effectively.

Stay Focused and Prioritize: Events like this are fast-paced, with multiple sessions happening simultaneously. Knowing your priorities helps avoid decision paralysis and ensures you get the most out of the experience.
If you plan to attend RootCon 19 or a similar event in the future, come prepared with a clear path or focus in mind. This will help you manage the overwhelming pace, make better decisions, and maximize what you take away from the event.

The post The RootCon Hacking Conference appeared first on Adaptive.