The Non-Stop Malicious Traffic: Inside Black Hat’s NOC

Black Hat Asia Conference Exposes the Complexity of Securing Networks in an Era of Hackers

The Black Hat Asia conference recently held in Singapore gave attendees a peek at the difficulties of securing networks in an environment where the vast majority of network traffic is deemed malicious, and deciding what to be concerned about isn’t merely a needle-in-a-haystack problem but more like a needle-in-a-needlestack problem. IBM X-Force’s global lead in active threat assessments, Neil Wyler, and NetWitness’ senior systems engineer, Bart Stump, took center stage to give attendees a behind-the-scenes tour of the event’s enterprise-grade network operations center (NOC). The NOC was responsible for supporting various networking requirements such as attendee Wi-Fi access, business hall stands, technical trainings, briefings, and vendor demonstrations.

The Emergence of Sophisticated Malicious Traffic

Wyler explained to the audience that at Black Hat, most of the traffic is malicious, ranging from people demoing attacks to red team trainings. Thus, it doesn’t make sense to block any traffic unless there’s a direct attack on the infrastructure, such as the registration system. To help sort out malicious traffic, the NOC used several dashboards that showed a real-time view of everything flowing through the network, which let the NOC analysts capture statistics on device profiles, cloud application connections, and other information. The NOC also captured raw packet data so that, whenever anything seemed suspicious, analysts could go back, rebuild the session, and look at every single action someone took, packet by packet. This is not possible using logs only.

Using Dashboards for a Quick Visualization

To fast-track potential issues, the NOC created heat maps that offer a quick visualization of where Wi-Fi, Bluetooth, and even peer-to-peer wireless connections were being used. The map gives the NOC team a quick view of where issues might be afoot and an interesting perspective from which to identify them. During the Black Hat Asia Conference, the NOC tracked 1,500 unique devices connecting to the network, including mobile phones and Internet of Things (IoT) devices. About 72% of that traffic was encrypted, and the research team noted that this is a refreshing sign, indicating that more people are becoming aware of the importance of encrypting traffic.

The Escalating Need for Vigilance in the Face of Hacker Sophistication

The NOC team identified several interesting scenarios during the event. In one incident, an individual was creating WAV files such that all the NOC systems alerted at once. Wyler noted that the individual was injecting SQL on public-facing websites, compromising WordPress sites, running vulnerability scanning, and scanning for open ports. After he moved from attacking restaurant websites to probing payment sites, it was obvious that the activity wasn’t demo-related, so the team pinpointed the person and sent them a cease-and-desist email. Other incidents involved a VPN issue that was transmitting a user’s location information in plain text, and an endpoint detection and response (EDR) vendor that was sending all of the usage data it was collecting back to its servers unencrypted. In all cases, the NOC team worked closely with the affected entities to resolve the situations.

Conclusion: The Need to Be Proactive in Light of Emerging Threats

The Black Hat Asia Conference offered proof that the cybersecurity industry’s vigilance against emerging threats must continually evolve in light of the growing sophistication of malicious actors. Despite the high incidence of malicious traffic, the NOC is committed to supporting the secure operation of attendee traffic, so rather than blocking, it sends reminders to attendees who may inadvertently be sending login credentials and other information in plain text, along with other security risk alerts. The NOC’s approach is uniting the security industry around securing events and networks against emerging security threats.
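The monitor-rather-than-block triage described above (rebuilding sessions from packet capture, measuring the encrypted share, flagging plain-text credentials and location data for a reminder, and escalating only when probing reaches a sensitive site) can be sketched in a few functions. This is an added illustration, not code from the article or from the NOC team; the session records, hostnames and field names are constructed for the example, and the "sensitive host" list is an assumed input the analyst would supply.

```python
import re
from collections import defaultdict

# Constructed session summaries (not real NOC data): one record per session
# an analyst might reassemble from full packet capture.
SESSIONS = [
    {"src": "dev-a", "dst": "diner.example", "port": 80, "tls": False, "payload": "GET /menu?id=1' OR '1'='1 HTTP/1.1"},
    {"src": "dev-a", "dst": "diner.example", "port": 22, "tls": False, "payload": ""},
    {"src": "dev-a", "dst": "diner.example", "port": 3306, "tls": False, "payload": ""},
    {"src": "dev-a", "dst": "pay.example", "port": 443, "tls": True, "payload": ""},
    {"src": "dev-b", "dst": "vpn.example", "port": 8080, "tls": False, "payload": "POST /beacon lat=1.29&lon=103.85"},
    {"src": "dev-c", "dst": "mail.example", "port": 80, "tls": False, "payload": "POST /login user=alice&password=hunter2"},
    {"src": "dev-d", "dst": "cdn.example", "port": 443, "tls": True, "payload": ""},
    {"src": "dev-e", "dst": "api.example", "port": 443, "tls": True, "payload": ""},
]

# Data that should never cross the network unencrypted (hypothetical patterns).
PLAINTEXT_PATTERNS = {
    "credential": re.compile(r"(?:password|passwd|pwd)=|authorization:\s*basic", re.I),
    "location": re.compile(r"\blat(?:itude)?=[-\d.]+.*\blon(?:gitude)?=[-\d.]+", re.I),
}
INJECTION_HINT = re.compile(r"'\s*or\s*'", re.I)  # crude SQL-injection-looking request

def encrypted_share(sessions):
    """Percentage of sessions carried over TLS (the kind of figure behind the 72% stat)."""
    if not sessions:
        return 0.0
    return round(100 * sum(1 for s in sessions if s["tls"]) / len(sessions), 1)

def plaintext_exposures(sessions):
    """Unencrypted sessions carrying credentials or location data: reminder, not block."""
    hits = []
    for s in sessions:
        if s["tls"]:
            continue
        for kind, pat in PLAINTEXT_PATTERNS.items():
            if pat.search(s["payload"]):
                hits.append((s["src"], s["dst"], kind))
    return hits

def escalation_candidates(sessions, sensitive_hosts, min_ports=3):
    """Devices whose probing (injection-looking requests or many ports on one host) also reaches a sensitive host."""
    ports = defaultdict(set)
    suspicious, touched_sensitive = set(), set()
    for s in sessions:
        ports[(s["src"], s["dst"])].add(s["port"])
        if INJECTION_HINT.search(s["payload"]):
            suspicious.add(s["src"])
        if s["dst"] in sensitive_hosts:
            touched_sensitive.add(s["src"])
    suspicious |= {src for (src, _), p in ports.items() if len(p) >= min_ports}
    return sorted(suspicious & touched_sensitive)
```

Devices that only look like a demo (probing a non-sensitive host) stay on the dashboard; only the device that also touched the sensitive host is returned for a human to pinpoint.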
