Tales from The Black Hat NOC: Organizing the Chaos

Jul 31, 2016 | by RSA

A glimpse into training day.

Yesterday marked the official start of Black Hat 2016, kicked off with various training courses spread throughout the convention center.

For the RSA NOC team this meant a chance to validate yesterday's installation and get an initial glimpse into the activity within and around the classroom and conference networks before the full deluge hits the wire during the briefings. As the conference ramps up, so too will the volume and variety of traffic that one would expect when allowing thousands of hackers access to an unfettered network - so expect much more to come - but here is a small glimpse into this ephemeral digital world.

While the sources are few, the logs are plentiful. The RSA NetWitness Platform is capturing and summarizing network and web access logs from Fortinet equipment and wireless access points from Ruckus and merging it with RSA NetWitness solutions for a single, consolidated viewpoint.

Web activity and operational overview via log data collected from the Black Hat infrastructure

On the full packet capture side we've certainly started to see a few interesting things, but the first order of business was simply to build out a few dashboards to get a handle on the data. In the spirit of Black Hat, we decided to have a little fun with one dashboard in particular, calling out some tools we've seen generating network traffic, protocol visibility, executable file transmission, and clear text password transmission (complete with associated username - you may want to think twice about how you authenticate at a hacker convention)

Our (affectionately named) LOL Packets dashboard dipping toes into the happenings within the Black Hat network

We're also processing all portable executable, PDF, and document file types captured in transit which is starting to (unsurprisingly) bubble up evidence of potential malware.

Malware Analysis summary of suspicious files and their relative to Static, Network, Community (VirusTotal) and Sandbox analysis

Over the coming days we'll be sharing some of the more compelling events, interesting statistics, and overall mischief we uncover as we peer into this world and try to bring some order and understanding to the chaos.

Author: RSA

Category: Research and Innovation, RSA Point of View, Blog Post

Keywords: Black Hat, Black Hat 2016, Black Hat NOC, NetWitness, Security Analytics