Tales from the Black Hat NOC: Attendee Attacks, Loud and Proud

Aug 03, 2016 | by Scott Carter

We are approaching the end of Black Hat's training days. It's an interesting time when the expo floor still sits quiet, but the Black Hat network is as noisy as ever - as seen by the RSA volunteers working inside the Black Hat NOC.

The majority of this noise is being generated by teachers and students, demonstrating or practicing techniques, both new and old. This, however, doesn't do anything to prevent the RSA Netwitness Suite from lighting up like a Christmas tree.

So, what sort of "gifts" did the Black Hat attendees put in front of that tree this year? Here's just a small sample from yesterday's "noisiest" traffic to give you an idea...

I <3 Grifter Incident:

  • My favorite investigation from yesterday. 1.23 GB of content transferred in just a few minutes will make you think twice about overlooking that ICMP traffic.

RSA Netwitness Alerting off of ICMP Tunnelling

ICMP Payloads - Who Doesn't Love Grifter?!

Thanks For A Perfect Example Rob

It's not the first incident that's made us smile in the Black Hat NOC - after meeting attendees over the past few days, I'm confident it will not be the last.

Scantastic Incidents:

  • Scanning alerts have blown up in the Black Hat NOC alert queues. Both inbound and outbound, it seems that everyone is just wanting to reach out and touch each other. Who knew there would be so much love?

I scan you, you scan me, one big disfunctional family

I hope you've enjoyed the glimpse into the incident queue. Fortunately, it's time for me to head over for my next shift - I'm sure they will have all sorts of new goodies for me today. I look forward to sharing them with you again soon. Until next time,

Your RSA Black Hat NOC Team

Author: Scott Carter

Category: RSA Fundamentals

Keywords: Black Hat, Black Hat NOC, Black Hat NOC 2016, ICMP Tunnel, NetWitness, RSA Netwitness, Security Analytics, Security Operations