
Tales from the Black Hat NOC: Finding Mr. Robot?

Nov 04, 2016 | by Miha Mesojedec |


The most significant part of Black Hat Europe 2016 has finally started and, as expected, we are watching the arrival of smart security experts who have come to the event to exchange information or show off their latest tools and products. It is hard to say what kind of skilled "hackers" we can expect during the last two days of the conference, where anyone can create their own "Mr. Robot" identity and hide behind it. If you have watched the Mr. Robot series, you know that Elliot (the main character of the show) is a "normal" cybersecurity engineer, but outside of his professional job he is also a hacker with an abnormal capability to get data out of any system, no matter how well protected it is... So, how does all of this relate to Black Hat Europe?

RSA team members are working with the overall Black Hat NOC team this week, analyzing logs and complete network traffic. As a team, we are trying to identify the potential "Mr. Robots" at this event and discover any malicious activity happening on the Black Hat network. Our main goal is to hunt, fight, and defend: we are the eyes and ears of the conference, working to provide full visibility into the event network using the latest version of the RSA NetWitness Logs & Packets solution.

As one of the Black Hat NOC analysts, I am tasked with hunting and figuring out what is happening in the network. With just a few clicks, we are able to see that people are abusing services to tunnel traffic (e.g. ICMP tunneling), running normal services on non-standard ports, using non-secure protocols (e.g. FTP, POP3, etc.), sending passwords in plain text, abusing the network for BitTorrent downloads, or watching adult content.

BH NOC ICMP Tunneling

Of note, interesting things started to show up when we used the RSA Hunters Pack content for investigation, which lets us quickly determine what counts as unusual activity. At the beginning of a recent investigation, we discovered a Heartbleed attack; the vulnerability was publicly disclosed in April 2014. The RSA NetWitness hex reconstruction in the picture below shows the request's Client Hello packet (16 03 02 00 dc 01 00 00 d8 03 02), which indicates a Heartbleed attack. If we chop the packet into pieces, we get the following result:

Content Type = 16 (handshake message)
Version = 03 02
Packet Length = 00 dc
Message Type = 01 (client hello)
Length = 00 00 d8
Client version = 03 02 (TLS 1.1)
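As an added example (my own code, not RSA NetWitness's and not from the original post), here is a small Python decoder that walks the same bytes the way the breakdown above does and, going beyond the post, also decodes heartbeat records and flags a claimed payload length larger than the record can hold, which is the malformed request that Heartbleed relies on. The two heartbeat records are constructed samples, not captured traffic.

```python
import struct

# TLS record content types and handshake types (RFC 5246, RFC 6520)
HANDSHAKE = 0x16
HEARTBEAT = 0x18
CLIENT_HELLO = 0x01
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# The Client Hello bytes quoted in the post, plus two constructed heartbeat
# records (not captured traffic): one well-formed, one with an oversized claim.
CLIENT_HELLO_FROM_POST = bytes.fromhex("16030200dc010000d80302")
HEARTBEAT_BENIGN = bytes.fromhex("1803020014" "01" "0001" "41" + "00" * 16)
HEARTBEAT_SUSPECT = bytes.fromhex("1803020003" "01" "4000")


def _version(major: int, minor: int) -> str:
    return TLS_VERSIONS.get((major, minor), f"unknown {major}.{minor}")


def parse_tls_record(data: bytes) -> dict:
    """Decode the 5-byte TLS record header; for a handshake record also the
    4-byte handshake header and the client version of a Client Hello; for a
    heartbeat record compare the claimed payload length with the record."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte TLS record header")
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    out = {"content_type": content_type, "version": _version(major, minor),
           "record_length": rec_len}
    body = data[5:]
    if content_type == HANDSHAKE and len(body) >= 4:
        out["handshake_type"] = body[0]
        out["handshake_length"] = int.from_bytes(body[1:4], "big")
        if body[0] == CLIENT_HELLO and len(body) >= 6:
            out["client_version"] = _version(body[4], body[5])
    elif content_type == HEARTBEAT and len(body) >= 3:
        claimed = struct.unpack("!H", body[1:3])[0]
        out["heartbeat_type"] = body[0]
        out["claimed_payload_length"] = claimed
        # RFC 6520: 1-byte type + 2-byte length + payload + >=16 bytes padding
        # must fit inside the record; a larger claim is the Heartbleed trigger.
        out["heartbleed_suspect"] = claimed + 1 + 2 + 16 > rec_len
    return out


if __name__ == "__main__":
    for name, rec in [("client hello", CLIENT_HELLO_FROM_POST),
                      ("benign heartbeat", HEARTBEAT_BENIGN),
                      ("suspect heartbeat", HEARTBEAT_SUSPECT)]:
        print(name, parse_tls_record(rec))
```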

Event Reconstruction

This incident was created in RSA NetWitness and placed in the remediation queue so that the Black Hat NOC team could properly mitigate it.

Further investigation within the Black Hat NOC revealed additional malicious activity in the network. To make investigation easy, we created dashboards from which we can drill down with a single click, start a focused investigation, and quickly look for and spot our "Mr. Robots."

Threat Source

We did end up finding the Mr. Robot in question and have been able to help the Black Hat NOC team gain more visibility into their network. You can find your own Mr. Robot as well... and to do so, you need complete visibility across logs, network traffic and endpoints. During this week, the RSA Black Hat NOC team will continue working to keep the Black Hat network safe.