Inside the NOC used to defend this year’s Black Hat


Defending the Black Hat network isn't an easy task. Black Hat and its partners stand it up in a couple of days, assembling, testing and integrating a set of tools to run the Network Operations Center (NOC) so that it can quickly identify and stop malicious threat actors from attacking Black Hat's infrastructure and disrupting attendees' conference experience. Last year's event saw close to a billion separate threat events detected, a testament to how much attacker attention the event draws. Once again, Palo Alto Networks is part of the NOC team defending this year's conference network with its products Cortex XSOAR, Cortex XSIAM, Next-Gen Firewalls and Cloud-Delivered Security Services, working closely with our partners Arista Networks, Cisco, Corelight, Lumen and RSA/NetWitness.

Having this mix of partners in the NOC helps us all improve our products and deliver real customer value, since we can collaborate to build new product integrations and resolve incompatible data formats. For example, at one of last year's events we found that a threat intel feed wasn't working properly with XSOAR; our product engineers identified the problem and fixed it during the event. We are also able to share these feeds across partner vendors' product lines, making for more comprehensive threat research and analysis.

Automation also helps the NOC team leverage their time and scale the operations. With the power of security operations automation, we are freed up from the more mundane tasks and can examine more complex threat patterns to protect the conference.

We also worked with Cisco to give them full visibility into DNS traffic by rerouting attendees' DNS requests to Cisco's resolvers at the network level, with no changes required on attendee devices. This enabled more accurate detection of DNS-specific threats, which matters all the more as analysts try to distinguish legitimate traffic from AI-generated traffic on the conference network. Another NOC partner is Arista. By combining the visibility from Arista's products with automation playbooks in XSOAR, we can identify which Wi-Fi access point and network address a suspect device is using, and quickly block that traffic if an analyst confirms a malicious situation.
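The attribution step such a playbook performs, as an added example that is not code from Palo Alto Networks, Arista or Black Hat: the block below takes a DNS alert's source IP and timestamp and joins them, time-aware, against DHCP lease and access-point association records to find the client MAC and the AP it was on. The record formats and all sample data are constructed assumptions, not any vendor's export format. The point it makes that the paragraph does not is that conference IPs are reused across devices over the day, so a block keyed on the IP alone can land on the wrong attendee; the playbook should block the client (MAC) and escalate when no lease covers the alert time.

```python
"""Attribute a suspect IP on a conference Wi-Fi network to a client MAC and
access point before blocking, as a NOC playbook would.

Added example, not code from Palo Alto Networks, Arista or Black Hat.
All records below are constructed; their formats are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class DhcpLease:
    ip: str
    mac: str
    start: datetime
    end: datetime            # lease expiry (exclusive)


@dataclass(frozen=True)
class Association:
    mac: str
    ap: str
    start: datetime
    end: Optional[datetime]  # None means still associated


T0 = datetime(2024, 8, 7, 9, 0)


def when(hours: int, minutes: int = 0) -> datetime:
    """Helper for readable timestamps relative to the constructed start of day."""
    return T0 + timedelta(hours=hours, minutes=minutes)


# Constructed sample data. 10.20.30.7 is leased to two different clients over
# the day, with a 5-minute gap in between, so attribution must be time-aware.
LEASES = [
    DhcpLease("10.20.30.7", "aa:bb:cc:00:00:01", when(0), when(2)),
    DhcpLease("10.20.30.7", "aa:bb:cc:00:00:02", when(2, 5), when(6)),
    DhcpLease("10.20.30.8", "aa:bb:cc:00:00:03", when(0), when(6)),
]
ASSOCIATIONS = [
    Association("aa:bb:cc:00:00:01", "ap-hall-a-12", when(0), when(1)),
    Association("aa:bb:cc:00:00:01", "ap-hall-b-03", when(1), when(2)),   # roamed
    Association("aa:bb:cc:00:00:02", "ap-hall-c-07", when(2, 5), None),
    Association("aa:bb:cc:00:00:03", "ap-hall-a-12", when(0), None),
]


def mac_for_ip(ip: str, at: datetime, leases=LEASES) -> Optional[str]:
    """Which client held this IP at the given instant, per DHCP leases."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease.mac
    return None


def ap_for_mac(mac: str, at: datetime, assocs=ASSOCIATIONS) -> Optional[str]:
    """Which access point the client was associated with at the given instant."""
    for a in assocs:
        if a.mac == mac and a.start <= at and (a.end is None or at < a.end):
            return a.ap
    return None


def attribute(ip: str, at: datetime, leases=LEASES, assocs=ASSOCIATIONS):
    """Resolve an IP seen in an alert to {ip, mac, ap}, or None if no lease
    covered that IP at that time (e.g. the alert fell in a lease gap)."""
    mac = mac_for_ip(ip, at, leases)
    if mac is None:
        return None
    return {"ip": ip, "mac": mac, "ap": ap_for_mac(mac, at, assocs)}


def plan_block(alert: dict, leases=LEASES, assocs=ASSOCIATIONS) -> dict:
    """Turn a DNS alert {src_ip, time} into a block decision.

    The block is keyed on the client MAC, not the IP: the same address is
    handed to different devices over the day, so an IP-only block would hit
    whoever holds the address later. If attribution fails, escalate to an
    analyst instead of guessing.
    """
    who = attribute(alert["src_ip"], alert["time"], leases, assocs)
    if who is None:
        return {"action": "escalate",
                "reason": f"no DHCP lease covers {alert['src_ip']} at {alert['time']:%H:%M}"}
    return {"action": "block_client", "mac": who["mac"], "ap": who["ap"], "ip": who["ip"]}


if __name__ == "__main__":
    # Constructed alert: a DNS-based detection fired on 10.20.30.7 at 10:30.
    print(plan_block({"src_ip": "10.20.30.7", "time": when(1, 30)}))
    print(plan_block({"src_ip": "10.20.30.7", "time": when(2, 2)}))
```

The same IP resolves to a different device, and a different access point, depending on the alert time, and an alert landing in the lease gap is escalated rather than blocked. In a real deployment the lease and association tables would come from the DHCP server and the wireless controller rather than be embedded inline.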

As with previous Black Hat conferences, we use these tools to automate and orchestrate our NOC operations so the team can resolve incidents efficiently. Some of these incidents occur as part of the conference’s content, such as attacks on cloud infrastructure as part of a scheduled training session on attacking and defending cloud infrastructure. Attendees and trainers are constantly exploring the network with tools and techniques as part of their Black Hat learning experience, and we don’t want to prevent that from happening.

We also see plenty of actual threats, those not generated as part of the conference's expected activities. At past events we have seen attendees' computers that were compromised, and we were able to warn them of the infection so they could perform incident response. There are cases where attendees have abused bandwidth by downloading huge files or the latest version of an online game. We have seen people try to attack the conference infrastructure from across the world, or take other actions that could be illegal, so it helps that our tools can identify the source of an incident and quickly respond as required.

Of course, nobody is immune to human error, and we see plenty of incidents caused by poor security practices or mistakes, such as a leaky Virtual Private Network from an attendee who wasn't aware that their VPN client was misconfigured. We've also observed people using apps with broken or no encryption, resulting in confidential data being transmitted in the clear across the network.

Speed of operations is of the essence because of the volume of suspicious traffic that traverses the conference network. Uptime and resiliency of the event's infrastructure are our top priority. Much of the event's content relies on online resources, so Internet connectivity and other online services must always be up and running.

With our automation playbooks in XSOAR, we can make quick changes to firewall rules to accommodate unexpected changes during the conference. We can also reconfigure network security quickly, which was required at a previous conference when shipping delays meant key equipment didn't make it to the venue in time. The delay required on-the-fly reprovisioning of workloads and changes to access permissions to protect the modified network; this mirrors real-world scenarios in which an infrastructure component fails and there are a lot of moving parts to adjust.
