BLACK HAT USA -- Las Vegas -- Securing Black Hat from Black Hat sounds like a great tagline, but it’s something volunteers at the Black Hat Network Operations Center (NOC) took very seriously last week when we were tasked to help secure one of the most hostile networks on the planet.
Our primary objective for network security was to maintain an open environment that was both available and performed well, but equally safe and secure. The principal challenge came from the Black Hat attendees themselves, a group of men and women who were constantly testing new attack techniques and tools against the network throughout the entirety of the conference. Thus, for those of us in the NOC, our goal was to get out of the way of attendees’ learning and calibration process because we share the belief that testing security effectiveness means testing with live attacks and the newest techniques. That’s what the bad guys do, and that’s how we learn to protect ourselves.
At the same time, Black Hat NOC volunteers must also ensure that all management and registration networks are protected and adhere to guidelines from both the event venue at the Mandalay Bay and the Internet Service Providers providing web access.
Many attendees understood the potential dangers of the Black Hat network and took steps to ensure their safety when accessing the network. The top 20 applications we observed were related to secure VPNs or other privacy-related applications. It appears that security professionals have started to learn they should always use a VPN on an open wireless network.
When the Black Hat NOC observed what could be classified as “threats” we believed them to be related to attendees testing applications and attack techniques rather than using applications for nefarious activities. The top threat detected was an application called Netcat – often used by penetration testers or in classroom environments to teach attacker techniques. Yes, it is possible real attackers with malicious intent could be using this as well; after all, it’s a very simple and easy-to-use application. But my gut tells me they would use something a little more effective.
The Black Hat NOC also observed a virus called JS/Frame.BDF!tr. This virus attempts to gain access to a victim’s computer and was the second most popular threat the NOC observed during the conference – most likely because the signature catches different types of web HTML and iFrame attacks.
Attackers sometimes use this virus with a social engineering technique, trying to trick a user into accepting a software update or some sort of web dialogue box they need to click ok on. Although it is possible to embed and use this attack in a manner that could evade anti-virus and other host protection technologies, there are much more sophisticated ways to get the same results that work much more efficiently.
In most cases the JS/Frame virus was used in a classroom or learning environment where attendees were learning about techniques, or it could have simply been the amateur attacker trying his luck on the Black Hat network. At an event like this, you are always going to have a few script kiddies who do not understand hacking and are using pre-built scripts and programs made by others to launch attacks.
Participants in sessions about web application hacking led the NOC team to software such as Zeus crawl, which was quickly contained and stopped by attendees themselves as they learned how sophisticated malware works and propagates.
The NOC also observed outgoing Botnet traffic attempting to communicate with known compromised command and control servers. This included communication traffic from Neurevt Botnet and Cridex Botnet. It is difficult to guess if this Botnet traffic was communicating on purpose, perhaps for a Black Hat class, if attendees had become infected while at Black Hat, or if they had been infected before they even arrived at the conference. Since we saw Botnet communication appear all of a sudden on the first day rather than a gradual, predictable rise, I tend to believe at least a percentage of the traffic were attendees infected before they even arrived in Las Vegas.
Now, if you think anything like I do, you’re likely wondering, “Where are all the new attacks? Where are all the zero-days in the network?” The truth is, the goal of the Black Hat network is to promote sharing of information, and we take privacy and the ability for attendees to learn very seriously. If attendees were executing more sophisticated attacks, it is possible they may have been doing it through encryption or VPNs. We did not observe any new exploits being taken advantage of or anything that I would define as a zero-day attack. We did see some new variants of old attacks that may not have necessarily been detected by security tools. However, we found nothing that we considered really earth shattering.
It actually makes perfect sense if you think about it. Black Hat is a learning environment and it is about sharing ideas. Zero-days, although they are pretty sexy in the security world, have a limited shelf life. However, when attendees learn the actual techniques behind well-known malware, they understand how it truly behaves and how attackers really think. This allows them to take that knowledge and defend their own networks.
What did we learn from Black Hat? Attendees are testing real attacker tools and techniques at the conference. But attackers are not truly testing, or bringing with them, complex attacks that take advantage of new, unknown exploits. (Or if they are, they are doing it over an encrypted non-observable channel.)
In any case, I wouldn’t worry too much. Unlike attendees, I can confidently say everyone involved in the Black Hat network takes privacy extremely seriously and no one would ever run any type of SSL Intercept or Man-in-the-Middle attack. (Well, at least no one running the official network.) But you might want to look out for other attendees.