May 19, 2025 by Jason Wood
It was January 2025 and it was a new year at a new job. I had just started at Corelight as a member of the TME team and received an invitation to work Black Hat Asia as a threat hunter in the Black Hat Network Operations Center (NOC).
However, would I be ready in time to represent Corelight while working with our partner organizations and Black Hat veterans? Before joining Corelight I spent six years working in endpoint threat hunting and my knowledge of how attacks work is robust. But this would be completely network-focused work, and it had been a long time since I used Snort and Sguil for network security monitoring (NSM). I was more than a little nervous when I answered the question by saying, “Yup, count me in.” I had a few months to get ready, so I immediately re-immersed myself in the details of NSM.
The next few months were a blur of projects which helped me get familiar with Corelight’s data and applications. I dove into Corelight Investigator’s search capabilities. With an eye towards Black Hat, I documented any useful queries I came up with. Many came from thinking through the intrusions I had seen in the past and asking myself how they might show up in the network traffic. What would it look like and what would it need to correlate with? I don’t think any of those initial queries were amazing, but they were a useful starting point and helped me to approach hunting from a network-centric perspective.
Then it was time for a very long flight from the United States to Singapore. I felt reasonably well-prepared, but soon it would be time to put what I had learned into practice — on a network with traffic that would send a normal NOC into panic mode.
My first day at the NOC was two days before the training sessions were to begin. The Black Hat NOC includes security professionals from Black Hat, Cisco, Arista, Palo Alto Networks, MyRepublic, and Corelight. The NOC spreads across two rooms, one for the team to work in while the other becomes a temporary data center/storage area.
It was clear that most of these folks had been through this process before. At first it looked rather chaotic, but it didn’t take long to see that everyone was working through a well-prepared plan to build a complete and well-protected environment in just a few days.
Black Hat’s network is not a simple flat network intended to give attendees Internet access. A great deal of effort has gone into making it reliable and relatively safe. Each of the classrooms, conference rooms, and the general WiFi network have their own VLANs and access controls to prevent activity on one VLAN from disrupting another.
I was not really part of the setup process because I was so new to Corelight and the Black Hat NOC. Several of my teammates (Eldon Koyle, Mark Overholser, and Ben Reardon in particular; I encourage you to read their Black Hat dispatches) focused on getting our sensors configured and prepared.
For me, these two days were a chance to learn the environment and customize queries in preparation for day one of the conference, and I made the best of it. I had heard that the network activity at Black Hat Asia and Europe was generally calmer than at Black Hat USA. So I would keep learning while under fire, so to speak, but without being overwhelmed by a torrent of activity to investigate.
The Black Hat network is an interesting beast. Nearly everyone expects malicious activity to occur during the conference. Attendees were taking classes and listening to briefings on how things can be attacked and defended. This meant there were lab exercises that appeared malicious, except that there was no malice intended. It was common to see a classroom suddenly have a large number of people attacking a cloud host at the same time. A quick look at the traffic would confirm that everyone was doing something similar and that the class had begun a lab exercise.
Neil Wyler, aka grifter, describes threat hunting in this network as looking for a needle in a pile of needles. Shenanigans are always expected, but we were looking for activity that was intended to harm someone else, not just match a pattern or signature. Trying out an exploit against an in-class target host is normal here — and we had to keep that in mind.
I executed some of my prepared queries to look for signs of someone misbehaving outside of the “normal” malicious traffic. I would check to see if a host in one classroom was attempting to access another class network. I saw a number of port scans, but each time Black Hat’s segmentation and access controls appeared to be working. None of these attempts resulted in a successful connection, much less a successful attack.
This led me to wonder what was happening unintentionally, or at least what was being done despite what good practices and common sense would recommend. At one point, I decided to look for Server Message Block (SMB) activity, though I did not expect to find anything. To my surprise I found a single host connecting to an SMB server over the Internet! The SMB server was a Synology NAS device that had been configured to use Synology’s DDNS. This warranted a closer look.
The remote hostname matched a subdomain used for Synology remote access, so it appeared that the attendee was connecting to their home NAS. The plot thickened when I saw that they were accessing some rather sensitive documents regarding a Japanese bank’s security testing plans. One of the files accessed contained credentials and API endpoints!
The screenshot from Corelight Investigator shows an overview of what was discovered:
There are a couple of lessons to be learned from this person’s actions. First, don’t take work documents home to store on personal devices. The convenience may be tempting, but it causes nothing but trouble when it’s discovered.
Second, don’t share or transfer data over the internet using SMB. While SMBv3 does have encryption, the chance of using an earlier unencrypted version of SMB is just too high. SMB was intended for use inside a network, not for public-facing communications.
Finally, everyone who is transferring sensitive data over the Internet must make very sure that it is done using an explicitly encrypted method. Even if the source and destination networks are trusted, all of the hosts that the data passes through must be considered hostile.
And seriously, transferring sensitive data without encryption over a network where people are learning to attack systems? Just don’t!
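The two hunts described above (cross-classroom connection attempts, and SMB leaving the network for an Internet host) can be expressed as simple checks over Zeek-style connection records, which is what Corelight sensors produce. The following is an added example written for this post, not Corelight’s own query language or code. It parses a small constructed conn.log sample in Zeek’s JSON field naming (the addresses, uids, VLAN ranges and the `ZONES` layout are invented; 203.0.113.0/24 is a documentation range standing in for a public address) and flags (a) connections between different segments, noting whether the responder ever completed the handshake, (b) originators probing several ports across segments, and (c) SMB to a non-RFC 1918 responder.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample of Zeek-style conn.log records in JSON form. Field names follow
# Zeek's conn.log; the addresses, uids and timestamps are invented for this example and
# 203.0.113.0/24 (a documentation range) stands in for a public Internet address.
SAMPLE_CONN_LOG = """\
{"ts":1743500000.1,"uid":"C1","id.orig_h":"10.10.1.25","id.orig_p":51000,"id.resp_h":"10.10.1.200","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
{"ts":1743500001.2,"uid":"C2","id.orig_h":"10.10.1.25","id.orig_p":51001,"id.resp_h":"10.10.2.7","id.resp_p":22,"proto":"tcp","conn_state":"REJ"}
{"ts":1743500001.3,"uid":"C3","id.orig_h":"10.10.1.25","id.orig_p":51002,"id.resp_h":"10.10.2.7","id.resp_p":445,"proto":"tcp","conn_state":"REJ"}
{"ts":1743500001.4,"uid":"C4","id.orig_h":"10.10.1.25","id.orig_p":51003,"id.resp_h":"10.10.2.7","id.resp_p":3389,"proto":"tcp","conn_state":"S0"}
{"ts":1743500040.0,"uid":"C5","id.orig_h":"10.10.3.40","id.orig_p":52000,"id.resp_h":"203.0.113.5","id.resp_p":445,"proto":"tcp","service":"smb","conn_state":"SF"}
{"ts":1743500041.0,"uid":"C6","id.orig_h":"10.10.3.40","id.orig_p":52001,"id.resp_h":"203.0.113.9","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}
{"ts":1743500090.0,"uid":"C7","id.orig_h":"10.10.2.7","id.orig_p":40000,"id.resp_h":"10.10.1.25","id.resp_p":445,"proto":"tcp","service":"smb","conn_state":"SF"}
"""

# Hypothetical segment layout: one /24 per classroom plus the general WiFi VLAN.
ZONES = {
    "classroom-a": ipaddress.ip_network("10.10.1.0/24"),
    "classroom-b": ipaddress.ip_network("10.10.2.0/24"),
    "general-wifi": ipaddress.ip_network("10.10.3.0/24"),
}

# Anything outside RFC 1918 space is treated as "the Internet" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zeek conn_state values that imply the TCP handshake completed, i.e. the
# responder actually answered rather than rejecting or ignoring the attempt.
ESTABLISHED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}


def parse_conn_log(text):
    """Parse newline-delimited JSON conn.log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def zone_of(host):
    """Return the name of the configured segment containing host, or None."""
    addr = ipaddress.ip_address(host)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def find_cross_segment_attempts(records):
    """Connections where originator and responder sit in different known segments.

    Each hit records whether the responder completed the handshake, which is the
    difference between "segmentation held" and "someone got through".
    """
    hits = []
    for r in records:
        src_zone, dst_zone = zone_of(r["id.orig_h"]), zone_of(r["id.resp_h"])
        if src_zone and dst_zone and src_zone != dst_zone:
            hits.append({
                "uid": r["uid"],
                "orig": r["id.orig_h"],
                "resp": r["id.resp_h"],
                "port": r["id.resp_p"],
                "from": src_zone,
                "to": dst_zone,
                "established": r.get("conn_state") in ESTABLISHED_STATES,
            })
    return hits


def port_sweep_summary(attempts, min_ports=3):
    """Group cross-segment attempts by originator; keep hosts probing >= min_ports ports."""
    ports = defaultdict(set)
    for a in attempts:
        ports[a["orig"]].add(a["port"])
    return {h: sorted(p) for h, p in ports.items() if len(p) >= min_ports}


def find_internet_smb(records):
    """SMB (service 'smb' or TCP/445) from an internal host to a non-RFC 1918 responder."""
    return [
        r for r in records
        if (r.get("service") == "smb" or r["id.resp_p"] == 445)
        and is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"])
    ]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    cross = find_cross_segment_attempts(recs)
    for a in cross:
        status = "ESTABLISHED" if a["established"] else "blocked/no reply"
        print(f"{a['uid']}: {a['from']} -> {a['to']} port {a['port']} ({status})")
    print("possible sweeps:", port_sweep_summary(cross))
    for r in find_internet_smb(recs):
        print(f"{r['uid']}: SMB to Internet host {r['id.resp_h']} from {r['id.orig_h']}")
```

On the sample, the three probes from 10.10.1.25 into classroom-b are all rejected or unanswered (the segmentation held, as in the post), while C7 shows what a successful cross-segment SMB session would look like and C5 is the SMB-to-Internet case worth a closer look. A real hunt would run the same checks against the sensor’s conn.log export and then pivot on the uid into the SMB file logs to see what was actually accessed.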
One of the things I enjoyed about my week in the NOC was mixing with folks who worked for all the partner companies. These companies compete amongst each other to varying degrees, but I didn’t notice any trouble collaborating here. We shared information about what we were seeing and helped each other when we needed some additional information. It was common to see someone walk over to a different partner’s table, ask for some help, and see them get what they needed.
A couple of reasons for this collegiality occurred to me. First, we all had been selected by Black Hat to provide a service for them. We had the common task of providing a reliable and safe network experience for all of the attendees, and everyone did their best to make this happen.
Second, being part of the Black Hat NOC means working under pressure, which is its own type of bonding experience. What’s more, many folks had served at multiple Black Hat conferences together. Black Hat Asia was a bit of a reunion for them; you could see it in the greetings and farewells. These are very dedicated, professional people and it shows.
I expected questions from friends and colleagues when I was home, and sure enough I got them. What was it like? Did I enjoy it? Will I do it again?
It took me a couple of days to recover and to process my thoughts before I had good answers. It was a marathon week, for certain. Spending six hours a day doing network threat hunting while jet lagged is an experience.
But it was a great opportunity to use the tools and technology in a real network where a few thousand people were doing all kinds of things that were probably not maliciously intentioned — but which couldn’t be ignored.
The experience of being on watch, in that capacity, made the trip valuable to me. I also got to spend a great deal of time with my Corelight coworkers in one place, which is not the norm for us (we’re mostly a remote team).
Call it the difficult kind of fun, where one is part of a larger team with a common purpose that requires deep focus on tasks at hand. I wouldn’t compare it to a trip to Disneyland; this was work. But the camaraderie that develops during an experience like this is very cool.
Will I do it again? Yup, count me in! The next stop is Black Hat USA, where the hacking has a reputation for being far less polite and the network is far busier. I’m looking forward to taking what I learned from Black Hat Asia and applying it in Las Vegas this summer. See you then!