January 28, 2025 by Mark Overholser
Working in the network operating center (NOC) at Black Hat Europe, we’re never quite sure what we’re going to see. The anxiousness I feel there is similar to what I’d experience when I was blue-teaming for a corporate network. I could prepare all I wanted, read all the blogs about the current threat trends people and companies were tracking on the Internet, and review all the red team and vulnerability scanner reports to identify likely targets. But what actually happened always came down to decisions made by humans outside of my control.
The same is true at Black Hat, where we can prepare all we want, but ultimately what happens on the network is largely up to the students, trainers, and attendees. It could be completely benign and boring, or it could be a Very Interesting Week™.
The only difference between the corporate network that I was used to monitoring and the Black Hat network is the much-higher density of people on the Black Hat network that have (or are there to learn) the skills to cause havoc. Also, we’re generally not allowed to block things indiscriminately. These factors definitely amplify my anticipation, if not my anxiety.
We are always on the lookout for attacks against the Black Hat registration infrastructure. Since the conference is processing thousands of attendees in a short amount of time, the registration infrastructure is hosted on-premises at the location of the conference for its duration. This ensures that if there is any degradation or interruption of internet connectivity, the registration staff can continue to process attendees into the conference quickly and seamlessly, preventing lines and maintaining a good conference experience for everyone.
What this also means, though, is that the NOC is continuously monitoring and securing the registration infrastructure, which is exposed to the Internet to facilitate attendees’ last-minute registration and payments.
One thing everyone who has exposed any asset to the Internet knows is that within minutes, that asset will be at minimum tickled and/or probed, and at worst it will be attacked. If the attacks don’t come in the first few minutes, don’t worry; they’ll come eventually. This is why the Black Hat conference works with Palo Alto Networks to supply and configure a Next-Generation Firewall (NGFW) to filter inbound traffic and block obvious attacks, which significantly reduces the risk of having an Internet-facing service.
After the registration infrastructure was moved on-premises, it was not long before an IP address on the Internet was attempting multiple exploits against the web server. Thankfully, this activity was pretty obvious thanks to the threat detections we received in Investigator, so we recommended blocking the IP out of an abundance of caution. After this bit of housekeeping we moved on to more interesting things.
Black Hat attracts pentesters, of course! Frequently we see them running actual, live penetration tests from the Black Hat network, with the machines that they bring. If the targets aren’t classroom infrastructure, we typically request that they stop, or route the traffic elsewhere.
Black Hat Europe was, as one colleague put it, more “polite.” We did see one person log into the web interface of what appeared to be a bastion host for pentesting tools. At least this individual sent their activity from that host instead of directly from the shared network.
Of course, we’re able to see the details of the tools installed and used, because the connection to the bastion host was done over unencrypted HTTP connections, which leads directly into…
One thing that would likely surprise people if they looked at the traffic on their network is that even with all the improvements made over the last couple of decades, there is still traffic on the network (or across the Internet) that’s unencrypted, often just because setting up and managing certificates for authenticating the encryption is an unwelcome complexity.
At Black Hat Europe, we spotted a user logging into a Guacamole server. Guacamole is a web gateway for remote access to other machines, often via protocols like Remote Desktop Protocol (RDP). The login happened over HTTP, and the authentication tokens were used over HTTP as well. Anyone able to observe that traffic would be able to log in to the Guacamole server and gain access to all of the systems positioned on the other side of the gateway. The user likely didn’t intend to be exposed this way.
We also observed an attendee’s phone backing up photos taken at the conference to their NextCloud server via PUTs over HTTP. The use of a no-ip.org domain means this user was probably hosting this NextCloud instance at their home and using a dynamic DNS (DDNS) service to keep the domain pointing at their public IP address, as it might change over time. Like the Guacamole user above, this user likely didn’t realize how exposed they were.
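The three cases above (the bastion host reached over HTTP, the Guacamole login with tokens reused over HTTP, and the photo uploads to a Nextcloud instance on a dynamic-DNS hostname) are all visible in network metadata without any payload inspection beyond what Zeek-style logging already records. The following is an added example, not code from Corelight or from this post, that runs a few plaintext-exposure heuristics over constructed records in the JSON flavour of a Zeek/Corelight `http.log`. The field names (`id.orig_h`, `method`, `host`, `uri`, `username`, `request_body_len`) are standard Zeek `http.log` fields; the hostnames, addresses, uids, paths, the token parameter list, the DDNS suffix list and the upload-size threshold are assumptions made for the example and should be tuned to your own environment.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample records in the JSON flavour of Zeek/Corelight http.log.
# Hosts, addresses, uids and paths are invented placeholders for this example.
SAMPLE_HTTP_LOG = """\
{"ts": 1733900001.1, "uid": "C1", "id.orig_h": "10.20.30.40", "id.resp_h": "203.0.113.10", "id.resp_p": 80, "method": "POST", "host": "bastion.example.net", "uri": "/guacamole/api/tokens", "request_body_len": 57, "status_code": 200}
{"ts": 1733900002.2, "uid": "C2", "id.orig_h": "10.20.30.40", "id.resp_h": "203.0.113.10", "id.resp_p": 80, "method": "GET", "host": "bastion.example.net", "uri": "/guacamole/api/session/data/postgresql/connections?token=ABCDEF0123456789", "request_body_len": 0, "status_code": 200}
{"ts": 1733900003.3, "uid": "C3", "id.orig_h": "10.20.30.41", "id.resp_h": "198.51.100.7", "id.resp_p": 80, "method": "PUT", "host": "example-home.no-ip.org", "uri": "/remote.php/dav/files/alice/IMG_0001.jpg", "request_body_len": 2483201, "status_code": 201}
{"ts": 1733900004.4, "uid": "C4", "id.orig_h": "10.20.30.42", "id.resp_h": "198.51.100.9", "id.resp_p": 80, "method": "GET", "host": "intranet.example", "uri": "/admin/", "username": "admin", "request_body_len": 0, "status_code": 200}
{"ts": 1733900005.5, "uid": "C5", "id.orig_h": "10.20.30.43", "id.resp_h": "203.0.113.80", "id.resp_p": 80, "method": "GET", "host": "www.example.com", "uri": "/index.html", "request_body_len": 0, "status_code": 200}
"""

# Assumed heuristics: query-parameter names that commonly carry bearer material,
# URL paths that look like login endpoints, and DDNS suffixes (no-ip.org is the
# one mentioned in the post; the others are common providers, extend as needed).
TOKEN_PARAMS = {"token", "access_token", "auth", "session", "sessionid", "sid", "api_key", "apikey"}
LOGIN_PATH_RE = re.compile(r"/(login|signin|auth|tokens?|session)(?:/|$)", re.IGNORECASE)
DDNS_SUFFIXES = ("no-ip.org", "ddns.net", "duckdns.org", "dyndns.org")
UPLOAD_MIN_BYTES = 100_000  # assumed threshold for "bulk" request bodies


def parse_http_log(text):
    """Parse JSON-lines http.log records, skipping blanks and '#' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(json.loads(line))
    return records


def classify(rec):
    """Return the list of exposure reasons for one http.log record.

    Every record in a Zeek http.log is cleartext HTTP by construction (TLS sessions
    land in ssl.log), so the question is only whether something sensitive rode on it.
    """
    reasons = []
    path, _, query = rec.get("uri", "").partition("?")
    params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    method = rec.get("method", "")

    if rec.get("username"):  # Zeek fills this from HTTP Basic authentication
        reasons.append("basic-auth-credentials")
    if params & TOKEN_PARAMS:  # bearer-style token carried in the URL
        reasons.append("token-in-url")
    if method == "POST" and LOGIN_PATH_RE.search(path):
        reasons.append("login-over-http")
    if method in ("PUT", "POST") and rec.get("request_body_len", 0) >= UPLOAD_MIN_BYTES:
        reasons.append("bulk-upload-over-http")
    # DDNS is context, not a finding on its own: only note it alongside another reason.
    if reasons and rec.get("host", "").lower().endswith(DDNS_SUFFIXES):
        reasons.append("ddns-host")
    return reasons


def find_plaintext_exposures(records):
    """Run classify() over all records and keep only those with at least one reason."""
    findings = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            findings.append({
                "uid": rec.get("uid"),
                "ts": rec.get("ts"),
                "client": rec.get("id.orig_h"),
                "server": rec.get("id.resp_h"),
                "host": rec.get("host"),
                "method": rec.get("method"),
                "reasons": reasons,
            })
    return findings


def summarize_by_client(findings):
    """Group exposure reasons per client address, which is the unit the NOC acts on."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).update(f["reasons"])
    return {client: sorted(reasons) for client, reasons in by_client.items()}


if __name__ == "__main__":
    found = find_plaintext_exposures(parse_http_log(SAMPLE_HTTP_LOG))
    for f in found:
        print(f"{f['uid']} {f['client']} -> {f['host']} {f['method']}: {', '.join(f['reasons'])}")
    print(summarize_by_client(found))
```

Two design points are worth keeping in mind when adapting this to real data: the token and login heuristics deliberately work on metadata only (method, path, query keys, Basic-auth username), so they stay useful even where password logging is disabled, and the per-client summary is what you would take to the owner of the device, since all of the cases in this post were remediated by talking to the person rather than by blocking anything.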
These sorts of lapses in security and privacy happen routinely, and it’s usually because someone has set something up on their own as a learning experience, without realizing the risks they have taken or the damage they can do to themselves and others.
One of the benefits of a continuous network monitoring and visibility system like Corelight Open NDR is that it is easy to spot, investigate, document, and remediate situations like those we saw at Black Hat Europe 2025. Continuous network security monitoring should be a cornerstone of every NOC and/or SOC; it enables security teams to effectively deal with threats to the enterprise network.
We’d like to thank the Black Hat team for inviting Corelight to be a partner in the effort of keeping the Black Hat conference network online, safe, and secure, and we thank our partner organizations Arista, Cisco, and Palo Alto Networks for their contributions to making the Black Hat NOC a success! We’ll be back in the NOC at Black Hat Asia 2025: Come join us in Singapore!