Thursday, July 27, 2017

BHUSA17: Behind the Plexiglass Curtain: Stats and the Stories from the BlackHat NOC

Bart Stump, Neil Wyler

Both presenters have been on the review boards for DefCon and BlackHat and have been working in the NOC (Network Operations Center) for many years. Additionally, there are 21 industry professionals in the NOC.

Used Palo Alto Networks as their core firewall vendor, with 2G of bandwidth. Fewer wired rooms and fewer APs. Everybody gets segmented to protect you as much as possible. You're paying a lot to be here, so availability is important, too. Working with RSA and Gigamon this year for analytics.

Most of the gear is in the basement to keep it from being so hot and noisy in the NOC.

The NOC is now on display and has a wifi "cactus". You can look at them, but not come into the actual NOC.

Working with CenturyLink, PAN, RSA, Gigamon, Ruckus and Pwnie Express.

Hit the limit of their network capacity for the first time this year. It was saturated for the first few hours on Monday morning, when people were downloading Windows updates.

Last year, some changes were made to the network outside of their control and it caused a 4 hour outage. This year they had a much better lockdown.

Found rogue access points - one in a plant!

They don't block anything, including DNS requests, because many demos and training sessions need to access malware sites.

Over 300,000 DNS queries were observed to domains known to be malicious or to host malware. Over 12,000 queries went to dynamically generated domains, and over 7,800 newly seen domains were queried from here.

The top 2 sites visited were for Windows updates, as were the 5th, 7th, 8th and 10th. Apple and Ubuntu were hit hard, too. They advise users to patch before coming to this conference; many of these hits could be from expo systems, training, VMs, etc.

About 50% of the traffic was encrypted, down from last year. They did see one "VPN" connection that was done in the clear - oops! So, check that your VPN is actually encrypting!

Found a new version of Emotet. Saw 404 errors from a site that kept returning different data sizes. This version was released on Tuesday and discovered at BlackHat on Wednesday.
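As an added illustration of how that "404 responses of varying size from one host" pattern can be pulled out of proxy logs (this is not code from the talk or from the NOC's tooling), the script below runs the check over a constructed sample; the log format, hostnames and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (made-up format: client, method, host,
# path, HTTP status, response bytes). Hostnames are placeholders.
SAMPLE_LOG = """\
10.1.2.3 GET updates.example.org /win/kb.msu 200 5242880
10.1.2.9 GET www.example.com /missing 404 1342
10.1.2.9 GET www.example.com /also-missing 404 1342
10.1.4.7 GET cdn.badhost.invalid /img/a.png 404 9120
10.1.4.7 GET cdn.badhost.invalid /img/a.png 404 17311
10.1.4.7 GET cdn.badhost.invalid /img/a.png 404 4402
10.1.4.8 GET cdn.badhost.invalid /img/b.png 404 25930
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_lines(text):
    """Yield (client, host, path, status, size) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, _method, host, path, status, size = m.groups()
        yield client, host, path, int(status), int(size)


def suspicious_404_hosts(text, min_hits=3, min_distinct_sizes=3):
    """Return {host: sorted distinct 404 sizes} for hosts whose 404 answers vary.

    A genuine "not found" page is normally a fixed template, so a host that
    answers 404 with payloads of many different lengths deserves a look: the
    status code may be cover for content being handed out to a client.
    """
    sizes = defaultdict(list)
    for _client, host, _path, status, size in parse_lines(text):
        if status == 404:
            sizes[host].append(size)
    return {
        host: sorted(set(s))
        for host, s in sizes.items()
        if len(s) >= min_hits and len(set(s)) >= min_distinct_sizes
    }


if __name__ == "__main__":
    for host, distinct in suspicious_404_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(distinct)} distinct 404 sizes {distinct}")
```

The static 404 from www.example.com is left alone; only the host whose 404 bodies keep changing size is reported.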

There were 500K unique wireless MACs and 65K unique Bluetooth MACs (80% Apple). Many devices moved between the trusted BH wifi network and the open wifi. Next year people won't be allowed to take laptops in and out of the NOC and will use preimaged machines.

Discovered 94 ad hoc wifi networks, 55 APs on non-USA wifi channels and 17 Pineapple APs.

Saw lots of old, unpatched OSes, out-of-date IOS and out-of-date apps. Saw things like webcams where authentication was encrypted but the video stream of a home security camera was not...

Going to use the BlackHat wifi? Recommend using a VPN (NOTE: I do that at every conference or on public wifi).