At the recent Black Hat Asia event in Singapore, IT experts warned that managing network traffic at the event is like hunting for a needle in a needlestack, because the overwhelming majority of traffic relates to cybersecurity threats. Host Bart Stump and Neil Wyler, global lead of active threat assessments at IBM X-Force, provided insight into the event's security measures and its enterprise-grade network operations centre (NOC) environment. The NOC relied on dashboards to provide a real-time view of everything flowing through the network, with the ability to capture statistics on everything from device profiles to which cloud apps attendees were connecting to. The NOC also captured raw packet data for platform analysts to study whenever anything appeared suspicious. One dashboard even offered Wi-Fi and wireless connection heat maps showing where people were congregating, so the team could quickly focus attention on potential security issues.
Overall, the NOC tracked 1,500 individual devices connecting to the mobile network, including phones, IoT devices and other endpoints, and DNS queries were recorded at their highest level since 2018. Surprisingly, 72% of the data travelling through the network was encrypted. One domain, called Hacking Clouds, hosted the most user sessions, more even than the show's general Wi-Fi network for attendees. The NOC team noted that TikTok made an appearance in their top 10 for the first time; other top apps included Office 365, Teams, Gmail, Facebook and WhatsApp.
The team observed a few security incidents during the event, including one in which an individual generated so much malicious activity that all of the NOC systems alerted at once. The perpetrator moved from attacking individual websites to probing payment sites, at which point the team sent a "cease-and-desist" email. Another incident involved VPN issues: one VPN leaked the user's location information in clear text, which the team confirmed by plugging the leaked data into Google Maps. They also found that an endpoint detection and response (EDR) vendor was sending all of the usage data it collected from its users' endpoints back to its servers in clear text. One antivirus vendor was found sending pricing quotes and other sensitive information over unencrypted SMTP email, which made it easy for hackers looking to harvest this data. The team worked with all of the entities involved to resolve the issues.
Stump commented on the security features at the event, stating that the aim was to leave attendees more secure than when they arrived. The NOC team ensures that attendees are alerted immediately if data such as passwords is being sent in clear text, or when cryptomining activity is detected. In summary, the event made planning for cybersecurity threats more pertinent, and it showed that it is important to take into account both encrypted and unencrypted traffic.