As the first Black Hat 2017 attendees head out to the classrooms, the NOC team monitors attacks as they happen. The first few days will be heavily focused on penetration testing. To prepare to detect these attacks, we turned on the Scrutinizer Flow Analytics Algorithms, and sure enough, we are seeing more and more violated policies every five minutes.
Oldie but a Goldie
As I was finishing my morning joe, I went to the Alarms Tab and was not disappointed. Mind you, this would be a completely different reaction if we were monitoring a ‘regular’ network. However, here, at the Black Hat NOC, the havoc is a way of life and malware roams free.
A brute force password attack has been around since the beginning of time. It is crude but can be very effective. All you need to succeed in breaking in is a single user with a weak password. It does not have to be root, since there are multiple ways to escalate privileges once in. The first time I ran into it was when a co-worker of mine set up a test server and chose a very weak root password for it. A few days later, the box was running IRC bots and trying to compromise the rest of the network.
Scrutinizer’s Breach Attempt algorithm looks for many small flows from one source to one destination. This can indicate things such as a brute force password attack with a typical scenario being a dictionary attack on an SSH server. And yes, now it would be a good time to take a break and change your password.
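To make the "many small flows from one source to one destination" pattern concrete, here is an added example (not Scrutinizer's own code) that applies the same idea to constructed flow records: it counts small flows per source/destination/port triple inside a sliding five-minute window and flags pairs that exceed a threshold. The byte cut-off, window length and flow-count threshold are assumptions chosen for the sample, not Scrutinizer's settings.

```python
from collections import defaultdict

# Constructed flow records, one per line, in the shape a flow exporter would
# summarise a TCP conversation: start_epoch,src_ip,dst_ip,dst_port,packets,bytes.
# The 10.0.0.5 -> 10.0.1.20:22 entries mimic a dictionary attack on SSH:
# many short sessions of a few packets each, a few seconds apart.
SAMPLE_FLOWS = [f"{1501570000 + i * 3},10.0.0.5,10.0.1.20,22,9,812" for i in range(40)]
SAMPLE_FLOWS += [
    "1501570010,10.0.0.7,10.0.1.30,443,410,382120",   # ordinary HTTPS transfer
    "1501570020,10.0.0.7,10.0.1.30,443,380,351004",
    "1501570050,10.0.0.9,10.0.1.20,22,2200,1903344",  # one long, legitimate SSH session
]
# A handful of failed logins from another host: small flows, but too few to trigger.
SAMPLE_FLOWS += [f"{1501570000 + i * 40},10.0.0.11,10.0.1.40,22,8,790" for i in range(5)]

WINDOW_SECONDS = 300         # assumption: evaluate per five-minute interval, as in the post
SMALL_FLOW_MAX_BYTES = 2000  # assumption: a flow at or below this size counts as "small"
MIN_SMALL_FLOWS = 20         # assumption: small flows in one window needed to raise a violation


def parse_flow(line):
    """Split one CSV flow record into typed fields."""
    ts, src, dst, port, pkts, nbytes = line.split(",")
    return int(ts), src, dst, int(port), int(pkts), int(nbytes)


def breach_attempts(lines, window=WINDOW_SECONDS, min_flows=MIN_SMALL_FLOWS,
                    max_bytes=SMALL_FLOW_MAX_BYTES):
    """Return {(src, dst, port): peak} for every pair whose peak number of small
    flows inside any `window`-second span reaches `min_flows`."""
    starts = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _pkts, nbytes = parse_flow(line)
        if nbytes <= max_bytes:  # only small flows count toward the pattern
            starts[(src, dst, port)].append(ts)
    hits = {}
    for key, times in starts.items():
        times.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(times):  # sliding window over sorted start times
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_flows:
            hits[key] = peak
    return hits


if __name__ == "__main__":
    for (src, dst, port), n in breach_attempts(SAMPLE_FLOWS).items():
        print(f"Breach Attempt: {src} -> {dst}:{port}, {n} small flows within {WINDOW_SECONDS}s")
```

On the sample data only the 10.0.0.5 -> 10.0.1.20:22 pair is reported; the long legitimate SSH session and the HTTPS transfers are large flows and never enter the count, which is what keeps this kind of check quiet on ordinary traffic.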
You are just a few clicks away from finding a culprit
The good news is we have all the data we need to investigate the issue, as Scrutinizer was collecting details surrounding the event. As the information is gathered, we will be able to put the puzzle together and hopefully discover what is happening, why it occurred and how long it will take to clean up. From small networks with a few routers to massive, distributed network environments, searching for patient zero is often where it all begins.
Next, we launched the Pair Conversation Report to see who else the suspicious IP was talking to and what ports they were using to estimate the potential risks:
As we later found out, it was a ‘legitimate’ classroom activity with the attendees warming up. In a real-life scenario, though, it would be a real cause for concern.
Stay Tuned for More Updates
As the classes progress, we expect to see more and more violations detected. In the next blogs, which will be coming out daily, we will show you some of the custom reports we created for the Black Hat NOC 2017. First and foremost, stay cool. It’s 102 degrees in the Gambling Capital of the World, and it’s just about to get hotter.